Peak View Sound Sources is a public company based in Denver, Colorado and is focused on providing digital media and Web sites to music companies and musicians through the Mountain and West Coast regions. The company has a solid reputation and is starting to get some national and worldwide attention, with new prospective companies wanting to take advantage of the quality services they have seen on other existing Web sites.
Your company has been hired to assist Peak View Sound Sources (PVSS) to ascertain the security posture of the company’s Information Systems resources and services. You are heading the team of auditors tasked to perform the audit and assessment.
You enter the company offices of PVSS and begin your analysis of the environment and situation.
Initial analysis has allowed you to determine that the company is made up of the following divisions:
Corporate Management and Support Staff: This organization contains the executive management, human resources, and accounting teams. All company decisions are directed from the management team.
Information Technology: This team manages the networks, servers, Web sites, and desktop environments for the company. The team has a perception of being difficult to work with, as they are slow to adopt new technology and slow to implement new offerings. The reality is that the team has resources and wants to uptake the newest and greatest technology, but they spend most of their time putting out fires and reacting to issues.
Media Content and Design: This team is in charge of working with the record companies and musicians to create the Web Sites and implement the product offerings that are sold.
Sales and Marketing: This team works with the musicians and record companies to offer and sell the services of PVSS.
There is a concern about the security of the infrastructure with respect to the ability to protect the copyrighted material that PVSS is given to host, because a single incident several years ago took place in which an entire new CD was released prematurely via the Internet. Although PVSS was not directly linked to the leak, there are suspicions surrounding PVSS.
As you continue your analysis, you see that the Information Technology (IT) department has developed several guidelines and procedures about how various systems should be considered and set up, but this is internal only to the IT department. Every time a new machine is set up and deployed, within a month, the configuration is changed.
Explain why you think the use of these guidelines and procedures is not sufficient and may not solve the problem. Consider how a company-wide policy program could help the situation.
As you begin to prepare your game plan to conduct an Information Security Audit, talk about why you think this current situation makes it difficult to identify the controls that need to be examined.
If you were performing this security audit, with which regulations would you want to ensure that PVSS complies? Why?