Promoting Information Security in Banking Solutions Inc - Case Study Example

Multiple Projects based on 2 case studies scenarios Affiliation PROJECT CASE STUDY GAP ANALYSIS Summary of Security Issues One of the major information security issue faced by Bank Solutions Inc. is the time it takes to update its data center. Failure to maintain frequent updates is dangerous since and data crime may not be noticed with certainty for immediate action. The data center for the organization is not tested frequently as well. Important aspects, such as item processing facility, have remained untested for about two years, which stands to be a major information security issue. Another major issue is the failure to write site-specific DRBCPs for all item processing facilities, but on for the five largest processing facilities. Skipping some item processing facilities poses information security risk to both customers and the institution. Various sections of DRBCPs have been affected including emergency and crisis response procedures, business recovery procedures, and “return to normal” procedures among other appendices. Other failures contributing to information security issues include problems regarding critical systems, business processes, alternative processing facility address as well as directions, notification listing, and procedures for public relations management. Besides, only some key plan participants have been issued with a plan copy, with the rest of the copies being stored on the network. Information about the plan could thus be accessed by untargeted individuals, which is a major security threat (Hurst, 2013). The banking organization has not even provided adequate training to the critical plan participants regarding the use of DRBCPs. Furthermore, the DRBCP hardly addresses how to handle possible security incidents. This could as well be addressed by another policy, a standard, guidelines, or even procedures. There are no handling steps or contact escalation points or even procedures useful in the preservation of forensic qualities for logical evidences. Another key issue regarding information security is event logging where users have the right to initiate specific privileged activities regarding production servers, in which a number of them have been having write access to the logs even without administration permission (IDG Communications, 2014). Redundancies have as well been implemented as the perimeter of the network as seen in the organization’s network diagram. The organizations DR/BC programs have been organized in such a way that each program’s center serves as the host site and processing location for the other center. Each of the item processing facility is assigned a corresponding item processing that serves as a backup processing location. In this case, specific processing responsibilities for backup facilities have not been outlined. Again, transaction detail as well as item image files, specifically from the current day’s processing operations are uploaded from each item processing facility to their regional data center on daily basis. This aspect poses information security issues to the banking institution. Electronic vaulting has also been established at the data center. In this case, all e-mail, file, and application servers, as well as databases, at the data center, are continuously backed up to the other data center through dual dedicated fiber optic lines. Besides, full backups on critical data files, software programs, as well as configurations have been found to be performed once every week. Incremental backups are also performed on a daily basis Monday through Friday. At one of the item processing facilities, backup jobs have routinely failed under the basis of unknown causes. At the item processing facilities, the management has been found to have the task of contracting the off-site storage of the backup tapes in which case at one of the item processing facilities, the management has contracted a bank just across the street to store its backup tapes in a safety deposit box. This could be a meaningful idea, but information insecurity with no strong backup could be disastrous (IDG Communications, 2014). This has been even worse in the case where at another item processing facility, the night Operations Manager has been storing the backup tapes in a safe at his home. The same issue is found where at a third item processing center, tapes are stored in a shed at the back of the building. Recommended Security Strategy Most of the information security issues highlighted in the case study are based on organization’s reliance on information technology for survival. Concern on organization’s information security has thus become an issue by its own, which can be resolved by initiating the right strategy to mitigate and compact insecurity vulnerability in information and data storage as well as communication within Banking Solutions Inc. A meaningful strategy would in this regard would the initiation of best practices to promote information security within the organization whereby employees of Banking Solutions should be encouraged to make security awareness a priority (Brecht & McDonough, 2010). They can be encouraged to use Symantec Data Loss Prevention in enforcing the organization’s policies as well as changing employee behavior. Ensuring security awareness could be done by providing security information, showing reports and findings, as well as explaining most of the information security issues faced by Banking Solutions Inc. This strategy would encourage all stakeholders to come together and share insecurity information or even personal experiences. This would ultimately lead to the reinforcement of good security practices (Brecht & McDonough, 2010). Typically, security awareness strategy can be implemented and initiated formally or informally. Irrespective of the way the awareness is done, it should be meant to communicate the right message regarding information security (IDG Communications, 2014). The scope of security awareness should be to persuade the employees and clients to listen and act accordingly as measures to avoiding, deterring, detecting, and defending against threats on information security as well as security breach. This way, the organization could reach its key objective of information security awareness, which involve preventing incidents, attacks, threats, loss data, or disclosure of confidential information through unlawful means (Brecht & McDonough, 2010). Prioritizing the Strategy with a proposed timeline Information security awareness may not be readily achieved if the right procedures are not developed. The strategy would take a predetermined time before it is fully implemented. The entire process will take three weeks. In the first week, user training will be initiated. User training will