CSIA 485 Case Study 1 Gap Analysis
Key Issues, Challenges and Risks from the Case Study
Bank Solutions Inc is a financial institution that underwent an operational restructure through the implementation of a new information system. The new system increased profit generation and elevated the company's competitive position in the market. The risk assessment performed on the company prior to its sale identifies several operational shortcomings in documentation, management and operational cohesion. First, the Data Center Disaster Recovery and Business Continuity Plan (DRBCP) is outdated. The DRBCP was last updated in 2009, so it does not reflect current standards. Equally, the DRBCP was last tested in 2007, which suggests that the plan is susceptible to risks that have developed since then. Several participants in the distribution list of the DRBCP do not possess a copy of the plan, which constrains the effectiveness of its application. In addition, participants in the distribution list are not adequately trained on how to apply the DRBCP.
The biggest threat to Bank Solutions Inc is the inadequacy of its recovery time and recovery point objectives. The impact analysis of the DRBCP found that no critical business process has such objectives defined. Recovery time objectives are forward-looking calculations that describe the expected state of the organization when a risk event halts operations. The DR plan needs to integrate the recovery time objective in order for the enterprise to withstand loss. The recovery point objective in the DR plan stipulates the point in time from which the recovery process should restore data given a risk event and loss. Lack of a recovery point objective in the DR plan means that Bank Solutions Inc has no defined backup frequency and therefore cannot recover certain information if it is lost.
The DR/BC program implemented by Bank Solutions Inc uses the sister center concept, where each data center acts as the processing location for the other. However, there is no backup processing location, meaning the DRBCP does not account for information backup. The bank also faces a backup failure in one of the processing facilities: job logging has routinely failed to back up, for unknown reasons. Bank management has been assigned the responsibility of identifying and hiring an offsite storage facility, and poor contracting may result in ineffective information processing and storage. The final risk the financial institution faces is the large number of workers who have access to log files. Several workers possess the same access rights as administrators, putting the information in the log files at risk of damage, loss or modification. An overview of the system deployed by Bank Solutions shows that the information system lacks confidentiality and integrity to some degree, while the recovery process is equally ineffective.
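As an added illustration (not part of the original case study), the following Python checker applies the gap criteria above to a constructed DRBCP record: plan staleness, distribution-list coverage, and whether each critical process has an RTO/RPO and a backup cadence that can satisfy its RPO. The process names, figures, months and assessment date are assumed; only the 2009 and 2007 years come from the case.

```python
from datetime import date
# Constructed sample data (illustrative, not from the case file). RTO/RPO are in hours;
# None means the DRBCP never defined the objective. backup_interval_h is the observed
# gap between successful backups; None means backups are failing.
PROCESSES = [
    {"name": "core ledger",   "rto_h": 4,    "rpo_h": 1,    "backup_interval_h": 0.5},
    {"name": "job logging",   "rto_h": None, "rpo_h": None, "backup_interval_h": None},
    {"name": "wire transfer", "rto_h": 2,    "rpo_h": 0.25, "backup_interval_h": 24},
]
PLAN = {
    "last_updated": date(2009, 6, 1),  # years from the case; day and month assumed
    "last_tested": date(2007, 3, 1),
    # distribution list: does each participant hold a copy, and have they been trained?
    "distribution": {
        "ops lead":    {"has_copy": True,  "trained": True},
        "dc manager":  {"has_copy": False, "trained": False},
        "it director": {"has_copy": True,  "trained": False},
    },
}
def plan_gaps(plan, today, max_age_days=365):
    """Flag staleness of the plan itself and holes in its distribution list."""
    gaps = []
    for field in ("last_updated", "last_tested"):
        age = (today - plan[field]).days
        if age > max_age_days:
            gaps.append(f"plan {field.replace('_', ' ')} {age} days ago (limit {max_age_days})")
    for who, state in plan["distribution"].items():
        if not state["has_copy"]:
            gaps.append(f"{who}: no copy of the plan")
        if not state["trained"]:
            gaps.append(f"{who}: not trained on the plan")
    return gaps

def process_gaps(processes):
    """Per process: missing RTO/RPO, and whether the backup interval can meet the RPO."""
    gaps = []
    for p in processes:
        if p["rto_h"] is None:
            gaps.append(f"{p['name']}: no RTO defined")
        if p["rpo_h"] is None:
            gaps.append(f"{p['name']}: no RPO defined, so no backup frequency can be justified")
        elif p["backup_interval_h"] is None:
            gaps.append(f"{p['name']}: backups failing, RPO {p['rpo_h']}h cannot be met")
        elif p["backup_interval_h"] > p["rpo_h"]:  # worst-case loss exceeds accepted loss
            gaps.append(f"{p['name']}: backup every {p['backup_interval_h']}h exceeds RPO {p['rpo_h']}h")
    return gaps
if __name__ == "__main__":  # assessment date assumed
    for g in plan_gaps(PLAN, date(2012, 1, 1)) + process_gaps(PROCESSES):
        print("GAP:", g)
```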
Recommended Security Strategy
The general goal of the strategy is to optimize risk management and ensure gradual improvement of the system over time. To accomplish this goal, Bank Solutions Inc requires a motivating factor and a collection of small short-term objectives that add up to one whole plan. The recommended long-term strategy is divided into three short-term plans.
One: Establish Governance and Classification of Information
Classification of data is important in the development of intelligence for any financial organization. Data governance spans authoritative resources such as research information and intellectual property. The process requires clear oversight as well as efficient stewardship from personnel who ensure data integrity, access control and overall security. Successful data governance revolves around the collection, prioritization, labeling, retrieval and management of the various data formats used in transactions, research and documentation.
Two: Equip Personnel Through Training, Awareness and Consultation
An organization in a modern networked environment cannot ensure the integrity, confidentiality and availability of information for transaction parties if each person within the organization does not understand their duties and responsibilities. The key to addressing human-related risks in information security is training, awareness and education. Depending on their level of education and position in the job hierarchy, personnel need to undergo appropriate training on a frequent basis in order to secure the information assigned to their care. In addition, through training and awareness the organization needs to establish a collaborative workforce held together by common understanding.
Three: Optimization of Services, Compliance Assistance and Measurements
Bank Solutions Inc requires tools and technical controls that achieve compliance with financial and technological standards. Further automation of processes is necessary to mitigate threats. Situational awareness can be integrated into the DRBCP in order to increase the accuracy of risk estimation, which in turn reduces response time through effective planning. Understanding of risk across all processes is further improved by integrating practices such as vulnerability management, intrusion detection, forensics, security event management and patch management.
The above three strategy phases link directly to the overall Bank Solutions Inc risk mitigation plan and further address inefficiency of operations.
Proposed Security Solutions and Relationships to the Case Study
Based on the impact analysis and recent security events, the following measures should apply to all endpoint devices and processes in Bank Solutions Inc:
- Operate behind a registered and tested firewall that is monitored centrally, tested annually and granted semi-annually. The prior information system was decentralized for event logging and hosting, presenting efficiency and access challenges for the organization.
- Contact all organizational units in order to identify owners, custodians and stewards of information, so as to establish data governance, accountability and data classification.
- Move general data to a central location in order to increase data access and availability to all departments of the bank. Centralization will also remove the redundancies that arise in data movement, in the differing storage methods of decentralized systems and in departmental communication.
- Perform Identity Finder runs and result reporting centrally and annually in order to improve risk identification and management capabilities.
- In physical threat monitoring, equip access control systems such as card readers and door locks with a wide range of sensors and interconnected alarm actuators that are triggered by unauthorized access.
- Enhance information system security through interoperability of components, so that functionality continues in the absence or failure of one component. For instance, Bank Solutions can combine communication devices with security devices, allowing the communication system to act as an alarm actuator if the alarm system fails. Similarly, employees can act as security personnel by constantly monitoring the information system.
Security Strategy Timeline
Future Steps in Mitigation of Risks