Implementation of Security Plan

Relationship: Create and implement data dictionary when designing DRBCP strategy to effectively describe, define and document data to ensure that files can be located and its integrity are maintained at all times.

4. DRBCP team member are not trained or familiar with the policy and procedure

Relationship: after the DRBCP is implemented, the team lead and other top management should prepare to take on training session making sure each and every defined role has a designated team member is equipped and prepared to respond during emergency

Relationship: a copy should be readily available to all team member and also make sure it is available to third-party vendor

6. Recovery Team member descriptions not defined in the DRBCP strategy

Relationship: To know who need to do what.

7. Power users have write permission to the log files

Relationship: permission to folder and files should be properly delegated through Active Directory via windows server 2012. Team member with power user write is a security risk due to the fact that he/she can modify log files and other critical data. Limited permission should only be given to members based on the specific role in the DRBCP

8. Backup process routinely failed due to unknown reason at one item processing facility.

Relationship: properly managing log file is vital during restore process. All storage media should be verified to ensure availability of data during emergency. Due to backup failure, NetApp is highly recommended to provide an effective cloud-based storage.

9. Business Function Recovery Priorities not set

Issue Prioritization

Each security issue identified is unique and should be treated differently. The following are the proposed prioritizations based on urgency, security posture, availability resource. Priorities are ranked on a scale of 1-4; Priority 5 (Critical), Priority 4 (High), Priority 3 (Medium) and Priority 1 (low)

Priority 1. Incomplete documentation– each and every aspect of the plan should be defined and properly document

Priority 2 – customize the remaining four item processing facilities.

Priority 3 - DRBCP failed to identify Recovery Time Objectives (RTOs) - time to recover should be minimized

Priority 2 A copy of DRBCP not readily available. Access to information is very critical especially incoming third-party vendors. The plan should be accessible and visible.

Priority 3 Recovery Team member descriptions not defined. Designate team leader and a backup leader. Define each team member duties based on their expertise or responsibility.

Priority 3 Business Function Recovery Priorities not set- identify and define critical infrastructure, applications and data

Priority 4 Power users have write access to the log files. Implement Active Directory to effectively apply permission based on team member role or function.

Priority 5 – outdated DRBCP – Immediately develop or update current plan utilizing all recommendation from the review.

Priority 5 – team member training and awareness –implement training programs to educate team members to be equipped and ready to execute the plan effetely during an emergency.

Priority 5 Backup process routinely failed due to unknown reason. Upgrade hardware and software and verify or conduct drill to verify the plan meets expectation. Investigate very backup or restore error and implement immediate solution.

Government Regulations and Standards.

1. The Payment Card Industry Data Security Standard (PCI DSS) is a security standard implemented in 2004 by credit card companies such as Discover, Visa, MasterCard and American Express. This financial service is administered by the Payment Card Industry Security Standards Council (n.d)

Rationale: to protect consumers and secure debit and credit card transactions against criminals and data fraud or theft.

2. Gramm-Leach-Bliley Act (GLBA) – this standard is geared towards customers personal information and security review. It outlined how financial institutions collects and sure data. focus on the information security review of consumers’ personal financial information (Gramm-Leach-Bliley Act, n.d.).

Rationale: to protect and defends sensitive data from unauthorized personal and lowers financial institution risk against the rising threat of cyber attacks

3. NIST SP 800-92: Guide to Computer Security Log Management – this regulation helps financial institution develop and implement log management infrastructures.

Rationale: to establish log management policies and procedures to make ensure log management for specific systems is done successfully throughout the institution. System admin should receive adequate support (Noblis, n.d).

4. NIST SP 800-84 Rv1 – focus on procedures for supporting business operations while recuperating from a substantial interruption. It addresses organization’s mission essential; facility-based plan and information systems.

Rationale - to help organizations in developing, designing, conducting, and evaluating test, training, and exercise to aid team member in preparing for hostile situations involving IT infrastructure (Grance, et al)

NIST SP 800-53 controls Used

NIST 800-53 Control – AT-3 Role Based Security Training & AU-6 Audit Review, Analysis, and Reporting.

NIST 800-53 Control – MP-4 Media Storage and MP-5 Media Transport

Rationale: backup system including media storage should be properly vetted to make sure data can be accessible and readily available. This control outlined how to properly safe guide all storage media and procedure to recycle when no longer needed.

NIST 800-53 Control - AT-1 Security Awareness and Training Policy and procedures.

Rationale: develop security awareness and training programs including disaster recovery, incident response, and business continuity.

Recovery Planning (RC.RP) RC.RP-1

Rationale: DRBCP strategy should be done during or after an incident and procedures are performed and sustained to ensure timely restoration of systems or facilities affected by cyber-attack or data breach (Tsygalnitsky, n.d).

References