involve providing education to all employees and other stakeholders. During the second week, employees will be assessed to determine the value of the training process and the possible benefits regarding the strategy’s objectives (Brecht & McDonough, 2010). The assessment would also provide essential elements for the awareness process. The assessment would be done under a meaningful plan that has common goals and objectives. The third week would involve the implementation of the right policies and procedures. This will be done after all the security issue have been addressed and understood how to respond to them. High-Level Remediation Plan regarding Next Steps A high-level remediation plan regarding the next steps in promoting information security involves key ideas that would ensure that future threats and incidents are avoided. Awareness activities such as training programs that are computer-based as well as training videos could be used. This aspect will avoid the case of taking necessary actions when insecurity problems occur. In future, employees in Banking Solutions Inc. will be able to ensure security on confidential data and information because they will have an adequate knowledge about information security. The management department for information and communication technology could also create pamphlet, signs, brochures, and posters for employees and other stakeholders to read and gain knowledge about the importance of ensuring information security and the best way forward (Brecht & McDonough, 2010). Computer and internet users are encouraged to use hard-to-guess passwords. Such passwords should also be changed frequently. Antivirus software programs should also be used on all computers since it will assist in data protection. Employees will be advised not give their personal or their clients’ information online to either non-trusted sites or individuals. In the most critical security cases, employees would be advised not to leave their computers logged in when they need to be away because someone else within the same organization could access confidential information illegally (Brecht & McDonough, 2010). Clients would be advised not to post online their private emails as this could invite spam emails. At all time, security software should be installed to aid in safeguarding personal and the organization’s data. References Brecht, D., & McDonough, M. (2010, June 4). Ideas to Promote Information Security Awareness. Retrieved from Bright Hub Inc.: http://www.brighthub.com/computing/enterprise-security/articles/75233.aspx IDG Communications. (2014, January 06). The important issues in Information Security today. Retrieved from CSO staff (CSO Online): http://www.cso.com.au/article/535154/important_issues_information_security_today_/ Hurst, S. (2013, February 22). Top 10 security challenges for 2013. Retrieved from Finalist Announcement : http://www.scmagazine.com/top-10-security-challenges-for- 2013/article/281519/ PROJECT 2: CASE STUDY 1 (CONT) ANALYSIS—IDENTIFY ITS CONTROLS Issues Related to Security Interoperability, and Operations Among the issues faced by Banking Solutions Inc, a number of them are related to security, interoperability, and operations. The issues related to these three aspects include the following: a) The company has not been ensuring frequent update of its data center DRBCP. The last update was done back in the year 2009, two year after it was created in 2007, which shows the inconsistence of maintaining often update as required in data and information management. b) The latest testing of the data center DRBCP was done in 2007. The testing activities were not even adequately done since it only consisted of a conceptual, table-top walkthrough of the DRBCP. The item processing facility DRBCPs have not even been tested yet. c) The site-specific DRBCPs have been written for the five largest item processing facilities with some remaining item processing facilities, which have a generic “small center” DRBCP template. This template is seen to have been distributed to and customized by facility management by June 2010, while up to four items processing facilities have not yet completed the customization exercise. d) Failure to identify Recovery Time Objectives as well as Recovery Point Objectives for the organization’s critical business processes and systems in the DRBCP was still another major issue. The critical systems in the DRBCP included detailed hardware inventories and software inventories. Other included processes and requirements within the DRBCP include critical business process including process owners, alternative processing facility addresses as well as directions, notification listing, critical plan participant roles, responsibilities, vender contact listing, core business forms, recovery procedures for core systems, as well as procedures initiated to manage public relations and communication. e) Not all the plan participants have been issued with the process plan as seen in the review of DRBCP distribution lists. This is an issue affecting the business process. Besides, storing the plan copies online and having the duplicate they depict the ineffectiveness of the business process. Better and safer ways of storing back information regarding the plan could have been applied. f) Another process issue is that all the participants of the critical plan have hardly been trained on how to use DRBC. g) Typically, several power users whose actions are recorded onto event logs have been found to have write access to the logs themselves even without administration approval, which facilitates possible information security risk. h) Various data centers have been established with each of the data centers acting as a “hot site” processing location for the other. The issue in this case is that, DRBCPs or even any other documentation hardly outline specific processing responsibilities for backup facilities. i) The other major issue is based on the poor backup storage of information. Full backups of critical data, software programs, as well as configurations are performed only once every week. This could be done even more frequently. j) At the item processing facilities, the management is tasked with offering contracts to the off-site storage of backup tapes while the management has contracted the bank across the street to offer storage for its backup tapes within a safety deposit box, at one of the item processing facilities. The night Operations Manager on the other hand, for another item processing facility, stores the backup tapes within a safe at his home. Tapes are stored in a shed at the back of a building at a third item processing center. Prioritization of IT Security Controls IT controls can be optimized and prioritized, but this would be based on immediate need, security posture, complexity, resource availability, and