IT Controls - Case Study Example

Case Study: IT Controls Introduction This document examines the security issues related to security, interoperability, andoperations of Bank Solutions, Inc. In addition, it prioritizes and articulates selected requirements based on immediate need, security posture, complexity, available resources, and cost. Furthermore, it takes into consideration the applicable regulations and standards and establish the applicable control measures. Security and privacy controls of information systems is one of the primary strategies organizations and individuals implement to protect their operations, assets, etc. from various threats such as natural catastrophes, human errors, cyber-attacks and structural failures (FIPS, 2006). Organizations customize and execute security controls as part of its far-reaching practices for the management of privacy risk and information security. The security control processes are provided for by the legislations, policies, executive guidelines, standards, directives, conventions, missions and business requirements and they aim to address various security and privacy needs of the organizations or individuals (NIST, 2013). Each group or individual has specialized selections of controls designed for specific organizational functions, technologies, and business environment. The significance of establishing security functionality and assurance is to ensure the trustworthiness of the information technology systems and products based on sound systems and security engineering principles (NIST, 2013). The information security controls are intended to expedite compliance with appropriate federal laws, policies, executive orders, standards, directives, and guidance. The compliance of the information system with the laws and regulations involves the organizations executing absolute attentiveness concerning risk management and information of the security (FIPS, 2006). These includes using appropriate information as a program for executing risk management of the entire organization, utilizing reliability and flexibility to ensure the organization’s documented controls satisfy the organization’s goals and requirements. The organization should use available tools and techniques at its disposal for developing, implementing and maintaining protections and controls of information systems. Security control refers to safety measures and designed or recommended for an organization to ensure reliability, privacy and accessibility of data processed, stored and transferred by those organizations and placate a range of defined security requirements (NIST, 2013). It is imperative for the top managers to understand the insecurity associated with information system of the organization and the adverse effects of such insecurity on the firm’s processes, properties, individuals, other companies and the nation-state (Greene, 2014). They must also be aware of the existing security programs and the security controls in existence to safeguard the firms’ information and information system. Such knowledge will enable organizations leaders to make an informed judgment and take appropriate measures to mitigate threats to tolerable levels (NIST, 2013). The critical goal of such measures is to ensure day-to-day involvement in the organizations activities to provide adequate security measures to prevent “unauthorized access, use, disclosure, disruption, modification or destruction of information” (NIST, 2013, p. 2). For an organization to achieve adequate information security, the stakeholders must ensure multifaceted missions processes and information systems of the firm. A. Bank Solutions, Inc. Information Security Issues 1. Regular update of information: The firm does not maintain up-to-date data. The consultant firm is conducting a review of the firms security established that they had written current their current data center DRBCP in 2007, and the last update was made in 2009. According to Johnson ( 2014), a firm must update its data daily or weekly to ensure maximum security of information. 2. Adequate and complete assessment of organization’s processes and facilities: The organization conducted a test for its data center DRBCP in 2007 using conceptual table-top walkthrough testing activities, but they had not tested item processing facilities. 3. Ensure complete, flexibility and availability of processes: Although the organization had written site-specific DRBCP for its five largest items processing facilities they had written the item facilities for generic small centers. Furthermore, there were four item processing facilities that had not completed customization process. 4. Recognize and document all business processes: The management had not identified all the critical business process and system in the DRBCP 5. Share control plans with all stakeholders: The review of the DRBCP distribution list revealed that not all principal participants have a copy of the plan. However, the Chief Executive Officer did not consider it as an important aspect of effective security controls. 6. Provide training to all stakeholders: Most of the critical plan participants did not have training on how to use DRBCP. According to FIPS (2006), the organization is responsible for offering information system users basic security awareness at levels from contractors, senior executives to managers. They offer such training for new users, when the necessity for such training occurs as a result of changes in information system and any other time the organization deems it necessary to offer such training. Also, the users require training for awareness on information security and user action to ensure security and respond to alleged security episodes. 7. Establish policies and standard guidelines: Apart from the robust host-based IDS the organization has implemented, there are no policy principles, guidelines or practices on security implementation phases. 8. Regulate the right of access to information: Although the organization was performing event log when power users carried out particularly privileged undertakings on production servers, most of the same power users had write access to the event logs where their actions had been recorded. 9. Maintaining of manual and electronic documents: The firm has organized its DR/BC into ‘sister center’ format whereby each center serves the rests as its ‘hot site’ processing place and each processing facility has its designated item processing facility functioning as backup processing location (FIPS, 2006). However, there was no documentation outline functioning as a backup service for accurate processing. 