Question

Process summary

Access control process

When hiring a new employee, no background check is performed. The company views everyone as ethical and honest. Prior to gaining access to the Critical system, an end user will request access via his or her supervisor. The supervisor will then acknowledge to the administration office for Critical that the end user is an authorized user and that the access that he or she is requesting is appropriate. In many cases, no record of the access request or approval is retained and the system does not record the date when access was granted.

After the initial system access is granted, all further access requests are made directly by the End-User and the administration office for Critical. When an employee no longer works for StellenTEK, his or her system access is deactivated.

Process flow

Members of the sales team have end-user access to the Critical system. This enables them to enter data in the Critical system daily to capture the items sold to their specific customers. Sales managers are granted access as power-users and can enter data into the system for all customers. All members of the sales team receive quarterly bonuses based on the number of new customer accounts they create. When a new customer is created, the system automatically scans the other customer names looking for duplicates. If no duplicates are found, the account is marked new.

In addition to connecting healthcare managers with their clients, StellenTEK also sells an exclusive line of health supplements. The system tracks the amount and location of each product sold. Every day, the inventory is replenished as necessary. There is a separation of duties between various departments. A summary of the products sold and the location is available every day using the corporate data warehouse. Some managers prefer to see their results in a paper report.

Configuration management process

Requests for software changes are made in the Rational ticketing tracker, which establishes a workflow for change approvers. All changes must be tracked in the Rational ticket tracker. Changes must be approved by the Change Manager (CM) prior to being assigned to a software developer.

After development, changes are reviewed by the Change Control Board (CCB), which meets on a weekly basis, prior to being approved for production. As a note, all software testing is performed in the testing environment and then moved into the development environment. Testing is completed by comparing the software's functionality to the requirements. The Quality Assurance (QA) team allocates its time testing updates based on which updates are determined to be significant.

After approval, the new version of the software is moved into the Production environment and end users can use the new software. During the CCB meeting, the change and the testing results are reviewed for the security impact and for the impact on the other systems. Changes must be approved by the CCB prior to implementation into production. This process requires a lot of coordination and takes some time. StellenTEK is in the IT business, so software updates cannot be delayed. The CCB review and approval process is sometimes skipped if the project is running behind.

This simulation is a work of fiction. Any names of persons, companies, events or incidents, are fictitious. Any resemblance to actual persons, living or dead, companies or actual events is purely coincidental.

Contingency planning process

Data in the Critical system is replicated every Wednesday from the primary processing site in Washington, DC to an alternate processing site in Omaha, Nebraska on a near real-time basis. The server room is open to all employees to enable easy coverage for the IT team, should someone be out of the office. Critical has a security categorization of High, a recovery time objective (RTO) of six hours and a recovery point objective (RPO) of one hour. There is a policy that requires that functional tests be performed at least every other year for systems with high security categorizations. Company management has not performed a functional exercise in five years due to resource limitations. The security manager and program manager performed a test five years ago when they reviewed the contact information in the Information System Contingency Plan.

Please respond to the following questions

1. Identify the controls in place and describe how you would test whether the controls are operating effectively. Also identify the documentation you would need from the client to test each control.

2. Identify and describe the control weaknesses, and for each weakness document the condition, criteria and effect of the weakness.

3. Provide overall observation about risks presented by IT controls.
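The duplicate-customer scan described under "Process flow" is the one control in the case that can be exercised directly rather than inspected on paper, and it sits next to a bonus paid per new account. The script below is an added example, not part of the question or of any answer on this page: it runs an exact-match scan (the only behaviour the case attributes to the Critical system) and a normalised scan side by side over a constructed customer extract, then lists the "new" accounts that duplicate an earlier one, grouped by the sales user who created them. The customer data, user names and the assumption that lower ids were created earlier are all invented for the example.

```python
"""Control test: does the duplicate-customer scan actually catch duplicates?

Runs two scans over a constructed extract of the customer master:
  - exact_scan: names compared as-is (what the case says the system does)
  - normalized_scan: names compared after case-folding, stripping
    punctuation and legal suffixes, and collapsing whitespace
and reports which "new" accounts duplicate an earlier one, per creator.
"""
import re
from collections import defaultdict

# Constructed sample extract (not from the case study). Assumption for the
# example: a lower id means the account was created earlier.
CUSTOMERS = [
    {"id": 101, "name": "Acme Health Partners",       "created_by": "jdoe"},
    {"id": 102, "name": "ACME Health Partners, Inc.", "created_by": "jdoe"},
    {"id": 103, "name": "Acme  Health Partners",      "created_by": "jdoe"},
    {"id": 104, "name": "Blue Ridge Clinic",          "created_by": "asmith"},
    {"id": 105, "name": "blue ridge clinic llc",      "created_by": "jdoe"},
    {"id": 106, "name": "Cedar Valley Wellness",      "created_by": "asmith"},
]

LEGAL_SUFFIXES = re.compile(r"\b(inc|incorporated|llc|ltd|corp|corporation|co)\b")
PUNCTUATION = re.compile(r"[^\w\s]")


def normalize(name):
    """Canonical form of a customer name: lower-case, punctuation and
    legal suffixes removed, internal whitespace collapsed."""
    n = PUNCTUATION.sub(" ", name.lower())
    n = LEGAL_SUFFIXES.sub(" ", n)
    return " ".join(n.split())


def duplicate_groups(customers, key):
    """Group customer ids by key(name); keep only groups with >1 member."""
    groups = defaultdict(list)
    for c in customers:
        groups[key(c["name"])].append(c["id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) > 1}


def exact_scan(customers):
    """The check the case describes: names must match character for character."""
    return duplicate_groups(customers, key=lambda n: n)


def normalized_scan(customers):
    """The check an auditor would re-perform: names compared after normalisation."""
    return duplicate_groups(customers, key=normalize)


def suspect_new_accounts(customers):
    """Accounts that duplicate an earlier account, keyed by the user who
    created them. In this case these are the 'new' accounts that would
    have counted toward a quarterly bonus without being genuinely new."""
    by_id = {c["id"]: c for c in customers}
    suspects = defaultdict(list)
    for ids in normalized_scan(customers).values():
        for dup_id in ids[1:]:  # ids are sorted; ids[0] is the original
            suspects[by_id[dup_id]["created_by"]].append(dup_id)
    return {user: sorted(ids) for user, ids in suspects.items()}


if __name__ == "__main__":
    print("exact-match scan finds:", exact_scan(CUSTOMERS))
    print("normalised scan finds: ", normalized_scan(CUSTOMERS))
    for user, ids in suspect_new_accounts(CUSTOMERS).items():
        print(f"{user}: {len(ids)} suspect new accounts {ids}")
```

On this extract the exact-match scan reports nothing, while the normalised scan groups three spellings of one clinic and two of another and attributes the three later copies to a single sales user. To use the same approach against the real system you would request the customer master extract (id, name, created-by, created-on), the bonus calculation for the period, and evidence of what comparison the scan actually performs; the gap between the two scans is the evidence for the weakness, and the per-creator list is the starting point for the effect.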