cost. The choice of security controls would be sensitive and thus intensive care would be necessary. Careful selection is typically important because it can help in securing information systems that are safe and promising (National Institute of Standards and Technology , 2014). The security category is very critical. Determination of the security category regarding information systems requires some intensive analysis. This determination should thus be a priority. This should include the potential values of impact to the respective objectives, such as confidentiality, availability, and integrity. The IT security category also determines the budget required for any specified IT control. In selecting meaningful IT security controls, approaches that are comparable, repeatable, and more consistent should be facilitated (National Institute of Standards and Technology , 2014). Further, recommendations for the minimum security controls for information systems need to be provided. The security controls in this case have to be in accordance with the FIPS 199, which entails the Standards for Security Categorization of Federal Information and Information Systems (National Institute of Standards and Technology , 2014). In this case, IT security controls will be initiated to achieve confidentiality, integrity, and availability. Regarding confidentiality, the preservation of authority restrictions on information access as well as disclosure would be very critical and the IT controls, which have the capabilities of achieving this objective, should be initiated. Such IT controls should include adequate means for the protection of personal privacy as well as proprietary (National Institute of Standards and Technology , 2014). Focusing of integrity achievement would be based on IT security controls that can guard against improper destruction of information or modification. The controls should ensure that there are no information repudiations and authenticities. When selecting the best IT security controls, availability should be considered a priority. This prioritization would ensure that there is timely access and reliable access to information. The same aspect would be applicable when using the same information. When there is a loss of availability, it would imply that there would be a disruption of access to information as well as problems in using such information. The security controls to be selected should be within the reach of the organization in terms of cost and timeline specifications. The prioritization process should be able to meet all the required security milestones. The milestones would help the organization protect its data and information from the risk factors as well as escalating information insecurity threats. The IT security controls should thus be able to show a roadmap the Banking Solutions Inc. can use in addressing the possible information risks with respect to their priority. The security controls should also be in a position of depicting the pragmatic approach, which could allow effective action against the specified security threats. The controls will also have to support the financial as well as the operational planning of Banking Solutions Inc. More importantly, the best IT security controls would be the one giving way to the promotion of objectives as well as measurable progress indicators in aspect like information security, item progress, and operations among others. This way, it will enhance the promotion of consistency among future security assessors. Generally, the selected IT security controls should be stable and flexible for the organization’s information systems. In this regard, the prioritized IT security control would meet the immediate security/protection needs of the organization as well as any demand for its future protection requirements and technology complexities (Dempsey, et al., 2011)). The IT security controls would definitely create a strong foundation for developing assessment methods and the right procedures for determining the effectiveness of security controls. The effectiveness of the selected security control is determined by the implementation correctness and how the implemented controls adequately meet the needs of Banking Solutions Inc. according to its immediate security risk tolerance. This aspect implies that security controls should be implemented in line with the prevailing security plan to address the existing threats as well as the organization’s security plans. Status of the organization’s security could be determined with the use of metrics that are established Banking Solutions Inc. to convey the organization’s information security posture, and its reliance under known information security threats. Applicable Government Regulations A number of government regulations and standards are applicable to the identified IT security controls. Such government regulations and standards are meant to govern the way the requirements have to be met, implemented, or even measured. Legislations and executive regulations, usually put emphasis on the management, quantification, and reporting of their security performances (Chew, et al., 2008). The main purpose of such regulations/legislations and standards are to aid in facilitating the streamlining of the US government operations. Through the regulations, it would be easy for Banking Solutions to improve on efficiencies regarding information security controls. The major legislations include the Federal Information Security Management Act (FISMA) and the Government Performance Result Act (GPRA) (Chew, et al., 2008). Some of the major regulations are based on the Federal Information Security Management Act (FISMA). FISMA requires organizations to provide adequate protection of their information resources by implementing security programs that are comprehensive and commensurate with the security information and data being processed, transmitted, or even being stored. Banking Solutions Inc. is also required through the Act to assess and report its performance regarding the implementation of its information security programs. FISMA is meant to provide comprehensive frameworks to ensure the effectiveness of its IT security controls. Through FISMA, the organization is required to have a clear understanding of the networked nature of the prevailing computing environment (Chew, et al., 2008). FISMA also provides for the information security controls management and ensures that the minimum information security controls are maintained. It provides a meaningful way of improving an oversight of the required standards regarding information security programs. FISMA also acknowledges the best security products in offering good information security to organizations like Banking Solutions Inc. Generally, FISMA mandates the National Institutes of Standards and