Security, Interoperability, and Operations in Bank Solutions, Inc - Case Study Example

Case study November 08, Case study Information technology has emerged to be the backbone of the finance industry whose balk of services relate to data storage, data management, and dissemination of data. Threats to data safety such as physical damage due to accidents and calamities or intentional threats that could be internal or external identify need for security measures for protecting data from loss and breach. Disaster recovery and business continuity (DRBC) planning prepares an organization for dealing with the threats but security controls and regulations also exist for promoting data security. The scope of operations of Bank Solutions Inc. identifies the need for security measures but risk assessment of the company’s operational set up identifies security, interoperability, and operations issues that threaten the organization’s ability to implement DRBC plan and safeguard its data. This report analyses issue around the organization’s system, based on results from its internal report, and recommend IT security controls and government regulations and standards that can safeguard the company’s data. Issues related to security, interoperability, and operations in Bank Solutions, Inc. Security issues Scope of the company’s operations that identifies data in electronic format and the company’s outdated and untested data system identifies integrity, confidentiality, and authentication as major security issues (The United Nations, 2007). This is because the company’s outdated and untested could be inefficient in detecting and preventing possible internal threats. This also raises authenticity, repudiation, and integrity concerns due to possible arbitrary data alteration (Camara, Crossler, Midha, & Wallace, 2011). Confidentiality is also an issue because of company’s laxity in customization and implementation of disaster recovery and business continuity master plan that mean that stored data is susceptible to breach from employees who are not entitled to access and external threats. Such access can only identify malicious intention and breach of confidentiality (Chhabra, 2013) and lack of regulation on data access suggests this. Operations Operational issues are also evident in the case and implementation of Information Technology governance is an example. Effective governance offers leadership for availability and implementation of necessary frameworks for operations and security of a system (Grajek & Pirani, 2012). Assessment results suggest lack of such governance, leading to application of an outdated and untested system. Identified failure by some facilities to customize and implement DRBC plans also shows lack of effective governance in operating and managing the company’s information system. This further means that some personnel could lack knowledge and application of the plans, leading to non-uniform operations and operational inefficiencies. Professional competence in operating system infrastructure is another significant issue, especially because the organization has not trained its plan participants (2012). The lack of training also suggests significance of inefficiency in operations, even in other areas (Dreager, 2007). Interoperability Data management is also done at center level with limited integration and implementing a cloud system that will link all systems, for back up is necessary (Grajek & Pirani, 2012). Independent security management, from the organization’s strategic and operational planning is another issue as the analysis results fail to identify the role of strategic and operational planning (The U.S. Government Accountability Office, N.d.). Interdepartmental infrastructure, for efficient operations is also significant and is identifiable from the low-level interdependence of data centers (Doumeingts, Muller, Morel, & Vallespir, 2007). Prioritized requirements based on immediate need, security posture, complexity, resource availability, and cost The most important need is integrity among IT personnel and should be prioritized. This will ensure moral practice and personnel’s initiative towards data safety, through honesty that will either mitigate possible internal breach or identify and report threats for prevention and management of external threats. Leadership and seminar may be necessary for promoting integrity at no extra cost or resource necessity and the process is not complex. Proposing policies and moral codes can also help achieve this. Testing and updating the system is another need for the organization. Expertise, software and hardware, and money for financing the resources may be necessary and the process is complex. It will however prevent security breach and data loss and will reinforce effects of achieved integrity. While integrity and a tested and updated system ensure safety from deliberate threats, customization and implementation of disaster recovery and business continuity master plan will improve the company’s ability to detect and prevent other threats such as physical damage due to calamities and accidental malware. IT governance and training of personnel may however be necessary. Incorporating software that restrict data alteration, to ensure authenticity, and introduction of a cloud system, for an integrated system across the organization, are other necessities. These will require software, programs, and expertise for installation and management. Their significance is however low to identify the low priority. After implementing these necessities, the company can consider its overall IT governance for efficiency and effectiveness of development and implementation of security measures. General personnel training and interdepartmental infrastructure may also be necessary for efficiency. Data and cost of implementing