Root Cause Analysis
Here are the requirements for Paper Two.
1. The paper needs to be specific to the company you researched.
2. Ask yourself what caused the issue. Then ask what caused that issue. Keep asking until to find what you believe are the root causes. Ideally find more than one root cause.
3. Recommendations are likely to have People, Policy, and Technology elements - one or more.
4. Argue why you believe your recommendations will work.
YOU NEED TO ADDED TO THE FINAL DRAFT DOCUMENT
Surname 1 Mejia 7 Carlos Mejia Dr. Mansur Hasib CDF 281 OM1 4/19/2020 Company Background Sony corporation is a Japanese multinational company based in Tokyo, Konan, and Minato. Sony is among the globally known electronic brand. The company began in 1946 as Tokyo Telecommunications Engineering Corporation with a starting capital of 200,000 yen that later relocated to Shinagawa, Tokyo (Sullivan 25). The specialty of the company is diverse, including professional and consumer electronics, gaming, and entertainment. The company has gradually grown from humble roots to an established multinational company. The company started from a tape player to the Walkman to the current OLED television. The traditional operations of Sony cooperative have grown through innovation and has been profitable for more than 60 years. The vision of Sony is to fill the world with emotion using technology and creativity. Sony is guided by various values, including dreams and curiosity, diversity, integrity and sincerity, and sustainability. Sony pursues the creation of the best by connecting diversity and varying viewpoints. The company believes in earning trust from consumers through responsible and ethical conduct and disciplined ethical conduct. Organizational Structure The organizational structure of Sony rotates around the growing pressure in the gaming, entertainment, and electronics markets. The design of its architecture reflects the criteria used in the determination of the positions and roles of its employees and to adapt to the changing innovations in the industry. Sony's corporate structure supports the improvement to cater to the increasing competition from rival companies and global market situations. Sony corporation contains a balanced matrix of organizational structure that is primarily based on the effectiveness of the various business segments for the profitability development of innovative products in the market. Various executives head different sectors such as R&D, business development, energy and business, and the storage media departments. Sony's organization is based on various features such as function-based groups, geographic and business type divisions. In terms of the functions, it has the CEO, finance, R&D, legal and external relations, engineering, and HR to support functional efficacy. In the business division, the company sustains its division according to the type of product. Primarily, the segments include devices and games, music, storage media, home entertainment, and mobile communications. Sony's least concentrates on the geographical distribution in its business. However, it uses the geographic divisions to plan, finance, and establish strategic decisions. The primary geographic divisions include Japan, Europe, Asia-pacific, United States, China, and other regions. The primary advantage of Sony's Corporation is flexibility. The connections between the divisions assist the company is focusing on the different products and maintaining innovation as a growth strategy in the company. Sony strengthened its systems after the 2011 breach on its PlayStation network that resulted in the loss of 77 million user accounts. However, hardening primarily focused on the firewalls to monitor the threats and continuously updating the system to detect the changing security signatures. The Hack On December 17th, 2014, Sony announced that it had canceled the release of the comedy movie, The Interview following controversy about its content (Daugirdas and Julian 419). The comedy movie highlights that two journalists are recruited to eliminate a North Korean leader. The decision to cancel the release of the film was associated with a unique breach into Sony's networks as well as threats directed towards movie theaters that show the film. On Monday, November 24th, at 7 AM Pacific Standard Time (PST), Sony picture systems were attacked. The malware used by the hackers infected the system successfully, affecting the Sony global network; however, the IT team was not able to contain the attack. The malware had an algorithm that overwrote and stole the data in seven different ways, complicating the recovery process by the Sony IT team. After one hour, the malware had taken and formatted data in 3263 PCs and 837 servers. However, Sony was able to save 3535 personal computers and 728 servers by entirely shutting down the system and stopped the spread of the malware (Zetter 2014). The hackers threatened to disclose sensitive company information, including personally identifiable information concerning both customers and employees such as names, addresses, financial, emails, unreleased movies, privacy websites as well as social security information. Consequently, investigations by the FBI indicated that the attackers had infiltrated Sony Corp. network systems several days before they initiated the attack. Who and Why The Guardians of Peace (GOP) claimed responsibility for the attack against Sony systems (Zetter 2014). Later, the FBI placed blame to the North Korean government for the hack, de facto citing Guardians of Peace as a government-sponsored unit. The technical analysis of the malware by the FBI indicated considerable similarities with that used by the Korean government in 2013, such as the encryption algorithms, overwrite method, codes, and compromised network (Haggard 2015). Additionally, the FBI established that the IP address for North Korea was hardcoded in the overwrite malware that was used to destroy Sony Corp.'s personal computers. The features of the malware attack against Sony reflected several similarities with the attack against South Korean banks and media companies in 2013. The report by the FBI was unique since the US state agency had never before