Unit III Case Study (docx, 7 pages). Columbia Southern University, course 4320, Information Systems. Uploaded Dec 6, 2023 by briandjones127.
Running head: UNIT III CASE STUDY
Unit III Case Study
Brian Jones
Columbia Southern University
Unit III Case Study – Regional Bank
After two years of rapid growth and the acquisition of smaller financial institutions,
Regional Bank is looking to expand further. The goal is to acquire other smaller banks and
continue their growth with an end goal of becoming a publicly traded company in the next three
to five years. A major roadblock appeared in the form of regulators from the Federal Deposit
Insurance Corporation (FDIC) who will not approve further acquisitions at this time. Pursuant to
FDIC Act section 18(c), the FDIC can block further acquisitions until certain criteria are met
(FDIC, 2019). In this case, the issue is the information security policy that Regional Bank has in
place. Regulators have stated that the policy is confusing, lacking structure, and filled with
discrepancies.
Research and Interviews
To begin to fix the issues that the regulators have noted, the first step should be reviewing the policies already in place. A thorough review will highlight the exact areas that the regulators have mentioned. After the review, the individual tasked with correcting the issues can determine which sections need to be reworked or reworded and which need to be scrapped completely and started over. It would also be wise to ensure that the security policies are standardized across all the institutions that have already been acquired; it would create more problems if the policies were not carried over into each new acquisition. It would also be extremely beneficial to review the logs and findings from previous audits. Those audits may have exposed inadequacies that were not properly addressed and may be part of the larger issue.
In addition to reviewing the policies, interviewing the individual, or group, that drafted
the original policies would offer some insight into the original intent of the policies. Those
individuals could also review the documented policies to verify if any revisions or changes have
been made. Often, policies can be amended or added “on the fly” and may go unnoticed by the
policy writers. Interviewing the Board of Directors of the bank would also add a layer of
information to the findings. The Board will have their own opinions as to what the ultimate goals
for the company will be and may have input into changes that need to be made.
After reviewing the documentation and conducting interviews with the key decision
makers, decisions can then be made as to whether any material from the original policies can be
useful moving forward. At the very least, the original goals and objectives of the company
should be taken into consideration along with the outline or framework of the original security
policies. The goals and objectives of the company are generally set by the board of directors and
give guidance as to where the company is headed.
Writing New Policies
ISO Domains and Certification
When drafting the updated policies, using the recommendations and domains set forth by
the International Organization for Standardization (ISO) would greatly benefit the company. Of
the multitude of domains and sections used by ISO, there are a few that would be the most
beneficial. First, and foremost, is the ISO 27002:2013 Code of Practice. The Code of Practice is
a comprehensive set of recommendations relating to information security. The intent of this code
is to act as a single point of reference for identifying the range of controls needed by any organization, regardless of size. The Code does not mandate specific controls but allows each organization to use a risk assessment-based process to identify the controls that best suit its requirements (Santos, 2019). The sections that should be used are:
Section 5 – Information Security Policies. This section focuses on policy requirements and the importance of managerial support.
Section 8 – Asset Management. Section 8 focuses on the accurate inventorying of data and devices.
Section 9 – Access Control. This section is aligned with the steps that need to be taken to prevent unauthorized access to the system or network and to manage authorized access. This section will be critical, as there are already multiple branches and more will be added later.
Section 10 – Cryptography. The section on cryptography will ensure that the sensitive data and information used by the bank are kept private and secure.
Section 11 – Physical and Environmental Security. This section not only outlines how to keep each location safe, but also how to deal with the destruction of sensitive documents that are no longer needed.
Section 12 – Operations Security. Operations security entails, among other areas, managing data loss and the proper logging of incidents, including attacks or malware.
Section 13 – Communications Security. With more and more business taking place via the Internet, this section is of great importance.
Section 18 – Compliance Management. Finally, this section relates to the conformity of internal policy with local, state, and federal laws (Santos, 2019).
By utilizing the information provided by ISO in its domains and subsections, the company should absolutely work toward ISO certification. Certification will demonstrate that the company is committed to keeping its customers' information as secure as possible. After his company acquired ISO certification, Yasser Ramirez (2014) was quoted as saying, “Our existing and new clients tell us how reassuring it is for them to know they are dealing with a company that offers the highest quality services.” Gaining this accreditation will not be a quick process and will require ongoing maintenance, but it will pay off in the end.
NIST Framework
The National Institute of Standards and Technology (NIST) offers a security framework that relies on the CIA security model and should be used to protect the data that the company and its customers rely on. The CIA model rests on three separate but vital areas: confidentiality, integrity, and availability. Confidentiality simply means that data and information are kept secure from unauthorized individuals. Integrity ensures that the data, or the system that houses that data, has not been altered or compromised in any way. Finally, availability means that the data is there and ready when it needs to be accessed by authorized users. Using these three areas as a backbone, the new policies should take into consideration what steps will need to be taken to ensure that each criterion is met. A breakdown in one or more of these areas would lead to a loss of confidence from customers and may ultimately hinder the company's future plans to acquire more institutions.
Communicating the New Policy
Once the new policies are drafted in accordance with the criteria issued by the FDIC regulators, getting the policies into the hands of the employees will take a multilevel effort. First, a presentation of the new policies should be made to the Board of Directors to educate them and to see if any addenda or modifications are needed. After the Board approves, a meeting of the heads of the various branches needs to be held to educate them on the policies. This can be accomplished with a PowerPoint presentation accompanied by a hard copy of the policies. Following the meeting with the branch managers, in-person training can be conducted at each branch, giving the employees face-to-face instruction, again using a PowerPoint presentation and a hard copy. This will also give the trainer a chance to address any questions the employees may have.
Conclusion
In conclusion, while the company's future plans may have been halted, with research and planning they can proceed. It is important to note that it will be a lengthy process and will require the attention and best efforts of everyone involved, but it is attainable. Not only will the new security policies help the company reach its goal of acquiring other institutions and becoming a public company, but they will also serve to strengthen the confidence of existing customers.
References
FDIC (2019). Mergers. Retrieved from https://www.fdic.gov/regulations/applications/resources/apps-proc-manual/section-04-mergers.pdf
Ramirez, Y. (2014, May 2). ISO accreditation, what value? Retrieved from https://www.globalbankingandfinance.com/iso-9001-accreditation-what-value/
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Upper Saddle River, NJ: Pearson.