Medical Supplies Company IT Security and Compliance Program

Introduction

As the Maxister Medical Supplies Company has grown its operations and its IT operation has become more important and with that the security needs have changed. This summary will talk about what aspects of the IT operations need to be looked at and improved on to ensure that the security needs are meet while still ensuring that business operations are quick an effective for customers. There are several changes that need to be implemented he help the IT operations meet with regulations set by compliance NIST 800-53 Standards. During my assessment of all the IT operations I have found several risk areas that I will be focusing in my Security and Compliance programs. The guideline for this paper will be as follows:

• Known risks
• Implementation of the risk management framework
• Overview of the new IT Security program
• Overview of the new IT Compliance program

Known Risks

At the end my evaluation of the IT security operations current state there were a few major risks areas that needed to be fixed in order to secure the network. Fixing these will be worked on as the compliance program is implemented and will help the Maxister Company meet with NIST 800-53 Standards.

Risk 1

The first problem I will point out is the network topology. The problem with this the way the network is set up is that there is only one firewall per site that helps to protect the network. This makes any site an easy target for anyone that would want to look around the whole network once in.

In order to improve this I suggest the implementation of a layer network topology. This could be done by have the first firewall for the webserver and then a second firewall behind that to put extra protection on the central network. This set up will help create an IT environment that will allow anyone that needs to access externally to do so while keeping attackers out of the company network. This will create a barrio for the company network so that it can’t be as easily attacked externally. In addition to having two separate firewalls separating the internal network form external resources, the internal network should be separate through a VPN to include a extra layer of protection. All this will only have a minimal impact on performance that could even go unnoticed, so the extra layer of security doesn’t affect business operations.

Risk 2

The next risk that I will be addressing is Maxistar’s network infrastructure. Having a consolidated network may have worked well in the past and not been a problem it has risks such as if someone were to get into the webserver then then could have access to other servers simultaneously and that risk could be reduced.

The best way to improve this is to separate the server functions though virtual machines on the physical server. By separating the servers you limit the risk of anyone having access to multiple servers and you also get closer in compliance with NIST 800-53 standards, which states the separation of duties per server.

Risk 3

A big problem that I have seen within Maxistar’s databases is the lack of encryption and this has been an increasing more important procedure that companies need to implement. Thought of curse not everything has to be encrypted on the databases, there are some things that should have already been encrypted. Encryption is one of the core components of the NIST 800-53 Standard and it is why it will be one of the primary focus once the new Security and Compliance Programs are implemented.

I recommend encryption anything that has any personal identification, payment information and company sensitive data with a minimum of 128-bit encryption. It is important to encrypt data so that any sensitive data is hard to read and protect the company’s assets.

Implementing a Risk Management Framework

Before being able to establish the Security and Compliance Programs the risk management framework needs to be designed to help assess what risks a business must worry about and mitigate. The risk management framework will allow for the IT security organization and the Security and Compliance Programs work towards the company’s business needs while protecting its IT infrastructure. This is done by define what the risk are to the company and figuring out how to be deal with these risks. I selected the NIST framework (NIST, 2015), which was established by the Federal Information Systems. The framework is flexible so it can be adjusted more specifically towards Maxistar’s business needs and will be a strong foundation for the new Security and Compliance Programs.

The framework has three tiers in its approach to risk management. It begins with organization, by lining up IT with the business and understanding how business works will then all the risk be fully determined and handled. Next is the mission and business process where you would see how to keep the business running towards it goal effectively. Finally the last tier is the information systems where the NIST framework focus on a Security Life Cycle to help the organization create a continuous feedback cycle. The implementation of a continuous feedback cycle will allow for the organization to be constantly improving its risk management.

The Security Program

The security plan that I will propose here is following the same mindset that was used in making the risk management framework to put the company needs and to create steps to meet the NIST 800-53 compliance needs. The program that I am proposing will have 5 phases and will take up to 10 months to fully get implemented and working.

Phase 1

This first phase for the IT security department is to immediately establish Encryption and Database security controls for their databases. This will also involve the use of access controls for software and hardware systems to correspond with employee job access permissions. Also will be implementing workstations security by increasing patching of business crucial systems every 2 months and non-business critical systems every 3 months.  This phase will take about the first month.