Technology to develop standards and guidelines regarding information systems. It requires organizations to make the necessary steps in identifying and assessing security risks that could be facing their respective information systems. Organizations are then required to define and then implement the applicable information security controls in order to protect their respective information resources. Organizations are required to report on their information security status on quarterly and annually basis (Chew, et al., 2008). The GPRA mainly focuses on the improvement of information security program effectiveness as well as its efficiency through an adequate articulation of the program goals, as well as the provision of information on the performance of the information security program. Organizations are required by the government through GPRA to develop multiyear security control plans. The organizations’ performances are required to be reported against such plans. GPRA mainly mandates organizations to carry out strategic as well as performance planning activities that would always culminate in annual submissions of reports about information security strategic plans and their performance measures. Organizations are generally required to define their long-term goals and objectives, set targets of performance that are measurable, and report their performances against such goals and objectives (Chew, et al., 2008). Enhancement of Security Posture by Controls All IT security controls are meant to promote security on information and information system by enhancing the security posture of a given organization. The control considered, under the NIST Special Publication 800-53 is Unsuccessful Logon Attempts (AC-7). This control is with the family of AC- Access Control. The control enforces a limit to a user regarding every invalid logon attempts that are consecutive (National Institute of Standards and Technology , 2014). An information system is required under this control to automatically lock the account or node until it is released by the respective administrator. It delays the next logon attempt after the maximum number of unsuccessful trials is reached. The requirement that unauthorized users should not access information illegally is securely implemented successfully. The control applies irrespective of whether logon attempts are initiated using local or wide area network connections (NIST Special Publication 800-53 (Rev. 4), 2014). Automatic lockouts are usually initiated by the information system temporarily due to the potentiality for the service denial. The lockouts are released after some predetermined amount of time that has been established by the organization and this happen automatically. The organization can choose initiate different algorithms for use on different information systems with respect to the corresponding capabilities of the different systems’ components. This may happen when delay algorithms are selected. The security posture of the specific organization is thus enhanced through this control also given that responses to unsuccessful attempts to logon can be implemented at the application levels as well as at the operating system (NIST Special Publication 800-53 (Rev. 4), 2014). References Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008). Performance Measurement Gudie for Information Security. NIST Special Publication 800-55 Revision 1, 1-40. Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., . . . Stine, K. (2011)). I N F O R M A T I O N S E CU R I T Y: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Special Publication 800-137: Information Security Continuous Monitoring for Federal information Systems and Organizations, 1-36. National Institute of Standards and Technology . (2014, July 31). Security CONTROLS: Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from NIST Special Publication 800-53 Revision 4: http://csrc.nist.gov/groups/SMA/fisma/controls.html NIST Special Publication 800-53 (Rev. 4). (2014). Security Controls and Assessment Procedures for Federal Information Systems and Organizations: AC-7 - UNSUCCESSFUL LOGON ATTEMPTS. Retrieved from National Institute of Standards and Technology : http://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-7 PCI Security Standard Council. (2011). The Prioritized Approach to Pursue PCI DSS Compliance. PCI DSS Prioritized App roac h for PCI DSS 2.0, 1-18. PROJECT 3: CASE STUDY 1 (CONT) TECHNOLOGY EVALUATION The security technology analyzed in this project is the Unsuccessful Logon Attempts which entails the locking out of accounts due to unsuccessful login attempts. This could happen after a user tries to login to an account for a number of specified times without any success. This technology is typically core for security administrators who have the responsibility of protecting organizational data (TechTarget, 2014). The same could be applied in when protecting illegal access to SQL Server databases. Essentially, extra protection to password- protected websites or databases is important. Other than creation of a restriction technology/program, visitors IP address could be used to store the log attempts to an organization’s database in which it would be possible to block access to login failure for a predetermined length of time after a given number of unsuccessful attempts. Restricting access using the security restriction program is done to enhance information security. User often tries to get login information such as user name and password to gain unauthorized access to a restricted system or website. An organization could restrict extra number of users by only allowing a certain number of users in order to avoid extra load on server. To create the technology program, one needs to create a new table within the existing database. This table should strictly store information regarding any login attempts from a given organization’s computer. An SQL script could be used to create the table especially in MySQL Server for the organization. In most case, SQL is used as a query that is performed using a declarative SELECT statement. The SELECT element is used to retrieve data from the table created to store login information of users. SELLECT statements that are standardized do not have any persistent effects the organizations database. SQL is mainly designed to query the data contained within a rational database. It is usually a set-based and declarative query language. A programming process would be applied in this case. After the program is created successfully, the system will start checking any unauthorized logins attempts. When attempts limit is not reached, the system will check if the data entered is correct. Once the data is verified, all information about any previous login attempts are deleted (WebCheatSheet, 2014). Most information systems give