Running head: CASE STUDY- GAP ANALYSIS
Case Study-Gap Analysis
P1
Introduction
As the use of computers and other digital devices has become very important for
businesses like Bank Solutions Inc., these devices have also become targets for attacks. It is
therefore very important for businesses to ensure that all the devices and systems they use are
not compromised in any way. Farooq et al. (2015) note that information security is about
protecting information, and all the systems related to it, from unauthorized access. The
information security triad is made up of three aspects: confidentiality, integrity and availability
(CIA). Confidentiality is about ensuring that information is not accessed by, or made available
to, people who do not have authorization. Integrity is the assurance that the information has not
been compromised in any way. According to Farooq et al. (2015), availability means that the
information can be accessed easily by those who have authorization.
Key Issues
Several issues come out of the case study for Bank Solutions Inc. Failures in the backup
process at one item processing center have not been resolved, which means there could be
irregularities in the backups. There is also no clear policy on how the backups should be stored,
with some kept in places where they could easily be accessed or lost; for example, some are
stored in a safety deposit box, in a shed at the back of the building, or in a safe at home. No
training has been given to the critical participants on the use of the DRBCP. Power users in the
organization have access and write passwords for the event logs. There is also no
documentation of the responsibilities of the backup facilities. Key participants do not have a
copy of the DRBCP even though it is stored on the network.
Challenges
One of the challenges faced by Bank Solutions Inc. was its inability to grow despite having
the opportunity to do so. For close to 15 years it enjoyed modest growth but was unable to
expand outside the Northwestern region of the United States. It was also unable to compete with
other service providers who had developed proprietary, "top of the line" software. Because that
software was better than what Bank Solutions offered, the company could not compete
effectively. Its customer base, made up of savings and loan associations, was also affected by
the savings and loan crisis.
Risks from the Case Study
There were several risks in the Bank Solutions Inc. system. One risk was that it was
operating on software that had last been updated in 2009, and there was a risk that it could fail
at any time. Testing of the DRBCP was last done in 2007, and the item processing portion of the
DRBCP has not been tested, so one cannot tell how effective it is. Since not all the key
participants have a copy of the plan, it is possible that they would not know what to do in the
event that something failed in the system. The DRBCP is not being used as it should be, since
the critical participants have not been trained on it.
Recommended Security Strategy
It is important for any organization to ensure that its data is always protected. The
process of creating the security strategy should be followed, and the strategy should include a
detailed look at the environment in which the system exists. The first step in creating the
security strategy will be the completion of a security inventory that takes stock of all the
programs and people that need to be accounted for. A review of the current security goals and
policies will also be done and, finally, the security framework will be created (Knapp et al.,
2009). The security strategy to be implemented will need to focus equally on the elements of
people, process, and technology in order to be successful. The people employed will need to be
highly experienced and capable of handling the roles assigned to them. The processes used in
the organization will need to be well defined, flexible and easily adaptable.
The technology used will also need to be advanced, very innovative and very secure so
as to protect the information of the organization. The security strategy will involve making
changes to the current staff in order to make sure that the right staff are the ones engaged in the
organization. A review of all the processes used within the organization will also be done to
ensure that they are standardized across all the item processing facilities. The technology in use
will also be tested and updated so that the most recent and secure version of the applications is
the one in use. The technology will also need to be updated on a regular basis to take advantage
of new features (Kuusk & Gao, 2015).
Proposed Security Solutions
It is important for the management of Bank Solutions to ensure that the security of the
system is well maintained. Based on the key security issues in the case study, the first thing to
do is to ensure that all the software in use is tested for any faults that could make it vulnerable.
The software should also be updated so that the latest version is the one in use. The backup
process should be standardized across all the branches and done on a regular basis, the backups
should be stored in safer locations than the current ones, and managers at the various item
processing facilities should not be tasked with contracting storage for offsite backups. Power
users who have access to the event logs should also not have write access to the logs, in order
to prevent them from making changes to the logs.
Proposed Timeline
In order for the security strategy to be effective, it is important to understand the
importance of the key elements of the organization and which threats can affect the business.
There will be a need to define the responsibilities and roles of the staff who work within the
organization. Top management will also need to identify or hire staff who possess the relevant
skills to work with the system effectively. Those who do not possess the skills will be trained on
the concepts of a secure system and other concepts like integrity, confidentiality, and privacy.
The efforts will have to be extended to ensure that the entire workforce has been fully
trained and is aware of its duties and responsibilities when using the system. All the processes
of the item processing cycle will be assessed for effectiveness, and any areas that need
improvement will be identified and addressed. Since the organization also interacts with the
external environment, a procedure for checking the security and compliance of external parties
will be created. It will also be important for the documents that contain the organization's
policies, procedures, contracts and any other key documents to be examined and the necessary
changes made.
