Executive Summary
Bank of Abiaad is a bank located in the state of Michigan. It has a total of 80 employees across its two bank branches, as well as 30 head office employees located in Downtown, Michigan. The purpose of this governance and management plan is to provide assurance that the business and security aspects of the organization are aligned. This document clarifies the goals, protocols, and procedures of the business, and provides information so that all employees and stakeholders understand its requirements, assurance, processes, and implementations.
Section 1: Value Proposition Strategic Assessment
1.1 Information Security Vision
Bank of Abiaad is devoted to providing the confidentiality and integrity in order to create the availability of a safe
1.2 Information Security Mission
The mission of Information Security is to create, implement, and uphold an information security program that shields the Hospital’s systems, services, and data against unauthorized use, disclosure, modification, damage, and loss.
1.3 Drivers, Goals, and Benefits of Security Governance and Management
- Strategic Alignment: aligning security activities with business strategy in order to support organizational objectives (Brotby, 2006).
  o Support business initiatives
- Risk Management: implementing the appropriate measures to manage risk and possible impacts to an acceptable level (Brotby, 2006).
  o Protection from potential civil or legal liability resulting from information inaccuracy, improper disclosure, or the absence of due care in its protection.
  o Accountability for protecting information during critical business activities.
Business Strategic Goal: Risk mitigation and asset protection
Information Security Objectives:
- Provide confidence to leadership in the effective and efficient execution of information security responsibilities
- Keep up with ever-emerging security threats
- Protect assets and mitigate information security risk
  o Meet the operating needs of the organization in a secure manner
- Safeguard the confidentiality, integrity, and availability of the network, systems, and applications
- Move from a reactive to a more proactive response model
- Provide secure computing training and education to the organization

Business Strategic Goal: Operational and cost efficiency
Information Security Objectives:
- Improve capital expenses and operational expenditures
- Due diligence for vendors

Business Strategic Goal: Compliance obligation
Information Security Objectives:
- Meet legislative and regulatory requirements, and audit recommendations
- Monitor and validate regulatory compliance
1.3 Table 1
Section 2: Roles and Responsibility
Duty | Owner | Others Involved
Ensuring proper protection for all physical and technical aspects of the organization (SANS) | CISO | CEO
Leading the development and execution of the long-term strategy (Petrotal, 2017) | CEO | Shareholders
In charge of all background responsibilities, including technical support | Head Office | CEO, CISO
Ensure all bank locations are up to standard | District Manager | CEO
Ensure all employees are completing their jobs correctly | Manager | District Manager, CEO, CISO
Provide assistance to clients and information on savings and investments (Writer, 2017) | Banker | District Manager, CEO, CISO
2.1 Table 2
Section 3: Liabilities
3.1 Safety of Employees and Customers
- If a robbery occurs, the immediate police alert button is not to be pressed until the robber is out of the building, to ensure the safety of employees and customers.
3.2 Private Information
- The information collected from clients becomes a liability because it is personal.
3.3 Client Personal Belongings and Money
- Customers' money becomes a liability because the bank is the one holding it; if funds are placed into the hands of the wrong person, the liability comes back to the bank.
- Personal belongings left in the bank's safe become a liability as well, because the bank has assured their safety.
Section 4: Physical Security
4.1 Biometrics
- Fingerprints and personal identification used to secure systems and transactions (Field, 2008).
4.2 Convergence
- Brings the physical and logical security programs together into one (Field, 2008).
4.3 Risk Assessment
- How to address and mitigate the bank's physical vulnerabilities (Field, 2008).
Section 5: Cyber Security
5.1 Internet of Things
- The IoT has taken cyber security to a new level, because breaches can now occur through any device connected over Wi-Fi.
5.2 Multiple Vendors
- Because many different vendors are used, their different technologies end up clashing with one another (Yurcan, 2017).
Section 6: 7 Layers of a Mature Security Program
6.1 Table 3
7.1 Metrics
- Produced from the analysis of measurements. They involve the comparison of a minimum of two measurements taken over a specific time frame against a predetermined baseline (Gardner & Thomas, 2014).
7.2 Measurements
- How often do employees change their passwords?
- How many times has data been backed up?
  o Critical in case of ransomware
- When should backups be taken?
Section 8: Security Appliance
8.1 Security Appliance
- A server appliance created to prevent unwanted traffic from entering the computer network (Gardner & Thomas, 2014).
8.2 Firewall
- Monitors network traffic and decides what is allowed in and what is not, according to security rules (Cisco, 2018).
8.3 Vulnerability Assessment
- A self-conducted assessment is extremely beneficial when run against one's own enterprise. The assessment can lead to the discovery of exposures before a possible attacker finds them (SANS).
Section 9: Antivirus
9.1 Antivirus
- This system detects intruders by monitoring and analyzing the computing system internally (Gardner & Thomas, 2014).
- It is required for all computers used in the bank, and clients are recommended to have an antivirus system on their home banking computer.
9.1 Table 4
Section 10: Log Management
10.1 Log Management
- This approach deals with large volumes of computer-generated log messages (Gardner & Thomas, 2014).
10.2 Phases of Log Management (Sumologic, 2018)
- Instrument and Collect – collects the data
- Centralize and Index – allows for easy access and visibility
- Search and Analyze – allows the program to search and analyze the information
- Monitor and Alert – allows for timely alerts
- Report and Dashboard – allows reports to be shared with team members
10.2 Table 5
Section 11: Patch Management
11.1 Patch Management
- This area of systems management involves the collection, testing, and installation of multiple patches that apply code changes to an administered computer system (Gardner & Thomas, 2014).
