Case Study

Publicly Traded Company with 3,000 employees IT Department with 55 There is NO dedicated security staff but 2 operations staff provide this capability in IT IT is centralized, mix of Cloud and on premise systems and utilizes Microsoft products There are more project requests than resources (either fiscal or human) to fulfill the requests Since 2009 there has been a hold on new purchases or significant upgrades There seems to be little desire to upgrade large systems even though they are over 10 years old Firewall infrastructure is aging (over 9 years old).

Your company has had a few defacement issues with an extranet website that your vendors use to do business with you. The website is based on old asp code and the vendor has not updated the site or the code in over 8 years. There are known cross-site scripting and SQL injection vulnerabilities in the site but to date only easily corrected defacement of the site has occurred. You have a planned upgrade for this software, including the website interface but that will not be implemented for 18 months. The Vendor is of little assistance and the contract in place is over 10 years old and provides no protections or language that you can use to force the Vendor to fix the vulnerability. You are fairly certain that a breach will occur, that it is only a matter of when. The website is critical to your business function and the business unit is not willing to shut down the website as the resulting manual labor would be extensive.

1. What do you as the CIO put in place to protect the organization within the parameters provided? How and to whom do you communicate the issue(s) to?

2. You understand that the site has known vulnerabilities as the defacement indicates and you understand that it would be brand and marketing nightmare if the site is compromised. You also understand there is no allocated funding to replace or even fix the site. How do you assess the situation?

3. Do you have any options with the Vendor? If yes, then what are they and how do you proceed with moving forward? Is this a systemic issue? Are there other technology issues that you need to address? If so, what are they and how would you address them?

4. If a breach occurs, how will you handle the during and after phases in terms of action items, time frames and communications?