
430 W7 Benchmark – Developing Contingency Strategies for Information System UG


Across The States Bank Information Security Risk Strategies


PART 1 Prepare for Risk Management

Corporate security requirements and Impacts of non-compliance

The corporate requirements for banking information security include:

· A security perimeter for banking systems.

· User authentication and authorization measures.

· Multi-factor authentication.

· Mobile and internet banking security protocols.

· Compliance with ISO information security standards.

· In-house information security systems.

· Information security and audit practices to keep data safe and identify security threats.

· Risk assessment and mitigation practices.

Failure to meet these requirements will have several consequences for the bank. The federal government could withdraw its operating licenses for non-compliance. The bank could also suffer reputational damage in the event of a security incident (Rongrat & Senivongse, 2017). There will also be legal fees and penalties for failing to abide by the federal security risk protocols that industries must follow to protect institutions and their customers.

Categories of information systems:

· Storage systems used to store customer and company data.

· Privileged-access systems, used for the bank's cloud systems such as backup web servers.

· General-use systems, commonly used by staff such as bank tellers.

· End-user systems such as ATMs, which serve customers.

· Managerial information systems.

Categories of people, processes, systems and hardware

· Categories of people: junior employees, managers, senior-level managers, IT specialists, IT contractors, and non-banking personnel such as security officers.

· Processes: transactions, data storage, data backup, cash transfers, data entry and processing, check processing and clearance.

· Hardware: ATMs, teller computers, CCTV cameras, vaults, data centers, cash registers, and authentication machines such as biometric systems.

· Software: bank security and authentication software, bank SAPs, mobile and internet services software, SWIFT, transaction processing software, decision-making and report-generation software, market research software.

· Data: customer information, employee data, suppliers' data, partners' data, cash transaction history, accounts data, safety deposit data.

The data classification schemes

According to Fenz et al. (2018), the criteria for creating the data classification scheme will be based on the value of the data and its levels of accessibility. That is, data is classified by how important it is and by who has access to it. The scheme will therefore include:

· Highly confidential: only to be shared with a named recipient.

· Confidential: data for limited distribution, for example only among managers.

· General: data shared among employees for normal banking transactions.

· Public: data to be shared with the public, such as financial statements.

Part 2: Identify Risk

Bank assets and value to the bank

| Category | Asset | Value to the company | Business Impact Analysis |
|---|---|---|---|
| Data | Financial statement | Moderate | Competitive advantage |
| Data | Customer data | Critical | Customer satisfaction |
| Data | Investment data | Critical | Competitive advantage |
| Data | Cash management and transfers | High | Business compliance |
| Data | Market research | Moderate | Competitive advantage |
| People | Contractors | Low | Business productivity |
| People | Junior employees | Moderate | Business productivity |
| People | Managers | High | Business productivity |
| People | Senior level managers | Critical | Business productivity and competitive advantage |
| Systems | Servers | Critical | Customer satisfaction and competitive advantage |
| Systems | Security systems | Critical | Business productivity and customer satisfaction |
| Systems | Banking software | Critical | Business compliance and competitive advantage |
| Systems | Communication software | High | Business productivity |
| Systems | Cash transfers | Critical | Business compliance and competitive advantage |
| Hardware | Cash | Critical | Customer satisfaction |
| Hardware | Computers | High | Business productivity and compliance |
| Hardware | Furniture | Moderate | Business productivity |
| Hardware | Security systems | High | Compliance and productivity |
| Hardware | Bank building | High | Customer satisfaction and business productivity |
| Hardware | Cash vaults | High | Competitive advantage and business compliance |
| Hardware | ATMs | Critical | Customer satisfaction |
| Processes | Cash transfer and movement | Critical | Business compliance |
| Processes | Check processing | High | Competitive advantage |
| Processes | Cash deposit and withdrawal | High | Business compliance and customer satisfaction |
| Processes | Financial data and information processing | High | Competitive advantage |

Part 3: Assess Risk

Mitigating key information technology risks.

· User authentication and access systems. This refers to installing computer security measures and firewalls to reduce the chances of hacking. It is ideal for preventing unauthorized system entry by requiring passwords and biometrics.

· Use of firewalls and computer security. This applies to hacking and cyber security risks: it identifies potential threats and stops them.

· Cloud systems. Moving organization data to the cloud instead of storing it on in-house hardware and drives reduces the vulnerabilities associated with the bank's own data centers and servers.

· Scenario analysis. This involves developing a cyber-security breach scenario and then developing measures to curb such threats. It includes drills and training employees to deal with threats.

· Email handling practices and regulations. These include measures such as redirecting non-work email to the spam folder.

Optimal risk assessment methodology

The risk assessment methodology for the bank will be the risk matrix assessment. It rates all types of organizational risk and then determines the impact each has on the organization, including a measure of that impact (Goel & Chen, 2016). It is suited to both qualitative and quantitative analysis methods and can help the organization identify risks before they occur (Bojanc & Jerman-Blažič, 2018). However, it is not ideal for purely quantitative data assessment.


Potential threats, likelihood of occurrence, impact on the organization and the vulnerability scan.

| Risk | Likelihood of occurrence | Impact to the organization | Remediation measures |
|---|---|---|---|
| **People risks** | | | |
| Employee colluding with hackers to gain access to company database | Minor | Loss of reputation and image; financial complications | Employee incentives; use of AI to identify employee behavior and potential threats to the organization |
| Employee sabotaging computer systems | Moderate | Disrupted business activities; loss of money due to disruptions | System access-level permissions so that employees do not have authority to execute certain system alterations |
| Employee sharing data access details with fellows | Moderate | Breach of IT protocols, illegal data access and a potential beginning to a hack | Assigning every system and limiting access to only one password, with no guest access |
| Senior manager resignation | Moderate | Disrupted business operation and loss of competitive advantage | Use of incentives to ensure the managers do not resign |
| Junior employee resignation | High | Loss of key talent and sharing of business secrets | Motivating employees to stay through cash and promotion incentives |
| **Data risks** | | | |
| Hacking | High | Negative impact on image and reputation; loss of customer trust; business disruption; compensation, ransom fees and expenses | Use of firewall and cloud services to prevent hacking |
| Data loss and mix ups | High | Business disruption; impact on customer satisfaction | Data analysis, sorting and entry measures to prevent mix ups and loss; data classification to prevent loss |
| **Software risks** | | | |
| Virus attack | High | Business disruption and impact on image; potential gateway to cyber attack | Use of firewalls and anti-virus |
| Upgrade challenges | Moderate | Business disruption | Use of system backups to cover during upgrades |
| Unresponsive system | Moderate | Business disruption; losses due to loss of time | System testing before implementation |
| **Hardware risks** | | | |
| Power outage or brown outs | Moderate | Business disruption; loss of productive time | Use of backup power systems |
| Facility breach | Low | Organization security threat; loss of security integrity | Use of CCTV and employing security personnel to guard the bank |
| Hardware incompatibility | Moderate | Increased hardware replacement expenses | Buying all hardware from one supplier to ensure compatibility |
| Natural disasters | Moderate | Business disruption | Use of cloud servers to ensure operations continue even during a disaster |
| Fire break outs | Moderate | Business disruption; loss of hardware | Fire response systems |

Part 4: Risk Appetite

Across The States Bank Risk Appetite Statement

Across The States Bank is responsible for ensuring the safety of all customer cash deposits and investments. We are therefore committed to balancing our risks based on the need to ensure safety deposit and cash security, and consumer and organization data security, so as to ensure customer satisfaction, data security and the organization's success. Our risk appetite therefore covers all types of data security risks, and we will transfer higher risks to other organizations. We will implement all security measures needed to cover all sorts of risks, including high and critical risks. Annually, we will increase or decrease our risk appetite for data and our assets.

Across The States Bank Risk Tolerance

Our risk tolerance will be based on several measures. The first depends on assets. We will cover all risks related to consumer and organization data. We will cover all sorts of data security risks but still hold insurance coverage for any disruptions and losses. We will also take charge of people risks. Software and hardware risks will only be tolerated up to moderate levels; risks above moderate shall be transferred to insurance companies and third-party contractors.

Part 5: Control Risk

The risk control measures at the company shall involve a series of activities. The first shall be risk and system audits, conducted at set intervals. They will assess all of the organization's systems and assets to determine the levels of risk and the potential sources of risk (Fenz et al., 2017). The audits shall also classify risks to show their severity and determine the level of response, such as risk retention, mitigation or transfer. The audit and risk assessments will also produce recommendations to help the organization deal with the potential risks.

The second risk management strategy is risk retention. This means that the organization shall deal with certain types of risk without transferring or eliminating them. Such risks include employee misconduct, data hacks, software-related problems and any risks that cannot be transferred or insured. The organization shall then implement measures such as mitigation to reduce the impact of such risks on the organization. For a risk to be retained, it must be within the tolerance levels and must not exceed the organization's appetite.

The third strategy is risk insurance. It deals with risks beyond the organization's appetite and tolerance levels. The organization shall transfer asset-related risks to insurance companies so that in case of fire, natural disaster or stolen hardware, the insurer compensates the company for the losses and related damages (Zhang et al., 2018). The organization will also transfer certain people-related risks; for example, the death or resignation of a key employee such as the CEO will be covered by key-person insurance. This will enable the organization to acquire similar talent should such a risk materialize.

Finally, the organization shall engage in risk elimination. This involves removing certain systems, processes, software and people considered a security threat to the organization (Stoneburner et al., 2020). Such risks have limited impact and must be within the tolerance levels, so that eliminating them will not have adverse effects on the organization.
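The risk matrix methodology from Part 3, the tolerance rule from Part 4 (software and hardware risks tolerated only up to moderate, anything higher transferred) and the retain/transfer decisions of Part 5 can be carried through on the report's own threat register. The following Python is an added illustration, not code from the report or from any cited framework. The threats and their likelihood ratings are taken from the Part 3 table; the ordinal scales, the per-threat impact ratings and the scoring bands are assumptions, because the report describes impacts only in prose.

```python
"""Risk-matrix scoring and treatment decisions over the bank's threat register.

Added illustration. Assumed: the ordinal scales, the impact rating assigned to
each threat, and the score bands. Taken from the report: the threats, their
likelihood labels, and the rule that software/hardware risks are tolerated
only up to Moderate while data and people risks are retained and mitigated.
"""
from dataclasses import dataclass

# Ordinal scales for the two matrix axes (assumed mapping of the report's labels;
# "Minor" in the table is treated as the lowest likelihood step).
LIKELIHOOD = {"low": 1, "minor": 1, "moderate": 2, "high": 3, "critical": 4}
IMPACT = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Categories whose tolerance stops at Moderate (Part 4); higher bands are transferred.
TRANSFER_ABOVE_MODERATE = {"software", "hardware"}


@dataclass(frozen=True)
class Threat:
    category: str
    name: str
    likelihood: str   # label from the report's table
    impact: str       # assumed severity rating (report gives prose impacts only)


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood x impact on the ordinal scales (1..16)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_band(score: int) -> str:
    """Band a matrix score. Assumed thresholds: 1-2 Low, 3-4 Moderate, 6 High, 8+ Critical."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    if score <= 6:
        return "High"
    return "Critical"


def treatment(threat: Threat) -> str:
    """Apply the tolerance rule: software/hardware risks above Moderate are transferred,
    everything else is retained and mitigated in house."""
    band = risk_band(risk_score(threat.likelihood, threat.impact))
    if threat.category in TRANSFER_ABOVE_MODERATE and band in ("High", "Critical"):
        return "transfer"
    return "retain and mitigate"


# Constructed register: threats and likelihoods from the report, impacts assumed.
REGISTER = [
    Threat("people", "Employee colluding with hackers", "Minor", "Critical"),
    Threat("people", "Employee sabotaging computer systems", "Moderate", "High"),
    Threat("data", "Hacking", "High", "Critical"),
    Threat("data", "Data loss and mix ups", "High", "High"),
    Threat("software", "Virus attack", "High", "High"),
    Threat("software", "Upgrade challenges", "Moderate", "Moderate"),
    Threat("hardware", "Natural disasters", "Moderate", "Critical"),
    Threat("hardware", "Facility breach", "Low", "High"),
    Threat("hardware", "Fire break outs", "Moderate", "High"),
]


def prioritized(register: list[Threat]) -> list[Threat]:
    """Order the register highest matrix score first (the BIA prioritisation step)."""
    return sorted(register, key=lambda t: risk_score(t.likelihood, t.impact), reverse=True)


def treatment_plan(register: list[Threat]) -> dict[str, str]:
    """Map each threat name to its treatment decision."""
    return {t.name: treatment(t) for t in register}


if __name__ == "__main__":
    for t in prioritized(REGISTER):
        score = risk_score(t.likelihood, t.impact)
        print(f"{score:>2} {risk_band(score):<9} {t.category:<9} {t.name:<38} -> {treatment(t)}")
```

Running the block prints the register ranked by score; hacking against customer data lands at the top and is retained (data risks stay in house under the appetite statement), while natural disasters and fire, both hardware risks scoring above Moderate, are marked for transfer to insurers, matching the treatments described in Part 5.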

References

Bojanc, R., & Jerman-Blažič, B. (2018). A quantitative model for information-security risk management. Engineering Management Journal, 25(2), 25-37.

Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2017). Current challenges in information security risk management. Information Management & Computer Security.

Goel, S., & Chen, V. (2016, May). Information security risk analysis-a matrix-based approach. In Proceedings of the Information Resource Management Association (IRMA) International Conference (pp. 1-9).

Rongrat, K., & Senivongse, T. (2017, July). Risk Assessment of Security Requirements of Banking Information Systems Based on Attack Patterns. In International Conference on Applied Computing and Information Technology (pp. 117-133). Springer, Cham.

Stoneburner, G., Goguen, A., & Feringa, A. (2020). Risk management guide for information technology systems. NIST Special Publication 800-30.

Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2018, June). Information security risk management framework for the cloud computing environments. In 2010 10th IEEE international conference on computer and information technology (pp. 1328-1334). IEEE.


Assessment Description

24/7 monitoring of all network activity is an invaluable tool for enhancing your security posture. An effective Incident Response Plan (IRP) is essential to mitigation of attacks, while a Disaster Recovery Plan (DRP) provides support for unexpected environmental obstacles to information systems. For both IRP and DRP, a company must develop strategies to recover from unexpected interruptions, and exercise these plans to ensure all applicable personnel are prepped and aware of their roles. In Topic 5, a minor Business Impact Analysis (BIA) was conducted, which identified the critical assets to the company. These assets will be used to aid in the development of a contingency plan to ensure business continuity in the presence of an event.

This assignment exercises the analysis and development of a Lite Contingency Plan (BIA, IRP, DRP, and Business Continuity Plan: BCP). The development of a workflow diagram is essential in displaying the relationship between the four components. This is critical for the IRP and DRP, as an IRP can launch a DRP when a threat disrupts a system through ransomware, DDoS, or other malicious attacks against a system.

Use the following guidelines to create an 8- to 12-page report using the same corporate profile selected earlier.

Business Impact Analysis

1. In one to two paragraphs, summarize the objective of conducting a BIA for your selected company. Describe the benefits, potential outcomes, and company enhancements.

2. Obtain the list of threats against the assets identified in your Topic 5 assignment, “Risk Management Assessment and Control,” and place them in a table.

3. Prioritize this list from highest impact to lowest impact to the company.

4. Add a column and describe how loss of the process, system, data, etc., will impact the company.

5. Assuming worst-case scenario, add a column and describe the appropriate measures to recover from the threat.

Incident Response Plan (IRP)

In three to four pages, detail an IRP to include:

1. Brief overview

2. Roles and responsibilities (from Users to CISO)

3. Reporting guidelines

4. Example workflow diagram – event to resolution

5. Explain the six stages of incident handling as they relate to the company

6. Escalation procedures with an associated chart

Disaster Recovery Plan (DRP)

Establish a DRP Policy in one to two pages that contains the following in alignment with the company:

1. Purpose

2. Scope

3. Roles and responsibilities

4. Resource requirements

5. Training requirements

6. Exercise and testing schedules (include IRP exercise and schedules)

7. Plan maintenance schedules

Business Continuity Plan (BCP)

In three to four pages, close out the assignment with a complete BC Plan that includes the following:

1. Describe which usage strategy (Hot site, Warm site, or Cold site) the company will use and why (explain the benefit to the company).

2. Explain how the company will use and sustain the usage strategy.

3. Detail the critical systems/assets recovery procedures.

4. Provide processes to reestablish business operations and security operations. Include disaster to alternate site and restoration back to original state.

5. Provide and describe a worst-case scenario timeline (disaster to recovery).

6. Describe readiness, training, exercises, and BC process reviews/updates.

Include diagrams, tables, and charts as directed by the instructor.

APA style is not required, but solid academic writing is expected.

This assignment uses a rubric. Review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.

You are required to submit this assignment to LopesWrite. Refer to the LopesWrite Technical Support articles for assistance. 


Benchmark Information

This benchmark assignment assesses the following programmatic competencies:

B.S. Cyber Security

6.2 Conduct an exercise to test the disaster recovery plan in a predetermined scenario.

7.2 Perform activities to mitigate possible or real-time threats (e.g., system monitoring and incidence response).