Case Study: Security Review

Helping education institutions count on a secure environment

Education institutions throughout Australia face increasing threats to their ICT environments. These include both Internet based malicious threats as well as intentional and unintentional threats on the internal environment, namely inquisitive students.

Business Aspect has an extensive track record in helping schools face up to these challenges and was recently engaged by a major Queensland college to review the security level of their IT systems and data. This included:

  • Undertaking an organisation-wide information security review.
  • Performing external penetration testing; and  
  • Performing an internal technology vulnerability assessment.

The external penetration testing of the gateway included both “black box” and “white box” testing as well as vulnerability testing and assurance of the internal technology environment. Business Aspect undertook:

  • Testing key server and device segments to identify vulnerabilities that may allow a student to gain unauthorised access to staff servers or other unauthorised information.
  • Reviewing firewall configuration including filtering rules (both outbound and inbound); and
  • Reviewing logging, alerting or intrusion detection or protection mechanisms on servers and/or infrastructure.

The vulnerability assessment was augmented by a broader risk-based review of the organisation’s information security management controls, including:

  • Reviewing information security policy and procedures (e.g. information security policy, patch management; change management).
  • Reviewing IT risk management processes.
  • Assessing the risks to the college using previously identified vulnerabilities as input to the risk assessment together with threats.
  • Reviewing backup and disaster recovery plans and procedures; and
  • Development of a risk mitigation plan detailing prioritised recommendations for risk remediation.

Findings and recommendations with associated priority levels (high, medium and low) were presented with an analysis of the estimated effort (duration and complexity) to implement each recommendation, allowing the organisation to prioritise and plan for the implementation of remediation actions.

The Security Review Report provided the college with a clear direction for improving their information and technology security posture in alignment with their risk profile. This resulted in increased protection against insider threats and targeted attacks.