room for only three unsuccessful attempts. For this program, the next authorization user would have only three login attempts, after which the system restricts access for 30 minutes (WebCheatSheet, 2014). The same user can retry for other three attempts before access is denied for another 30 minutes when the system records three unsuccessful attempts. Verifying account lock out configuration is very critical. For the verification process, the security properties for the system are reviewed. This is best done within the local security settings. Windows server operating systems could be used by default, including Window 2000 Server, Windows 2003 Server, and Windows NT 4.0 among others. As mentioned above, three attempts before being locked out are set by default, but this can be adjusted according to the organizations requirements and security vulnerability. The organization can address its information security needs by configuring SQL Server in such a way that all failed login attempts are recorded within the SQL Server Error Log. Achieving this requirement can be done following the right procedure of activating and frequently reviewing the audit level of the database security. The program would thus give the security management to review the number of failed login attempts to it information system/ server by users, in which it would be easy to learn about any brute force and other password attacks on the system/server. The auditing process on account logon failure events as well as account lockouts could be enabled by default. Similarly, the auditing of logon failures and the account lockouts can be disabled using the right policy procedure. The failure audits usually generate audit entries when logon attempts fail. This implies that whenever an invalid logon attempt happens, a message has to be generated within the event log. The administrator can then view the generated message in the reports of performance after he or she configures monitoring for the information system/server. The security administrator can monitor the server performance and create reports for the information system. This can be done using tools like the Monitoring and Reporting snap-in in Server Management tool (Microsoft Corporation, 2014). This tool provides information regarding server performance as well as usage. It also provides access to various tools for configuring monitoring options (Microsoft Corporation, 2014). The Monitoring Configuration Wizard is another tool used for enabling, modifying, or even repairing both the monitoring feature and the reporting feature of the server. The wizard is run after installing the server to establish the first monitoring configuration. The administrator would be required to run the wizard once again in case changes have to be made. Another important tool involves the server performance and usage reports, which contain detailed information regarding the usage of the system server and its condition. Reports about performance contain status information regarding services, security threat alerts, and performance counters. The report also contains internet account details and usage, as well as the prevailing remote connectivity. The program ensures that such reports are generated automatically on the basis of the selections made after running the Monitoring Configuration Wizard. Generally, this security technology program is based on stored procedures and it has both advantages and drawbacks in information security and management. One of the major advantages is the aspect of maintainability. In this case, it is easy to maintain because the used scripts are kept in one location whereby tracking information security and updating the system becomes easy. The technology program can be tested regardless of the application. Besides, business rules and regulations are completely isolated from the technology implying that there is hardly any confusion of having the existing business rules affect the security monitoring program. Since the program is based on stored procedures, speed optimization is achieved. SQL has the ability to perform set-based processing quickly and efficiently on large data. This means that the system can monitor unauthorized attempts initiated by a large number of users concurrently and ensure effectiveness. It ensures security through limiting direct access to data and information via defined roles within the database system. Security is also achieved through the provision of interfaces to the underlying data and information structures such that all implementations and the data/information are shielded (Hambrick, 2013). The common disadvantages of using the technology include limited coding functionality whereby robust application code is not applicable. Portability is not ensured because the security system is established only to protect data and information within the organization only. Upgrading to better versions may also be difficult, which implies that the technology may become less effective with time and more sophisticated security attack techniques are discovered. Besides, in case of errors, reports are hardly generated until runtime (Hambrick, 2013). Regarding the installation budget, the cost depends on the organization’s structure as well as concerns for development. This implies that the cost of the technology program would include both the installation cost and cost of maintenance. The information security program would definitely require a dedicated professional. Due to security risks, given that the developer may not be fully trusted by the organization, a separate DBA may be required to ensure that the developer does not access the information database at any given time (Hambrick, 2013). An extra cost will be incurred in this case. In any case, the key goal should be to develop an effective way of restricting unauthorized users or preventing users from overloading the information server. References Hambrick, P. (2013, June 4). Advantages and Drawbacks of Using Stored Procedures for Processing Data . Retrieved from seguetech: http://www.seguetech.com/blog/06/04/Advantage-drawbacks-stored-procedures-processing-data Microsoft (2014 ). Auditing failed logon events and account lockouts. Retrieved from TechNet: http://technet.microsoft.com/en-us/library/cc671957%28v=ws.10%29.aspx Tech Target. (2014, January). Locking out accounts with unsuccessful login attempts. Retrieved from TechTarget.com: http://searchsqlserver.techtarget.com/answer/Locking-out-accounts-with-unsuccessful-login-attempts WebCheatSheet. (2014). Blocking access to the login page after three unsuccessful login attempts. Retrieved from WebCheatSheet: http://webcheatsheet.com/php/blocking_system_access.php PROJECT 4: CASE STUDY 1 (CONT) SECURITY PLAN AND RECOMMENDATION MEMO This project involves the development of a Security Plan and a