10. Storage of backup: The storage of the backup of item processing facilities has been maintained. However, some of the backups are not securely stored because the night operations manager has kept one in a safe at his home while the other is stored in a shed at the back of the building. The one back that has been put in a secure and reliable custody is that which is in safety deposit box in another bank. The safety of the other backups is unreliable (NIST, 2013). B. Prioritizing Security Issues 1. The organization should assess and document the existing processes and assets that need to be secured. The management should maintain complete records of these facilities and the necessary security measures to be implemented. This should also include processing, storage and transmission of information. 2. The management should create, document, update and execute security controls to achieve its requirements and objectives. 3. Bank Solution, Inc. should ensure the information is complete, flexible and available to all relevant users. The control system works and the importance of such controls on the information system to the individuals and the organization. 4. Assess the completeness of control practices and information system. 5. Share control plans with all relevant stakeholders. 6. The management should ensure all workers at various levels have adequate training on how the 7. The establishment of policy guidelines to control the individual and organization processes and information dissemination. 8. The information system officers should restrict the right to access the information to relevant persons. The information should be made available to the persons within their department to promote their performance, but the same should be restricted to other departments unless such departments require it for decision-making. 9. Securing the backup of the item processing facilities. Such backups should be stored in the banks, and other copies in a safe within the firms building where they can be accessed by an authorized individual. Other top managers in the information technology department should be able to access the backup in the absence of the responsible officer. 10. The firm should maintain both manual and electronic copy of the control practices they are implementing on the information security systems. C. Government Regulations The E-Government Act articulates information security with economic and national security concerns. Federal Information Security Management Act (FISMA) of 2002 stresses on the significance for organizations to create, document and apply organization-wide program to offer security for the information systems that supports its processes (NIST, 2013). That would apply to Bank Solution, Inc. to protect the security of information during transmission to other banks and across departments. The National Institutes of Standards and Technology (NIST) establish various standards for security controls of information (NIST, 2013). For instance, it establishes minimum requirements for the organizations to safeguard and control organization’s information. The standards also ensure adequate information safety for all agency processes and properties apart from national security systems. WHMIS) is a national hazard communication standard applicable in Canada in alignment with the US standards. Its purpose is to categorize, label hazardous containers, provide safety material sheets and offer training programs to the workers (Greene, 2014). The President Management Agenda (PMA) is a presidential decree or order requiring public organizations to implement specific management practices focused on improving services to the citizens (Greene, 2014). It emphasizes on regular reviews for departments, increased administrative flexibility, and public accountability. The requirement or order in line with the practices of the private organizations such as Bank Solution, Inc. 4. Security Controls Related to the Issue Audit and accountability: The organization should always conduct an audit and ensure accountability of the available assets and control measures in place to ensure complete protection of information systems (Welch, 2009). For example, the CEO of the Bank Solution has not been dismissing some of the claims about failing systems in the organization. Awareness and training: Bank Solutions can increase its performance by offering regular training to its workers on the importance of various control practices and processes of information systems. Training will improve employees’ efficiency and promote accessibility, availability and flexibility of information to the relevant users. Contingency management: This is based on the principle that workers with desired characters are rewarded adequately while those with undesired behavior severely punished (Welch, 2009). This principle encourages employees to adhere to the organizational rules and regulations hence increase in productivity. Since the workers at Bank Solutions have been earning low income execution of contingency management can help the organization to motivate employees based on individual or group performance (U.S. Department of Justice, 2014). Systems and communications protections: Banking Solution Inc. should ensure the safety of information and communicate the planned control processes to the relevant persons for effective organizational performance. This will enhance security by restricting access to information to appropriate users. U.S. (Department of Justice, 2014). References FIPS, 2006). Minimum Security Requirements for Federal Information and Information Systems FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Retrieved on 2nd April 2015 from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final- march.pdf Greene, S. (2014). Security Program and Policies: Principles and Practices. Pearson College Division. Johnson, R. (2014). Security Policies and Implementation Issues, (2nd Ed.). USA: Jones & Bartlett Publishers. NIST, (2013). Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4. Retrieved on 2nd April 2015 from http://disa.mil/services/dod-cloud-broker/~/media/files/disa/services/cloud-broker/nist-sp80053-securityandprivacycontrols.pdf U.S. Department of Justice, (2014). Criminal Justice Information Services (CJIS) Security Policy, Federal Bureau of Investigation, Version 5.3. Retrieved on 2nd April 2015 from http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center Welch, D. (2009). Determinants Of International Human Resource Management Approaches and Activities: A Suggested Framework. Journal of Management Studies, 31, 139-164 Read More