Assignment 1: Using Security Policies and Controls to Overcome Business
Challenges
Learning Objectives and Outcomes
Understand the importance of information security policies and the role they play in business
activities to ensure sound, secure information.
Identify four IT security controls for a given scenario.
Scenario
The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations
throughout the region.
Online banking and use of the Internet are the bank’s strengths, given limited its human
resources.
The customer service department is the organization’s most critical business function.
The organization wants to be in compliance with Gramm-Leach-Bliley Act (GLBA) and IT security
best practices regarding its employees.
The organization wants to monitor and control use of the Internet by implementing content
filtering.
The organization wants to eliminate personal use of organization-owned IT assets and systems.
The organization wants to monitor and control use of the e-mail system by implementing e-mail
security controls.
The organization wants to implement this policy for all the IT assets it owns and to incorporate
this policy review into an annual security awareness training program.
Assignment Requirements
Using the scenario, identify four possible information technology (IT) security controls for the bank and
provide rationale for your choices
Information security controls are measures that will help in protecting and securing the IT system from outside and inside attacks. Cyberattacks in financial institutions account for the theft of millions of dollars. For a banking or financial organization, as most of the operations are carried out online, utmost care and security control measures should be in place to avoid any kind of cyberattacks.
IT security controls for the bank and the rationale for their inclusion:
Based on the given scenario for the XYZ Credit Union/Bank, the following five Information technology(IT) security controls namely securing data using encryption control, preventing misuse through access control user policies, hardening of all available systems, hardware and software controls using hardware Firewalls, and Communication and Email security controls are identified for the bank and the rationale for the choices is also described below:
1) Securing data using encryption controls:
All banking data is critical and needs to be stored and operated in a highly secure environment. Only authorized persons should have access to data. Proper encryption technologies should be used to encrypt the data stored in the database server. Encrypted data, when transferred across networks, will also be safe from data theft. Technologies such as asymmetric or symmetric encryption should be adopted using appropriate algorithms. Some of the commonly used algorithms include AES, RSA, and DES.
2) Preventing misuse through access control user policies :
As a large number of employees work in the bank and access the systems and IT assets on a day-to-day basis, user policies must be in place to control access to the critical data stored across the banking system. Data theft from insiders can be controlled by framing and implementing access control user policy documents. Enterprise-level strong passwords must be used by all users and should be periodically changed. Similarly, external access into the banking systems through bank customers form outside should be controlled using strict customer use and access policies. User policies can be adopted that will prevent the employees from using the IT assets of the bank for personal use.
3) Hardening of all available systems:
All systems purchased from the vendors comes with default configurations and settings. Some of the systems come with default passwords and default built-in user accounts too. System hardening will ensure that all insecure services, accounts, and configurations are removed and passwords are reset as per the password policy set by the organization. Hardening of all systems will reduce the vulnerability of these systems and will help the bank in securing the IT assets and systems.
4) Hardware and Software controls using Hardware Firewalls and Anti-virus and malware software
IT security controls should be in place to prevent malicious codes from getting into the system. These malicious codes can steal critical customer and banking data, destroy or delete the data, disrupt the network services or even prevent customers from accessing the banking system for their normal operations. Technologies such as hardware firewall, software firewall, Enterprise level commercially available anti-virus, and anti-malware software should be installed in the premises. Content filtering can be implemented using hardware and software firewalls. Firewalls can be configured to block certain websites or even block content based on different categories and keywords.
5) Communication and Email security controls:
Organization-wide communication channels and policies must be in place to ensure that there is no breach in the data through communication channels. Email security control measures should be adopted to ensure that all employees are only using banking domain-based email services and account provided by the organization. Virus scanning technologies should be adopted for incoming and outgoing mails that will scan all attachments for any possible security threats.
Assignment 1: Using Security Policies and Controls to Overcome Business Challenges Learning Objectives and Outcomes ...