IT Security Controls Discussion

Description

Project #2 Identify Requirements

Instructions  

Using the case study and NIST SP 800-53, identify and prioritize the IT security controls that should be implemented. Discuss any applicable US Government regulations/standards that apply to this organization (the organization is the one from Project 1).

Step by Step  

Step 1: Review the selected case study and describe at least 10 issues related to security, interoperability, and operations.

Step 2: Prioritize and articulate the selected requirements based on immediate need, security posture, complexity, resource availability, and cost.

Step 3: Identify at least 4 applicable government regulations/standards that govern how the requirements must be met, implemented, or measured. Provide rationale for why these are applicable.

Step 4: Using NIST Special Publication 800-53, select at least 4 security controls that relate to these issues and describe how these controls enhance the security posture or facilitate the secure implementation of these requirements.

Additional Information

  1. Consult the grading rubric for specific content and formatting requirements for this assignment.
  2. Your 5–8 page paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings and page breaks to organize your paper.
  3. Your paper should use standard terms and definitions for cybersecurity. See Course Content > Cybersecurity Concepts Review for recommended resources.
  4. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx.  
  5. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.  
  6. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.  
  7. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.). 

Unformatted Attachment Preview

Journal of Information Systems Education, Vol. 22(2)

Teaching Case

Bank Solutions Disaster Recovery and Business Continuity: A Case Study for CSIA 485

Steve Camara
Senior Manager, KPMG LLP
1021 E Cary Street, Suite 2000, Richmond, VA 23219
scamara@kpmg.com

Robert Crossler, Vishal Midha
Assistant Professor, Computer Information Systems
The University of Texas – Pan American
recrossler@utpa.edu, vmidha@utpa.edu

Linda Wallace
Associate Professor, Accounting and Information Systems
Virginia Tech
wallacel@vt.edu

ABSTRACT

Disaster Recovery and Business Continuity (DR/BC) planning is an issue that students will likely come in contact with as they enter industry. Many different fields require this knowledge, whether employees are advising a company implementing a new DR/BC program, auditing a company's existing program, or implementing and/or serving as a key participant in a company program. Oftentimes in the classroom it is difficult to find real-world practice for students to apply the theories taught. The information in this case provides students with real-world data to practice what they would do if they were on an engagement team evaluating a DR/BC plan. Providing students with this opportunity better prepares them for one of the jobs they could perform after graduation.

Keywords: Case study, Computer security, Critical thinking, Experiential learning & education, Information assurance and security, Role-play, Security, Team projects

2. CASE TEXT

2.1 Company Background

Bank Solutions, Inc. (a pseudonym), founded in 1973 by the First Presidential Bank, a major bank of its time, is a provider of item processing services[i] to community banks, savings and loan associations, Internet banks, and small- to mid-size credit unions. It offers a full range of services, including in-clearing and Proof of Deposit (POD) processing, item capture, return and exception item processing, image archive storage and retrieval, and customer statement rendering. Bank Solutions was formed in 1973 when the Chief Operating Officer of First Presidential Bank, a major commercial bank, recognized an opportunity. Since item processing functions are standardized (they have to be in order for originating and receiving financial institutions to clear customer transactions) and scalable with increases in item processing volumes, they were able to offer these services to other financial institutions wishing to reduce operating expense and focus on growth strategies and other core business functions. First Presidential marketed these services under the Bank Solutions brand name.

Over the next 15 years, Bank Solutions enjoyed modest growth. By 1988, it served 41 small- to mid-size financial institutions. It had not, however, developed a market presence outside of the Northwestern Region of the United States, as management had hoped. This was primarily because Bank Solutions was unable to compete with other item-processing service providers that had developed proprietary software systems considered "top of the line." To make matters worse, at the time almost one quarter of Bank Solutions' client base was savings and loan associations (savings and loans). As a result of the Savings and Loan crisis, 60% of Bank Solutions' savings and loan customer base failed over the six years spanning 1985–1991, thus stunting the outsourcer's growth. The related slowdown of the financial services and real estate industries and the recession of 1990–1991 presented further headwinds to the growth objectives of First Presidential management. In 1994, First Presidential sold off Bank Solutions. Under new management, Bank Solutions thrived.

Keys to the company's renewed success included the following:

• The development of key strategic partnerships with other industry participants, including data clearing houses and financial institution core processing system[ii] outsourcers.
• The introduction of a new company culture that focused on open door management, mentoring, and enhanced employee benefits.
• The development of a proprietary, state of the art item processing system that uses state-of-the-art Optical Character Recognition (OCR) technology to achieve character recognition accuracies that were previously unheard of.
• The implementation of "remote capture" technologies[iii] to meet electronic banking initiatives and regulations such as "Check 21."
• The upgrade or replacement of other administrative information systems, including the company's financial reporting system. This helped to increase operational effectiveness and efficiencies.

From 1995–2008, Bank Solutions enjoyed unprecedented growth. During that timeframe, the company expanded operations to 18 item processing facilities, two data centers in which the item processing system was hosted, and 345 financial institutions.

2.2 Current Scenario (2011)

Douglas Smith, the Chief Information Officer for Bank Solutions, was one of the original members of "new management" and responsible for many of Bank Solutions' past successes. A solid, middle-sized company with continued growth potential, Bank Solutions has become a target for a leveraged corporate buyout. This is an attractive situation for Douglas and other members of executive management. Several of these individuals are close to retirement, and initial indications are that the price of the buyout will be very favorable for members of executive management. The CEO and other influential members of executive management want Bank Solutions to remain an attractive purchase option and, as a result, have contracted the services of your team as an outside consultant to identify operating and regulatory risks and advise them on control measures to mitigate the risks.

2.3 Risk Assessment Task

As members of the engagement team performing the risk assessment, your team has been given the task of assessing Bank Solutions' incident handling, business continuity, and disaster recovery strategy. In order to perform the assessment, preliminary interviews with Douglas Smith, the Data Center Managers, Systems Engineers and Network Architect in each of Banking Solutions' data centers, and the IT Managers and Day and Night Operations Managers from seven of the largest item processing facilities were conducted. Additionally, the following documentation related to Bank Solutions' security incident management and DR/BC planning activities was reviewed:

• Flow charts that diagram the item processing operations and data flow between Bank Solutions item processing facilities and data centers and outside entities (see Appendix A)
• A diagram of Bank Solutions' network architecture
• Bank Solutions' Data Center Disaster Recovery and Business Continuity Plan (DRBCP)
• Policies, procedures, guidelines, and standards related to security incident response
• Item Processing Facility DRBCPs
• Results from the most recently completed DRBCP test/exercise
• Distribution list for the DRBCP
• Bank Solutions' Backup and Recovery Policy
• Screen prints of the configurations from Bank Solutions' backup utility (these configurations show what server shares are subject to automated backup and the frequency of those backups)
• Contracts with the off-site storage provider
• A system-generated listing of access to event logging servers
• A list of individuals who have been provided access to recall backup tapes from the off-site storage vendor
• Screenshots of the Intrusion Detection System (IDS), firewall, and other event logging capability configurations
• Excerpts from the IDS and firewall event logs and management's manually maintained incident tracking log

2.4 Facts: Risk Assessment Findings

Based on the discussions held with the management and a review of the documentation provided, you note the following facts:

1. With the assistance of an external consultant, Bank Solutions wrote its current data center DRBCP in 2007. It was last updated in January 2009.
2. According to Douglas, the data center DRBCP was last tested in 2007. Testing activities consisted of a conceptual, table-top walkthrough of the DRBCP conducted by Douglas with the Data Center Managers and Network and Systems Engineers. Item processing facility DRBCPs have not yet been tested.
3. Site-specific DRBCPs have been written for the five largest item processing facilities. The remaining item processing facilities have a generic "small center" DRBCP template that was distributed to and customized by facility management in June 2010. Four item processing facilities have not yet completed the customization exercise.
4. DRBCPs contain several sections, including the following:
   • Emergency/crisis response procedures
   • Business recovery procedures
   • "Return to normal" procedures
   • Various appendices
5. Recovery Time Objectives and Recovery Point Objectives[iv] for each critical business process and system were not identified in the DRBCP.
6. The following details, most of which are included in the DRBCP appendices, are also documented in the text of the DRBCP:
   • Critical systems, including detailed hardware and software inventories
   • Critical business processes and process owners
   • Alternative processing facility addresses and directions
   • "Calling Trees" (notification listings)
   • Critical plan participant roles, responsibilities, and requirements
   • Critical vendor contact listings
   • Key business forms
   • Specific recovery procedures for key systems
   • Procedures for managing public relations and communications
7. Based on a review of DRBCP distribution lists, it appears that not all key plan participants have a copy of the plan. When this was discussed with Douglas, he responded that copies of all DRBCPs are stored on the network (which is replicated across both data centers and via backup tape).
8. Critical plan participants have not been trained to use DRBCPs.
9. Bank Solutions has implemented a robust host-based IDS, including detailed event logging and reporting capabilities. However, neither the DRBCP nor any other policy, standard, guideline, or procedure addresses security incident handling steps, including escalation points of contact and procedures for preserving the forensic qualities of logical evidence.
10. Event logging is also performed when power users perform specific privileged activities on production servers and selected administrative back office systems. Interestingly, it was noted that several of the same power users whose actions are recorded onto event logs also have write access to the logs themselves.
11. A review of the network diagram and conversations with the Network Architect reveal that redundancies have been implemented at the network perimeter (e.g., routers, firewalls, IDS, load balancers, etc.).
12. Banking Solutions has organized their DR/BC program according to a "sister center" format; that is, each data center serves as the other's "hot site" processing location and each item processing facility has been assigned a corresponding item processing facility to serve as a backup processing location. Neither the DRBCPs nor any other documentation outline specific processing responsibilities for backup facilities.
13. On a daily basis, transaction detail and item image files from the current day's processing operations are uploaded from each item processing facility to their regional data center (see Appendix A). At the data centers, electronic vaulting has been established whereby all e-mail, file, and application servers and databases at the data center are continuously backed up to the other data center via dual dedicated fiber optic lines. A data backup and recovery utility has been implemented in each data center and the item processing facilities. Full backups of critical data files, software programs, and configurations are performed once a week and incremental backups are performed on a daily basis Monday through Friday.
14. At one item processing facility, backup jobs have routinely failed due to unknown causes. When the topic was discussed with the IT Manager on duty, he shrugged the failures off, noting that the core financial institution transaction data and images are transmitted to and archived at the Bank Solutions Data Center East on a daily basis.
15. At the item processing facilities, the management has been tasked with contracting the off-site storage of backup tapes. At one of the item processing facilities, management has contracted the bank across the street to store its backup tapes in a safety deposit box. At another item processing facility, the night Operations Manager stores the backup tapes in a safe at his home.
At a third item processing center, tapes are stored in a shed at the back of the building.

This is an individual project. As a member of an engagement team in charge of performing the incident handling, DR/BC risk assessment for Bank Solutions, you should read the case background and the facts identified in the interviews.

Individual Work: For all of the facts/findings, prepare a written report that lists the condition(s) that present risks to Bank Solutions as well as proposed recommendations for addressing those conditions.

Appendix A

This case was developed solely for class discussion. While the situation described in this case is based on realistic events, Bank Solutions is a fictional organization. Further, the names, product/service offerings, and the names of all individuals in the case are fictional. Any resemblance to actual companies, offerings, or individuals is accidental.

Copyright of Journal of Information Systems Education is the property of Journal of Information Systems Education and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

6/12/2019 Project 2: Case Study—Identify Requirements - CSIA 485 6380 Practical Applications in Cybersecurity Management and Policy (2195)
https://learn.umuc.edu/d2l/lms/dropbox/user/folder_submit_files.d2l?db=797911&grpid=0&isprv=0&bp=0&ou=386579

Grading Rubric (levels: Excellent / Outstanding / Acceptable / Needs Significant Improvement / Missing or Unacceptable)

Security, Interoperability, and Operations Issues

Issues (/10)
  10 points (Excellent): Identifies at least 10 issues based on the case study.
  8 points (Outstanding): Identifies at least 8 issues based on the case study.
  6 points (Acceptable): Identifies at least 6 issues based on the case study.
  3 points (Needs Significant Improvement): Identifies at least 3 issues based on the case study. The discussion lacked detail and/or was not well supported by information drawn from authoritative sources.
  0 points (Missing/Unacceptable): Doesn't identify any issues based on the case study.

Relationship (/12)
  12 points: Clearly describes and relates issues to security, interoperability and operations.
  9 points: Basically describes and relates issues to security, interoperability and operations.
  6 points: Weakly describes and relates issues to security, interoperability and operations.
  3 points: Little description or relating of issues to security, interoperability and operations. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: No description or relationship of issues to security, interoperability and operations.

Requirements

Prioritization (/12)
  12 points: Clearly prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
  9 points: Basically prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
  6 points: Weakly prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
  3 points: Little prioritization or articulation of the issues as requirements based on immediate need, security posture, complexity, resource availability and cost. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: No prioritization or articulation of the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.

Applicable Regulations and Standards

ID Applicable Government Documents (/5)
  5 points: Identifies at least 4 government regulations and standards.
  4 points: Identifies at least 3 government regulations and standards.
  2 points: Identifies at least 2 government regulations and standards.
  1 point: Identifies at least 1 government regulation or standard. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: No government regulations or standards identified.

Rationale Used (/12)
  12 points: Clearly identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Must provide the rationale for selecting the documents.
  9 points: Basically identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Must provide the rationale for selecting the documents.
  6 points: Weakly identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. May provide the rationale for selecting the documents.
  3 points: Little identification of applicable government regulations and standards that govern how the requirements must be met, implemented or measured. May provide some rationale for selecting the documents. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: Doesn't identify any applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Doesn't provide the rationale for selecting the documents.

Cites Regulations and Standards (/5)
  5 points: Clearly cites all government regulations and standards used.
  4 points: Basically cites all but 1 government regulation or standard used.
  2 points: Cites all but 2 government regulations or standards used.
  1 point: Cites just 1 government regulation or standard used. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: Doesn't cite any government regulations or standards.

Controls

Defines Controls (/12)
  12 points: Identifies at least 4 appropriate NIST controls and links them to each issue using logic.
  9 points: Identifies at least 3 appropriate NIST controls and links them to each issue using logic.
  6 points: Identifies at least 2 appropriate NIST controls and links them to each issue using logic.
  3 points: Identifies at least 1 appropriate NIST control and links it to each issue using logic. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: Doesn't identify any appropriate NIST controls or link them to the issue using logic.

Rationale for Control (/12)
  12 points: Clear and detailed rationale as to how those controls mitigate the risk identified.
  9 points: Basic description of rationale as to how those controls mitigate the risk identified.
  6 points: Weak description of rationale as to how those controls mitigate the risk identified.
  3 points: Little description and rationale as to how those controls mitigate the risk identified. (Or, inappropriate or excessive copying from other authors' work.)
  0 points: No description or rationale as to how those controls mitigate the risk identified.

Finds and Applies Knowledge

Use of Authoritative Sources (/5)
  5 points: Cited and used at least 5 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
  4 points: Cited and used at least 3 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
  2 points: Cited and used at least 2 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
  1 point: Cited and used at least 1 authoritative or scholarly source in paper.
  0 points: No authoritative or scholarly sources used in paper. NIST SP 800-53 not mentioned.

Citation of Sources (/5)
  5 points: Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. Reference list entries and in-text citations are consistently and correctly formatted using an appropriate citation style (APA, MLA, etc.).
  4 points: Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. One or two inconsistencies or errors in format for in-text citations and/or reference list entries.
  2 points: Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. No more than 5 inconsistencies or errors in format for in-text citations and/or reference list entries.
  1 point: Work attempts to credit sources but demonstrates a fundamental failure to understand and/or consistently apply a professional formatting style for the reference list and/or citations.
  0 points: Reference list is missing. Work demonstrates an overall failure to incorporate and/or credit authoritative sources for information used in the paper.

Organization, Execution and Appearance

Formatting (/5)
  5 points: Prepared MS Word document, used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
  4 points: MS Word document didn't follow up to two (2) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
  2 points: MS Word document didn't follow up to four (4) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
  1 point: MS Word document followed only one (1) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
  0 points: Non-MS Word document, or didn't follow any of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.

Grammar and Punctuation (/5)
  5 points: No grammar, use of first/second person, spelling or punctuation errors.
  4 points: Less than 5 grammar, use of first/second person, spelling or punctuation errors.
  2 points: Less than 10 grammar, use of first/second person, spelling or punctuation errors.
  1 point: Less than 15 grammar, use of first/second person, spelling or punctuation errors.
  0 points: More than 15 grammar, use of first/second person, spelling or punctuation errors.

Total: /100
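Two of the case findings above are concrete enough to be checked mechanically rather than only discussed: finding 10 (power users whose privileged actions are logged also hold write access to the logs) and findings 13 and 14 (one full backup a week plus an incremental every Monday to Friday, with jobs "routinely" failing at one facility). The Python script below is an added example and is not part of the case, the assignment, or the answer that follows. Every user name, log path, facility name and backup record in it is constructed for the example; the control reference AU-9 (Protection of Audit Information) is a real NIST SP 800-53 control, cited because the assignment asks students to map findings to that publication. The script assumes the ACL snapshot and job history have already been exported into the simple structures shown.

```python
"""Added example (not from the case or the assignment): two control checks
that turn findings 10, 13 and 14 of the Bank Solutions case into something an
assessor can run. All identifiers and records are constructed for the example."""
from collections import defaultdict
from datetime import date, timedelta

# Finding 10: power users whose privileged actions are logged can also write
# to the logs. NIST SP 800-53 AU-9 requires audit information to be protected
# from unauthorized modification, so audited principals must not be writers.

# Constructed: principals whose privileged activity is written to event logs.
LOGGED_POWER_USERS = {"ops_admin1", "ops_admin2", "dba_night"}

# Constructed ACL snapshot: log path -> principals holding write access.
LOG_ACLS = {
    "/var/log/audit/prod-app01.log": {"auditsvc", "ops_admin1"},
    "/var/log/audit/prod-db01.log": {"auditsvc", "dba_night"},
    "/var/log/audit/backoffice.log": {"auditsvc"},
}


def log_write_conflicts(logged_users, acls):
    """Return {log_path: [users]} for every log that a logged user can write."""
    conflicts = {}
    for path, writers in acls.items():
        overlap = sorted(logged_users & writers)
        if overlap:
            conflicts[path] = overlap
    return conflicts


# Findings 13/14: the stated schedule is one full backup per week plus an
# incremental each Monday to Friday. The check below lists every expected job
# that has no successful run, which is what the IT Manager in finding 14
# shrugged off.

# Constructed job history: (facility, run date, job type, status).
PERIOD_START, PERIOD_END = date(2019, 6, 3), date(2019, 6, 9)  # Mon..Sun
BACKUP_JOBS = [
    ("IPF-East-07", date(2019, 6, 3), "incremental", "success"),
    ("IPF-East-07", date(2019, 6, 4), "incremental", "success"),
    ("IPF-East-07", date(2019, 6, 5), "incremental", "success"),
    ("IPF-East-07", date(2019, 6, 6), "incremental", "success"),
    ("IPF-East-07", date(2019, 6, 7), "incremental", "success"),
    ("IPF-East-07", date(2019, 6, 8), "full", "success"),
    ("IPF-West-03", date(2019, 6, 3), "incremental", "success"),
    ("IPF-West-03", date(2019, 6, 4), "incremental", "failed"),
    ("IPF-West-03", date(2019, 6, 5), "incremental", "success"),
    ("IPF-West-03", date(2019, 6, 6), "incremental", "failed"),
    ("IPF-West-03", date(2019, 6, 7), "incremental", "success"),
    ("IPF-West-03", date(2019, 6, 8), "full", "failed"),
]


def backup_gaps(jobs, start, end):
    """Return {facility: [(iso_date, job_type)]} for expected jobs with no
    successful run between start and end inclusive. An incremental is expected
    each Mon-Fri; one successful full is expected per ISO week and a missing
    one is reported against the first in-range day of that week."""
    successes = defaultdict(set)
    facilities = set()
    for facility, run_date, job_type, status in jobs:
        facilities.add(facility)
        if status == "success":
            successes[facility].add((run_date, job_type))

    gaps = {}
    for facility in sorted(facilities):
        missing = []
        week_first_day = {}
        day = start
        while day <= end:
            if day.weekday() < 5 and (day, "incremental") not in successes[facility]:
                missing.append((day.isoformat(), "incremental"))
            week_first_day.setdefault(day.isocalendar()[:2], day)
            day += timedelta(days=1)
        full_weeks = {d.isocalendar()[:2] for d, t in successes[facility]
                      if t == "full" and start <= d <= end}
        for week, first_day in week_first_day.items():
            if week not in full_weeks:
                missing.append((first_day.isoformat(), "full"))
        if missing:
            gaps[facility] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for path, users in log_write_conflicts(LOGGED_POWER_USERS, LOG_ACLS).items():
        print(f"AU-9 conflict: {path} is writable by logged user(s) {users}")
    for facility, items in backup_gaps(BACKUP_JOBS, PERIOD_START, PERIOD_END).items():
        for when, kind in items:
            print(f"backup gap: {facility} has no successful {kind} for {when}")
```

In the constructed data the script reports two logs writable by audited power users and, for the second facility, two failed incrementals plus a week with no successful full. In a real engagement the ACL snapshot would come from the "system-generated listing of access to event logging servers" and the job history from the backup utility's own reports, both of which the case lists among the documents reviewed.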

Explanation & Answer

Attached.

RUNNING HEAD: PROJECT 2 IDENTIFY REQUIREMENTS

Project 2: Case Study – Identify Requirements
Name
Institution
Course
Date

Introduction
Based on the case study provided, it is evident that Bank Solutions' disaster recovery and
business continuity requires the practical applications of cybersecurity management skills and
knowledge. The chronology of events as captured in the case study illustrates cybersecurity
challenges caused by the failure to adhere to the (CIA) availability, integrity, and confidentiality
principles and procedures as it is required in information security management. Therefore, the
data and information stored in Bank Solution’s systems and network were exposed to network
threats and vulnerability. Perhaps the perpetrators of the network security breaches highlighted in
the case study exploited the security gaps and lapses in the Bank’s network motivated by the
sensitive and classified data that the Bank stores in its network.
This paper takes into consideration the fact that the Bank has become a target for
perpetrators of internet attack and provides a review of the Bank’s security, interoperability, and
operations. The paper will also prioritize and articulate these requirements based on their security
posture, immediate need, resource availability, complexity, and cost. In addition, the paper will
identify the 4 applicable requirements, government regulations/ standards that govern how these
requirements would be met, implemented, and measured. Finally, the paper will rely on the NIST
Special Publication 800-53 to identify the 4 security controls that relate to these issues with a
description of how these controls enhance the security posture or facilitate the secure
implementation of these security postures.
Security, Interoperability and Operational Issues
Upon a thorough review of the case study of Bank Solutions disaster recovery and business
continuity and subsequent management discussion, a number of security, interoperability, and
operational issues were identified. Below is an analysis of each issue that arises from the case

study. The first issue is that Bank Solutions Inc. is using an outdated version of Disaster
Recovery and Business Continuity Plan (DRBCP) originally written in 2007 and lastly updated
in 2009 (Camara, Crossler, Midha & Wallace, 2012). Secondly, the DRBCP still relies on an
outdated testing protocol which was last tested in 2007 when the item processing facility plans
were deliberately ignored during the last test (Camara, Crossler, Midha & Wallace, 2012).
The third issue is that the DRBCP's site-specific plans are not customized and updated, leaving
four item processing facilities in the DRBCP customization process. Fourthly, the DRBCP has
not identified the applicable Recovery Point Objectives (RPOs) of the Recovery Time Objectives
(RTO). The fifth issue is that the DRBCP stakeholders are yet to be trained to familiarize themselves with
the processes, plan, and procedures. The sixth issue is that...

