
Drbcp

21/12/2020 Client: saad24vbs Deadline: 14 Days

Running Head: Case Study--Gap Analysis


Project 1: Security and Technology Issues


Benson S. John


Practical Applications in Cybersecurity Management & Policy


UMUC


31st March, 2019


Introduction


As technology advances, cybercriminals are using increasingly sophisticated techniques to exploit vulnerabilities in information systems. Bank Solutions Inc relies on its information system for financial transactions, so it is critical that the system is well protected, can survive a possible cyber attack, and can continue to operate with limited or unnoticeable downtime. To prepare for such an event, high-ranking members of the company have contracted a third-party vendor to analyze the Disaster Recovery and Business Continuity Plan (DRBCP), identify operating or regulatory risks, and recommend possible mitigation strategies. The vendor has identified the following security gaps and recommended state-of-the-art strategies to protect confidentiality, integrity, and availability (Conducting A Gap Analysis: A Four-Step Template, 2019).


Technology or Security Issues:


· Outdated data center DRBCP; it was last updated in January 2009.

· DRBCP processing facilities have not been verified or tested.

· Recovery Time Objectives and Recovery Point Objectives were not identified in the DRBCP.

· The DRBCP distribution list was not readily available to all plan participants.

· Critical plan members have not been trained to use the DRBCPs.

· Power users should not have modify permission, to prevent them from editing the event logs or performing administrative work.

· Four item processing facilities have not yet completed the DRBCP customization exercise (Gap Analysis: A Template for Connecting Potential with Performance, n.d).

· The DRBCP and other vital policies and guidelines fail to address security incident handling steps.

· The DRBCP documentation fails to outline specific processing responsibilities for backup facilities.

· Backup jobs at one processing facility have routinely failed due to unknown causes.


Security Issues


Bank Solutions, Inc is a financial institution that handles vital customer personal and financial information, so it is important to have reliable and secure data backups. Backing up data on a regular basis protects against the risk of losing critical information due to system failure, human error, software problems or other events. The following security and technology issues were identified:

· DRBCP – this is a high-risk issue that needs to be addressed immediately. Failure to resolve it will result in the unavailability of customer information, which may impact the bank's operations or its ability to provide services to its customers when needed.

· DRBCP and Incident Response Team – to effectively execute any plan or procedure, the response team should have adequate and detailed knowledge of what needs to be done. All resources should be available to each team member.

· Access Control – permissions should only be given to team members based on need to know or role. For example, power users should not have been given write permission to the log file. This is a very big risk, since it makes it possible to modify log data.


Identify Risks and Challenges


After the gap analysis, the next step is to map out the risks within the bank's information system in order to achieve the institution's security objectives. For Bank Solutions, Inc to be in compliance with the DRBCP, the following risks and challenges need to be resolved immediately:

· Successful execution of the DRBCP depends on the training or knowledge of all team members.

· Although the process may expose some causes, if it fails to probe deeply enough, the proposed resolutions may not resolve or address the actual root cause of the problem.

· As technology changes, so does the bank's information system, and it is therefore possible for the analysis to be inaccurate because of outdated technology, as in the case of Bank Solutions, Inc.

· A DRBCP test or exercise has not been completed since 2007; the plan should be tested and verified to make sure it is ready when needed (Recognizing the Gaps in Gap Analysis, n.d).


Apply Risk Identification


The goal of risk identification is to find all possible risks within the bank's information system. Experience and technical expertise play a vital role in risk identification, as do team dynamics and personal contacts. Team participation and face-to-face meetings or interaction are vital in encouraging open communication and trust. In their absence, team members may be unwilling to talk about their risk concerns. A risk identification process requires adequate input from all team members. To effectively identify risk, the following processes should be in place:

· The entire DRBCP team should participate and be actively involved.

· Possible risks should be identified by all team members.

· Any possible risk identified should be recorded.

· All potential risks identified should be documented and followed up by the head of the team (Risk Identification, 2015).


Define Security Strategy


A DRBCP security strategy is critical for any institution that focuses on building an effective plan aligned with its business and IT strategy. It provides a direction that team members can understand and follow to achieve the company's objectives. The following strategy is designed to effectively mitigate the risks or issues identified.

· Develop and implement an updated version of the DRBCP that clearly defines what needs to be done before and after an incident.

· Define roles and identify team members and key personnel, contacts and third parties that may be contracted to participate in or execute the DRBCP.

· All team members should have thorough knowledge of the DRBCP and should have a copy of the plan readily available.

· Test and verify the DRBCP: conduct a drill or practice to make sure the team achieves the intended purpose and to reinforce personnel awareness and tasks in the event of an actual disaster (Key steps to perform a successful information security gap analysis, n.d).

· Implement access control through Active Directory Domain Services (AD DS) in Microsoft Windows Server 2012 to delegate permissions and roles.