Recommendation Memo to the CIO. The plan communicates the security, policies, and the technologies being recommended from Projects 1, 2, and 3. Information Security Plan Executive Summery This information security plan is meant to establish and state the policies that govern Banking Solutions Inc.’s IT standards as well as practices. The plan will protect the organization’s information and its critical data resources from possible threats. The main objective is to ensure the existence business continuity in the organization, minimize business risks, and maximize the organization’s return on investment including business opportunities. The information security will be achieved through the implementation of suitable controls, which include policies, security technology processes, procedures, hardware and software functions, and organizational structures. The controls have to be established and implemented, monitored and reviewed, as well as improved accordingly. This would ensure that the organization’s security, as one of the many business objectives, is achieved. This involves governing the privacy, security, as well as confidentiality of the organization’s data. All users of the organization are required to follow the Banking Solutions Inc. policies. It is also required that the organization’s employees maintain a shared responsibility regarding security of the organization’s information with respect to their departments. Purpose The main purpose of this security plan is to see that Banking Solutions maintains confidentiality, integrity, and data availability. The plan also will ensure that Banking Solutions defines, develops, and documents information policies as well as procedures supporting the goals and objectives of the organization. The plan also aims to allow Banking Solutions to satisfy responsibilities regarding the legal and ethical requirements with respect to the organization’s IT resources. The security policies and procedures stand for the organization’s foundation. Internal controls would provide a system of checks as well as balances meant for identifying irregularities, preventing waste, as well as fraud and abuse of information. Scope The plan will apply to whole organization including the management, employees, and other stakeholders. The key idea is to ensure data security. The information to be protected is typically part of the organization’s assets such as data, images, text, software, and related information resources whether stored online, on computers, or on paper among other storage media. IT Governance Committee and Responsibilities It governance is typically the management’s responsibility. It consists of aspects such as the leadership, the organizational structure, and the process for ensuring that IT sustains and extends the organization’s strategies and objectives. The management in this case will be responsible for the people to govern the information security and the strategic direction to be taken. It will ensure that the information security objectives are achieved accordingly. The Organization’s Policy Statement All departments within the organization will be obligated to protect the organization’s information resources. This will be done by implementing the security standards as well as procedures that are developed and approved by the government and the Information Security Board of Review. The organization’s departments will be required to meet all the minimum security standards. All departments would be encouraged to adopt the standards exceeding the minimum requirements. The information users will be responsible for complying with the general policies and their respective departments’ policies. Enforcement All users will be required to comply with both federal and state laws as well as the organization’s policies and procedures that govern the high-sensitive data security. Any user caught engaging in unauthorized access, use, alteration, destruction, or disclosure of data/information will be violating this plan and will be subjected to the appropriate disciplinary action such dismissal or legal action or even both. Information Security Program Information security programs have been established, documented, and implemented. The programs are typically designed to improve IT operations effectiveness and ability to satisfy the existing regulatory requirements. The program is mainly set to ensure confidentiality as well as integrity of information within the organization. It is also meant to maintain an appropriate level of information and data accessibility. Three technological means have been put in place to ensure that information is protected from all reasonable forms of threat. The most technological/program measures include the use of firewall protection, use of remote access technology, and the use of account lockout technology/program (Avoyan, 2011). These technological means have both software and hardware components aimed at keeping information and related facilities secure. Regarding the firewall protection technology, the organization’s computers would be protected from internet threats by a firewall. An ISA Server is used to provide proxy firewall solutions to the organization. The firewall protection network diagram would be as shown in figure 1 below (Avoyan, 2011). Firewall Protection Technology Figure 1: Firewall Protection Network Diagram Remote Access Technology For the remote access technology, Banking Solutions Inc. would be able to control its users such that they can only connect to the internet from a specified remote location. This will allow the use of network resources, but at a controlled usage such that external threats are minimized. The same technology minimizes the risk of attackers gaining unauthorized access to the organization’s threats. The technology will enhance information security and allow user flexibility, even those willing to work from home (Microsoft, 2014). The remote access technology can be designed as shown in figure 2 below. Figure 2: Remote Access Technology Network Diagram Account Lockout and Password Technology Concept This technology program would be important because the security of the organization’s information relies on the restriction level against unauthorized users. This program controls aspects like the number of possible login attempts, password length, password uniqueness, as well as password lifespan. Other than logon attempts, it prevents dictionary attacks, which involve the use of known words to try to access account information (Microsoft, Account Lockout and Password Concepts, 2004). Brute force attacks, in which unauthorized users try all possible permutations, are prevented. Figure 3 describes the authentication process using the steps, which occur whenever logon attempts fail to work. Figure 3: A Network Diagram for Failed Logon