Week 3 (Security Management)

Running head: COMPREHENSIVE SECURITY MANAGEMENT PLAN 1

Comprehensive Security Management Plan

Course Number: Security Management (CS 654)

Project Name: Western County Bank Securities

Student's Name: Ritesh Parepally

Date of Submission: 2/23/2109

Institution: Colorado Technical University

Contents

(Week 1) Project Outline
Background Information
Security Requirements
Security Responsibilities Roles in both Silo and WG
Responsibilities of the Chief Security Officer (CSO) of the Western County Bank
Flow of Information
Security Decision Making
(Week 2)
(Week 3) System Design Principles
(Week 4) The Training Module
(Week 5) Final submission
References

Comprehensive Security Management Plan

(Week 1) Project Outline

Background Information

This section describes the establishment of a Comprehensive Security Management Plan for Western County Bank. In the last two years, Western County Bank has experienced rapid growth, which is expected to continue in the near future. The bank is expected to grow by 70% in the next eighteen months; this growth presents new security challenges and calls for a Comprehensive Security Management Plan. The continued growth also means that the Bank will handle more data, which will attract safety and security issues. The company has annual revenue of $198 million and is expected to grow significantly. It has 300 employees, of whom 100 work part-time while the rest work full-time. It is located in the state of Ohio and covers 23 square kilometers. The bank currently uses PRINCE2 project management with ISO 27001 (Dorca, Munteanu, Popescu, Chioreanu, & Peleskei, 2016).

Figure 1 Corporate Organizational Chart

Figure 2 WG Structure

Security Requirements

To establish a Comprehensive Security Management Plan for this company, the guidance of the security working group (WG) and the Silo structure will be employed. Our security priorities for Western County Bank with regard to the WG are: (a) protection of data at rest, (b) protection of data in transit, and (c) secure network access. These three are the most sensitive areas of security in any organization. Under both the Silo structure and the WG, data at rest and data in transit will be protected by encryption. For secure network access, access controls such as firewalls will be installed in the network infrastructure under both the Silo structure and the WG.

Security Responsibilities Roles in both Silo and WG

In both organizational structures, the Chief Information Security Officer is the head of information security, and the role consists largely of administering and leading the security function. There are no differences in this officer's role between the two security organizations.

Responsibilities of the Chief Security Officer (CSO) of the Western County Bank

According to Peltier (2016), CSOs are responsible for enhancing physical security and strengthening IT security. They identify the organization's protection needs and objectives and ensure that these align with the organization's strategic plans. CSOs work with other security executives to decide on security priorities. They also spend within the financial constraints and directives of the organization. In addition, CSOs oversee the coordination of security directors, managers, and staff, and at the same time work with state, federal, and local law enforcement and other agencies in the security sector.

Flow of Information

Security information in the security department flows in one direction: information from staff and security executive officers must pass through the CSO for approval.

Security Decision Making

Decision making in the security department of Western County Bank is carried out through meetings. A discussion meeting shall be held whenever a security decision is to be made, and the decision is subject to the approval of the CSO.

(Week 2)

Security Business Requirements

Organizations need comprehensive risk assessment techniques to determine the worth of any data they generate or store. To make the best use of available IT resources, it is useful to understand the relative importance of data systems such as communication and storage mechanisms. To meet such requirements, organizations should employ a security risk assessment that draws on the ideas and best practices of established risk assessment approaches and that covers all the factors in an IT organization. The security assessment should focus on the main areas of the organization, including hardware and software, employee awareness and training, and all business processes. The main goal of assessing an organization's security risk is to identify and improve its security status; it also helps management engage and collaborate with other security personnel in examining the organization from an attacker's point of view (Security Risk Assessment Project Management, 2016). Commitment to the allocation of resources and the implementation of the best solutions is also made through the assessment strategies. Assessment further makes it possible to prioritize and allocate the most needed technological resources. Data storage and its associated exposure to external attacks are the leading variables in security business requirements.

Security business requirements are built on several rationales to ensure that the use of IT in any area does not introduce additional risks that could lead to an attack on the business. The rationale for defining security business requirements includes cost justification, which stabilizes the budget with respect to the added expenses. The productivity that comes with the security requirements and their management must also be assessed to avoid unexpected losses. Decisions concerning business security should also involve the staff, so that no security-related operation escapes their notice and so that they are more aware of what is happening around them. Staff analysis and communication are also important requirements in business security and need more emphasis in order to counter an attacker's ability to gain access. The security requirements of a business are therefore determined by the business objectives, the business system network or orientation, and the infrastructure configuration. Additional security requirements concern the information about the business that is available to the public or on the business website, database files and their management, network details and protocols, network monitoring, the government regulations that apply to the business, and whether the business has documented and stable operating policies.

Capability Maturity Model Integration (CMMI) and The Process Areas (PA)

Capability Maturity Model Integration is a model that describes the behavior and processes in organizations. The model is useful for improving their processes and for motivating production through efficiencies in risk reduction in software and product development services. The CMMI model has specific operating guidelines, starting with an appraisal of all activities within an organization. The appraisal assesses three main areas: the development of services in a process, the establishment of the developed services, and the management and product acquisition of the established services. Appraisal in the CMMI model is a process that runs in stages (Kovacheva & Todorov, 2015).

As a behavioral model, the CMMI can also be used by organizations to manage their logistics and so support the process of improving their performance. Organizations such as IT developers and users can use the CMMI behavioral model to benchmark and create effective structures for productivity improvement and to ensure efficient operating behaviors within the organization. At every stage, the CMMI aims at an easier and more cost-effective understanding of the business while integrating and deploying (Summary of CMMI-SW (Staged), 2017). The behavioral benchmarking tips keep the organization's focus on quality rather than quantity. By using the model, organizations can move to the top maturity level defined by the CMMI model. The levels are, from lowest to highest: initial, managed, defined, quantitatively managed, and optimizing. The CMMI model has up to twenty-two process areas that help an organization achieve its goals and reach the top maturity level. The process areas include product improvement, organizational training, organizational process performance, organizational performance management, and organizational process focus, among others.

The CMMI process area of highest importance for my project is Organizational Performance Management (OPM). My main reason is its goal: it focuses on innovation and deployment and sits at the top level of organizational maturity. The general practice is to manage business performance so that the business objectives are met more easily. The specific practices under this PA's goal are managing business performance by identifying potential areas for improvement, selecting improvements for the business by eliciting suggested improvements, and deploying improvements by evaluating the effects of deployment.

This paper addresses the types of IT outsourcing and how they affect the running of organizations when incorporated into a cloud computing system. It further discusses security business management and how to avoid risks from attackers through the use of IT. CMMI and its process areas are also discussed with respect to how they help an organization reach the optimizing maturity level through defined goals and specific and general objectives.

(Week 3) System Design Principles

(Week 4) The Training Module

(Week 5) Final submission

References

Dorca, V., Munteanu, R., Popescu, S., Chioreanu, A., & Peleskei, C. (2016, May). Agile approach with Kanban in information security risk management. In 2016 IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR).

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Kovacheva, T., & Todorov, N. (2015). Optimizing software development process: A case study for integrated Agile-CMMI process model. 2011 IEEE EUROCON - International Conference on Computer as a Tool.

Security Risk Assessment Project Management. (2016). The Security Risk Assessment Handbook.

Summary of CMMI-SW (Staged). (2017). Jumpstart CMM/CMMI Software Process Improvements.