Related Security Solutions that Consist of People Processes


To implement an effective DRBCP process, it is important to consider the team. Depending on each team member's experience and knowledge, the plan will either be executed successfully or produce an incomplete result. It is therefore important to put together a knowledgeable team whose expertise covers all the necessary requirements. The plan should consist of the following:

· Management Committee – this can be an executive member who oversees the process and is actively involved in the approval process, especially when it comes to budgetary issues, strategic direction and policy considerations.

· Disaster Recovery Coordinator – this is an individual from the IT department who manages the overall recovery process in the event of any possible disruption. This team member is responsible for activating the recovery plans among the team and coordinating those efforts as they progress.

· IT Infrastructure – these areas require expertise and may therefore require team members who are specialized and involved in the recovery process. These team members will be responsible for identifying strategies and solutions that may be needed to restore or recover vital operations in their areas of expertise, for example administrators from servers or storage, networks, and application support (Herrera, M., & Long, n.d).


Link Solutions


Every solution and step in executing the DRBCP process is vital. The preliminary recovery interviews allow team members to collaboratively understand every aspect of the recovery components and critical business processes. The following components are linked together to accomplish a positive outcome:

· Recovery planning – develop, educate, and perform drills to verify the disaster recovery plan, which includes establishing and maintaining contacts for disaster recovery support systems.

· Recovery operations – verify test facility accessibility and safety, assess all risks, restore operations, establish mitigation measures and finally apply lessons learned.


Timeline


The table below shows when each security issue should be addressed, giving a time frame and a task priority. Priority ranges from 1 through 5, with 5 being the highest priority (Holsberg, n.d).


| Security Issues | Required Resources | Timeline for Addressing Issue / Month | Task priority |
|---|---|---|---|
| Outdated DRBCP | Develop a newer version or update the current version, focusing on the business vision as stated in the policy | 4 | 5 |
| Access Control | Implement Active Directory Domain Service (AD DS) on the current Microsoft Server Operating System to delegate access based on role. Rationale: This will restrict what users can do on the. Resources needed: Specialized system server admin or personnel | 4 | 5 |
| Key team members not properly trained to use DRBCP | Continuous education or training and certification | 3 | 4 |
| No job title | Define roles and identify team members and key personnel, contacts and third-party | 4 | 2 |
| DRBCP not verified | Rationale: DRBCP needs to be verified to make sure it meets the expected outcome. Needed: Conduct DRBCP drill to verify plan | 3 | 5 |
| Lack of knowledge, education, and training about computer security | Develop training or certification for all team. Needed: All system admin and team members | 6 | 3 |
| Outdated technology | All servers, workstations and applications | 6 | 4 |
| DRBCP and other vital policies and guidelines fail to address security incident handling steps | This should be clearly defined in the policy | 6 | 5 |
| The DRBCP documentation fails to outline specific processing responsibilities for backup facilities | Team leader and high-ranking member | 4 | 3 |
| Backup jobs at one processing facility have routinely failed due to unknown causes | Verify backup system, media or network storage and investigate root cause | 4 | 4 |


Plans to Mitigate Technology Issues and Next Step


Analysis showed that the information system of Bank Solutions Inc is completely out of date and will therefore need an overall investment in technology, along with implementation of the above recommendations. A well-trained and qualified team needs to be developed, with a designated team leader. Because of storage and media failures, the bank should invest in virtualization or cloud-based storage. This will minimize or eliminate most of the expenses incurred, including tape backups and extra server storage. In addition to technology, the bank should determine its priorities based on strategy and best practices, then identify and completely fill the gaps with the recommended resolutions within a reasonable time frame (Lohrey, 2017).


References


Conducting A Gap Analysis: A Four-Step Template. (2019, February 05). Retrieved from https://www.clearpointstrategy.com/gap-analysis-template/


Gap Analysis: A Template for Connecting Potential with Performance. (n.d.). Retrieved from https://www.shopify.com/enterprise/gap-analysis


Recognizing the Gaps in Gap Analysis. (n.d.). Retrieved from http://www.rmmagazine.com/2016/10/03/recognizing-the-gaps-in-gap-analysis/


Risk Identification. (2015, April 10). Retrieved from https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-identification


Key steps to perform a successful information security gap analysis. (n.d.). Retrieved from https://searchsecurity.techtarget.com/tip/Key-steps-to-perform-a-successful-information-security-gap-analysis


Herrera, M., & Long, R. (n.d.). Disaster Recovery Planning: Who Needs A Seat At The Table & Why. Retrieved from https://www.drj.com/articles/online-exclusive/disaster-recovery-planning-who-needs-a-seat-at-the-table-why.html


Holsberg, M. (n.d.). Disaster Recovery, Roles, and Responsibilities. Retrieved from https://www.emergency-response-planning.com/blog/bid/59671/disaster-recovery-roles-and-responsibilities


Lohrey, J. (2017, November 21). Regulatory Gap Analysis. Retrieved from https://smallbusiness.chron.com/regulatory-gap-analysis-80381.html



