- Create an MS Word document containing your "short paper" (response) for the discussion topic. Use MS Word to spell check and grammar check your work! Then, submit this file. (For presentations, use PowerPoint format - .pptx)
Remediation - Ineffective / Missing Security Controls
As part of its due diligence efforts, the M&A team has determined that the following events contributed substantially to the bankruptcy of Island Banking services.
- Company officers and managers were able to conduct criminal activities using company IT assets without detection.
- The company did not have a disaster recovery / business continuity plan in place. It could not restart operations due to the loss of servers and workstations (seized by law enforcement agents).
- Storage media for servers and workstations had not been backed up to an off premises location leaving the company with no way to recover from the law enforcement seizure of storage media as evidence.
The root cause for each event listed above was determined to be: ineffective and/or missing IT security controls.
You have been asked to perform a gap analysis to assist in the identification and selection of IT security controls which could be implemented to remediate the situation ("close the gaps"). The CCISO has requested that you use the NIST Cybersecurity Framework and the NIST Security and Privacy Controls Catalog (NIST SP 800-53) as your source for IT security controls.
Choose 3 to 5 families or categories of controls ("framework functions") which should be implemented to remediate the above deficiencies (at least one family, e.g. AU Audit and Accountability, or category, e.g. Recovery Planning, for each event). Describe how the selected controls will prevent or deter such events in the future ("close the gaps").
Format your response as a business memorandum. For each control family or category, you should provide the following information (see Domain 2 Section 1.1.2 in CCISO):
• What it is
• What it does
• How the control performs its objective
You should have at least 5 strong paragraphs in your memo. Include citations and references (3 or more) to support your written work
Full Answer Section
To remediate the issue of company officers and managers conducting criminal activities using IT assets without detection, the Audit and Accountability (AU) control family from NIST SP 800-53 must be robustly implemented. Audit and Accountability controls focus on generating, protecting, and reviewing system audit records to track user activities, system events, and changes to system configurations (for example AU-2 Event Logging, AU-6 Audit Record Review, Analysis, and Reporting, and AU-9 Protection of Audit Information). This family of controls provides the necessary mechanisms for accountability by ensuring that individual actions are traceable, thereby deterring unauthorized or suspicious activities and providing critical forensic evidence for post-incident investigations. By logging all officer and manager activities on IT assets, forwarding those logs to centralized log management that the logged users cannot alter, and performing regular, independent reviews of the audit records for anomalies, Island Banking Services would create a protected, tamper-evident trail of actions. Protection matters as much as generation: an audit log that the people being audited can edit or disable provides no accountability, which is why AU-9 requires that audit information and audit tools be protected from unauthorized access, modification, and deletion. This heightened visibility and accountability would significantly deter criminal behavior due to the increased certainty of detection, directly closing the "without detection" gap.
Complementing Audit and Accountability, the Access Control (AC) family is essential for preventing unauthorized actions, even by seemingly authorized personnel, which was a core problem enabling criminal activities. Access Control defines and enforces rules governing access to information systems, networks, and information, ensuring that only authorized individuals or processes can perform specific functions. It establishes the principle of least privilege (AC-6), meaning users are granted only the minimum access necessary to perform their job duties, and separation of duties (AC-5), preventing a single individual from controlling an entire critical process. Implementing strong AC controls, such as granular permissions based on roles, regular account and access reviews (AC-2), and strict separation of duties for critical financial transactions so that the person who initiates a transfer can never be the person who approves it, would prevent officers and managers from unilaterally conducting criminal activities. Multi-factor authentication for sensitive systems belongs to the companion Identification and Authentication (IA) family (IA-2) rather than to AC, but it is what makes the access rules enforceable, since a role-based permission is only as strong as the proof that the account holder is who they claim to be. By limiting the scope of individual authority and ensuring that no single person has complete control over a sensitive process, the opportunity for undetected illicit activities is significantly reduced, thereby closing the gap in preventing unauthorized actions.
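The two paragraphs above describe three mechanisms: a protected audit trail (AU-9), periodic review of that trail for anomalies (AU-6), and separation of duties on financial transactions (AC-5). The following Python block is an added illustration of all three and is not part of the memo or of any NIST publication. The audit records, user names, transaction identifiers, the 10,000 approval threshold and the 08:00 to 18:00 business-hours window are constructed assumptions; a hash chain stands in for whatever write-once log store a real deployment would use.

```python
"""Tamper-evident audit trail plus an anomaly review pass.

Added example, not code from the original memo. Sample data is constructed.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime

GENESIS = "0" * 64  # hash of "the record before the first record"


def append_record(chain, record):
    """Append a record whose hash covers the previous entry's hash.

    This is the AU-9 idea in miniature: editing or deleting an earlier entry
    changes or orphans a hash, so the reviewer can detect the tampering.
    """
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)
    entry = {"prev": prev, "record": record}
    entry["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain):
    """Return the index of the first broken link, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return None


def review(chain, approval_threshold=10_000, business_hours=(8, 18)):
    """AU-6 style review over the trail. Flags (assumed rules for illustration):
    - sod_violation: the same user initiated and approved a transfer (AC-5)
    - unapproved_large_transfer: amount >= threshold with no second approver
    - after_hours_privileged: a privileged action outside business hours
    """
    findings = []
    transfers = defaultdict(dict)
    for entry in chain:
        r = entry["record"]
        hour = datetime.fromisoformat(r["ts"]).hour
        if r["action"] in ("initiate_transfer", "approve_transfer"):
            transfers[r["txn"]][r["action"]] = r
        if r.get("privileged") and not business_hours[0] <= hour < business_hours[1]:
            findings.append(("after_hours_privileged", r["user"], r["txn"] or r["action"]))
    for txn, steps in transfers.items():
        init, appr = steps.get("initiate_transfer"), steps.get("approve_transfer")
        if init and appr and init["user"] == appr["user"]:
            findings.append(("sod_violation", init["user"], txn))
        if init and init["amount"] >= approval_threshold and not appr:
            findings.append(("unapproved_large_transfer", init["user"], txn))
    return findings


# Constructed sample events (assumed field names, users and amounts).
SAMPLE_EVENTS = [
    {"ts": "2025-05-20T09:15:00", "user": "cfo", "action": "initiate_transfer", "txn": "T100", "amount": 250000, "privileged": False},
    {"ts": "2025-05-20T09:16:00", "user": "cfo", "action": "approve_transfer", "txn": "T100", "amount": 250000, "privileged": False},
    {"ts": "2025-05-20T10:00:00", "user": "teller1", "action": "initiate_transfer", "txn": "T101", "amount": 500, "privileged": False},
    {"ts": "2025-05-20T23:40:00", "user": "itmgr", "action": "disable_logging", "txn": None, "privileged": True},
    {"ts": "2025-05-21T11:00:00", "user": "ops1", "action": "initiate_transfer", "txn": "T102", "amount": 50000, "privileged": False},
]


def build_sample_chain():
    """Build a chain from the constructed events."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


if __name__ == "__main__":
    trail = build_sample_chain()
    print("chain intact:", verify_chain(trail) is None)
    for finding in review(trail):
        print(*finding)
    trail[0]["record"]["amount"] = 1  # an officer "fixes" the first record
    print("first broken link after edit:", verify_chain(trail))
```

Against the sample data the review reports the CFO approving their own transfer, an unapproved 50,000 transfer, and a privileged logging change at 23:40; editing or deleting any earlier record makes `verify_chain` return the index where the chain breaks. In production the chain head (or the log stream itself) would be shipped to a store the logged users cannot write to, which is the part of AU-9 a single process cannot provide on its own.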
Addressing the lack of a disaster recovery/business continuity plan and the absence of off-premises data backups, the Contingency Planning (CP) control family is paramount. Contingency Planning controls are designed to establish comprehensive plans for responding to and recovering from system failures, disruptions, and disasters, thereby ensuring the continuity of essential business operations. This family encompasses the development, testing, and maintenance of disaster recovery plans (DRP) and business continuity plans (BCP) (CP-2 Contingency Plan, CP-4 Contingency Plan Testing), alternate storage and processing sites (CP-6, CP-7), and provisions for data backup and restoration (CP-9 System Backup, CP-10 System Recovery and Reconstitution). Implementing robust CP controls, including the development of a detailed DRP/BCP, regular off-site data backups (e.g., daily incremental, weekly full backups) that are encrypted and periodically restored to confirm they are usable, geographically dispersed recovery sites, and clearly defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), would directly address the organization's inability to restart operations and recover from data loss. The seizure scenario shows why the off-premises requirement is the decisive one: a backup that sits on the same premises as the primary systems is lost in the same event, so only copies held elsewhere, and only if a restore has actually been tested, count toward the RPO. In the event of a future seizure by law enforcement or any other major disruption, Island Banking Services would have documented procedures, redundant systems, and off-site data copies to quickly resume critical operations and recover vital information, preventing future operational paralysis and catastrophic data loss.
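As an added example of the CP check described above (not code from the memo or from NIST), the block below evaluates a backup inventory under the assumption that every on-premises copy has just become unavailable, and reports per system whether a surviving copy exists, whether its restore has been tested, and how far it falls short of the RPO. The inventory, site names, timestamps and the 24-hour RPO are constructed for illustration.

```python
"""Recoverability check for a backup inventory when on-premises media are lost.

Added example, not part of the original memo. Inventory below is constructed.
"""
from datetime import datetime

# Constructed sample inventory: one entry per backup set (assumed fields).
SAMPLE_BACKUPS = [
    {"system": "core-banking", "site": "on-prem", "taken": "2025-05-24T02:00:00", "restore_tested": True},
    {"system": "core-banking", "site": "offsite-dc", "taken": "2025-05-18T02:00:00", "restore_tested": True},
    {"system": "email", "site": "on-prem", "taken": "2025-05-24T02:00:00", "restore_tested": False},
    {"system": "workstations", "site": "offsite-dc", "taken": "2025-05-23T02:00:00", "restore_tested": False},
]


def recovery_status(backups, now, rpo_hours, lost_sites=("on-prem",)):
    """Return, per system, what recovery looks like once `lost_sites` are gone.

    recoverable    - at least one copy survives outside the lost sites (CP-6/CP-9)
    restore_tested - the newest surviving copy has had a restore test (CP-9 testing)
    data_loss_hrs  - hours between `now` and that newest surviving copy
    meets_rpo      - recoverable and data_loss_hrs <= rpo_hours
    """
    now_dt = datetime.fromisoformat(now)
    status = {}
    for system in sorted({b["system"] for b in backups}):
        surviving = [b for b in backups
                     if b["system"] == system and b["site"] not in lost_sites]
        if not surviving:
            status[system] = {"recoverable": False, "restore_tested": False,
                              "data_loss_hrs": None, "meets_rpo": False}
            continue
        newest = max(surviving, key=lambda b: b["taken"])
        loss_hrs = (now_dt - datetime.fromisoformat(newest["taken"])).total_seconds() / 3600
        status[system] = {"recoverable": True,
                          "restore_tested": newest["restore_tested"],
                          "data_loss_hrs": loss_hrs,
                          "meets_rpo": loss_hrs <= rpo_hours}
    return status


def open_gaps(status):
    """List the systems that still fail the test, with the reason."""
    gaps = []
    for system, s in status.items():
        if not s["recoverable"]:
            gaps.append((system, "no off-site copy"))
        elif not s["meets_rpo"]:
            gaps.append((system, "off-site copy older than RPO"))
        elif not s["restore_tested"]:
            gaps.append((system, "off-site copy never restore-tested"))
    return gaps


if __name__ == "__main__":
    st = recovery_status(SAMPLE_BACKUPS, "2025-05-25T08:00:00", rpo_hours=24)
    for system, s in st.items():
        print(system, s)
    for gap in open_gaps(st):
        print("GAP:", *gap)
```

With the sample inventory and a 24-hour RPO, the nightly on-premises backups are irrelevant once the media are seized: email has no surviving copy at all, core banking is recoverable only to a week-old off-site copy, and the workstation copy is both stale and untested. Running this against a real inventory after every backup cycle turns the CP-9 requirement into a measurable number rather than a policy statement.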
In conclusion, the bankruptcy of Island Banking Services serves as a stark reminder of the critical importance of robust IT security controls. The proposed implementation of the Audit and Accountability (AU), Access Control (AC), and Contingency Planning (CP) control families from NIST SP 800-53 directly addresses the identified root causes of undetected criminal activity, lack of operational resilience, and irreversible data loss. These controls are not merely compliance checkboxes; they are strategic investments in building a secure, resilient, and trustworthy IT infrastructure. Their comprehensive deployment will significantly enhance the organization's ability to protect its assets, ensure business continuity, and maintain the confidence of its stakeholders, safeguarding against future vulnerabilities.
References
National Institute of Standards and Technology. (2018). NIST Cybersecurity Framework: A Framework for Improving Critical Infrastructure Cybersecurity. U.S. Department of Commerce.
National Institute of Standards and Technology. (2020). NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. U.S. Department of Commerce.
Sample Answer
MEMORANDUM
TO: CCISO
FROM: [Your Name/Role]
DATE: May 25, 2025
SUBJECT: Gap Analysis and Remediation Plan: Ineffective/Missing IT Security Controls at Island Banking Services
The M&A team's findings regarding the bankruptcy of Island Banking Services underscore a critical failure in fundamental IT security controls. The root cause analysis correctly identified ineffective and/or missing controls as directly contributing to undetected criminal activities by company officers, the absence of a disaster recovery/business continuity plan, and the complete loss of data due to a lack of off-premises backups. To address these severe deficiencies and prevent similar catastrophic events, this memorandum outlines a gap analysis using the NIST Cybersecurity Framework and NIST Special Publication 800-53,