Central Washington University Gap Analysis Remediation Discussion

To: Padgett-Beale CISO

From: K. Sondu

Date: March 31, 2020

Subject: Gap Analysis – Remediation

As the company is in the process of migrating Island Banking Services, we needed to review why the company went bankrupt. One of the ways to do this is by performing a Gap Analysis to fully understand what the current state of their IT infrastructure and where we want it to be, to ensure updated security standards are in place. (Rouse, 2014) After reviewing the root causes of Island Banking’s bankruptcy from the Migration & Acquisition team, I have gathered the best actions moving forward to adjust their IT infrastructure so that Padgett-Beal would be protected from those incidents reoccurring. These control remedies include Audit and Accountability and Recovery Planning. I believe implementing these controls will have Island Banking’s current ineffective and missing IT security controls be updated to our security posture.

With guidance with the National Institute of Standards and Technology’s (NIST) Special Publication 800-53, the first control that should be implemented is Audit and Accountability. Under this control is AU-6 Audit Review, Analysis, and Reporting. (NIST, 2013) This control will require the organization to review and further analyze events that may be considered malicious activity as well as how to report them. To perform this objective we would be implementing some kind of Intrusion Detection System that will monitor traffic. It’ll create a baseline with normal activity and any odd activity will notify personnel to further investigate the activity. The outcome of this audit should would be to ensure the organization is keeping its complying with regulatory and legal requirements, identify possible problems, and to ensure controls are working as attended. (Schreider, Svetcov, Williams, Fitzgerald, & Baklarz, n.d.)

Another reason why Island Banking went bankrupt was due to the fact that they didn’t have a disaster recovery plan. Once their servers and workstations were seized by law enforcement, they couldn’t continue to operate due to not having the hardware to complete any tasks. The function that should be implemented is Recovery Planning (RC.RP) from NIST’s Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2018). The recovery planning function will help strategies what needs to be executed to ensure vital systems are restored to continue operations. To perform this objective is by creating a Disaster Recovery Plan that will identify key hardware items that the organization needs to continue operations. (Ready, n.d.) This control not only creates a recovery plan if hardware is seized, but in case of other scenarios that might occur such as a power outage or severe weather that might destroy the building.

Lastly, not only did Island Banking not have recovery plan for their hardware, but also their data. If they were able to obtain servers and workstation to continue operations, they didn’t have any of the data to keep operating. The control that should be used is within the Incident Response family in NISTs 800-53 titled IR-8 Incident Response Plan. (NIST, 2013) This control creates a guide to meet the requirements needed for the company to operate fully in case of an incident that would degrade or destroy their services. With their data, it would be required to have some sort of automated schedule to backup data of necessary information to another location where it could be stored safely and securely from any cyber and physical destruction.

The Migration & Acquisition team has identified root causes of why Island Banking went bankrupt. In order to identify and correct these causes a gap analysis was performed to identify Island Bankings information system infrastructure and provide guidance to update these systems to be compliant to proper security standards. I believe my recommendations will close the gap to ensure that Padgett-Beal is protected as the company moves forward with the acquisition of the bank. We’ve identified their mistakes, and in order for us to continue to grow we must make changes to protect the company and its future.

References

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from

https://nvlpubs.nist.gov/nistpubs/SpecialPublicati…

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Retrieved from

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.0…

Ready. (n.d.). IT disaster recovery plan. Retrieved from

https://www.ready.gov/business/implementation/IT

Rouse, M. (2014, December). What is a gap analysis? Retrieved from

https://searchcio.techtarget.com/definition/gap-an…

Schreider, T., Svetcov, E., Williams, K., Fitzgerald, T., & Baklarz, R. (n.d.). Certified Chief Information Security Officer [Version 3]. Retrieved from

https://evantage.gilmoreglobal.com/#/