Issues Related to Security Interoperability and Operations - Case Study Example

PROJECT 2: CASE STUDY 1 (CON'T) ANALYSIS—IDENTIFY ITS CONTROLS

Issues Related to Security, Interoperability, and Operations

A number of the issues faced by Banking Solutions Inc. are related to security, interoperability, and operations. The issues related to these three aspects include the following:

  • The company has not been updating its data center DRBCP frequently. The last update was done in 2009, two years after the plan was created in 2007, which shows that the plan is not being updated as often as data and information management requires.
  • The latest test of the data center DRBCP was done in 2007. The testing was not adequate, since it consisted only of a conceptual, table-top walkthrough of the DRBCP. The item processing facility DRBCPs have not been tested at all.
  • Site-specific DRBCPs have been written for the five largest item processing facilities, while the remaining item processing facilities have a generic “small center” DRBCP template. This template appears to have been distributed to and customized by facility management by June 2010, although up to four item processing facilities have not yet completed the customization exercise.
  • Another major issue is the failure to identify Recovery Time Objectives and Recovery Point Objectives for the organization’s critical business processes and systems in the DRBCP. For critical systems, the DRBCP includes detailed hardware and software inventories. It also includes critical business processes with their process owners, alternative processing facility addresses and directions, notification listings, critical plan participant roles and responsibilities, a vendor contact listing, core business forms, recovery procedures for core systems, and procedures for managing public relations and communication.
  • A review of the DRBCP distribution lists shows that not all plan participants have been issued with the process plan. This is an issue affecting the business process. In addition, the way copies of the plan are stored online and duplicated points to an ineffective business process. Better and safer ways of storing backup information regarding the plan could have been applied.
  • Another process issue is that the critical plan participants have hardly been trained on how to use the DRBCP.
  • Several power users whose actions are recorded in event logs have been found to have write access to the logs themselves, even without administrative approval, which creates a possible information security risk.
  • Various data centers have been established, with each data center acting as a “hot site” processing location for the other. The issue in this case is that the DRBCPs, and any other documentation, hardly outline specific processing responsibilities for the backup facilities.
  • The other major issue is the poor backup storage of information. Full backups of critical data, software programs, and configurations are performed only once every week. This could be done more frequently.
  • At the item processing facilities, management is tasked with contracting the off-site storage of backup tapes. At one item processing facility, management has contracted the bank across the street to store its backup tapes in a safety deposit box. At another item processing facility, the night Operations Manager stores the backup tapes in a safe at his home. At a third item processing center, tapes are stored in a shed at the back of a building.

Prioritization of IT Security Controls

IT controls can be optimized and prioritized, but this would be based on immediate need, security posture, complexity, resource availability, and cost. The choice of security controls is sensitive, so it calls for considerable care. Careful selection is important because it helps in securing information systems that are safe and promising (National Institute of Standards and Technology, 2014). The security category is critical. Determining the security category of an information system requires intensive analysis, so this determination should be a priority. It should include the potential impact values for the respective objectives: confidentiality, availability, and integrity. The IT security category also determines the budget required for any specified IT control. In selecting meaningful IT security controls, approaches that are comparable, repeatable, and consistent should be used (National Institute of Standards and Technology, 2014). Further, recommendations for the minimum security controls for information systems need to be provided.

The security controls in this case have to be in accordance with FIPS 199, the Standards for Security Categorization of Federal Information and Information Systems (National Institute of Standards and Technology, 2014). In this case, IT security controls will be initiated to achieve confidentiality, integrity, and availability. Regarding confidentiality, preserving authorized restrictions on information access and disclosure is critical, and IT controls capable of achieving this objective should be initiated. Such IT controls should include adequate means for protecting personal privacy and proprietary information (National Institute of Standards and Technology, 2014). Integrity would be achieved through IT security controls that guard against improper modification or destruction of information. These controls should also ensure information non-repudiation and authenticity. When selecting the best IT security controls, availability should be considered a priority. This prioritization would ensure timely and reliable access to information, and the same applies to the use of that information. A loss of availability implies a disruption of access to information as well as problems in using it.

The security controls to be selected should be within the reach of the organization in terms of cost and timeline. The prioritization process should be able to meet all the required security milestones. The milestones would help the organization protect its data and information from risk factors and from escalating information security threats. The IT security controls should thus provide a roadmap that Banking Solutions Inc. can use in addressing the possible information risks in order of priority. The security controls should also reflect a pragmatic approach that allows effective action against the specified security threats. The controls will also have to support the financial and operational planning of Banking Solutions Inc. More importantly, the best IT security controls would be the ones that promote objectives and measurable progress indicators in aspects such as information security, item progress, and operations, among others. This would promote consistency among future security assessors.

