
Running Head: CYBERSECURITY STRATEGY AND ACTION PLAN 1


Project 1: Cybersecurity Strategy and Action Plan

February 8, 2022

Introduction

Based on the case study, Padgett-Beale Solutions has established branches across the globe offering services to hotel and business management companies. Analysis of the financial statements shows that Island Banking Services has been declared bankrupt after its involvement in a money laundering scheme. Bankruptcy is a situation in which an organization cannot settle all its debts with the resources available to it. Because the company is failing, it has attracted many companies interested in a buyout through acquisition or merger. Padgett-Beale can benefit from purchasing various technological infrastructure from the failing company: it will pay for licenses, software, operating systems, and hardware from the bankrupt Island Banking Services. Based on the case study, it is clear that the acquisition of Island Banking Services will result in a Padgett-Beale subsidiary named PBI Financial Services (PBI-FS).

Various statistics show that a company entering an acquisition or merger deal should understand the strengths and weaknesses it will inherit (Barrett, 2018). If the company does not have a comprehensive infrastructure for assessing the vulnerabilities in the technological infrastructure it is acquiring, cybersecurity decisions about the merger and acquisition should be made with a third party such as an external inspector. Based on the case study, Padgett-Beale Solutions agreed to operate Island Banking Services, acquired out of bankruptcy, in the same business center and to fully integrate most of its operations. It is predicted that PBI-FS will operate as a wholly owned subsidiary over the next five years and run its cybersecurity program separately from the parent company's main activities. The new company must educate its employees on making sound cybersecurity decisions throughout their operations (Kshetri, 2017). The education program should focus on information from the key stakeholders, such as the financial service industry and the legal and regulatory standards that Island Banking Services violated.

Therefore, it is critical to identify the loopholes in the cybersecurity infrastructure, which will aid in developing strategies to secure the company's most vital and sensitive information. Padgett-Beale needs to be proactive and aggressive in securing the financial accounts, while involving external experts to reduce the chances that black hat hackers penetrate the company's technological infrastructure to compromise, destroy, or steal data that may jeopardize the organization's activities. The company has a great responsibility to comply with cybersecurity rules and regulations to avoid heavy penalties. The entire organization, including junior employees, should be involved in decision-making to ensure that the whole organization moves in the same direction in the fight against cybercrime. The first step will therefore require PBI-FS to identify the risks and vulnerabilities affecting the technological infrastructure. Based on the case study, Island Banking Services lacked specialized personnel to monitor the databases and servers regularly. The other risk was the insider threat posed by employees who could leak sensitive data to a third party without the consent of senior management. The second step would involve establishing a risk register that allocates duties and prioritizes what is to be addressed first.

Step 1: Gap Analysis

A gap analysis is a comprehensive review that a company or enterprise conducts to uncover gaps in its technical infrastructure, so that it can build the infrastructure needed to secure its most sensitive data. Risk identification is critical because it allows an organization to make the most effective decisions in securing its software and operating systems. The NIST framework is the most effective methodology for identifying gaps in cybersecurity. The gap analysis focuses on efficiency, on reducing shortcomings, and on providing real-time, evidence-based information to key stakeholders such as the sponsors.

PBI-FS should conduct a gap analysis based on the previous cybersecurity challenges and on the information provided during the merger and acquisition of the new company. The Padgett-Beale merger and acquisition team should therefore ensure that all the gaps that affected Island Banking Services are addressed before operations begin under the new deal. For instance, the case study indicates that Island Banking Services outsourced various products and services, such as management of its network, hardware, and software, to an Island-operated company, which could have introduced vulnerabilities into the system.

The gap analysis identifies approximately ten risks and cybersecurity issues that need immediate attention from PBI-FS. These risks and issues made Island Banking Company vulnerable. The first step for PBI-FS is to operate according to the standards laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Addressing the gaps is critical because Island Banking lacks any cybersecurity program. The risks and gaps include a lack of protective technology, the absence of risk management and a risk management strategy, insider threats, a shortage of competent and qualified IT professionals, reliance on a third party to control most of the technological products, and a lack of encryption on major internet devices.

Step 2: Cyber Security Issues

Inability to establish a cybersecurity program

Island Banking Services faced a data breach mainly due to the lack of a cybersecurity program. The absence of such a program leaves an organization's data vulnerable, since the data lack protective software and up-to-date infrastructure. PBI-FS should prioritize developing cybersecurity programs that are up to date and controlled by a registered software developer. According to the case study, Island Banking Services had various vulnerabilities in its financial systems, which resulted in poor customer service. Therefore, the Chief Information Security Officer at PBI-FS should be aggressive and proactive in developing a cybersecurity program based on federal and state laws and regulations. Additionally, the program should comply with the Bank Secrecy Act (BSA).

Utilizing the services of a third party

A third-party point of access gives black hat hackers a wider path into the company's technological infrastructure. For instance, black hat hackers can reach the financial systems through the third party's infrastructure, or penetrate the system by compromising many databases and servers within the organization. The third party can also create vulnerability through insider threats, while Island Banking Company has little control over the third party's actions.

Inability to develop encryptions on data on its devices

Encryption is among the best protective technologies for protecting sensitive data from hacking. Encrypted data is stored in a form that cannot be read without the decryption key. Therefore, even if black hat hackers steal the data, they will not benefit, since they cannot interpret the information. Encryption will enhance data security, particularly for customer data, by minimizing the impact of any potential interception.

Inability to develop infrastructure to prevent the endpoint threats

The endpoint threat noted at Island Banking Company contributed to the data breach. PBI-FS must build computer systems that do not lose data, by applying endpoint security controls. Endpoint threats may arise through phishing attacks and through conditions such as unpatched vulnerabilities. Phishing attacks are directed at employees and mainly aim to obtain passwords to an organization's servers and databases, enticing employees to provide sensitive information or directing them to software that extracts their passwords.

The other threat noted was a violation of confidentiality.

In most cases, employees and other key stakeholders forget to delete their personal information from existing software. Since PBI-FS is required to buy all the technological infrastructure, such as software and hardware, and other digital assets such as word processing documents, emails, presentations, and logos, it is important for Island Banking to hand over all the digital assets. Based on the case study, Island Banking Company was forced to open its storage devices and digital media under a search warrant after it had declined to open the infrastructure for the enforcement agency.

Data theft

Island Banking Company is vulnerable because it shares its most sensitive data with employees. Employees may sell enterprise data to the main competitors and to black hat hackers for a fee. The main aim of such data theft is to destroy the integrity and confidentiality of the data. The most effective method of limiting employee access to data is through biometric technologies such as iris and face scanning.

The potential hacking on cybersecurity

According to the case study, Island Banking Company had sold its financial transaction processing software to another company. The software contains a great deal of information about the organization and thus could be an avenue for a third party to compromise the remaining data in the databases and servers. PBI-FS must involve IT professionals before selling any program to a third party.

The other risk is the lack of IT professionals.

The case study shows that Island Banking Company lacked internal IT professionals to monitor the financial services. Internal IT personnel can conduct regular testing to identify vulnerabilities and advise the institution on the best measures to protect its data (Lamba, 2018). Additionally, it is critical to engage an external IT company to assist in responding to a data breach.

Utilization of the same cybersecurity software from Island Banking Company

The case study shows that even after the establishment of PBI-FS, the company continued to use some of the software used by Island Banking Company. PBI-FS needs to update this software and replace the parts that are outdated. The analysis shows that PBI-FS still intends to run the inherited operating systems, database software, transaction processing software, and productivity software.

Insider threat

Most of the employees of Padgett-Beale and Island Banking Services were not involved in the merger of the two companies. Therefore, most of them are unhappy and are less likely to support PBI-FS projects, and thus more likely to share the company's sensitive information. PBI-FS should implement biometric technology that controls employee access to the database and server rooms.

Proper asset management

The case study shows that Island Banking Services lacks a proper inventory of its applications and software. Since the company was declared bankrupt for engaging in money laundering activities, there is a gap between assigned responsibilities and their actual implementation in cybersecurity.

Step 3: risk register

Columns: Risk ID | Risk | Category | Severity | Applicable Laws, Regulations, Standards | Risk Mitigation Strategy (description) | Implementation: Required Technologies, Products, or Services | NIST Cybersecurity Framework Category and Sub-Category Identifier (e.g., ID.AM-1) | Sub-Category Description

Risk ID: 001
Risk: Theft of customer information from online transactions
Risk Mitigation Strategy: Encrypt all communications between customers and the company's online ordering system.
Implementation: Implement Transport Layer Security; purchase and deploy digital certificates to encrypt communications.
NIST CSF Identifier: PR.DS-2
Sub-Category Description: Data-in-transit is protected.

Risk ID: 002
Risk: Threats from within the organization
Category: Employee
Severity: 5
Applicable Laws, Regulations, Standards: BSA 31 USC 531
Risk Mitigation Strategy: Prevent and avoid
Implementation: Enhance the training on the best methods to protect the data, particularly against phishing attacks
NIST CSF Identifier: N/A
Sub-Category Description: N/A

Risk ID: 003
Risk: Implementation of protective software
Category: Technology
Severity: 1
Applicable Laws, Regulations, Standards: BSA 31 USC 531
Risk Mitigation Strategy: Transfer
Implementation: The company should implement audit and log procedures
NIST CSF Identifier: PR.PT
Sub-Category Description: PR.PT-1 and PR.PT-2

Risk ID: 004
Risk: Protection processes and procedures
Category: Process
Severity: 3
Applicable Laws, Regulations, Standards: Compliance with OFAC 31 CFR 500 and CFR Part 103
Risk Mitigation Strategy: Data mitigation
Implementation: Use a backup policy, such as the implementation of cloud computing technology, to enhance safety and privacy
NIST CSF Identifier: PR.IP
Sub-Category Description: PR.PT-2, PR.PT-4 and PR.PT-5

Risk ID: 005
Risk: Data privacy and security
Category: Availability and integrity
Severity: 3
Applicable Laws, Regulations, Standards: BSA 31 USC 531
Risk Mitigation Strategy: Mitigation of the data
Implementation: Implementation of removal, transfer, and prevention while ensuring enough data for analysis
NIST CSF Identifier: PR.DS
Sub-Category Description: PR.PT-3, PR.PT-4 and PR.PT-5

Risk ID: 006
Risk: Training and awareness
Category: Complying with the existing rules and regulations
Severity: 2
Applicable Laws, Regulations, Standards: OFAC 31 CFR 500, 103 and BSA 31 USC 531
Risk Mitigation Strategy: Avoidance
Implementation: Training and awareness for PBI-FS employees
NIST CSF Identifier: PR.AT
Sub-Category Description: PR.AT-1

Risk ID: 007
Risk: Analysis of supply chain risk
Category: Confidentiality and integrity
Severity: 1
Applicable Laws, Regulations, Standards: Section 21.11 & 163.180
Risk Mitigation Strategy: Risk transfer
Implementation: Establishment and implementation of SCRM for the employees to adopt and embrace
NIST CSF Identifier: ID.SC
Sub-Category Description: ID.SC-1

Risk ID: 008
Risk: Management of the anticipated risk
Category: Procedure and process
Severity: 3
Applicable Laws, Regulations, Standards: BSA 31 USC 531
Risk Mitigation Strategy: Mitigation
Implementation: Involving the employees in the development of policies to mitigate data breaches
NIST CSF Identifier: ID.RM
Sub-Category Description: ID.RM-1, ID.RM-2

Risk ID: 009
Risk: Management of asset risk
Category: Integrity, availability, and confidentiality
Severity: 3
Applicable Laws, Regulations, Standards: BSA 31 USC 531
Risk Mitigation Strategy: Acceptance
Implementation: Management of the data through internal and external IT professionals
NIST CSF Identifier: ID.RA
Sub-Category Description: ID.RA-1, ID.RA-3 and ID.RA-6

Risk ID: 010
Risk: Governance
Category: Process and people
Severity: 5
Applicable Laws, Regulations, Standards: OFAC 31 CFR 500 and BSA 31 USC 531
Risk Mitigation Strategy: Mitigation
Implementation: Complying with the legal and regulatory policies
NIST CSF Identifier: ID.GV
Sub-Category Description: ID.GV-1 and ID.GV-3

Step 4: reviewing the laws and regulations

The effective laws to regulate the relationship between the two companies

Island Banking Services and Padgett-Beale Solutions should develop policies and rules that define the acquisition and merger. The policy will enable the organization to develop rules that hold specific employees responsible and accountable for data breaches, including data theft and fraud.

Policy statements

Given the nature of the activities conducted by Padgett-Beale Solutions, the company understands the need to provide quality service to customers by securing their data, particularly financial information. Data privacy and integrity are critical for effective decision-making. The policy should apply to both companies and incorporate the views and opinions of the entire PBI-FS personnel. The key stakeholders should accept the policies and establish penalties and fines for any party that violates the laid-down guidelines.

Management of cookies

PBI-FS should use emerging technology to attract customers and maintain their trust. PBI-FS should develop a website containing critical information about the organization. Cookie technology is common among major industries and companies for tracking and following customers who have shown interest in a company's product by visiting and exploring its website (Sander, 2020).

Step 5: Risk management and the cyber security framework in the NIST cyber security

The National Institute of Standards and Technology (NIST) provides a framework for identifying, detecting, protecting, responding to, and mitigating data breach cases (NIST CSF, 2018). NIST provides more than nine hundred cybersecurity solutions that fit the nature of any organization across the globe. Data security supports the development of the organization and enhances the career progress of its employees. Based on the nature of PBI-FS, NIST provides various recommendations, such as the implementation of intrusion prevention and intrusion detection systems.

There should be effective policies regarding internet devices in the organization. For instance, employees should not be allowed to use the organization's internet devices, such as smartphones and laptops, to conduct personal business. Secondly, employees should only use the organization's email to conduct the organization's official business. The risk responses used in the risk register have the following meanings. Acceptance means that the data risk is within the acceptable level based on the risk management responses, and the organization can handle the risk without involving external IT experts. Transfer, on the other hand, indicates that the data is vulnerable and the risk is not within the acceptable level; thus, a third party such as an insurance company needs to be brought in to take on part of the risk. Mitigation means that PBI-FS can use the available technology to reduce the impact of a data breach. Avoidance means that some risks can lead to adverse effects on the organization's information and should therefore be avoided at all costs.
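The Step 3 register and the four risk responses defined above (accept, transfer, mitigate, avoid) are easier to keep consistent when the register is held in a form a program can check. The following is an added example, not part of the original plan: a small Python risk register that validates each row (severity range, recognised response, well-formed NIST CSF sub-category identifier, assigned owner), orders rows by severity so the highest-severity items are addressed first, and reports which rows bring in an external party under the transfer response. The sample rows are a constructed subset of the plan's own register; the owner names and the malformed row 011 are constructed for the demonstration.

```python
"""Machine-checkable risk register for the PBI-FS plan.

Added example; not part of the original plan. The rows below are a
constructed subset of the plan's Step 3 table; owner names and row 011
(a deliberately malformed entry) are constructed for the demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

CSF_FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                 "RS": "Respond", "RC": "Recover"}
# CSF 1.1 sub-category identifiers have the form ID.AM-1: function.category-index
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")
RESPONSES = {"accept", "transfer", "mitigate", "avoid"}


@dataclass
class Risk:
    risk_id: str
    description: str
    severity: int                 # 1 (low) .. 5 (high), as in the plan's register
    response: str                 # accept | transfer | mitigate | avoid
    subcategories: List[str] = field(default_factory=list)
    owner: str = "unassigned"


def validate(risk: Risk) -> List[str]:
    """Return the problems with one row; an empty list means it is well-formed."""
    problems = []
    if not 1 <= risk.severity <= 5:
        problems.append(f"{risk.risk_id}: severity {risk.severity} outside 1..5")
    if risk.response not in RESPONSES:
        problems.append(f"{risk.risk_id}: unknown response '{risk.response}'")
    for sub in risk.subcategories:
        if not SUBCATEGORY_RE.match(sub):
            problems.append(f"{risk.risk_id}: malformed CSF identifier '{sub}'")
    if risk.owner == "unassigned":
        problems.append(f"{risk.risk_id}: no owner assigned")
    return problems


def register_problems(register: List[Risk]) -> List[str]:
    return [problem for risk in register for problem in validate(risk)]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest severity first; ties broken by risk ID so the order is stable."""
    return sorted(register, key=lambda r: (-r.severity, r.risk_id))


def needs_external_party(risk: Risk) -> bool:
    """Per the plan, only 'transfer' brings in a third party such as an
    insurer; accept, mitigate and avoid are handled in-house."""
    return risk.response == "transfer"


def coverage_by_function(register: List[Risk]) -> Counter:
    """Count sub-category mappings per CSF function (Identify, Protect, ...)."""
    counts = Counter()
    for risk in register:
        for sub in risk.subcategories:
            match = SUBCATEGORY_RE.match(sub)
            if match:
                counts[CSF_FUNCTIONS[match.group(1)]] += 1
    return counts


SAMPLE_REGISTER = [
    Risk("002", "Threats from within the organization", 5, "avoid", [], "HR lead"),
    Risk("003", "Implementation of protective software", 1, "transfer",
         ["PR.PT-1", "PR.PT-2"], "CISO"),
    Risk("006", "Training and awareness", 2, "avoid", ["PR.AT-1"], "HR lead"),
    Risk("008", "Management of the anticipated risk", 3, "mitigate",
         ["ID.RM-1", "ID.RM-2"], "CISO"),
    Risk("010", "Governance", 5, "mitigate", ["ID.GV-1", "ID.GV-3"], "Compliance"),
    # constructed malformed row: typo in the identifier and no owner
    Risk("011", "Awareness refresher", 2, "avoid", ["PR>AT-1"]),
]

if __name__ == "__main__":
    for problem in register_problems(SAMPLE_REGISTER):
        print("PROBLEM:", problem)
    for risk in prioritize(SAMPLE_REGISTER):
        flag = " (external party)" if needs_external_party(risk) else ""
        print(f"{risk.risk_id} sev={risk.severity} {risk.response}{flag}: {risk.description}")
    print(dict(coverage_by_function(SAMPLE_REGISTER)))
```

Running it lists the two problems with row 011, prints the register in the order it should be worked, and shows how the mapped sub-categories are distributed across the CSF functions, which makes gaps such as the absence of any Detect, Respond or Recover mapping visible at a glance.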

Step 6: Cybersecurity strategy that Padgett-Beale Solutions should adopt

The first recommendation is to create awareness and train employees to detect security vulnerabilities and data breaches and to report them to the relevant authorities. The second recommendation is to implement data encryption through IBM Guardium (Choi, Jeon & Kim, 2019). Encryption will enhance data security and privacy even if the data lands in the wrong hands. The third measure is to implement a backup solution; the most effective technology infrastructure for data safety is cloud computing, since it is less vulnerable to attacks. The fourth recommendation is to implement the updated Barracuda CloudGen Firewall, which will enable PBI-FS to protect the organization's computers from external threats. The fifth measure is to implement a demilitarized zone (DMZ), which works together with the firewall to keep malware out (CRT, 2019).

Step 7: a proposed plan of action and Implementation timetable

Columns: Action description | Resources | Timeline | Budget estimate ($) | Description

Action: Intrusion prevention and detection
Resources: IT personnel and internet devices such as laptops
Timeline: Three days
Budget estimate ($): 450,000
Description: Intrusion prevention and detection will require highly specialized personnel and powerful laptops.

Action: Development of strategic leadership
Resources: Employees
Timeline: Three days
Budget estimate ($): 310,000
Description: Training is needed to enlighten the employees on effective strategic leadership to identify and manage vulnerabilities.

Action: Implementation of encryption technology
Resources: IT specialist and computers
Timeline: Five days
Budget estimate ($): 300,000
Description: Implementation of encryption technology will ensure that even if critical data were stolen, it would not be of any use to the third party.

Action: Implementation of 2-factor authentication
Resources: IT professional and scanner
Timeline: One day
Budget estimate ($): 150,000
Description: No third party will access data without the verification code from the authorized user.

Action: Implementation of the firewall
Resources: IT specialist
Timeline: One week
Budget estimate ($): 350,000
Description: The employees should also be trained to update the firewall based on the recommendations from the software developer.

Step 8: summary and recommendation

Based on the analysis, PBI-FS has various cybersecurity issues inherited from Island Banking Services. If PBI-FS takes no measures, the company will also be vulnerable to a data breach. Therefore, the following recommendations are critical to enhancing data privacy, integrity, and confidentiality. The first recommendation is that PBI-FS review the laws and develop policies that adhere to the rules and regulations governing the acquisition and merger. Secondly, the company should assess the competence of its IT professionals and ascertain whether they are competent enough to secure the organization's data using the available resources. I also recommend that PBI-FS involve the employees during the planning and implementation of the technology; research shows that employees are more likely to support projects that involve them in thorough planning and implementation. The fourth recommendation is that there should be effective communication in addressing the strategies and policies concerning access control, as effective communication is essential in any organization to get everybody on board. Lastly, the resources required to implement an effective technology policy should be communicated.

Memorandum

To: PBI-FS

From: computer expert

Date: 4 February 2022

Subject: Mitigation recommendation for the cybersecurity risks

I am taking this chance to make recommendations based on the gap analysis of PBI-FS, the company formed after the merger between Padgett-Beale and Island Banking Services. Since Island Banking Services was declared bankrupt following cyber insecurity and money laundering, there are various risks associated with the transfer of its hardware, software, and files.

Throughout my analysis I have emphasized compliance with the rules and regulations laid down by the federal government to enhance data security. My analysis also includes a plan of action in which I have given the timelines, the people responsible, and the budget required to implement the changes. The timeline is short so that the company does not create more vulnerability during project implementation. The estimated cost will enable the company to seek sponsors and grants if there are insufficient funds within the organization.

The key stakeholders at PBI-FS should review the rules and regulations to enhance compliance and avoid penalties and fines from the relevant authorities. Therefore, I recommend that PBI-FS check how to handle data breaches based on the Federal Information Security Management Act (FISMA). IT professionals should be recruited based on experience and merit to ensure that detection systems, the firewall, and 2-factor authentication technologies are well installed and regularly monitored.

References

Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology, Gaithersburg, MD, USA, Tech. Rep.

Choi, J. P., Jeon, D. S., & Kim, B. C. (2019). Privacy and personal data collection with information externalities. Journal of Public Economics, 173, 113-124.

CRT. (2019). Barracuda Firewall: An In-Depth Review. CR-T. Retrieved from https://crt.com/blog/barracuda-firewall-an-in-depth-review/

Kshetri, N. (2017). Blockchain's roles in strengthening cybersecurity and protecting privacy. Telecommunications policy, 41(10), 1027-1038.

Lamba, A. (2018). Protecting 'Cybersecurity & Resiliency' of Nation's Critical Infrastructure: Energy, Oil & Gas. International Journal of Current Research, 10, 76865-76876.

NIST CSF. (2018). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.

Sander, J. (2020). How to Handle Cyber Security during Mergers and Acquisitions. Finance Digest. Retrieved 22 February 2021, from https://www.financedigest.com/how-to-handlecyber-security-during-mergers-and-acquisitions.html.