Bank Solutions

Larry Hencshel

Project 2

CSIA 485

The analysis performed on the Bank Solutions infrastructure has identified numerous issues, and these need to be prioritized in terms of which areas are most important to address and how that can be achieved. The most effective approach is to use an established security standard as the foundation and then amend it as required to meet the specific requirements of Bank Solutions as an organization.

This can be facilitated through the targeted use of guidelines published by the National Institute of Standards & Technology (NIST), which provides a recognized and comprehensive set of security standards that have already been deployed across multiple enterprise organizations, and which is also responsible for the mandatory application of security standards across all Federal infrastructures.

The outcome of the Bank Solutions analysis and review is that the following elements need to be addressed first:

  • Backup Failure – BCDRP
  • Backup Policy – BCDRP
  • Status Updates – BCDRP
  • Communication – BCDRP
  • Testing – BCDRP
  • Authentication – Segregation of Duties
  • Authorization – Segregation of Duties
  • Security Policy – Auditing
  • Security Policy – Awareness & Training
  • Security Policy – Role Based Security Training

As the NIST standards have already been used across multiple organizations and industry types, the security controls selected here are presented in the form used by NIST SP 800-53. That publication defines management, operational, and technical controls, each of which contains appropriate security recommendations and solutions that can be leveraged for Bank Solutions:

  1. Backup Failure – BCDRP

Because backup failures have been identified and reported at Bank Solutions on a regular basis, urgent steps should be taken to resolve them. To date, as the rest of the infrastructure has remained largely stable, there has been little impetus to correct this. That should not prevent the issue from being addressed through the requisite NIST control:

Contingency Planning (CP) – Operational Control

CP-9(1).1 – Information System Backup

Assessment Objective:

The organization tests backup information to verify media reliability and information integrity.
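As an added illustration of what the CP-9(1) objective looks like in practice (this is example code, not part of the original paper or of NIST's guidance): a SHA-256 manifest is written alongside the backup set, and a later verification pass re-hashes every file and reports anything missing or corrupted, so media and integrity failures surface during testing rather than during a real restore. All file names and contents are constructed.

```python
# Added example, not from the original paper: a CP-9(1)-style backup check.
# A SHA-256 manifest is written with the backup set; a later pass re-hashes
# every file and reports missing or corrupted ones, so media and integrity
# failures surface in testing, not during a real restore. Files are constructed.
import hashlib, json, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(backup_dir):
    """Record the digest of every file in the backup set (except the manifest)."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name != "MANIFEST.json":
                full = os.path.join(root, name)
                manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest

def verify_backup(backup_dir):
    """Return {'ok': [...], 'missing': [...], 'corrupt': [...]} for the set."""
    with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo():
    """Constructed backup set, then one corrupted file and one lost file."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "db"))
    for rel, data in [("db/accounts.bak", b"ACCT,1001,500.00\n"),
                      ("db/ledger.bak", b"LEDGER,2024-01-01\n"),
                      ("config.tar", b"etc/config\n")]:
        with open(os.path.join(d, rel), "wb") as f:
            f.write(data)
    write_manifest(d)
    with open(os.path.join(d, "db", "ledger.bak"), "ab") as f:
        f.write(b"\x00")                      # simulate media corruption
    os.remove(os.path.join(d, "config.tar"))  # simulate a lost file
    return verify_backup(d)
```

A scheduled run of `verify_backup` against each backup set, with any non-empty `missing` or `corrupt` list raised to the BCDRP owner, is the evidence a CP-9(1) assessment asks for.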

  2. Backup Policy – BCDRP

As well as ensuring that sufficient configuration is in place to perform the backups themselves, there will need to be appropriate documentation of the procedures and policies to be followed, as defined by the following NIST control:

Contingency Planning (CP) – Operational Control

CP-9.1 – Information System Backup

Assessment Objective:

a. Conducts backups of user-level information contained in the information system

b. Conducts backups of system-level information contained in the information system

c. Conducts backups of information system documentation including security-related documentation

d. Protects the confidentiality, integrity, and availability of backup information at storage locations

  3. Status Updates – BCDRP
  4. Communication – BCDRP

Given the size and scope of the Bank Solutions organization, the way in which security issues and policies are communicated and updated will be critical to the long-term success and effectiveness of the organization's Information Systems. A variety of procedures and departments will be affected by the different policies, and the following NIST controls will be used to define these elements in the most efficient and effective manner:

Planning (PL) – Management Control

PL-1 – Security Planning Policy & Procedures

Assessment Objective:

a. Develops, documents, and disseminates to:

1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls

b. Reviews and updates the current:

1. Security planning policy

2. Security planning procedures

Contingency Planning (CP) – Operational Control

CP-1 – Contingency Planning Policy & Procedures

Assessment Objective:

a. Tests the contingency plan for the information system to determine the effectiveness of the plan and the organizational readiness to execute the plan

b. Reviews the contingency plan test results

c. Initiates corrective actions, if needed

  5. Testing – BCDRP

Given the importance attached to many of the Bank Solutions systems, there needs to be a way to ensure that configurations are tested and validated, and that disaster recovery and business continuity plans are evaluated before they are needed in response to a real-world situation. NIST provides appropriate controls by which such testing can be achieved:

Contingency Planning (CP) – Operational Control

CP-4(2).1 – Contingency Plan Testing & Exercises

Assessment Objectives:

The organization tests the contingency plan at the alternate processing site, to familiarize contingency personnel with the facility and available resources; and to evaluate the capabilities of the alternate processing site to support contingency operations

  6. Authentication – Segregation of Duties
  7. Authorization – Segregation of Duties

The core network implementation and associated Information Systems at Bank Solutions will be maintained on a continual basis by a variety of administrators and system users. While permissions and access may be defined to facilitate these roles, it will also be a requirement to ensure that no single person is entirely responsible for a system or holds authorization in excess of their defined organizational roles and responsibilities:

Access Control (AC) – Technical Control

AC-5.1 – Separation of Duties

Assessment Objective:

a. Separates duties of individuals

b. Documents separation of duties of individuals

c. Defines information system access authorizations to support separation of duties
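As an added illustration of the AC-5 objectives (example code, not part of the original paper): a conflict matrix names pairs of permissions that one person must not hold together, and the checker reports every user whose combined role grants violate a pair, plus any system whose administration rests on a single person. The roles, permissions and user assignments are constructed banking examples.

```python
# Added example, not from the original paper: an AC-5-style separation-of-
# duties check. CONFLICTS lists constructed "toxic" permission pairs (initiate
# and approve the same transfer; administer a system and review its own audit
# logs). find_sod_violations flags users whose roles combine to grant both
# halves of a pair; single_points_of_control flags a permission held by
# exactly one person, i.e. a system with no second administrator.

# Constructed role definitions: role -> set of permissions it grants.
ROLES = {
    "teller":         {"transfer.initiate", "account.view"},
    "supervisor":     {"transfer.approve", "account.view"},
    "sysadmin":       {"server.admin", "backup.run"},
    "audit_reviewer": {"audit.review"},
}

# Constructed toxic combinations: no single individual may hold both.
CONFLICTS = [
    ("transfer.initiate", "transfer.approve"),
    ("server.admin", "audit.review"),
]

def effective_permissions(user_roles):
    """Union of the permissions granted by all of a user's roles."""
    return set().union(*(ROLES[r] for r in user_roles))

def find_sod_violations(assignments):
    """assignments: user -> list of roles. Returns [(user, perm_a, perm_b)]."""
    violations = []
    for user, roles in sorted(assignments.items()):
        perms = effective_permissions(roles)
        for a, b in CONFLICTS:
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations

def single_points_of_control(assignments, permission):
    """Return the lone holder if exactly one user holds `permission`, else None."""
    holders = [u for u, roles in assignments.items()
               if permission in effective_permissions(roles)]
    return holders[0] if len(holders) == 1 else None

def demo():
    """Constructed assignments containing one conflict and one lone admin."""
    assignments = {
        "alice": ["teller"],
        "bob":   ["teller", "supervisor"],   # can both initiate and approve
        "carol": ["sysadmin"],               # the only server administrator
        "dave":  ["audit_reviewer"],
    }
    return (find_sod_violations(assignments),
            single_points_of_control(assignments, "server.admin"))
```

Running the check over the real role assignments, and keeping CONFLICTS under change control, gives the documented evidence that items b. and c. above ask for.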

  8. Security Policy – Auditing

All of the Information Systems used at Bank Solutions generate logs and information about their utilization and relative levels of performance. These should be reviewed on a regular basis from a security standpoint, as such review is critical to determining the current state of security and to identifying security vulnerabilities and issues at the earliest possible opportunity:

Audit/Accountability (AU) – Technical Control

AU-6 – Audit Review, Analysis, and Reporting

Assessment Objective:

a. Reviews and analyzes information system audit records for indications of inappropriate or unusual activity

b. Reports findings to organization-defined personnel or roles

  9. Security Policy – Awareness & Training
  10. Security Policy – Role Based Security Training

All Bank Solutions personnel need to be made aware of their own responsibilities for carrying out their tasks in the most effective manner from a security point of view. There will therefore need to be a considered approach to ensuring that personnel receive regular security training:

Awareness/Training (AT) – Operational Control

AT-1 – Security Awareness and Training Policy and Procedures

Assessment Objective:

a. Develops, documents, and disseminates to:

1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls

b. Reviews and updates the current:

1. Security awareness and training policy

2. Security awareness and training procedures

Awareness/Training (AT) - Operational Control

AT-3 - Role-Based Security Training

Assessment Objective:

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

a. Before authorizing access to the information system or performing assigned duties

b. When required by information system changes; and

c. Quarterly thereafter

Conclusion

Taken together, these security controls will address the risks that were identified and will place the organization on a stable and secure foundation from which future changes can be made in line with business requirements and the surrounding environmental circumstances.