solely associated a cyber-attack to a state. The interview is a comedy movie produced by Sony, about journalists who traveled to North Korea with a primary mission to assassinate Kim Jong U. The North Korean government complained about the movie for over a month and demanded the show be stopped with immediate effect since it promotes terrorism. Moreover, it previously had sent a letter to the United Nations concerning the contents of the movie. Despite the FBI and the media claiming the motives of the attackers stems from North Korean outrage about a movie, which many found unreasonable. Financial implications of the Breach Following the attack, Sony Corp. was reduced to using fax machines and old blackberry phones to communicate through messages and pay employees paper checks. The leaked information caused public embarrassment and increased worries concerning the identity theft of Sony employees, which suffered litigation from previous employees for failure to properly secure their networks. Sony suffered big losses from the attack, losing movie profits from The Interview. The attack by Guardians of Peace on Sony's movie studios, including leaked scripts of Mall Cop: Blart 2, Goosebumps, and The Wedding Ringer, had a detrimental financial impact on the company (Zetter 2014). Furthermore, GOP released critical marketing studies that include information about the adaptation of the Angry Birds Movie and the underlying principle for making or not making a movie. Hence, this would compromise their marketing campaigns since their critical information was made available to its competitors. Sony invested considerably in its movie studio to conduct new marketing studies. The company spent on computer repairs and replacement on the company's personal computers that were damaged. Moreover, they spend on conducting investigations on what happened to the confidential information and the measures they put in place to ensure that they would not reoccur in the future. The financial information relating to the vendor contracts was also leaked, which affected their power in negotiating a contract since the leaked information indicates how Sony is willing to pay a vendor in case they rent an asset for production. All of the information released impacted on Sony Corp had a financial implication, and they had to buy a computer and cybersecurity equipment to boost their security status. Consequently, leaked information impacted Sony employees as well as external parties that Sony spends time and money to contain the financial impact of the breach. Recommendations Contingency Planning (CP): Cyber Security Contingency Plan is risk management plan documented on paper which lays out instructions for the company, recommendations and considerations that the company should ponder in the event of breach in its security or in case of any unforeseen disaster in order to recover lost information. Sony Corporation should create an effective contingency plan in view of the experience of the major security breach by GOP. The company should involve the leadership who have thorough knowledge of the breach like malware infection, data theft and ransomware which were prevalent in the breach. The people responsible for creating the CP should enforce the plan and provide appropriate training to the higher authorities of the company to ensure protection of sensitive data like, personal information, marketing plans, company’s underlying principles for certain kind of business like making a movie and the like. Along with hiring personnel internally, Sony company should involve their legal team for creating the CP. The legal counsel would appropriately advise the Chief Information Officer and the Chief Executive Officer among the leaders who would be involved in setting the CP in place to contain any cybersecurity breach in future as experienced by Sony company in 2014 without losing information critical to the company, its employees and its customers. The team should include Data Backup Plan, Disaster Recovery Plan and Emergency Mode Operation Plan within the CP in order to highlight the controls that should be correctly placed in order to mitigate the impact of security breach on Sony’s systems and servers. Security Assessment and Authorization (CA): Sony Company is recommended to develop, document and disseminate CA policy in order to curtail the losses caused by cyber security breach in future. The CA process is a formal authorization package which comprehensively outlines the extent to which the design and implementation confers to specific security requirements of Sony Company and meets the government guidelines as well as federal mandates. The assessment process should include all the technical and non-technical elements, information system policies, safeguards, policies, documentation and vulnerabilities of the organization. The authorization policy should include scope and purpose of the policy, roles and responsibilities of the involved personnel, commitment from management team at Sony, coordination among the various entities of Sony including business division, geographic division as well as function-based groups. The legal landscape has shifted to business resilience with the management board, risk executives and committees are being held accountable for it. Strict procedures should be implemented for SA Policy and Controls. The current SA policy and procedures should be reviewed and the glitched should be documented and corrected in the new SA Policy. Alongside the security policies and procedures at the organization’s level, system specific policies and procedures, the company should also be developed which would reflect upon the complex nature of the organization. Nonetheless, the CA would work as general information security policy for other organizations as well. Security control assessment should be conducted early on to determine its effectiveness so that risk management and business resilience can be incorporated at its best. Conclusion Organizations need to recognize the importance of cybersecurity and uphold defense against cyber-attacks. The presence of robust security control can stop some of the attacks. Sony announced that it had canceled the release