responds to post below just half page 1

To: Padgett-Beale CISO

From: bosek sakayo

Date: March 31, 2020

Subject: Identification and Selection of IT Security Controls

Introduction

The M&A team has identified three events that contributed to the bankruptcy of IBS: company officers and senior managers were able to conduct criminal activity using company IT assets without detection, the company did not have a disaster recovery/business continuity plan, and storage media were not backed up off premises. The following families of controls from NIST SP 800-53 will be used to remediate these deficiencies (Security and Privacy Controls, 2013):

  1. AU (Audit and Accountability) – The AU family focuses on the audit process and guides an organization in building effective auditing into its processes and systems.
  2. CP (Contingency Planning) – The CP family focuses on preparing an organization to maintain its essential mission and functions during a disruptive event. It guides an organization in supporting an effective contingency plan and cost-effective means of reacting rapidly and effectively to a disruptive event.

Analysis

The following controls within the AU and CP families are recommended to address the deficiencies above.

  • AU-3 Content of Audit Records – This control requires information systems to generate audit records that capture what type of event occurred, when and where it occurred, its source, its outcome, and the subjects involved (NIST, n.d.). This control can be implemented by employing software that manages the audit. This will help deter people in the company from carrying out criminal activities using the company’s IT assets. For example, a malicious person might try to log in to the company system outside of work hours to be discreet from other employees, but audit management software would record the login information, and that user would be questioned.
  • CP-2 Contingency Plan – This control requires a company to have practical contingency and recovery plans that will help the business function during a disruptive event such as the loss of servers and workstations. The contingency plan must identify the essential business mission and be tested and reviewed periodically. During an incident, everybody should know their roles and responsibilities and carry out the objectives written in the contingency plan to sustain the critical mission and operations.
  • CP-6 Alternate Storage Site – This control focuses on implementing a storage site off the premises for emergencies in which on-premises storage fails to support business operations. Cloud technology is recommended for alternate storage because the cloud service provider offers robust security, reliability, and accessibility (KeepItSafe, n.d.).
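The after-hours login scenario under AU-3 can be checked mechanically once audit records carry the required content. The following is an added example, not part of the original memo; the field names, business hours, and sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, time

# AU-3 content elements: event type, when, where, source, outcome, subject.
# The field names are assumptions for this example, not a NIST-defined schema.
AU3_FIELDS = ("event_type", "timestamp", "location", "source", "outcome", "subject")

# Assumed business hours (local time) and working days (Mon=0 .. Fri=4).
WORK_START, WORK_END = time(8, 0), time(18, 0)
WORK_DAYS = range(0, 5)

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """\
{"event_type": "login", "timestamp": "2020-03-30T09:12:00", "location": "hr-ws-07", "source": "10.0.4.21", "outcome": "success", "subject": "jdoe"}
{"event_type": "login", "timestamp": "2020-03-31T02:47:00", "location": "fin-srv-01", "source": "10.0.9.5", "outcome": "success", "subject": "cfo_admin"}
{"event_type": "login", "timestamp": "2020-03-28T14:05:00", "location": "fin-srv-01", "source": "10.0.9.5", "outcome": "failure", "subject": "cfo_admin"}
{"event_type": "file_read", "timestamp": "2020-03-31T10:30:00", "location": "fin-srv-01", "outcome": "success"}
"""

def missing_au3_fields(record):
    """Return the AU-3 content elements that are absent or empty in a record."""
    return [f for f in AU3_FIELDS if not record.get(f)]

def is_after_hours(ts):
    """True if the timestamp falls outside the assumed working days/hours."""
    return ts.weekday() not in WORK_DAYS or not (WORK_START <= ts.time() < WORK_END)

def review(log_text):
    """Split records into incomplete ones and after-hours logins to follow up."""
    incomplete, after_hours = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = json.loads(line)
        missing = missing_au3_fields(record)
        if missing:
            incomplete.append((lineno, missing))
            continue  # cannot attribute the event without full content
        ts = datetime.fromisoformat(record["timestamp"])
        if record["event_type"] == "login" and is_after_hours(ts):
            after_hours.append((record["subject"], record["timestamp"], record["outcome"]))
    return incomplete, after_hours

if __name__ == "__main__":
    incomplete, after_hours = review(SAMPLE_LOG)
    print("Records missing AU-3 content:", incomplete)
    print("After-hours logins to review:", after_hours)
```

Records that lack a source or subject are reported separately because they cannot be tied to a person, which is the accountability gap AU-3 is meant to close.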

Summary

The M&A team has identified three events that occurred at IBS and that played a big part in IBS going bankrupt. These were the result of not having adequate internal controls and a contingency plan. NIST SP 800-53 was used to suggest controls that may help address the deficiencies mentioned: AU-3 (Content of Audit Records), CP-2 (Contingency Plan), and CP-6 (Alternate Storage Site). The team suggests employing audit management software, strategically written contingency plans, and a cloud service. These will help counter officers and managers using the company’s IT for criminal activities and help sustain essential business operations after servers, workstations, and storage media have been disrupted.

Resources:

KeepItSafe. (n.d.). ON-PREMISES VS OFFSITE BACKUP. Retrieved March 31, 2020, from https://www.keepitsafe.com/docs/default-source/whi…

NIST Special Publication 800-53 (Rev. 4). (n.d.). Retrieved March 31, 2020, from https://nvd.nist.gov/800-53/Rev4/control/AU-3

Security and Privacy Controls for Federal Information Systems and Organizations. (2013). doi: 10.6028/nist.sp.800-53r4