Recommendations
In order to mitigate the risks that have been identified, the following recommendations
can be considered. The organization should review and make the necessary changes to its
policies regarding how regularly backups should be done, how they should be done and where
they should be stored. A company that provides backup services can be contracted to store the
backups. The management needs to put in place measures and effective supervision to make
sure that the new backup policies are properly implemented. In order to make sure that the
software applications in use are updated, it is recommended that a policy be put in place
indicating how the updates will be done. This will enable uniformity of updates and also reduce
errors made by staff when updating. The management should also ensure that all the key staff
have a copy of the DRBCP and are aware of what it contains. This will provide the staff with a
reference and also help them to take ownership of the plan.
The contracting of offsite storage facilities should be done by top management through
a process that allows them to select the best backup storage service provider; this will help
ensure that the security of the backups is guaranteed. The process should not focus only on
costs but also pay special attention to the efficiency, capacity, and durability of the backup
storage. The people who have passwords for event logging should also not be the same ones
who have the write access passwords, so as to prevent any manipulation of the event logs
(Stallings & Brown, 2012).
Conclusion
Successful implementation will ensure that the security of the data is guaranteed. The
creation of a security strategy is not a one-time activity, and the management of Bank Solutions
Inc. should do assessments on a regular basis, for example quarterly, in order to measure how
effective the implemented measures are. All the staff assigned various roles and responsibilities
should be held accountable for the success or failure in their assigned areas. In the case of any
changes within the organization, the strategy should be revised to reflect those changes (Peltier,
2016).
References
Farooq, M. U., Waseem, M., Khairi, A., & Mazhar, S. (2015). A critical analysis of the
security concerns of the internet of things (IoT). International Journal of Computer
Applications, 111(7).
Knapp, K. J., Morris, R. F., Marshall, T. E., & Byrd, T. A. (2009). Information security
policy: An organizational-level process model. Computers & Security, 28(7), 493-508.
Kuusk, A. G., & Gao, J. (2015). Consolidating People, Process, and Technology to Bridge
the Great Wall of Operational and Information Technologies. In Engineering Asset
Management-Systems, Professional Practices and Certification (pp. 1715-1726).
Springer, Cham.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines
for Effective Information Security Management. CRC Press.
Stallings, W., & Brown, L. (2012). Computer Security: Principles and Practice (2nd ed.).
Edinburgh Gate: Pearson Education Limited.
BANK SOLUTIONS DISASTER RECOVERY AND BUSINESS CONTINUITY
P2
Bank Solutions' disaster recovery and business continuity plan needs review because of
the risks that the business is exposed to at the current status of operations. Considering that its
growth and success have attracted a leveraged buyout, there is a need for the Chief Information
Officer and his team of experts to implement far-reaching controls to mitigate the risks that
Bank Solutions may face or that may reduce its attractiveness to investors. Bank Solutions' core
business is disaster recovery and business continuity, and this is only achievable with operations
that mitigate possible risks.
Several risks were identified by interviewing the personnel and management of Bank
Solutions. The first potential risk is that the majority of the senior executives are close to
retiring and there is no succession plan in Bank Solutions to ensure business continuity. To
mitigate this, Bank Solutions needs to review its in-house human capital and identify the second
generation of executives that can take over leadership, even in the event of the buyout, to ensure
business continuity. The second-generation leaders of Bank Solutions need to be trained and
mentored, and a supervised delegation program instituted to gauge their competence in business
continuity. Secondly, the backup facility servers are shared resources, and this is a risk. To
mitigate it, there is a need for dedicated servers for backup services that are regularly updated
and have adequate security features. Thirdly, the list of individuals with access to the servers is
a risk. There need to be different levels of access to the servers, with final administrative
authorization given to a few people through a request process (Stallings & Brown, 2012).
Fourthly, the manual maintenance of incident tracking is a risk because it is exposed to human
error. To mitigate this, there is a need to generate the incident records automatically, with
manual records as backup. Fifth, the data center processes have not been tested recently. Bank
Solutions has no records of any lapses in its security systems. Operationally, there is a need to
routinely test operations and security procedures with the aim of improving processes and
security.
Sixth, the customization of the item processing facility has not been completed. The
customization needs to be fast-tracked to generate information that the management can use for
improvement. Seventh, the persons who are critical to the disaster recovery and business
continuity plan (DRBCP) all need to be trained on the procedures to prepare them for any
eventuality. Some participants have not been trained and are not aware of their responsibilities.
Eighth, all participants need to be knowledgeable and capable of implementing the DRBCP to
reduce the risk of exposure. Ninth, it has been reported that power users have access to the
backup facilities in addition to having routine access to the logs. The power users are a threat to
Bank Solutions' data and storage systems. There is a need to control this access by having
procedures for requesting access, and when temporary access is issued, it should be under
supervision. Tenth, Bank Solutions has no policy on the storage of backup tapes. Bank Solutions
needs an elaborate system of backup data storage that all data centers, backup facilities, and all
operations must adhere to. A room in a bank vault for all information is a possible policy that
can be adopted and implemented to reduce the risk of exposure of clients' data.