Phase 2

For this phase will create a security and compliance team that will group responsible for auditing and securing Maxistar’s IT systems and making sure that they are in compliance with company policies, industry regulations and laws, and any other market standards that Maxistars will do business in. This team will have to create a security management process that will focus on risk analysis, system activity review, and risk management. Will create a program for incident response and reporting to overhaul any security incidents or disaster recovery procedures. This phase will be part of month two and three.

Phase 3

This next phase will involve educating the employees on the new compliance standards the new security program. This will also include having an awareness training program and document for employees so that they can be better educated on how to spot and deal with socially engineered attacks. This will be part of month four.

Phase 4

There will be two arts to this phase, a software and a hardware part. For the software there will be a higher standard of quality control, with review and revision documentation of code internally before the release of the new code. And for the hardware this is where the implementation of the new layers of firewall will take place and testing of the new infrastructure will be one implemented to ensure that all access controls work correctly. This will be months five and six.

Phase 5

For the final phase of this new security program I suggest that that a service management solution be put in place to make shared knowledge be better accessible along with a trouble and issue tracking system. Add a website or service tab function for cataloging IT assets and services. This will be done during months seven to ten as all the service start to role out.

This whole plan focuses on implementing a new security groups and improving existing security teams and standards. During this whole process the mindset of maintaining compliance standards should be focused on as this will help the ensure that all compliance needs are meet while the security department implements its changes. This will help for new policies to be easier to constructe for the compliance program.

The Compliance Program

In order to be able to meet common elements of the NIST 800-53 standards I have compiled five compliance standards that the company should meet and follow. These plans should be incorporated as the phases for the security plan take places as they will hep to ensure that the company is creating a better security infrastructure.

Assessment 1

Verify that all software that involve file integrity monitoring and change detection have been installed on system logs and that all changes will have generated alerts. This will consist of system settings, files in data logs, and any other activities and applications that require monitoring.

Assessment 2

This one states that all security alerts are to be analyzed and sent to the right person for assessment of the situation. This will ensure that all security information is sent to the right security team member to deal with the situation accordingly.

Assessment 3

Ensure that all internal vulnerability scans are done according to their timeframe by the assigned security team member. This will also ensure that all high-risks vulnerabilities be rescanned to ensure that all viable threats that originated from it are gone.

Assessment 4

This one involves firewalls and routers, where configurations should eb set and checked to make sure that all inbound and outbound traffic is limited to what is necessary for the cardholder and that all non-necessary traffic be denied with an either deny all function or an implicit deny after allow statement.

Assessment 5

This one incorporate the training of all employees to be trained in security awareness annually with any new techniques that arise along with being trained upon hire to ensure that they have the awareness education that they need to be able to deal with social engineered attacks to the best of their abilities.

This program is to be to be set along side the security program to help ensure that it meets all the compliance needs with someone on each team of the phases stated making sure that they take the lead in ensuring that all the compliance needs are meet through the project. This will allow the company to be able to ensure that all its security focus is meet with all the compliance needs it needs to be able to the be NIST certified one all the new program roll outs are done.

Conclusion

In order for Maxistar to reach its goal of having a stronger security operation and being NIST complacent it will need to reply on a new risk management framework and the security and compliance programs that I outline. With the new programs the company will have a more secure infrastructure that will also guide them towards being compliance with the NIST compliance standard and certification. Though this process could take around an estimated 10 months the journey will allow for a smooth transition into be come more secure and complacent.

References

• Joint Task Force Transformation Initiative, (2010, December 10). Guide for Assessing the Security Controls in Federal Information Systems and Organizations, NIST. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-53Arev1/sp800-53A-rev1-final.pdf
• NIST, (2015, July 1). Cybersecurity Framework, NIST Retrieved from: http://www.nist.gov/cyberframework/
• News Release. (2016). Archive-IT, Retrieved from: https://archive-it.org/collections/3926?
• Deloitte (2015). Building world-class ethics and compliance programs: Making a good program great Five ingredients for your program. Retrieved from: https://www2.deloitte.com/content/dam/Deloitte/no/Documents/risk/Building-world-class-ethics-and-compliance-programs.pdf