Executive Summary
Flash Courier Inc.
has one of the largest computer networks in the world due to its "32,000
facility with over 500,000 employees engaged in various activities and roles at
this facility. Also, with so much employee conducting different activities in
its facilities, it is imperative for Flash Courier Inc. to have a secure and
reliable security system coupled with the nature of its' business and its
constituent data it collects.
Introduction
As mentioned
earlier, Flash Courier Inc. has one of the world’s largest computer network and
also one of the biggest employer of labor in the United States. Furthermore, Flash
Courier Inc. has one of the biggest
customer data base in The United States not mentioning the over 700,000
employees both career and non-career employees. In the course of this security
assessment, we will be looking at the measure taken by Flash Courier Inc. in
securing it Systems. We will look at areas such as:
Management
Control
Operational
Control and
Technical
Control.
Further, at the end of this research,
we should be able to tell how effective this security tools are in mitigating
or curtailing threats to its infrastructures. The organizational chart of Flash
Courier Inc. shows the Chief Information Officer reports directly to the VP
Chief Executive Officer, while the Chief Information Security Officer reports
to the CIO. This trend shows a healthy hierarchical reporting structure in the
information department of firm.
Management Control
As stated in his Text, " management controls security processes that are designed
by the strategic planners and executed by the security administration of the
organization" Whitman, M., E., & Mattord, H., J., (2010). For us to comprehend Flash Courier Inc. strategic plan on its
security, it is imperative to examine its mission statement. Flash
Courier Inc. mission statement states its strategically poised to
Provide courier services
to bind the nation together through the personal, educational, literary, and
business correspondence of the people. It shall provide prompt reliable, and efficient services to patrons in all areas and
shall render courier services to all communities Flash Courier Inc.
An audit of Flash Courier Cyber security culture
in 2015 shows the firm has not made adequately provision for proper
Cybersecurity culture as a core part of its security procedures. "
Cybersecurity culture is demonstrated when staff members consider the security
of information while using it" U.S.P.S (2015). Furthermore, in its
security audit, there were strong indication that Flash Courier fell well below
average in its Security awareness training.
The guiding
security policy principles of Flash Courier Inc. are: (a), Information is a
critical asset that must be protected,
Information is restricted to authorized
personnel for authorized use. (b), Information Security
is a cornerstone of maintaining public trust. Security is a business issue- not
a technology issue, Information Security is risk based and cost effective,
Information security is aligned with Flash Courier priorities, industry-prudent
practices, government requirement, and federal laws, information security, is
directed by policy but implemented by business owners and Information is
everybody's business. Flash Courier information data base is subject to
The United States Privacy Act of 1974.
The Privacy Act
requires all federal agencies, including the Postal Service, to adhere to a
minimum set of standards for the collection and storage of personal data and
restricts the disclosure of such Privacy Act information. Agencies are required
to establish appropriate administrative, technical, and physical safeguards to
protect Privacy Act data. These safeguards ensure the integrity and
confidentiality of information resources containing Privacy Act data and
protect against unauthorized disclosure of such data, which could result in
substantial harm, embarrassment, unfairness, or inconvenience to an individual.
Operational Control
Under the
Operation Control, we will be taking a look specific issues at Flash Courier
Inc. like disaster recovery plan, Incident Response
Plan which are all embodied under Contingency planning and also, Personnel
security.
Flash
Courier Inc. Incident Response Plan: In the case of a Data compromise, damaged
or destroyed, Flash Courier Inc. requires that all information security
incident be reported to the Computer
Incident Response Team (CIRT). Some of
the process of Incident Response by Flash
Courier includes security incident identification, prevention, reporting, and
containment. The reporting of incident allows Flash Courier to review the
security controls and procedures, establish appropriate corrective measures
when necessary, in some cases, reduce the likelihood of recurrence.
