Security System Evaluation and Remediation
Governance, Risk, and Compliance (Western Governors University)
Table of Contents
- Overview of Gaps
- Identified Risks
- Remediation Plan
- PCI-DSS Compliance Policy
- Purpose
- Scope
- Policy Requirements
- Network Security
- System Security
- Antivirus Protection
- Access Control
- Enforcement and Compliance
- References
Notes: based on duties and systems.
Risk: system access and permissions will lead to unauthorized access and data breaches.
FMC decision: in order to guarantee adherence to the access control guidelines and recommendations outlined in NIST SP 800-53. This standard requires that individuals are granted only the rights and permissions necessary to fulfil their roles and responsibilities, thereby preventing unauthorized access, accidental damage from user error, and malicious actions. (Goulding, 2024)

CA-5 Plans of Action and Milestones
Notes: Develop and track planned remediation actions.
Risk: High; the absence of procedures to track remediation actions will result in inconsistent remediation actions and persistent control gaps.
FMC decision: In order to comply with security best practices, a remediation plan and checklist will be defined with clearly identified control owners and timelines, and the status of remediation will be monitored to ensure that remediation actions are followed through and enforced. (Tyler, 2024)

CA-7 Continuous Monitoring
Notes: A continuous monitoring strategy is required to support business needs and the new system.
Risk: Medium; the lack of a monitoring strategy will leave FMC blind to threats and control gaps that may come with the implementation of new systems.
FMC decision: FMC will implement centralized network and system level monitoring to ensure that the controls of existing and new systems are adequately monitored for compliance with FMC security policy. (Vanta,

FMC resources to address risks that have a significant impact on FMC's operations.

alignment with FMC policy and regulatory guidelines. (Tyler,
Other risks identified include:
- Antivirus: Workstations connected to the switches have not been equipped with licensed antivirus protection. This poses a high risk to the business, as the finding indicates that workstations are not adequately safeguarded against cyber-attacks that bypass the network security controls. An attacker capable of introducing malware onto these systems, or an unwitting user who inadvertently opens an infected file on them, puts the systems at risk of malware infection and data exfiltration.
- FMC decision: FMC accepts this finding and has deemed it necessary to address this risk in order to reduce the business's attack surface and prevent data breaches from malware attacks, in alignment with the requirements of PCI DSS to secure
- Endpoint Protection: The current FMC network lacks a firewall or an endpoint protection solution to detect and prevent intrusion attempts by internal and external threat actors. Without endpoint protection, the FMC infrastructure is at high risk of exposure to a variety of cyber threats, including malware, intrusions, denial of service, and system compromise.
- Multifactor Authentication: As part of its identity and access management controls, the FMC infrastructure does not currently implement multifactor authentication. This poses a significant risk to FMC, because without MFA a single compromised credential grants unauthorized access to sensitive systems and data. Combined with the absence of stringent password requirements, this means attackers can readily obtain credentials and compromise accounts and systems.
- PCI Non-Compliance: FMC is currently non-compliant with PCI DSS because the present network infrastructure lacks the required network security controls and segmentation, even though a point-of-sale system has been implemented to process purchase payments. Running a POS system at FMC's physical location on a network that lacks essential protections such as a firewall, appropriate configuration, and antivirus (AV) solutions leaves the cardholder data environment at high risk of compromise. Ultimately, this exposes FMC to the penalties imposed by the card brands and acquiring banks that enforce PCI DSS.
- Inadequate Identity and Access Management for the FMC web portal: The current identity and access management implementation for the FMC web portal does not provide sufficient security for government agencies to access sensitive information securely, nor does it authenticate physicians before they access or upload sensitive documents. Secure access to and use of PII is therefore not assured, which poses a high risk to FMC and could result in significant data breaches.
Remediation Plan
It is important that FMC defines a clear remediation strategy and plan to address the control gaps
identified, taking into consideration the financial status of FMC as well as the compliance
requirements defined by FISMA and PCI DSS.
The table below defines clear remediation actions recommended for the full closure of identified
control gaps.
Control Identifier | Control / Control Enhancement | Notes | Remediation Plan

AC-6 Least Privilege
Notes: Least privilege needs to be enforced based on duties and systems. The principle of least privilege dictates that users should have only the minimum level of access required to perform their job functions.
Remediation Plan: The following actions are recommended:
- job functions within FMC
- access reviews for all systems

- requirements (identify critical systems, scope and objectives)
- continuous monitoring strategy (framework, policies, procedures and tools)
- Continuous Improvement Plan
- control status against remediation and compliance requirements
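The AC-6 actions above (define job functions, review access on every system) are where a practitioner needs something concrete to run. The script below is an added example, not part of FMC's documentation or of the original page: it takes a job-function-to-entitlement matrix and a list of accounts with the entitlements they currently hold, and reports every entitlement an account holds beyond what its job function allows, together with orphan accounts (no role at all) and accounts assigned a role the matrix does not define. The role names, systems, permissions and accounts are constructed sample data, and the (system, permission) representation is an assumption of this example.

```python
"""Least-privilege access review (added example; constructed sample data).

Compares each account's granted entitlements against the entitlements its
job function allows, following the AC-6 recommendation to define job
functions and run access reviews for all systems. Role names, systems,
permissions and accounts below are assumptions for illustration, not FMC data.
"""
from dataclasses import dataclass, field

# Hypothetical job-function matrix: role -> set of (system, permission) pairs
# the role legitimately needs. Anything an account holds outside the union of
# its roles' entitlements is excess privilege.
ROLE_MATRIX = {
    "pos_cashier": {("pos", "process_sale")},
    "pos_supervisor": {("pos", "process_sale"), ("pos", "void_sale"),
                       ("pos", "end_of_day_report")},
    "physician": {("portal", "upload_document"), ("portal", "read_record")},
    "sysadmin": {("pos", "admin"), ("portal", "admin"),
                 ("workstation", "local_admin")},
}


@dataclass
class Account:
    user: str
    roles: set      # job functions assigned to the account
    granted: set    # (system, permission) pairs currently held


@dataclass
class Finding:
    user: str
    excess: set = field(default_factory=set)         # entitlements to revoke
    unknown_roles: set = field(default_factory=set)  # roles not in the matrix
    orphan: bool = False                             # account with no role


def allowed_for(roles, matrix):
    """Union of entitlements for the known roles; also return roles the
    matrix does not define, since nothing can be justified for those."""
    allowed, unknown = set(), set()
    for role in roles:
        if role in matrix:
            allowed |= matrix[role]
        else:
            unknown.add(role)
    return allowed, unknown


def review(accounts, matrix=ROLE_MATRIX):
    """Return one Finding per account that violates least privilege.
    Holding fewer entitlements than the role allows is fine and produces no
    finding; the review only looks for excess, orphans and undefined roles."""
    findings = []
    for acct in accounts:
        allowed, unknown = allowed_for(acct.roles, matrix)
        excess = set(acct.granted) - allowed
        orphan = not acct.roles
        if excess or unknown or orphan:
            findings.append(Finding(acct.user, excess, unknown, orphan))
    return findings


def revocation_plan(findings):
    """Flatten findings into (user, system, permission) revocations, sorted so
    the list can be tracked as remediation actions with an owner and a date."""
    return sorted((f.user, system, perm)
                  for f in findings for system, perm in f.excess)


# Constructed sample accounts exercising each case the review should catch.
SAMPLE_ACCOUNTS = [
    Account("alice", {"pos_cashier"},
            {("pos", "process_sale"), ("pos", "void_sale")}),      # excess
    Account("bob", {"physician"},
            {("portal", "upload_document"), ("portal", "read_record"),
             ("workstation", "local_admin")}),                      # excess
    Account("carol", {"sysadmin"},
            {("pos", "admin"), ("portal", "admin")}),               # clean
    Account("dave", set(), {("pos", "process_sale")}),              # orphan
    Account("erin", {"contractor"}, {("portal", "read_record")}),   # unknown role
]

if __name__ == "__main__":
    results = review(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"{f.user}: excess={sorted(f.excess)} "
              f"unknown_roles={sorted(f.unknown_roles)} orphan={f.orphan}")
    print("revocations:", revocation_plan(results))
```

The output of `revocation_plan` is the list the CA-5 plan of action would track: each tuple becomes a remediation item with a control owner and a due date, and re-running `review` after the changes confirms closure.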
RA-3 Risk Assessment
Notes: An updated risk assessment that identifies risks associated with the new system and determines their likelihood and impact is required.
Remediation Plan: The following actions are recommended to conduct risk assessments at FMC effectively:
- assessment plan
- Identify all risks
- Analyze risks (likelihood and impact)
- prioritize risks
- track risk status

RA-7 Risk Response
Notes: A justification or rationale for risk mitigation strategies, based on either remediation or acceptance of the risk, is required.
Remediation Plan: The following actions are recommended to define a justification framework for addressing risks to FMC:
- mitigation procedure
- justification framework that takes into consideration risk impact, likelihood and compliance breach
- communicate justification
PCI-DSS Compliance Policy
The PCI DSS compliance policy addresses the key concerns identified in the SAR report, along with roles and responsibilities, in line with the requirements of the standard and the recommendations of the SAR report. The policy mandates the recruitment of a compliance officer and the formalization of FMC's IT security team.

PCI DSS Compliance Policy for Point-of-Sale (POS) System
Policy Number: 001
Effective Date: 06/08/2024
Review Date: 06/08/2025
Approved By: CISO

Purpose
The purpose of this policy is to ensure that FMC's point-of-sale (POS) system meets PCI DSS compliance requirements, including the implementation of a secure network, proper configuration, and the installation of essential security measures.

Scope
This policy applies to all systems, processes, and personnel involved in the deployment, operation, and maintenance of FMC's POS system and web portal, as well as the related network infrastructure and security controls.

Policy Requirements
Network Security
Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
- Responsibilities:
  - Network Administrators: Ensure that encryption is applied to all network communications involving cardholder data.
  - Compliance Officer: Verify encryption compliance and effectiveness through periodic reviews.
Antivirus Protection
Requirement 5: Use and Regularly Update Anti-Virus Software or Programs
- Policy: FMC will deploy anti-virus (AV) solutions on all systems that handle cardholder data and ensure that they are regularly updated and maintained.
- Responsibilities:
  - IT Security Team: Select and deploy AV solutions across all relevant systems.
  - System Administrators: Regularly update AV software and perform system scans.
  - Compliance Officer: Ensure that AV solutions are in place and updated through regular inspections.
Access Control
Requirement 6: Develop and Maintain Secure Systems and Applications
- Policy: FMC will develop and maintain secure systems and applications by applying secure coding practices, performing regular security testing, and addressing vulnerabilities.
- Responsibilities:
  - Development Team: Follow secure coding practices and conduct regular security testing.
  - IT Security Team: Address and remediate identified vulnerabilities in systems and applications.
  - Compliance Officer: Ensure that secure development practices are adhered to through audits.
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
- Policy: FMC will restrict access to cardholder data based on the need to know, ensuring that only authorized personnel have access to sensitive information.
- Responsibilities:
  - Access Control Team: Implement and manage access control policies and procedures.
  - HR Department: Provide information on role-based access requirements.
  - Compliance Officer: Review and verify access controls and user permissions regularly.
Requirement 8: Identify and Authenticate Access to System Components
- Policy: FMC will implement robust identification and authentication mechanisms to ensure that only authorized users can access system components and cardholder data.
- Responsibilities:
  - IT Security Team: Implement multi-factor authentication (MFA) and strong password policies.
  - System Administrators: Manage and review user authentication processes.
  - Compliance Officer: Ensure proper identification and authentication controls through audits.
Requirement 9: Restrict Physical Access to Cardholder Data
- Policy: FMC will restrict physical access to cardholder data and systems to prevent unauthorized personnel from gaining access.
- Responsibilities:
  - Facilities Management: Implement physical security controls such as access cards and surveillance.
  - IT Security Team: Ensure that physical security measures are aligned with PCI DSS requirements.
  - Compliance Officer: Perform physical security reviews and ensure compliance with access restrictions.
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
- Policy: FMC will track and monitor access to network resources and cardholder data to detect and respond to security incidents promptly.
- Responsibilities:
  - IT Security Team: Implement and manage logging and monitoring systems.
  - System Administrators: Regularly review access logs and monitor system activities.
  - Compliance Officer: Conduct audits to ensure that tracking and monitoring processes are effective.
Requirement 11: Regularly Test Security Systems and Processes
- Policy: FMC will regularly test the security of systems and processes to ensure their effectiveness in protecting cardholder data.
- Responsibilities:
  - IT Security Team: Conduct regular security testing, including vulnerability assessments and penetration testing.