Tuesday, May 22, 2018

Conducting a Security Self-Assessment


Executive Summary
Flash Courier Inc. has one of the largest computer networks in the world, owing to its 32,000 facilities and over 500,000 employees engaged in various activities and roles at these facilities. With so many employees conducting different activities in its facilities, and given the nature of its business and the constituent data it collects, it is imperative for Flash Courier Inc. to have a secure and reliable security system.

Introduction
As mentioned earlier, Flash Courier Inc. has one of the world’s largest computer networks and is also one of the biggest employers of labor in the United States. Furthermore, Flash Courier Inc. has one of the biggest customer databases in the United States, not to mention its over 700,000 career and non-career employees. In this security assessment, we will look at the measures taken by Flash Courier Inc. to secure its systems. We will look at areas such as:
Management Control
Operational Control and
Technical Control.
Further, at the end of this research, we should be able to tell how effective these security tools are in mitigating or curtailing threats to its infrastructure. The organizational chart of Flash Courier Inc. shows that the Chief Information Officer reports directly to the VP Chief Executive Officer, while the Chief Information Security Officer reports to the CIO. This shows a healthy hierarchical reporting structure in the information department of the firm.
Management Control
As stated in the text, "management controls security processes that are designed by the strategic planners and executed by the security administration of the organization" (Whitman, M. E., & Mattord, H. J., 2010). To comprehend Flash Courier Inc.'s strategic plan for its security, it is imperative to examine its mission statement. Flash Courier Inc.'s mission statement states that it is strategically poised to:

Provide courier services to bind the nation together through the personal, educational, literary, and business correspondence of the people. It shall provide prompt, reliable, and efficient services to patrons in all areas and shall render courier services to all communities. (Flash Courier Inc.)

An audit of Flash Courier's cybersecurity culture in 2015 shows that the firm has not made adequate provision for a proper cybersecurity culture as a core part of its security procedures. "Cybersecurity culture is demonstrated when staff members consider the security of information while using it" (U.S.P.S, 2015). Furthermore, in its security audit, there were strong indications that Flash Courier fell well below average in its security awareness training.

The guiding security policy principles of Flash Courier Inc. are: information is a critical asset that must be protected; information is restricted to authorized personnel for authorized use; information security is a cornerstone of maintaining public trust; security is a business issue, not a technology issue; information security is risk based and cost effective; information security is aligned with Flash Courier priorities, industry-prudent practices, government requirements, and federal laws; information security is directed by policy but implemented by business owners; and information is everybody's business. Flash Courier's information database is subject to the United States Privacy Act of 1974.
The Privacy Act requires all federal agencies, including the Postal Service, to adhere to a minimum set of standards for the collection and storage of personal data and restricts the disclosure of such Privacy Act information. Agencies are required to establish appropriate administrative, technical, and physical safeguards to protect Privacy Act data. These safeguards ensure the integrity and confidentiality of information resources containing Privacy Act data and protect against unauthorized disclosure of such data, which could result in substantial harm, embarrassment, unfairness, or inconvenience to an individual.


Operational Control
Under Operational Control, we will look at specific issues at Flash Courier Inc., such as the disaster recovery plan and the incident response plan, both of which fall under contingency planning, as well as personnel security.
Flash Courier Inc. Incident Response Plan: If data is compromised, damaged, or destroyed, Flash Courier Inc. requires that all information security incidents be reported to the Computer Incident Response Team (CIRT). The incident response process at Flash Courier includes, among other steps, security incident identification, prevention, reporting, and containment. Reporting incidents allows Flash Courier to review its security controls and procedures, establish appropriate corrective measures when necessary, and, in some cases, reduce the likelihood of recurrence.
Disaster Recovery Plan, Personnel/Physical Security: As stated in the firm's Disaster Recovery statement, the DRP must meet the following requirements. Each application must have disaster recovery plan documentation stored in the Technical Solution Life-cycle IT library. The Disaster Recovery Plan must be certified by the development organization and the executive sponsor. Applications designated as Critical-High and Critical-Moderate must be tested within 180 days of going into production. Applications designated as Critical-High must complete an actual test every 18 months. Applications designated as Critical-Moderate must complete either a tabletop walk-through or an actual test every 36 months. Lastly, all recovery plan documents must be protected as restricted information. Furthermore, the personnel security procedures put in place by Flash Courier Inc. include employees maintaining a security clearance that depends on their level of authorization, fingerprinting, and background investigations to vet employees' credibility.



Technical Control
Technical controls protect Flash Courier Inc. from unauthorized access, disclosure, and modification, including by supporting identity management so that Flash Courier can enforce identity and access control policies on authorized and public users. Access control also includes the capability for the firm to make access to its data selectively available to other users. Some of the access control measures put in place include 15-character alphanumeric passwords, the use of a secondary security system (PIN), and the use of tokens.
Furthermore, the use of peripheral devices such as Bluetooth requires authorization from the Vice President or the written approval of an assignee. Flash Courier approves the use of encryption software to encrypt sensitive and sensitive-enhanced information sent by e-mail and to give recipients the recovery keys and decryption instructions. A password change is required every six months. Flash Courier deploys access control and intrusion detection systems at the Contingency Plan and conducts an independent assessment to verify that they are in place.
Analysis of Result
Although Flash Courier has made adequate provision to counter and mitigate threats to its data infrastructure, there are strong indications of a weak information security culture within the organization. Among the issues found during this assessment is that fewer users complete security awareness training than the industry standard. As mentioned earlier, there is also a weak cybersecurity culture on the part of the organization. Furthermore, risk information is inadequate for the majority of the company's systems. Lastly, the review of the organization’s network gave indications that weak and outdated operating systems and software are being maintained.
Recommendation.
There are strong indications of perpetual neglect on the part of management in keeping up with recent technological advancement, especially in the area of information security. A company that collects data from its constituencies should make appropriate provision to protect such data from both internal and external threats and bridge the gaps identified. To bridge these gaps, the management of Flash Courier first needs to update its systems and software to meet current trends, especially in this age of data breaches and espionage on the part of employees. Also, management should endeavor to emphasize regular security awareness programs and concurrent security policy updates to keep up with current security threats. Furthermore, emphasis should be placed on changing the organization’s security culture from the top down. Lastly, management should perform regular security audits to stay informed of gaps within the security infrastructure and make the necessary changes to eradicate such gaps or mitigate the threat.




References
Miller, J. (2012). USPS fighting back against the insider threat. Retrieved from: http://federalnewsradio.com/in-depth/2012/07/usps-fighting-back-against-the-insider-threat/
USPS.com (2015). Information Security Requirement for All Personnel. Retrieved from: https://about.usps.com/handbooks/as805c.pdf
USPS.com (2001). Mission Statement. Retrieved from: https://about.usps.com/strategic-planning/cs01/c4a-2.htm
USPS.com (2016). About. Retrieved from: https://about.usps.com/handbooks/as805/as805c13_002.htm
USPS.com (2015). Information Resource Certification and Accreditation (C&A) Process. Retrieved from: https://about.usps.com/handbooks/as805a.pdf
USPS.com (2015). About; Size and Scope. Retrieved from: https://about.usps.com/who-we-are/postal-facts/size-scope.htm
Uspsoig.gov (2015). U.S. Postal Service Cybersecurity Functions. Audit Report. Retrieved from: https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf
Uspsoig.gov (2015). Address Management System Data. Retrieved from: https://www.uspsoig.gov/document/address-management-system-data
Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security (Page 85). Cengage Textbook. Kindle Edition.