Bank Solutions has active contracts with clients that need to be profiled and customized
according to the client's needs and volume of business with Bank Solutions. Prioritization will
help Bank Solutions allocate its scarce resources to serving its valued customers. The workflow
processes are not transparent. Bank Solutions has a pool of human capital in the form of system
engineers, network architects, and data center managers that it can use to improve the workflow
and thereby improve operations, security, and system operability. The system needs to be
simple, secure and have the capacity to be upgraded according to changing needs.
Security is a fast-changing business due to technological changes. Bank Solutions has
proprietary assets that it needs to register with the relevant authorities to safeguard against
possible infringement by workers and business partners. Bank Solutions needs to incorporate
non-disclosure agreements with its partners to protect its security systems and technologies. The
workers (human capital) can be a source of risk. Bank Solutions needs to have contracts with
employees to safeguard copyrights and patents (Farooq et al., 2015).
There are several government security regulations with which Bank Solutions needs to
comply. The Federal Information Security Management Act (FISMA) was enacted in 2002 and
guides the management and security of information. This act is part of the E-Government Act
of 2002, which enables the government to operate in the information technology space while
protecting citizens and businesses. Certification and accreditation will help Bank Solutions be
recognized in the financial sector. The act includes provisions for security plans, the
responsibility of officials, and authorization of their actions to manage and secure information.
There are other standards for the security categorization of federal data and information systems
(FIPS Publication 199). The government additionally provides guidelines through the Security
Certification and Accreditation of National Information Systems (NIST Special Publication
800-37).
Bank Solutions has overcome over-reliance on one business segment in the past, which
was a significant risk. Bank Solutions needs to diversify into the major financial sector services,
using its experience and reputation in the market. The location risks in its operations that
hampered Bank Solutions' expansion into the Northwestern United States need to be addressed
in order to pursue continued growth. The new technologies that Bank Solutions is developing
are essential both for business continuity and for business growth. This report has addressed the
operational, security, technological and human capital risks and suggested the risk mitigation
measures that Bank Solutions needs to implement to overcome disaster and guarantee business
continuity. The implementation of increased controls and improved operational efficiencies that
are secure and efficient will increase Bank Solutions' market value to potential investors and
also provide better security and services to its valued clients. Mr. Douglas Smith, the CIO,
needs to constitute a team that will spearhead operational and safety changes that will make
Bank Solutions secure and highly efficient, with systems that can operationally support the
business. Lastly, for remote access, Bank Solutions needs to have levels of access, with access
granted on request by the managed system administrator, who records the duration of the access
provided and its purpose. There is an additional need for a redundancy system that can support
the continuation of operations at Bank Solutions in case there are delays or operational
challenges. Diversified business operations at Bank Solutions that add value to current clients
call for joint solutions development aimed at customer needs in the fast-changing technology
space. The future of Bank Solutions is tied to how fast it responds to business challenges and
develops effective operational procedures that are simple, secure and trusted. As automated as
the functional systems are, there is a need for administrative control of access, especially to
servers and backup centers. A leveraged buyout is a possible avenue for Bank Solutions to
realize gains on its equity, but it should not come at the expense of business continuity with
current client contracts.
In conclusion, Bank Solutions' disaster recovery and business continuity plan needs
review because of the risks that the business is exposed to at the current status of operations.
Several risks were identified by interviewing the personnel and management of Bank Solutions.
The first potential risk is that the majority of the senior executives are close to retiring and there
is no succession plan in Bank Solutions to ensure business continuity. Bank Solutions has active
contracts with clients that need to be profiled and customized according to the client's needs
and volume of business with Bank Solutions. Prioritization will help Bank Solutions allocate its
scarce resources to serving its valued customers. Security is a fast-changing business due to
technological changes. Bank Solutions has proprietary assets that it needs to register with the
relevant authorities to safeguard against possible infringement by workers and business partners.
Certification and accreditation will help Bank Solutions be recognized in the financial sector.
FISMA includes provisions for security plans, the responsibility of officials, and authorization
of their actions to manage and secure information. The implementation of increased controls
and improved operational efficiencies that are secure and efficient will increase Bank Solutions'
market value to potential investors and also provide better security and services to its valued
clients. Bank Solutions' core business is disaster recovery and business continuity, and this is
only achievable with operations that mitigate possible risks.
References
Burke, T. (2003). United States IT security laws: A guide to IT security legislation and
contractor responsibilities. SANS Institute.
https://www.sans.org/reading-room/whitepapers/legal/us-government-security-laws-1306
Farooq, M. U., Waseem, M., Khairi, A., & Mazhar, S. (2015). A critical analysis of the security
concerns of the internet of things (IoT). International Journal of Computer Applications,
111(7).
Stallings, W., & Brown, L. (2012). Computer Security: Principles and Practice (2nd ed.).
Edinburgh Gate: Pearson Education Limited.