Making security an integral part of IT decision making
Making Security an Integral Part of IT Decision Making
For this Group Project, consider a midsize bank that has never had a security manager before. The bank has only IT analysts who perform security tasks such as managing firewalls. As the bank grows, security is often seen as a roadblock because it is not considered until the end of a project and it often adds unplanned costs and delays. IT managers are concerned with networks, servers, and applications, but security is never involved in managerial discussions. The chief executive officer (CEO) feels that it would be prudent to take a holistic view of security. Formalizing the security function would allow security to be better planned.
The bank plans to set up some servers in the demilitarized zone (DMZ) for credit card processing. The IT operations team decides that hosting the credit card application in the DMZ, where it can leverage shared infrastructure, such as virtual servers, load balancing, and a shared database, would save the bank money.
This does not comply with payment card industry (PCI) rules because of the access controls placed on the credit card data and because of using shared hardware and services. In addition, DMZ will need everything in the bank to pass PCI audits. It is better to consider segmenting the credit card application off, behind a firewall, or using a third-party hosting service, which would allow transferring the PCI liability contractually. In this Group Project, you have the opportunity to provide expertise and potentially save the bank from making a costly mistake.
1. Explain how you will approach the bank’s IT management to make it see your perspective and consider a different way of deploying the credit card application. Be thorough, state your case, and explain how adding security to a business solution can save the bank money.