Generally, the selected IT security controls should be stable and flexible for the organization’s information systems. In this regard, the prioritized IT security controls would meet the immediate security and protection needs of the organization as well as its future protection requirements and technology complexities (Dempsey, et al., 2011). The IT security controls would create a strong foundation for developing assessment methods and the right procedures for determining the effectiveness of security controls. The effectiveness of a selected security control is determined by the correctness of its implementation and by how adequately the implemented control meets the needs of Banking Solutions Inc. according to its immediate security risk tolerance. This implies that security controls should be implemented in line with the prevailing security plan to address the existing threats as well as the organization’s security plans. The status of the organization’s security could be determined using metrics established by Banking Solutions Inc. to convey the organization’s information security posture and its reliance under known information security threats.

Applicable Government Regulations

A number of government regulations and standards are applicable to the identified IT security controls. These regulations and standards govern the way the requirements have to be met, implemented, or measured. Legislation and executive regulations usually put emphasis on the management, quantification, and reporting of security performance (Chew, et al., 2008). The main purpose of such regulations, legislation, and standards is to help streamline US government operations. Through the regulations, it would be easy for Banking Solutions to improve efficiency regarding information security controls. The major pieces of legislation include the Federal Information Security Management Act (FISMA) and the Government Performance and Results Act (GPRA) (Chew, et al., 2008).

Some of the major regulations are based on the Federal Information Security Management Act (FISMA). FISMA requires organizations to provide adequate protection of their information resources by implementing security programs that are comprehensive and commensurate with the security information and data being processed, transmitted, or stored. Through the Act, Banking Solutions Inc. is also required to assess and report its performance regarding the implementation of its information security programs. FISMA is meant to provide a comprehensive framework for ensuring the effectiveness of IT security controls. Through FISMA, the organization is required to have a clear understanding of the networked nature of the prevailing computing environment (Chew, et al., 2008). FISMA also provides for the management of information security controls and ensures that the minimum information security controls are maintained. It provides a meaningful way of improving oversight of the required standards regarding information security programs. FISMA also acknowledges the best security products in offering good information security to organizations like Banking Solutions Inc.

Generally, FISMA mandates the National Institute of Standards and Technology to develop standards and guidelines regarding information systems. It requires organizations to take the necessary steps to identify and assess the security risks facing their respective information systems. Organizations are then required to define and implement the applicable information security controls in order to protect their respective information resources. Organizations are required to report on their information security status on a quarterly and annual basis (Chew, et al., 2008).

The GPRA mainly focuses on the improvement of information security program effectiveness as well as its efficiency through an adequate articulation of the program goals, as well as the provision of information on the performance of the information security program. Organizations are required by the government through GPRA to develop multiyear security control plans. The organizations’ performances are required to be reported against such plans. GPRA mainly mandates organizations to carry out strategic as well as performance planning activities that would always culminate in annual submissions of reports about information security strategic plans and their performance measures. Organizations are generally required to define their long-term goals and objectives, set targets of performance that are measurable, and report their performances against such goals and objectives (Chew, et al., 2008).

Enhancement of Security Posture by Controls

All IT security controls are meant to promote the security of information and information systems by enhancing the security posture of a given organization. The control considered here, from NIST Special Publication 800-53, is Unsuccessful Logon Attempts (AC-7). This control belongs to the AC (Access Control) family. The control enforces a limit on the number of consecutive invalid logon attempts by a user (National Institute of Standards and Technology, 2014). Under this control, an information system is required to automatically lock the account or node until it is released by the respective administrator. The control also provides for delaying the next logon attempt after the maximum number of unsuccessful attempts is reached.

In this way, the requirement that unauthorized users must not gain access to information is enforced. The control applies irrespective of whether logon attempts are initiated over local or wide area network connections (NIST Special Publication 800-53 (Rev. 4), 2014). Because of the potential for denial of service, automatic lockouts initiated by the information system are usually temporary. The lockouts are released automatically after a predetermined amount of time established by the organization. When delay algorithms are selected, the organization can choose to use different algorithms on different information systems, according to the capabilities of the different systems’ components. The security posture of the organization is thus enhanced through this control, also given that responses to unsuccessful logon attempts can be implemented at the application level as well as at the operating system level (NIST Special Publication 800-53 (Rev. 4), 2014).