Attempt Process Associated Costs The cost of ensuring security on the organizations information is relatively high. The cost would include installation cost for the three technologies, running costs, maintenance costs, and labor cost. The management will need to set a budget to meet these cost. Risk Assessment Risk assessment would be important to determine the vulnerability of the organization information to attacks. There is generally a high risk since Banking Solutions is a financial institution with some online transactions and mode of payment. Besides, financial information is highly vulnerable to security attacks. The management can thus formulate effective strategies after an effective risk assessment (Microsoft, Account Lockout and Password Concepts, 2004). Expected Return on Investment (ROI) ROI would be the benefits resulting from the investment of security technologies. The technologies are likely to yield high ROI in which the investment gains would compare favorably to the investment costs. As long as risks and previous security problems will be eliminated, the technologies will result to increased profitability of the business. ROI will determine the plan effectiveness (Farris, Bendle, Pfeifer, & Reibstein, 2010). It will be computed as follows: ROI = (Net profits / Investment Cost) × 100 Where: Net Profit = Gross Profits –Total Expenses Recommendation Memo MEMO TO: The CIO FROM: Information Security Planner DATE: October 25, 2014 SUBJECT: INFORMATION SECURITY PLAN FOR BANKING SOLUTIONS INC. Banking Solutions Inc. is currently facing significant information security problems. The sensitivity of its business operations requires the use of highly secured information systems. An information security plan has been designed to help solve the problem. The plan incorporates three key technological security programs. These include firewall protection technology, account lockout technological process, and a remotely controlled access technology. A combination of these technologies would ensure that all possible threats to the organization’s information are mitigated. The security plan will ensure that security on information is promoted with respect to the organization’s policies and government regulations. The main objective will be ensuring continuity of the business, minimizing information security risks, and maximizing the returns on investment (ROI). A close analysis has shown that although the investment cost would be relatively high, the financial benefits would be high. This is because the number of risks would be minimized greatly. Investors are likely to be attracted to the business because of the increased profitability and decreased risks of losses. This follows the fact that security controls would be in place to increase customer confidence as well. It is therefore recommended that the plan be reviewed the soonest possible in order to facilitate the necessary steps for implementation. It is also advisable to initiate any changes on the plan where necessary to perfectly meet the organization’s needs and budget especially given the prevailing changes within the business environment. References Avoyan, H. (2011, August 17). How to Protect Your Network: Firewall Best Practices. Retrieved from blog.monitis.com: http://blog.monitis.com/2011/08/17/how-to-protect-your-network-firewall-best-practices/ Farris, P. W., Bendle, N. T., Pfeifer, P. E., & Reibstein, D. J. (2010). Marketing Metrics: The Definitive Guide to Measuring Marketing Performance. . Upper Saddle River, New Jersey: Pearson Education, Inc. Microsoft. (2014, July 31). Account Lockout and Password Concepts. Retrieved from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx Microsoft. (2014). Securing Remote Access. Retrieved from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc875831.aspx PROJECT 5: CASE STUDY 2 High Level Plan Introduction This plan is designed purposely to guide the implementation of changes and mitigation of vulnerability and convergence issues in DaimlerChrysler (DC). It is a high-level plan that shows the system development life cycle (SDLC) for the proposed program for implementing the changes as well as for mitigating and solving the convergence issues. In the plan, the implementation solutions are related to Confidentiality, Integrity, and Availability (CIA). Generally, the plan incorporates people, processes, and technology. It defines, develops, and documents the information policies as well as procedures supporting goals and objectives of the organization. It would as well assist the organization to satisfy its ethical and legal responsibilities during the change implementation and when dealing with vulnerability and convergence issues. Goals and Objectives Business Goals and Objectives DC has been established mainly with a goal of boosting its profits by cutting spending and squeezing costs. This was viewed to be achievable after Daimler-Benz Ag buys Chrysler Corp. The main objective is to gain higher competitiveness and larger market for its car products. The newly established merger aims to boost its revenues and increase the net profits by benefiting from economies of scale. Project Goals and Objectives The project is meant to meet some key goals and objectives. While the merger has realized some advantages of economies of scale and profitability, there are issues related to the convergence. The merger has also been subjected to increased vulnerability due to its new scope and success factors. In such a case, criminals are likely to initiate threat to the company through various ways. The project therefore aims to solve the associated issues. One of the main goals is to mitigate such information security vulnerability which is attributed to its growth and the changing global technological advancements. Another goal is to solve the convergence issues that are likely to affect the business. The project objective is therefore to formulate a program that would lead to the achievement of these two goals while ensuring confidentiality, integrity, and availability of the information under focus. Scope The project scope here refers to the work to be accomplished throughout the project life cycle. The scope is highly important in the management of the project and its completion. The project is expected to meet the set deadline with resource restraint. This implies that changes could be initiated to the scope because if not approved, the project may not be completed successfully. Scope creep management would therefore be necessary. Scope creep would involve the expansion of the project scope when changes have to be initiated, and it could lead to an increase in the general project expenses. Scope Definition The project will involve a thorough study of the organization’s background including its time before converging with Chrysler Corp. to