Disaster Recovery Plan, Personnel/Physical Security: As
stated in their Disaster Recovery statement, the DRP must meet the following
requirements; Each application must have a disaster recovery plan documentation
stored in the Technical Solution Life-cycle IT library. The Disaster Recovery
Plan must be certified by the development organization and the executive
sponsor. Application designated as Critical-High and Critical-Moderate must be
tested within 180 days of going into production, Application designated as
critical-High must complete an actual test 18 month, Application designated
critical- Moderate must complete either a tabletop walk through or an actual
every 36 months and lastly, all recovery plan documents must be protected as
restricted information.
Furthermore, some of the Personnel security procedure put in place by Flash
Courier Inc. includes employees maintaining security clearance depending on
their level of authorization, Finger printing,
and background investigation to vet employee's credibility.
Technical Control
To
protect Flash Courier Inc. from unauthorized access, disclosure, modification including; supporting
identity management such that Flash Courier can
enforce identity and access control policies on authorized and public users.
The access control also includes the capability for the firm to access to its
data selectively available to other users. Some of the access control measures
put in place includes: 15 characters’ alphanumeric password, uses of a
secondary security system (PIN), the use of Tokens.
Furthermore, the use of peripheral device like
Bluetooth requires authorization from either the Vice President or assignee's
written approval. Flash Courier approves the use of encryption software to
encrypt sensitive and sensitive-enhanced information sent by e-mail and give
recipient the recovery keys and decryption instructions. There is a required
password change every six months, Flash Courier deploys access control and intrusion
detection systems at the Contingency Plan and conduct an independent assessment
to verify that they are in place.
Analysis of Result
Although Flash
Courier has made adequate provision to counter and mitigate threats to is data
infrastructure, there are strong indications of a weak information security
culture within the organization. Among the issue found out during this assessment include fewer users
completing security awareness training which is below industrial standard. As mentioned earlier, weak cybersecurity culture on
the part of the organization. Furthermore, inadequate risk information
on majority of the company's systems. And lastly, In the review of the
organization’s network, there are indications of maintenance of weak and
outdated operating systems and software.
Recommendation.
There are strong
indications of a perpetual neglect on the part of management in meeting up with
recent technological advancement especially in the area of Information
security. It is imperative to state that for a company which engages in
collection of data of its constituencies should make appropriate provision to
protect such data from both internal and external threat and breach the gap
thereof. To breach these gaps, the management of Flash security first, needs to
update its systems and software to meet current trends especially in this age
of data reaches and espionage on the part of employees. Also, management should en-devour emphasis regular security
awareness program and concurrent security policy update to meet up with current
security threats. Furthermore, emphasis should be
placed on changing the organization’s security culture from top to down.
Lastly, management should perform regular security audit to be informed on gaps
within the security infrastructures and make necessary changes to eradicate
such gap or mitigate the threat.
References
Miller, J., (2012). USPS fighting back against
the insider threat. Retrieve
from:http://federalnewsradio.com/in-depth/2012/07/usps-fighting-back-against-the-insider-threat/
Usps.com, (2015). Information
Security Requirement for All Personnel. Retrieved from:
https://about.usps.com/handbooks/as805c.pdf
USPS.com, (2001).
Mission Statement. Retrieved from:
https://about.usps.com/strategic-planning/cs01/c4a-2.htm
USPS.com, (2016).
About. Retrieved from: https://about.usps.com/handbooks/as805/as805c13_002.htm
Usps.com, (2015).
Information Resource Certification and Accreditation(C&A) Process.
Retrieved from: https://about.usps.com/handbooks/as805a.pdf
USPS.com, (2015).
About; Size and Scope. Retrieved from: https://about.usps.com/who-we-are/postal-facts/size-scope.htm
Usosoig.gov,
(2015). U.S Postal Service Cybersecurity Functions. Audit Report. Retrieved
from:
https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf
Usosoig.gov, (2015). Address Management System
Data. Retrieved from:
https://www.uspsoig.gov/document/address-management-system-data
Whitman, M., E.,
& Mattord, H., J., (2010). Management of Information Security (Page 85).
Cengage Textbook. Kindle Edition.
No comments:
Post a Comment