CWU Gap Analysis and Security Controls Assessment Discussion



To: Chief Information Security Officer

From: VICKYSON J, Mergers & Acquisitions Team

Date: March 30, 2020

Subject: Gap Analysis and Security Controls Assessment

Several events that have been identified as contributing factors to the bankruptcy of Island Banking Services (IBS) were able to take place because of inadequate or non-existent internal controls at IBS. The lack of effective internal controls allowed criminal conduct to go undetected and prevented the restoration of operations after law enforcement personnel removed critical equipment and data as evidence. A gap analysis has since been performed as a means of identifying the applicable categories, or families, of security controls needed to mitigate the risk of such events recurring and resulting in a shutdown of business operations.

The criminal investigation into IBS was initiated because of criminal activity that occurred at the company and went undetected. This behavior was able to go undetected because audit and accountability controls had not been implemented at IBS. The audit and accountability family of security controls is defined in NIST Special Publication (SP) 800-53, Rev. 4. This family of controls requires the retention and independent review of activity and system logs to ensure compliance, detect violations and performance issues, and report unauthorized or inappropriate activity (Nieles, Dempsey & Pillitteri, 2017, p. 60). Controls in this family not only require the retention of system logs, but also ensure non-repudiation, meaning that each user's actions can be uniquely traced to that user to ensure accountability (Nieles, Dempsey & Pillitteri, 2017, p. 60). Integrating audit and accountability controls will enable auditors to detect and limit unauthorized activity performed at IBS in the future.

When the law enforcement investigation was initiated, many of IBS' workstations and servers were seized as forensic evidence. This resulted in the halting of the financial services provided by the company, as IBS did not have a backup hot or cold site identified for continuity of operations. Moreover, the storage media that law enforcement seized as evidence had not been backed up. This left IBS with no way to recover the data after the incident. IBS did not have proper contingency plans or incident response plans in place, which resulted in a worst-case scenario. Having a contingency plan in place would have ensured the company was prepared for this type of incident and would have been able to take steps to restore operations and minimize the damage (Nieles, Dempsey & Pillitteri, 2017, pp. 61-62). For example, IBS should have had an off-site processing facility identified, with backup equipment available to restart critical operations. Moreover, as part of its contingency planning efforts, IBS also should have developed incident response plans, enabling the company to train employees and test its response measures (Nieles, Dempsey & Pillitteri, 2017, p. 64). Both the Contingency Planning and Incident Response security controls are identified under the Cybersecurity Framework as protective controls for information protection (NIST, 2018, p. 35). Having internal controls in place to develop and test contingency plans and incident response efforts may very well have prevented IBS from filing for bankruptcy.

To summarize, security controls from the following families (Audit and Accountability, Contingency Planning, and Incident Response) have been identified as critical gaps in the information security program for IBS. The controls that IBS currently has in place have been deemed inadequate or missing altogether. To mitigate the risk of a future shutdown of operations and to deter unauthorized actions, such as those that occurred under previous ownership, PBI-FS must look to immediately integrate the appropriate controls into the information security program.

Thank you,

VICKYSYON

Mergers & Acquisitions Team

References

Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017, June). NIST Special Publication 800-12, Revision 1: An introduction to information security. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final

NIST. (2018, April 16). Framework for improving critical infrastructure cybersecurity, Version 1.1. Retrieved from https://doi.org/10.6028/NIST.CSWP.04162018