form DaimlerChrysler. It would be critical to consider Daimler-Benz Ag and Chrysler Corp. separately. The benefits associated with the convergence process will also be analyzed, including the ability to increase profitability, larger market share, cost reduction through economies of scale, and other benefits. Such advantages are then compared with the perceived or realized issues related to security vulnerability and convergence. The projected project expenses would also be evaluated to determine the project feasibility. The time for the project completion is also critical, which together with the financial costs would determine the project milestone in which all the activities requiring special attention are identified. Items beyond Scope Items beyond the project scope include the benefits of the business and the proposed project to the society and employees. The project will also have some impact on the national and global economies. Projected Expenses The projected expenses will include mainly the project cost. The projected expenses will be based on cost projection, which refers to a financial investment statement for the project development, its implementation, and maintenance (McConnell, 2010). The cost involves all expenses to be incurred when establishing the project initiating to make it fully operational. The financial investments will cover all the procurement costs, leases, tax payments, purchases of software and hardware, training programs, internal and external project resources, and installation costs. The financial investment statement would reflect operational costs estimates that include project maintenance costs and operations costs. These would cover the whole project lifecycle (McConnell, 2010). System Development Life Cycle/Schedule Cost estimates are best based on each work phase making the system development lifecycle. Each of the various phases makes use of different resources, different timeline, and consequently different expenses. The project would consist of various activities, but only the activities falling within the critical path would be important (Marakas & OBrien, 2010). Such activities would be the most useful in determining the projected expenses. Some activities may be included, but they may end up being beyond the scope of the project. Cost estimate should thus be based on the project’s critical path and the resulting phases (Marakas & OBrien, 2010). Essentially, the system development will be as follows: Figure 4: The Management Phases Network Diagram The organization will have a structured way of resolving the vulnerability issues with respect to Confidentiality, Integrity, and Availability of information/data. The first step is to discover the vulnerability areas by investigating all inventories/information available within the organization. Confidentiality ensures that sensitive information is prevented from being reached by unwanted people. This aspect will be a significant based for the analysis leading to the vulnerability discovery. This will be done with respect to the organization policies regarding confidentiality of information. The possible risks will then be prioritized after categorizing the possible risks based on the information integrity held by the organization. Integrity here ensures consistency, accuracy, as well as trustworthiness when handling data and information. Assessment is then done by determining a baseline risk profile in order to eliminate the risks based on criticality and vulnerability level among other aspects (Gibilisco, 2013). A report is generated by measuring the level of the business risks according to both business objectives and security policies, with respect to information availability. Availability refers to the way the information has been managed (Gibilisco, 2013). Rigorous maintenance of hardware, performance of hardware repairs, provision of redundancy and failure measures, and the existence of adequate communication bandwidth among other requirements should be considered when generating the report (Gibilisco, 2013). Remediation is done by prioritizing and fixing vulnerabilities according to the risks after which controls are established to demonstrate progress. The final step is to verify that the threats have been eliminated accordingly. These steps are shown in a network diagram shown below. Figure 5: Vulnerability Lifecycle Management Network Diagram Milestones Project milestones exist within the management framework and include events that need special attention. The milestones would be marking the beginning and the completion of work packages or the system lifecycle phases. They can be determined for the projected expenses since they are the basis for initiating corrective measures once problems arise. Assumptions The assumptions include: The time set for the project completion will be adequate The financial budget set for the project completion will be sufficient Adequate skills are available and there will be no need for extra labor or skills Constraints Project Constraints The project constraints include the following: Strict and limited time (short deadline) Strict budget Limited resources including skills limitation Critical Project Barriers The critical project barriers are likely to cause adjustment in the project development lifecycle. One of them is technical barriers in which the existing technology may limit the solution design. This constraint will cause adjustments in the skills, required, the time set, and the budget allocated for the project completion. References Avoyan, H. (2011, August 17). How to Protect Your Network: Firewall Best Practices. Retrieved from blog.monitis.com: http://blog.monitis.com/2011/08/17/how-to-protect-your-network-firewall-best-practices/ Centers for Disease Control and Prevention. (2014). Vulnerability Management Life Cycle. http://www.cdc.gov/cancer/npcr/tools/security/vmlc.htm. Farris, P. W., Bendle, N. T., Pfeifer, P. E., & Reibstein, D. J. (2010). Marketing Metrics: The Definitive Guide to Measuring Marketing Performance. . Upper Saddle River, New Jersey: Pearson Education, Inc. Gibilisco, S. (2013, May). Confidentiality, Integrity, and Availability (CIA). Retrieved from whatis.techtarget.com: http://whatis.techtarget.com/definition/Confidentiality-integrity- and-availability-CIA Ktenas, S. (2013). Effort Estimation for Software Development. Spyros Ktenas. Marakas, J. A., & OBrien, G. M. (2010). Management information systems (10th ed. ed.). New York: McGraw-Hill/Irwin. pp. 485–489. ISBN 0073376817. McConnell, E. (2010, November 17). Cost Projection Statement and Analysis. Retrieved from http://www.mymanagementguide.com/cost-projection-statement-and-analysis/ Michigan Technological University: Information Security Board of Review Members. (2011). Information Security Plan. Rev: 3, 1-27. Read More