SANS Institute InfoSec Reading Room
Abstract
This practical is a case study of an Insurance Company’s migration to an enterprise-wide security system. It is the intent of this practical to provide a path to follow when creating or migrating to a security system. Initially, a primitive online security system was the only mechanism to control access to corporate data. The exposures were severe - there were no integrity controls outside of the online environment. Anyone with basic programming skills could add, change and/or delete production data.
A project plan was developed to identify tasks, assign resources and ensure milestones were met. The scope of the security initiative included creating an inventory of information assets, creating new objects (data within datasets), constructing new groups and granting the appropriate permissions for access to the objects. Training documentation was created to instruct the users how to access the new system, both in an interactive and batch mode. Mini boot camps were conducted to train the trainers, who in turn provided mentoring and tutoring for the user community. Additional staff was recruited from other departments to provide user support for the rollout. D-Day arrived and the rollout experienced only minor glitches. All the exposures were mitigated to the satisfaction of internal and external auditors.
Before Snapshot – May 1998
The Bumper Insurance Company (BIC – not its real name) is operating in a 1980s technology environment. There are no LANs or WANs, just 3270 (dumb, green-screen) terminals linked by coax to the mainframe. In addition, BIC had previously acquired another insurance company and runs the acquired company’s applications on the BIC mainframe. A proprietary security system provides access control for the online applications; there is no provision for access controls outside of the online environment. What are our risks? How can we quantify the risks?