necessities are the fundamental bases of the prioritization, and are supreme for the company’s scope and need for competitiveness. Applicable government regulations/ standards that govern measure or implementation of the requirements Section 609.930 of Code of Federal Regulations identifies some of the applicable government regulations to the case. One of the regulations is need for “security and integrity of system institution and borrower data” and corresponds to the identified integrity and privacy issue (Cornell University Law School, n.d. p. 1). This requires the company to establish a reliable system that protects data from threats. The company has however not achieved this because of its failure to test and update its system for disaster prevention and management. Another government regulation, based on the policies and procedure, is an organization’s responsibility to ensure privacy of its clients’ data. This identifies need for controls that can safeguard data should there be breach of integrity and measures for authenticity are examples. Failure to update the system establishes threats to privacy and a breach of the provision. Another regulation is the required ability to readjust after occurrence of a risk and identifies with the organization’s failure to implement DRBC plan in some facilities and failure to educate its members on required skills. This therefore addresses issues such as employee training and governance that the organization lacks. Another regulation requires an organization’s ability to detect and manage intrusions. This is however possible with an updated system and a competent team of staff that the company lacks (Cornell University Law School, n.d.; Powner, 2009). Security controls that relate to the issues and effects of the controls on enhancing security posture or implementation of identified requirements “Unsuccessful logon attempts,” “separation of duty,” “information flow enforcement,” and “access control policy and procedures” are some of the controls that relate to the issues (National Institute of Standards and Technology, 2013, p. F-7- F21). Unsuccessful logon attempts, information flow enforcement, and access control policy control possible unauthorized data access through approved accounts, therefore ensures privacy, and promote authenticity. Separation of duties however distributes roles among personnel and departments and therefore facilitates governance and competence due to specialization. Information flow enforcement also facilitates interdepartmental integration and strategic planning for cohesion. The unsuccessful logon attempts limit the number of unsuccessful logins and therefore prevent unauthorized login through trial and error entry of password. This will ensure that only authorized personnel access data and will address issues such as authenticity, confidentiality, and privacy, through ensuring accountability. The attained level of accountability will also facilitate integrity. Information flow enforcement offers control over accessibility of data to personnel and facilitates integrity through ensuring accountability of few individuals. Effective enforced flow also incorporates need of different departments and requires IT governance for effective interdepartmental operations. The enforcement will also require, and therefore ensure strategic planning. access control and policy procedures ensures availability of revised policies and procedures and will ensure updated and tested systems with awareness and competence of the systems among relevant employees, through IT governance. The last of applicable controls is separations of duty and is likely to reinforce restricted access to data, personnel’s competence due to specialization, and integrity due to accountability among few individuals. Implementing the four controls will therefore help the company address most of its security, operations, and interoperability issues. References Camara, S., Crossler, R., Midha, V., & Wallace, L. (2011). Bank solution disaster recovery and business continuity: A case study for CSIA 485. Journal of Information Systems Education, 22(2) : 117-123. Chhabra, S. (2013). ICT influences on human development, interaction, and collaboration. Hershey, PA: Idea Group Inc (IGI). Cornell University Law School. (n.d.). 12 CFR 609.930- Policies and procedures. Cornell University Law School. Retrieved from: http://www.law.cornell.edu/cfr/text/12/609.930. Doumeingts, G., Muller, J., Morel, G., & Vallespir, B. (2007). Enterprise interoperability: Nnew challenges and approaches. London, UK: Springer Science & Business Media. Dreager, J. (2007). Information technology investment and the relationship to jey hospital operational metrics: An exploratory analysis. Ann Arbor, MI: ProQuest. Grajek, S. & Pirani, J. (2012). Top-ten IT issues, 2012. Educause Review. Retrieved from: http://www.educause.edu/ero/article/top-ten-it-issues-2012. National Institute of Standards and Technology. (2013). Security privacy controls for federal information systems and organizations. The U.S. Department of Commerce. Retrieved from: http://www.disa.mil/Services/DoD-Cloud-Broker/~/media/Files/DISA/Services/Cloud-Broker/NIST-SP80053-SecurityandPrivacyControls.pdf. Powner, D. (2009). Information technology: Federal laws, regulations, and mandatory standards for securing private sector IT systems and data in critical infrastructure sector. Washington, DC: DIANE Publishing. The U.S. Government Accountability Office. (N.d.). Issue summary. The U.S. Government Accountability Office. retrieved from: http://www.gao.gov/key_issues/leading_practices_information_technology_management/issue_summary. The United Nations. (2007). Information and communication technology policy and legal issues for Central Asia: Guide for ICT policymakers. Geneva: United Nations Publications. Read More