
Financial Service Security Engagement

John Fulcher, Latoya Davis, Renita Garland, William Crabb, Logan Hampton

CMGT 400

October 1, 2019


Financial Service Security Engagement

Customers are a critical stakeholder for every business organization across the globe. As the learning team for a financial service company specializing in the sale and management of investment portfolios for high net-worth individuals, the team has a responsibility to ensure the safety of customer information. To improve the confidentiality, integrity, and availability of information, the company migrated to a cloud-based customer relationship management (CRM) application. However, the chief information security officer (CISO) is concerned about the security of the new system. This paper addresses that concern by formulating a plan for the usage of mobile devices, recommending physical and environmental controls for the data center, proposing an audit assessment process, developing identity and access management policies, and recommending cryptography and public key infrastructure (PKI) uses.

Mobile Device Security Plan

The progress and growth of a business rely on the business developing a healthy relationship with its customers. After migrating to cloud-based customer relationship management (CRM), the company expects the cybersecurity engineering team to guarantee the security of customer information. The management objectives of migrating to a cloud-based CRM integrated with the on-site software applications are to manage the investment portfolios and customer accounts. As a result, the organization hopes to improve customer service, reduce the cost of sales, generate more leads, increase sales, and improve revenue.

The account managers' enthusiasm for the new system, because of its ability to support mobile devices, is growing rapidly. Mobile devices enable managers to operate seamlessly from anywhere at any given time (Sammons & Cross, 2017). Mobile devices are, however, vulnerable to security breaches. Through planning, IT organizations can account for threats such as intrusive applications and stolen devices. Securing corporate-owned and privately owned mobile devices such as tablet computers, laptops, universal serial bus (USB) memory sticks, and smartphones is the major challenge for the IT department. A best-practice mobile device security plan contains guidelines and safeguards that protect the use of mobile devices in the company. The policy plan for the secure use of mobile devices by both internal and external employees includes technical and user requirements.

Technical Requirements

A mobile device security plan is a document that highlights measures to protect mobile devices against vulnerabilities and business risks. The use of mobile devices in a financial company ensures managers remain reachable when away from the office or home. Adhering to the company's acceptable use policy is the best practice for ensuring that internal and external employees remain cautious about the issues that arise from the use of mobile devices. The following are the technical requirements for securing mobile devices.

  • All devices must store all user-saved passwords in an encrypted password store.

  • Devices must run one of the following operating systems: Android version 5.1.1 or later, or iOS 4.x or later.

  • All devices must have antivirus software.

  • The CRM application is installed only from the official app stores.

  • The devices must comply with the company password policy.

  • Devices must comply with company password management rules for their security features.
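The technical requirements above can be enforced mechanically against a device inventory. The following is an added example, not code from the original paper; it assumes a constructed inventory of device records, reads the plan's "iOS 4.x" as a minimum of iOS 4.0, and treats any platform other than Android or iOS as non-compliant.

```python
# Added example: checks a constructed device inventory against the plan's
# technical requirements (OS version floor, encrypted password store,
# antivirus, password policy). Not part of the original paper.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum OS versions stated in the plan. "IOS4x" is assumed to mean 4.0.
MIN_OS: Dict[str, Tuple[int, ...]] = {"android": (5, 1, 1), "ios": (4, 0, 0)}


@dataclass
class Device:
    owner: str
    os_name: str          # "android" or "ios"; anything else is unsupported
    os_version: str       # dotted version string, e.g. "9.0" or "4.2.1"
    encrypted_pw_store: bool
    antivirus: bool
    password_policy_ok: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.1.1' into (5, 1, 1), padded to three parts so '4' == '4.0.0'.
    Numeric tuples compare correctly; strings would rank '10' below '9'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def os_meets_minimum(os_name: str, os_version: str) -> bool:
    minimum = MIN_OS.get(os_name.lower())
    if minimum is None:
        return False  # unsupported platform is non-compliant by default
    return parse_version(os_version) >= minimum


def check_device(device: Device) -> List[str]:
    """Return the requirement names the device violates; [] means compliant."""
    violations = []
    if not os_meets_minimum(device.os_name, device.os_version):
        violations.append("os_version")
    if not device.encrypted_pw_store:
        violations.append("password_store")
    if not device.antivirus:
        violations.append("antivirus")
    if not device.password_policy_ok:
        violations.append("password_policy")
    return violations


def compliance_report(devices: List[Device]) -> Dict[str, List[str]]:
    return {d.owner: check_device(d) for d in devices}


# Constructed sample inventory (hypothetical owners and values).
SAMPLE_DEVICES = [
    Device("manager-a", "android", "9.0", True, True, True),
    Device("manager-b", "android", "4.4.4", True, False, True),
    Device("manager-c", "ios", "12.1", False, True, True),
    Device("manager-d", "windows", "10", True, True, True),
]
```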

User Requirements

The concerns of the chief information security officer remain valid, as mobile devices are a common source of security incidents. The issues range from device loss and external breaches to malware infection. Given that integrating the cloud-based CRM with the on-site application has immense benefit to business operations, the use of mobile devices will continue to increase (Vacca, 2013). The usage of mobile devices therefore warrants proper risk management. The user requirements of the security plan are as follows:

  • Users must report stolen or lost devices promptly.

  • Users must regularly update their device's operating system with security patches.

  • Users may only download and store corporate data that relates to the task at hand.

  • All devices must be disconnected from Wi-Fi when not in use.

  • Users must not jailbreak their devices.

  • Users must keep the device in close possession at all times.

Physical Security and Environmental Controls for Data Center

The data center is the epicenter of the financial services company. Data centers host the on-site applications that play a vital role in the daily operation of the company. The physical security and environmental controls of the data center are fundamental to the corporation's remote storage and processing of data. Organization data centers require security measures and controls against loss of service caused by fire, theft, intentional destruction, flood, equipment failure, unintentional damage, and power failure.

The cloud service providers should provide detailed physical and operational security to secure the network and server infrastructure. Erecting physical security helps to deal with foreseeable threats. The building and the room that house the information technology systems must be secured from unauthorized access to avoid damage to systems and information. Perimeter security is the first line of defense and deters opportunistic attackers. Data centers should have physical elements such as fences, gates, berms, bollards, and lighting to deter unauthorized access. The data center should be fitted with hardware locks to protect against equipment theft. All entry points should have mantraps to detect illegal access to the facility. Detection systems such as video surveillance, motion detectors, alarms, closed-circuit TV, and security guards should be visible to enhance physical security.

In addition to physical security, the environmental aspects of data centers should be managed properly, because if they are not, they can cause interruption of services. Data centers should be separate from other operational buildings to maintain optimum heating and cooling. The data center should have a fully functioning heating, ventilating, and air conditioning (HVAC) system to keep the environment at a constant temperature. Separating the data room from the rest of the building helps to manage overheating so that it does not affect the rest of the building.

Water should not be nearby when working in areas with computer and power systems. However, the organization should maintain a small fire suppression system that relies on water. The data room should be fitted with smoke, heat, and fire detection systems to support suppression. Environmentally friendly chemicals should be used to suppress fire rather than water. Electromagnetic interference (EMI) shielding should be put in place to protect users of computers and mobile devices. Another environmental control for data centers is the hot and cold aisle layout. The design of a data center is essential to ensure proper cold and hot air circulation and improve server performance. Environmental monitoring should be done regularly to ensure data centers remain fully functional.

Audit Assessment for Cloud-Based CRM Software Provider

The financial service company will benefit immensely by investing in a cloud-based CRM. Auditing is an essential part of the company's overall security plan and ensures that the cloud service provider has established proper physical security and environmental controls. The audit assessment proposal highlights the minimum requirements for ensuring the CRM software application is in line with company goals. The results of the audit assessment can help the company put forth elaborate measures to ensure the information system is secure from threats.

Running a significant portion of the business in the cloud warrants an assessment to ensure the service provided helps the company serve the interests of its customers. Vetting a cloud-based service provider is not an easy task, as there are no clear guidelines; nevertheless, companies should not shy away from auditing their service providers (Chen, Wu, Chu, Lin, & Chuang, 2018). The following is a proposed audit checklist for the hosting data center.

Scope of the Audit

  • The scope of the cloud-based CRM audit will include the procedures specific to hosting the data center.

  • Additionally, the audit will include physical security and environmental control relating to data center protection.

Site Location

  • Onsite visits to ensure the geographical location is safe from natural disasters (such as flooding and earthquakes) and man-made threats such as civil disobedience, burglary, explosion, and fires.

Facility Design

  • Perimeter fence, locked doors and windows, guards, hardware locks, and mantraps.

  • The design of the room should resist damage from natural disasters.

  • Detection systems: motion detectors, CCTV, alarms, etc.

  • Availability of a suppression system with smoke, heat, and fire detectors.

  • The data center should have an HVAC system.

  • The data center should have environmental controls.

Identity and Access Management Policies

Technology resources serve as the most valuable resource for any company. As a company dealing with investment management for high net-worth individuals, the financial service company should give identity management the attention it deserves. According to information technology consultant John Vacca (2013), “identity and access management (IAM) refer to a set of information and technology for managing the use of digital identities” (p. 167). Identity and access management policies help to ensure that identities have the right access to resources within the context of their job responsibilities and roles. IAM covers requesting, approving, creating, and deleting identities; granting and revoking access; and authentication, authorization, and deprovisioning for any identity on the system. The following are the identity and access management policies for the on-site systems and the cloud-based CRM.

The IAM policies fall into two categories: the individual level and the information system level. At the individual level, the policies provide strict guidelines to account holders on the proper use of their authorizations. Therefore, all account holders must:

  • Create a password with a minimum of eight characters to conform with the financial service company's best practices.

  • Not disclose or share a password related to the system with any other person.

  • Not use a password related to the financial service system for non-business accounts.

  • Use the privileged account for the intended purpose only.

  • Use screen locking technologies for unattended devices.

Cloud IAM identity services come at no additional cost to the company. The service provides a central location for managing the identities of the organization's cloud administrators. The administrators are responsible for developing the policies that configure and maintain devices and applications for the company. The policies include:

User Accounts Policy. The policy entails the requirements for requesting and maintaining an account on the cloud-based CRM. The company has three distinct account types, namely user accounts, shared accounts, and service accounts, based on the nature of the operation.

Authentication Policy. The cloud-based CRM should use federated authentication over local accounts and passwords. Company passwords should be complex, with a minimum of 8 characters containing numbers, special characters, lowercase letters, and uppercase letters. For restricted use, only users with multifactor authentication should have access to the system.

Authorization Policy. Access to the system or application shall use role-based authorization. Authorizations should have the necessary approvals based on the principle of least privilege and separation of duties.

Deprovisioning Policy. Individuals who cease to be employees of the financial service company should not have an account.
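The authentication, authorization, and deprovisioning policies above can each be expressed as a check that an administrator or an automated review could run. The following is an added example, not code from the original paper or from any CRM vendor; the role names, permission strings, conflicting-role pairs, accounts, and employee roster are all hypothetical and constructed for illustration.

```python
# Added example: encodes the paper's IAM policies as checks.
#   - password_meets_policy: minimum 8 chars with upper, lower, digit, special
#   - is_authorized: role-based, least privilege, MFA required for restricted use
#   - sod_violations: separation of duties between conflicting roles
#   - accounts_to_deprovision: accounts whose owner is no longer an employee
# Role names, permissions, and sample data are hypothetical.
import string
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def password_meets_policy(pw: str) -> bool:
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


# Least privilege: each role carries only the permissions its job needs;
# anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "account_manager": {"crm:read", "crm:update", "trade:request"},
    "trade_approver": {"crm:read", "trade:approve"},
    "cloud_admin": {"iam:manage_users"},
}

# Separation of duties: the person who requests a trade must not approve it.
CONFLICTING_ROLES: List[Tuple[str, str]] = [("account_manager", "trade_approver")]


@dataclass
class Account:
    user: str
    roles: Set[str]
    mfa_enrolled: bool


def is_authorized(acct: Account, permission: str, restricted: bool = False) -> bool:
    """Role-based check; restricted operations additionally require MFA."""
    if restricted and not acct.mfa_enrolled:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in acct.roles)


def sod_violations(acct: Account) -> List[Tuple[str, str]]:
    return [pair for pair in CONFLICTING_ROLES if set(pair) <= acct.roles]


def accounts_to_deprovision(accounts: List[Account], active_employees: Set[str]) -> List[str]:
    """Deprovisioning policy: flag every account whose owner left the roster."""
    return sorted(a.user for a in accounts if a.user not in active_employees)


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("alice", {"account_manager"}, True),
    Account("bob", {"account_manager", "trade_approver"}, False),
    Account("carol", {"cloud_admin"}, True),
]
ACTIVE_EMPLOYEES = {"alice", "bob"}   # carol has left the company
```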

Cryptography and PKI Recommendation

The security of the on-site systems and the cloud-based CRM is vital to the future of the financial service company. Secure communication is at the heart of every company investing in information technology. The purpose of cryptography is to enhance the confidentiality of the transmitted message (Zhu, Jiang, & Zhou, 2018). Protecting data from unauthorized access entails encryption and decryption of the message.

The financial service company must deploy encryption and ciphers to enhance the security of the system. The three key traits for information security are confidentiality, integrity, and authentication. A cipher transforms the bits of the plaintext into ciphertext using key bits. The organization can use a symmetric cipher to encrypt and decrypt messages within the organization. A symmetric cipher uses the same key for encrypting and decrypting messages.

Another recommendation by which the financial service company can improve security is the use of an asymmetric cipher (public-key cryptography). Public key infrastructure (PKI) allows the use of a private and a public key to achieve security services. PKI ensures that trust in the public key is maintained. Common PKI uses for improving information security include HTTPS and SSL, which validate the identity of the web server. I recommend that the organization obtain a digital certificate for the cloud-based software application to prove its identity in the electronic world. The organization should also deploy cryptographic hash functions to improve data integrity.

In conclusion, information privacy is an essential element that every organization must pay close attention to at all times. To improve the optimization of its services, the financial service company migrated to cloud-based customer relationship management. To address the concerns raised by the CISO, it is paramount to secure mobile devices by developing usage policies. Cloud-based services require data centers that must be protected against threats using physical security measures and environmental controls. Data protection is a fundamental aspect of the organization. Developing identity and access management policies regulates who, where, how, and when an identity has access to information. To secure information and improve its security, it is essential to deploy public-key cryptography.

References

Chen, Y.-S., Wu, C., Chu, H.-H., Lin, C.-K., & Chuang, H.-M. (2018, March). Analysis of performance measures in cloud-based ubiquitous SaaS CRM project systems. The Journal of Supercomputing: An International Journal of High-Performance Computer Design, Analysis, and Use, 74(3), 1132-1156.

Halpert, B. (2013). Auditing cloud computing: A security and privacy guide. Hoboken, NJ: John Wiley & Sons.

Sammons, J., & Cross, M. (2017). The basics of cyber safety: Computer and mobile device safety made easy. Cambridge, MA: Syngress.

Santos, O. (2018). Developing cybersecurity programs and policies (3rd ed.). London: Pearson Education.

Vacca, J. R. (2013). Computer and information security handbook. Amsterdam: Morgan Kaufmann.

Zhu, S., Jiang, L., & Zhou, Z. (2018). Research on key techniques of cryptographic access control and properties optimisation in cloud storage. International Journal of Information Technology and Management, 17(4), 257-274.


CMGT 400 Grading Rubric, Learning Team – Week 2 Financial Service Security Engagement

Rubric columns: meets criteria? (Week 2 Financial Service Security Engagement), points, grade, comments.

Content (75.0 points)

Your Learning Team is a cybersecurity engineering team for a financial services company that sells investments to, and manages investment portfolios for, high net-worth individuals.

Your organization just completed the migration of the account managers to a cloud-based, customer relationship management (CRM) software application. Your organization has integrated the cloud-based CRM with on-site investing and account management systems to improve the sales of investment products to customers and potential customers and for managing customer accounts and investment portfolios. The Chief Information Security Officer (CISO) of your organization is concerned about the security of this new system and its integration to existing systems and has requested that your team complete the following 6- to 8-page security analysis:

  • Create a plan that addresses the secure use of mobile devices by internal employees and external employees as they use mobile devices to access these applications. (15pt)

  • Recommend physical security and environmental controls to protect the data center which runs the on-site applications. (15pt)

  • Propose audit assessment and processes that will be used to ensure that the cloud-based CRM software provider uses appropriate physical security and environmental controls to protect their data centers which run your cloud-based CRM software. (15pt)

  • Develop identity and access management policies for both the on-site systems and the cloud-based CRM. (15pt) Recommend cryptography and public key infrastructure (PKI) uses which could be used to increase security for these systems. (15pt)

Points: 75.0

Grade: 75

Comments: Learning team assignment met requirements. The team developed a comprehensive plan to address the secure use of mobile devices by internal employees and external employees. Applied risk management and SDLC concepts when developing security plans. The team made valid recommendations for physical security and environmental controls. Applied cloud based CRM application audit assessment processes, defined scope, and appropriate controls for data center security. Consider BYOD risk and apply MDM. Remember formal standards such as ISO27001. The team demonstrated understanding of identity and access management policies for on-site and cloud-based systems. Cryptography and PKI were included. The team included appropriate rationale to justify recommendations.

Content score: 75 out of 75.0

Research

Criteria: Assignment has research depth including at least two outside relevant peer reviewed references from course material and/or the library.

Comments: The assignment content demonstrated your team did research. Included at least two references to meet research depth requirement.

Organization

Criteria: Assignment is organized appropriately covering all required topics in a logical sequence. Title, introduction, body, conclusion and references are included in required sequence.

Comments: Assignment is organized, flowed logically covering all required topics. Assignment is structured to meet most APA requirements.

Mechanics, Quality and APA

Criteria: Assignment projects professional, quality image, meets academic integrity requirements. Meets APA format. Include title page and reference section. References in APA format. No spelling errors - the paper has obviously been proofread. Title and reference pages do not count toward the length requirement.

Comments: Met most APA. Included a reference section. Assignment has in text references to support APA and academic integrity requirements.

TOTAL POINTS FOR RESEARCH, ORGANIZATION, QUALITY, AND APA REQUIREMENTS

15 out of 15

TOTAL POINTS

(90 out of 90 possible points) 04-29-19 rpg