To: Chief Information Security Officer
From: VICKYSON J, Merger & Acquisitions Team
Date: March 30, 2020
Subject: Gap Analysis and Security Controls Assessment
Several of the events identified as contributing factors in the bankruptcy of Island Banking Services (IBS) were able to occur because internal controls at IBS were ineffective or non-existent. The lack of effective internal controls allowed criminal conduct to go unnoticed and prevented the reestablishment of operations after law enforcement personnel removed essential equipment and data for examination. A gap analysis has since been performed to identify the categories, or families, of security controls needed to remediate the risk of such events recurring and again resulting in a shutdown of business operations.
The criminal investigation into IBS was initiated because criminal activity occurred at the company and went undetected. This behavior went undetected because IBS had not implemented audit and accountability controls. The Audit and Accountability family of security controls is defined in NIST Special Publication (SP) 800-53, Rev. 4. This family of controls requires the retention and independent review of activity and system records in order to ensure compliance, detect violations and performance issues, and report unlawful or inappropriate activity (Nieles, Dempsey & Pillitteri, 2017, p. 60). Controls in this family not only require the retention of system records but also provide non-repudiation, meaning that a user's actions can be uniquely traced to that user to ensure accountability (Nieles, Dempsey & Pillitteri, 2017, p. 60). Integrating audit and accountability controls will enable auditors to detect any unlawful activity performed at IBS in the future.
When the law enforcement investigation was initiated, many of IBS' workstations and servers were seized for forensic examination. This halted the financial services provided by the company, as IBS had not identified a hot or cold backup site for continuity of operations. Moreover, the storage media that law enforcement seized as evidence had never been backed up, which left IBS with no way to recover its data after the incident. IBS had neither proper contingency plans nor incident response plans in place, which resulted in a worst-case scenario. Having a contingency plan in place would have ensured that the company was prepared for this type of incident and would have been able to take steps to recover operations and minimize the damage (Nieles, Dempsey & Pillitteri, 2017, p. 61-62). For instance, IBS should have identified an off-site processing facility with backup equipment available to restart essential operations. Moreover, as part of its contingency planning efforts, IBS should also have developed incident response plans, enabling the company to train employees and test its continuity of operations (COOP) measures (Nieles, Dempsey & Pillitteri, 2017, p. 64). Both Contingency Planning and Incident Response controls are identified under the Cybersecurity Framework as protective controls within Information Protection Processes and Procedures (NIST, 2018, p. 35). Having internal controls in place to develop and test contingency plans and incident response capabilities may well have prevented IBS from filing for bankruptcy.
To summarize, security controls from the following families have been identified as critical gaps in the IBS information security program: Audit and Accountability, Contingency Planning, and Incident Response. The controls that IBS currently has in place have been deemed ineffective or missing altogether. To remediate the risk of a future shutdown of operations and to deter unlawful actions such as those that occurred under previous ownership, PBI-FS must move immediately to integrate the appropriate controls into the information security program.
Merger & Acquisitions Team
Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017, June). NIST special publication 800-12, revision 1: An introduction to information security. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
NIST. (2018, April 16). Framework for improving critical infrastructure cybersecurity, version 1.1. Retrieved from https://doi.org/10.6028/NIST.CSWP.04162018