SECURITY POLICIES APPLICABLE TO BANK SOLUTIONS
Various bodies have developed laws, policies, regulations and standards that define acceptable levels of security and interoperability, among other factors. Different policies and acts control the formulation and use of the technologies, standards and procedures involved (Choi, 2009).
Adherence to the Federal Information Security Management Act (FISMA) is important for a company that wants to interoperate with federal information technology architectures. FISMA establishes a comprehensive framework for protecting government information, operations and assets against natural and man-made threats, including where those assets are handled by private enterprises under contract. FISMA itself is codified in Title 44 of the United States Code (Chapter 35); its amendments to the National Institute of Standards and Technology Act (Title 15, Chapter 7) assign NIST the role of developing the standards and guidelines that govern the information systems operated by federal agencies, contractors and other organizations on their behalf (other than national security systems), so that threats are detected and mitigated efficiently.
NIST develops the standards and guidelines that set the minimum requirements for information security in an agency. It also spells out the responsibilities assigned to its Computer Security Division and sets the minimum standards envisaged in Title 44, section 3532(b)(2). Section 1(a) defines the criteria and standards for categorizing the information systems, and the information collected or maintained, of federal agencies, contractors and private entities, together with the associated categories, guidelines and standards. To meet these obligations, NIST has outlined nine steps that organizations must follow in order to comply with FISMA and the related standards (Choi, 2009):
- Classification of the information that requires protection
- Determination of baseline controls necessary for agencies and organizations
- Evaluation and refinement of the controls on the basis of a risk assessment
- Documentation of controls
- Implementation of outlined security controls within the required information systems
- Assessment of the effectiveness and usability of the security controls before and after implementation
- Continuous monitoring and evaluation of the security controls for the purpose of ensuring adherence to the set goals
- Evaluation of the risks faced by the agency in respect to the business case and mission
- Authorization of information systems for processing
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PUBLICATIONS
NIST Special Publication 800-53 provides the guidance that organizations apply when auditing their systems to identify security and operational needs. Its Audit and Accountability (AU) control family requires formal, documented audit and accountability policies and procedures; it also requires the definition of auditable events, sufficient audit storage capacity, a defined response to audit processing failures, and the review, analysis and reporting of audit records. Further AU controls cover monitoring for information disclosure, audit record generation, non-repudiation, audit reduction and report generation, and session auditing. Together these measures allow an organization to detect misuse, incidents and weaknesses in its systems and to develop the appropriate control mechanisms and measures.
In the case of Bank Solutions, the problems identified include weak access authorization and poorly managed privileges, which in turn undermine event logging and other processes. Implementing the Access Control (AC) family of NIST SP 800-53 will drive the development, dissemination and periodic update of formal access control policies and procedures that cater for the management and coordination of the system. The publication specifies controls for account management, access enforcement, information flow enforcement, separation of duties and least privilege. It also addresses session controls, automatic marking, management of publicly accessible content, user-based collaboration and access control. The guidelines apply to both general and specific uses and have clear implications for the system's security posture, the quality of forensic audits and the effectiveness of controls.
Bank Solutions can maintain continuity and interoperability through periods of change by implementing the configuration management (CM) guidelines. These cover the development of configuration management policies and procedures, the design of baseline configurations, control over configuration changes, and restrictions on access during change periods. A security impact analysis of the system is carried out both before and after each change. Further benefits include the development of a configuration management plan and an inventory of system components (Foreman, 2010).
Bank Solutions also suffers from poor awareness and management of its disaster recovery and business continuity (DRBC) plans, among other shortcomings. The Awareness and Training (AT) controls of NIST SP 800-53 provide a structured way to address such inefficiencies: the publication calls for formal, well-documented procedures for security awareness and training, so that training needs are identified and met continuously for the benefit of all users in the organization.
In addition, NIST SP 800-53 provides the much-needed agency-level risk assessment and vulnerability scanning controls. These procedures ensure that security is managed efficiently and that threats arising from exposure are properly mitigated. The controls supply the policies and procedures that guide the implementation of the highlighted security controls and enhancements in compliance with federal law (NIST, 2013).
Bank Solutions' backup measures are inefficient and have proved unusable for disaster recovery and restoration. This leaves the company's disaster preparedness and planning inadequate and in need of a complete overhaul and redesign. The problem can be addressed through the contingency planning (CP) policies and procedures of NIST SP 800-53. Their implementation covers the establishment of alternate processing sites, the use of adequate backup telecommunications services, and a redesign of the information backup and storage arrangements. These controls become part of the company's security policy and play a major role in restoring its systems in an emergency (NIST, 2013).
In conclusion, it is evident that selecting and implementing the necessary security controls for an organization is an important exercise with major implications for how personnel operate and how assets are secured. Security controls are the fundamental parameters that define the managerial, operational and technical safeguards and countermeasures deployed in an organization's information system. Their fundamental aim is to preserve and, where necessary, restore the confidentiality, integrity and availability of the information within the system. Bank Solutions faces major challenges in protecting and safeguarding its systems. Implementing NIST SP 800-53 provides a framework that addresses the technical, management and operational aspects of its security.
References
Choi, J. P., Fershtman, C., & Gandal, N. (2009). Network Security: Vulnerabilities and Disclosure Policy. Tel Aviv: CERT/CC.
Foreman, P. (2010). Vulnerability Management. London: Taylor & Francis.
Ipswitch File Transfer. (2012). Supporting FISMA and NIST SP 800 with Secure Managed File Transfer.
NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 4). Gaithersburg, MD: National Institute of Standards and Technology.