- Patch management allows for consistent monitoring of the network during a time of vulnerability. This allows immediate action to be taken if a patch hasn't already been released (Thrive, 2017).
Section 12: Security Awareness Training
12.1 Security Awareness Training
- Covers the security awareness program (Gardner & Thomas, 2014).
12.2 Provided by the Organization
- Security awareness training will be provided immediately upon hiring, during training
- Employees are to complete updated training every four months
12.3 Security Awareness Activity
- Lifelike simulations will be conducted at random times and days
Section 13: Policies and Procedures
13.1 Policies and Procedures
- The foundation of, and critical to, all aspects of the security program (Gardner & Thomas, 2014).
13.2 PCI DSS
- PCI DSS – Payment Card Industry Data Security Standard
  o Three steps for adhering to PCI DSS (PCI, 2010):
    ♣ Assess – identify cardholder data, and inventory and analyze IT assets and business processes for card payment processing in order to find vulnerabilities that could expose cardholder data.
    ♣ Remediate – repair vulnerabilities and keep only the cardholder data that is needed.
    ♣ Report – compile and submit the required remediation records, and present compliance reports to the banks and card brands the business works with.
Section 14: Strategy
14.1 Strategy
- Building a good security culture within the organization
14.2 Breach Plan
- Having a plan and statement ready in case of a breach
- Having a professional spokesperson speak on behalf of the company during the situation
14.3 Termination of Employee Process
- Ensuring that termination is complete and the former employee no longer has access
  o Ensures that the former employee will not have the ability to cause a breach or loss of information as a way of retaliation.
14.4 Business Continuity
- Business Continuity Management identifies potential threats to the organization and the possible impacts those threats may have on business operations if they occur (DRI, 2018).
- Provides a framework for a resilient organization that has the ability to respond effectively, defending the welfare of stakeholders, the standing of the company, and its brand and value-creating activities (DRI, 2018).
Section 15: Risk Assessment
15.1 Risk Assessment
- Preparation for any possibly common incident
  o Data breach, fire, robbery, shooting, and any possible natural disasters
- Resources required in order to protect the company are constantly put in place and reiterated.
  o IT Support (Head Office)
  o CEO
  o CISO
  o District Manager
- Acceptance of loss
  o The CEO and CISO are to inform the district manager of the acceptance rate.
15.2 Threat Hunters
- Respond to incidents
- Perform threat landscaping
15.3 Risk Management Framework
15.3 Table 3
Section 16: Protocol
16.1 Social Media
- Colleagues should know what is appropriate for social media and what is not.
- Colleagues are to be held accountable for anything inappropriately submitted to social media
16.2 Robbery Safety
- In the instance of a robbery, employees are to immediately give money from the first drawer only, and from the second drawer only if the robber asks for it.
- Employees are not to press the alarm until the robber has exited the building, in order to ensure the safety of clients and employees.
Section 17: Critical Security Controls (SANS)
17.1 Inventory of Authorized and Unauthorized Devices
- Active management of all hardware devices included in the network in order to ensure access is given only to authorized devices
17.2 Controlled Use of Administrative Privileges
- Tracking, regulating, preventing, and correcting the use and assignment of administrative privileges on computers, applications, and networks
17.3 Email and Web Browser Protections
- Minimize the attack surface and the opportunities for attackers to manipulate human behavior.
17.4 Data Protection
- Prevents and mitigates possible data exfiltration while ensuring the privacy and integrity of sensitive data.
Section 18: Auditing
18.1 How often?
- Auditing should take place every two weeks in order to reduce the volume of records that must be reviewed at once, and also to prevent risks
18.2 Internal Audits
- Internal audits are required in order to ensure that all internal mistakes are taken care of and that employees are not a risk
18.3 External Audits
- External audits are to be done
References
Brotby, K. (2006). Information security governance: A practical development and implementation approach. Hoboken, New Jersey: John Wiley & Sons, Inc.
Cisco. (2018, June). What is a firewall? Retrieved from https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html
DRI. (2018). What is Business Continuity Management? Retrieved from https://drii.org/what-is-business-continuity-management
Field, T. (2008, February). Focus on physical security. Retrieved from https://www.bankinfosecurity.com/focus-on-physical-security-a-706
HHS Office of the Secretary, Office for Civil Rights. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
PCI Security Standards Council. (2010, October). Official PCI Security Standards Council site: Verify PCI compliance, download data security and credit card security standards. Retrieved from https://www.pcisecuritystandards.org/
Petrotal. (2017). Roles and responsibilities: Chief Executive Officer. Retrieved from http://www.petrotal-corp.com/docs/RolesAndRespCEO.pdf
SANS. (n.d.). Critical security controls. Retrieved from https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
SANS. (n.d.). Vulnerability assessments. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/vulnerability-assessments-pro-active-steps-secure-organization-453
Sumologic. (2018, May). What is log management? Retrieved from https://www.sumologic.com/what-is-log-management/
Thrive. (2018, January 16). Importance of patch management. Retrieved from https://www.thrivenetworks.com/blog/patch-management
Writer, J. M. (2017, June 22). The many roles and responsibilities of a banker. Retrieved from http://www.jobmail.co.za/blog/the-many-roles-and-responsibilities-of-a-banker/
Yurcan, B. (2017, August 1). Bank cybersecurity may need a new mindset. Retrieved from https://www.americanbanker.com/news/bank-cybersecurity-may-need-a-new-mindset