Security System Evaluation & Remediation: Protecting Sensitive Data

A detailed analysis of security risks and mitigation strategies for a system called FMC Phoenix. It outlines the importance of implementing robust security controls, including access control, risk management, and endpoint protection, to meet compliance requirements such as FISMA and PCI DSS. The document also includes a PCI DSS compliance policy addressing network security, system security, antivirus protection, access control, and information security policy.

Typology: Study notes
2023/2024
Uploaded on 03/28/2025 by jossef-sobo

Security System Evaluation and Remediation
Governance, Risk, and Compliance (Western Governors University)


Table of Contents

  • Overview of Gaps
  • Identified Risks
  • Remediation Plan
  • PCI-DSS Compliance Policy
  • Purpose
  • Scope
  • Policy Requirements
  • Network Security
  • System Security
  • Antivirus Protection
  • Access Control
  • Enforcement and Compliance
  • References

Identified Risks

(The start of this table, including its column headings and the first cells of the row below, is on a page not included in the preview; the surviving fragments are grouped by cell.)

AC-6 Least Privilege
  Notes: ... based on duties and systems.
  Risk: ... system access and permissions will lead to unauthorized access and data breaches.
  FMC decision: ... in order to guarantee adherence to the access control guidelines and recommendations outlined in NIST SP 800-53. This standard mandates that individuals are granted only the necessary rights and permissions to fulfil their roles and responsibilities, thereby preventing unauthorized access, accidental damage from user errors, and malicious actions. (Goulding, 2024)

CA-5 Plans of Action and Milestones
  Notes: Develop and track planned remediation actions.
  Risk: High; the absence of procedures to track remediation actions will result in inconsistent remediation actions and persistent control gaps.
  FMC decision: In order to comply with security best practices, a remediation plan and checklist will be defined with clearly identified control owners and timelines, and the status of remediation will be monitored to ensure that remediation actions are followed through and enforced. (Tyler, 2024)

CA-7 Continuous Monitoring
  Notes: A continuous monitoring strategy is required to support business needs and the new system.
  Risk: Medium; the lack of a monitoring strategy will leave FMC blind to threats and control gaps that may come with the implementation of new systems.
  FMC decision: FMC will implement centralized network- and system-level monitoring to ensure that existing and new system controls are adequately monitored for compliance with FMC security policy. (Vanta,

(Fragments of the following rows; their control identifiers and the start of each cell are on a page not included in the preview.)
  ... FMC resources to address risks that have a significant impact on FMC's operations.
  ... alignment with FMC policy and regulatory guidelines. (Tyler,

Other risks identified include:

  • Antivirus: Workstations that are connected to switches have not been equipped with licensed antivirus protection. This poses a high risk to the business: the finding indicates that workstations are not adequately safeguarded against the variety of attacks that bypass network security controls. An attacker who is able to introduce malware to these systems, or an unwitting user who inadvertently opens an infected file on them, places the systems at risk of malware infection and data exfiltration.
    FMC decision: FMC accepts this finding and has deemed it necessary to address this risk in order to reduce the business's attack surface and prevent data breaches from malware attacks, in alignment with the requirements of PCI DSS to secure

  • Endpoint Protection: The current FMC network lacks a firewall or endpoint protection solution to detect and prevent intrusion attempts by internal and external threat actors. The FMC infrastructure is therefore at high risk of exposure to a variety of cyber threats, including malware, intrusion, denial of service and system compromise.

  • Multifactor Authentication: As part of identity and access management controls, the FMC infrastructure does not presently implement multifactor authentication. This poses a significant risk to FMC: without MFA, a single compromised credential grants unauthorized access to sensitive systems and data. Combined with the absence of stringent password requirements, an attacker who guesses, phishes or otherwise obtains a password can compromise accounts and systems with no further hurdle.

  • PCI Non-Compliance: FMC is currently noncompliant with the PCI DSS requirements because the present network infrastructure lacks the requisite network security controls and segmentation, even though a point-of-sale (POS) system has been implemented to process purchase payments. The POS system at FMC's physical location raises numerous security concerns. A network that lacks essential protections such as a firewall, appropriate configuration and antivirus (AV) solutions is at high risk of compromise. PCI DSS is a contractual standard enforced by the payment card brands through the acquiring bank rather than a government regulation, so non-compliance ultimately exposes FMC to fines and penalties from those parties and, in the worst case, to loss of the ability to accept card payments.

  • Inadequate Identity and Access Management for the FMC web portal: The current identity and access management implementation for the FMC web portal does not provide sufficient assurance when government agencies access sensitive information, or when physicians are authenticated before accessing or uploading sensitive documents. Secure access to and use of PII is therefore not guaranteed, which poses a high risk to FMC and could result in significant data breaches.

Remediation Plan

It is important that FMC defines a clear remediation strategy and plan to address the control gaps identified, taking into consideration FMC's financial position as well as the compliance requirements defined by FISMA and PCI DSS.

The table below defines the remediation actions recommended for the full closure of the identified control gaps.

Columns: Control Identifier | Control / Control Enhancement | Notes | Remediation Plan

AC-6 Least Privilege
  Notes: Least privilege needs to be employed based on duties and systems. The principle of least privilege dictates that users should only have the minimum level of access required to execute their job functions.
  Remediation Plan: The following actions are recommended:
    • Define roles and job functions within FMC
    • Conduct role and access reviews for all systems
    • Implement Role-
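The "role and access review" action above is the step that actually finds AC-6 violations, so here is what one looks like in code. This is an added example, not part of the original assessment or of FMC's tooling. It assumes FMC can export (a) a role catalogue mapping each job function to the permissions it legitimately needs and (b) each user's assigned roles and effective permissions from every in-scope system; the catalogue, user names, role names and permission strings are constructed sample data, not FMC's real ones. The review flags three conditions a least-privilege audit cares about: permissions no assigned role justifies, accounts holding permissions with no role at all, and roles that exist in a system but not in the catalogue.

```python
"""Role and access review for AC-6 (least privilege).

Added example, not part of the original assessment. It assumes FMC can
export (a) a role catalogue mapping each job function to the permissions it
legitimately needs and (b) each user's assigned roles and effective
permissions from every in-scope system. The catalogue, user names, role
names and permission strings below are constructed sample data.
"""
from dataclasses import dataclass

# (a) Role catalogue: what each job function needs and nothing more (constructed).
ROLE_CATALOGUE = {
    "pos_cashier": {"pos:process_sale", "pos:void_own_sale"},
    "physician": {"portal:read_patient_docs", "portal:upload_patient_docs"},
    "agency_reviewer": {"portal:read_patient_docs"},
    "sysadmin": {"os:local_admin", "portal:manage_users"},
}

# (b) Entitlement export: user -> assigned roles and effective permissions (constructed).
ENTITLEMENTS = {
    "a.ramos": {"roles": ["pos_cashier"],
                "perms": {"pos:process_sale", "pos:void_own_sale"}},
    # Cashier who was also made a local administrator "temporarily".
    "j.lee": {"roles": ["pos_cashier"],
              "perms": {"pos:process_sale", "pos:void_own_sale", "os:local_admin"}},
    # Physician holding a portal administration right her role does not justify.
    "dr.patel": {"roles": ["physician"],
                 "perms": {"portal:read_patient_docs", "portal:upload_patient_docs",
                           "portal:manage_users"}},
    # Service account with no assigned role at all but live permissions.
    "svc_legacy": {"roles": [], "perms": {"portal:read_patient_docs"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str          # "excess_privilege", "no_role" or "unknown_role"
    detail: frozenset   # offending permissions or role names


def expected_permissions(roles, catalogue):
    """Union of the permissions the user's roles justify; unknown roles add nothing."""
    allowed = set()
    for role in roles:
        allowed |= catalogue.get(role, set())
    return allowed


def review_access(entitlements, catalogue=ROLE_CATALOGUE):
    """Compare effective permissions with what the assigned roles justify.

    Returns one Finding per problem, in user order. A clean review returns [].
    """
    findings = []
    for user, ent in sorted(entitlements.items()):
        roles = list(ent["roles"])
        perms = set(ent["perms"])
        unknown = frozenset(r for r in roles if r not in catalogue)
        if unknown:
            findings.append(Finding(user, "unknown_role", unknown))
        if not roles:
            # Every permission of a role-less account is unjustified; report the lot.
            findings.append(Finding(user, "no_role", frozenset(perms)))
            continue
        excess = perms - expected_permissions(roles, catalogue)
        if excess:
            findings.append(Finding(user, "excess_privilege", frozenset(excess)))
    return findings


def revocation_plan(findings):
    """Permissions to remove per user, i.e. the concrete AC-6 remediation actions."""
    plan = {}
    for f in findings:
        if f.issue in ("excess_privilege", "no_role"):
            plan.setdefault(f.user, set()).update(f.detail)
    return plan


if __name__ == "__main__":
    for f in review_access(ENTITLEMENTS):
        print(f"{f.user:12} {f.issue:17} {sorted(f.detail)}")
```

Run it against a real export and the revocation plan becomes the evidence trail for the CA-5 plan of action: each entry names a control owner's system, the account, and the permission to remove, and re-running the review after the change proves closure.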

Security System Evaluation and Remediation

(The next row continues from a page not included in the preview; its control identifier and first bullets are missing.)
    • ... requirements (identify critical systems, scope and objectives)
    • Develop a continuous monitoring strategy (framework, policies, procedures and tools)
    • Develop a continuous improvement plan
    • Track system and control status against remediation and compliance requirements

RA-3 Risk Assessment
  Notes: An updated risk assessment that identifies and determines the likelihood and impact of the risks associated with the new system is required.
  Remediation Plan: The following actions are recommended to effectively conduct risk assessments at FMC:
    • Develop a risk assessment plan
    • Identify all risks
    • Analyze risks (likelihood and impact)
    • Evaluate and prioritize risks
    • Remediate and track risk status
RA-7 Risk Response
  Notes: A justification or rationale for each risk mitigation strategy, based on either remediation or acceptance of the risk, is required.
  Remediation Plan: The following actions are recommended to define a justification framework for addressing risks to FMC:
    • Define the FMC risk mitigation procedure
    • Develop a justification framework that takes into consideration risk impact, likelihood and compliance breach
    • Document and communicate the justification
PCI-DSS Compliance Policy

The PCI DSS compliance policy aims to address the key concerns identified in the SAR (security assessment report) as well as roles and responsibilities, in line with the requirements of the standard and the recommendations of the SAR. The policy mandates the recruitment of a compliance officer and the formalization of FMC's IT security team.

PCI DSS Compliance Policy for Point-of-Sale (POS) System

Policy Number: 001
Effective Date: 06/08/2024
Review Date: 06/08/2025
Approved By: CISO

Purpose

The purpose of this policy is to ensure that FMC's point-of-sale (POS) system meets PCI DSS compliance requirements, including the implementation of a secure network, proper configuration, and the installation of essential security measures.

Scope

This policy applies to all systems, processes, and personnel involved in the deployment, operation, and maintenance of FMC's POS system and web portal, as well as the related network infrastructure and security controls.

Policy Requirements

The requirement titles below are those of PCI DSS v3.2.1, which was retired on 31 March 2024, before this policy's effective date. An assessment against the current standard maps each one to the PCI DSS v4.0 requirement of the same number; v4.0 keeps the numbering but restates the titles (for example, Requirement 1 reads "Install and Maintain Network Security Controls" and Requirement 5 "Protect All Systems and Networks from Malicious Software").

Network Security

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

(The policy text for the remaining Network Security and System Security requirements is on pages not included in the preview; only the tail of a responsibilities list concerning encryption of cardholder data in transit survives.)

  • Responsibilities:
    o Network Administrators: Ensure that encryption is applied to all network communications involving cardholder data.
    o Compliance Officer: Verify encryption compliance and effectiveness through periodic reviews.

Antivirus Protection

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs

  • Policy: FMC will deploy anti-virus (AV) solutions on all systems that handle cardholder data and ensure that they are regularly updated and maintained.
  • Responsibilities:
    o IT Security Team: Select and deploy AV solutions across all relevant systems.
    o System Administrators: Regularly update AV software and perform system scans.
    o Compliance Officer: Ensure that AV solutions are in place and updated through regular inspections.

Access Control

Requirement 6: Develop and Maintain Secure Systems and Applications

  • Policy: FMC will develop and maintain secure systems and applications by applying secure coding practices, performing regular security testing, and addressing vulnerabilities.
  • Responsibilities:
    o Development Team: Follow secure coding practices and conduct regular security testing.
    o IT Security Team: Address and remediate identified vulnerabilities in systems and applications.
    o Compliance Officer: Ensure that secure development practices are adhered to through audits.

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

  • Policy: FMC will restrict access to cardholder data based on the need to know, ensuring that only authorized personnel have access to sensitive information.
  • Responsibilities:
    o Access Control Team: Implement and manage access control policies and procedures.
    o HR Department: Provide information on role-based access requirements.
    o Compliance Officer: Review and verify access controls and user permissions regularly.

Requirement 8: Identify and Authenticate Access to System Components


  • Policy: FMC will implement robust identification and authentication mechanisms to ensure that only authorized users can access system components and cardholder data.
  • Responsibilities:
    o IT Security Team: Implement multi-factor authentication (MFA) and strong password policies.
    o System Administrators: Manage and review user authentication processes.
    o Compliance Officer: Ensure proper identification and authentication controls through audits.

Requirement 9: Restrict Physical Access to Cardholder Data

  • Policy: FMC will restrict physical access to cardholder data and systems to prevent unauthorized personnel from gaining access.
  • Responsibilities:
    o Facilities Management: Implement physical security controls such as access cards and surveillance.
    o IT Security Team: Ensure that physical security measures are aligned with PCI DSS requirements.
    o Compliance Officer: Perform physical security reviews and ensure compliance with access restrictions.

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

  • Policy: FMC will track and monitor access to network resources and cardholder data to detect and respond to security incidents promptly.
  • Responsibilities:
    o IT Security Team: Implement and manage logging and monitoring systems.
    o System Administrators: Regularly review access logs and monitor system activities.
    o Compliance Officer: Conduct audits to ensure that tracking and monitoring processes are effective.

Requirement 11: Regularly Test Security Systems and Processes

  • Policy: FMC will regularly test the security of systems and processes to ensure their effectiveness in protecting cardholder data.
  • Responsibilities:
    o IT Security Team: Conduct regular security testing, including vulnerability assessments and penetration testing.
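Requirement 10 and the CA-7 continuous-monitoring gap both come down to the same question: once logs are centralized, what does the monitoring actually look for? The following is an added example, not part of the original policy or of any FMC system. It assumes the POS hosts, the payment database and the web portal forward authentication and cardholder data access events to a central collector as one key=value line per event; every log line, host name, account name and record identifier is constructed sample data, and the thresholds are illustrative choices rather than PCI DSS values. It implements three detections the policy implies: a burst of failed logins per account inside a sliding window, a success immediately after such a burst (the signature of a guessed password, which also speaks to the MFA finding), and any read of cardholder data by an account without a documented need to know.

```python
"""Detection logic for PCI DSS Requirement 10 (track and monitor access).

Added example, not part of the original policy. It assumes the POS hosts, the
payment database and the web portal forward authentication and cardholder
data access events to a central collector as one key=value line per event.
Every log line, host name, account and record identifier below is constructed
sample data, and the thresholds are illustrative choices.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-06-08T09:00:01Z host=pos-01 event=auth.failure user=a.ramos src=10.10.20.15
2024-06-08T09:00:07Z host=pos-01 event=auth.failure user=a.ramos src=10.10.20.15
2024-06-08T09:00:12Z host=pos-01 event=auth.failure user=a.ramos src=10.10.20.15
2024-06-08T09:00:18Z host=pos-01 event=auth.failure user=a.ramos src=10.10.20.15
2024-06-08T09:00:25Z host=pos-01 event=auth.failure user=a.ramos src=10.10.20.15
2024-06-08T09:00:31Z host=pos-01 event=auth.success user=a.ramos src=10.10.20.15
2024-06-08T09:15:00Z host=pos-db event=chd.read user=svc_legacy record=txn-4471 src=10.10.30.8
2024-06-08T09:16:40Z host=pos-db event=chd.read user=j.lee record=txn-4472 src=10.10.20.15
2024-06-08T10:02:00Z host=portal event=auth.failure user=dr.patel src=203.0.113.7
"""

# Accounts with a documented business need to read cardholder data (Requirement 7); constructed.
CDE_AUTHORIZED = {"j.lee", "pos_settlement"}
FAILED_LOGIN_THRESHOLD = 5                    # failures per account ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this sliding window


def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict, with the timestamp parsed under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Run the three detections over the lines; return (rule, account, context) tuples."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()                 # users already reported for their current burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user", "?")
        if ev["event"] == "auth.failure":
            window = failures[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()            # forget failures that aged out of the window
            if len(window) < FAILED_LOGIN_THRESHOLD:
                alerted.discard(user)       # burst is over; a new one may be reported later
            elif user not in alerted:
                alerts.append(("brute_force", user, ev["host"]))
                alerted.add(user)           # report a burst once, not on every further failure
        elif ev["event"] == "auth.success":
            # A success right after a burst of failures is the pattern of a guessed or
            # sprayed password and deserves its own, higher-priority alert.
            if len(failures[user]) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("success_after_failures", user, ev["host"]))
            failures[user].clear()
            alerted.discard(user)
        elif ev["event"] == "chd.read" and user not in CDE_AUTHORIZED:
            alerts.append(("unauthorized_chd_access", user, ev["record"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The sliding window matters: five failures spread over half an hour are a user who forgot a password, five inside ten minutes are a tool, and a rule that only counts failures per day cannot tell them apart. The need-to-know check is the cheapest monitoring win on the page, because it turns the Requirement 7 access list into something that fires the moment a forgotten service account such as the constructed svc_legacy touches a card record.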