InfoSec or Information security is the proper practice for preventing from any kind of unauthorized or unauthenticated accessing, destruction, manipulation, recording, inspection, disclosure and using confidential or sensitive information or data (Von Solms and Van Niekerk 2013). The major focus in this case is provided to the effective as well as efficient implementation of procedures and policies and thus not hampering the overall productivity of any specific organization. Security policy and guidelines are required for the purpose of maintaining the proper security standards within the organizational information system (Peltier 2013).
The following report outlines the detailed description regarding the concept of information security for the most popular or famous bank in Australia and New Zealand, namely Commonwealth Bank of Australia. The report will provide a security policy for this Commonwealth Bank of Australia that the organization is following; after proper research and analysis. Furthermore, the probable threats or vulnerabilities will be identified for the organization and proper or suitable mitigation techniques will also be provided in this report.
a) Strategic Security Policy for Commonwealth Bank of Australia
CBA or Commonwealth Bank of Australia is a multinational bank in Australia that has customers in Australia, New Zealand, the United States, the United Kingdom and Asia (Commbank.com.au. 2018). The main financial and banking services of this bank are broking services, investments, funds management, retail banking, business banking, superannuation, institutional banking and insurance. More than 50000 employees are working in this organization and in 2017; the net income was 9.881 billion Australian dollars.
The security policy provides a set of strategies that the organization is been using for securing their assets and resources from any type of risk or vulnerability. The strategic security policy is mandatory for all organizations. The flow of functionality within the company is being measured with the security policy (Andress 2014). Commonwealth Bank of Australia is following their security policy according to the Privacy Act. The stakeholders of the bank are responsible for providing better efficiency to the ban processes. There are eight groups of stakeholders of CBA, which are customers, employees, investors’ community, suppliers, government or regulators, media, charities or community organizations or NGOs and service providers (Commbank.com.au. 2018). The security policy of this bank for the stakeholders is given below:
- Customer’s Privacy: The first priority is given to the customers’ privacy. The information is kept protected after following various steps. This particular policy is dependent on the significant handling of several credit reports and even other credit information (Webb et al. 2014). The customers’ while filling the application forms, have to sign or agree to the terms and conditions.
- Clarity of Information: The second factor in this strategic security policy of Commonwealth Bank of Australia is the clarity of the information collected (Layton 2016). The collect this information, whenever the products and services are being utilized by the customers. The major information that they collect are regarding the customers’ identities like name, address, date of birth, marital status, gender, tax residency status and tax file number. Moreover, the insurance related information as well as the financial or transactional information is also collected in this process (McIlwraith 2016). The bank is thus updated about their customers properly, so that there is no chance of data loss or unauthenticated data access from the respective information systems.
- Identification of Authenticated Members: Only the authenticated or the authorized members have the access of their ban details and data. The authenticated members of Commonwealth Bank of Australia are service providers, employers, brokers, agents, advisers, customers and many more (AlHogail 2015). In short, the stakeholders of the bank are the authenticated members.
- Utilization of Information: The confidential information of this bank is used with proper privacy and security (Cardenas, Manadhata and Rajan 2013). The collection, use and exchanging of this information is done by at first confirming the identity, irrespective of the fact that the information is of employees or customers of the bank. Then, the application for the product or service is being assessed. The next step is to design, manage, price and finally provide the respective products and services. The minimization of risks or identification of fraud or illegal activities is the next step (Laszka, Felegyhazi and Buttyan 2015). Finally, Commonwealth Bank of Australia manages the information after complying with laws and then assisting the government and law enforcement agencies.
- Sharing of Information: The Commonwealth Bank of Australia is extremely careful about their information and makes sure that the information is being accessed or used by only the authorized users (Da Veiga and Martins 2015). The service providers like product distributors, loyalty program partners and insurers are the first people, who have the access to this type of information. Moreover, the guarantors, security providers, auditors, brokers, agents, advisers, assessors, investigators, card holders, law enforcement agencies, regulators, government agencies and many more also have the access of sensitive information (Tamjidyamcholo et al. 2014). These above mentioned are extremely safe and secured and hence there is less chance of data loss or data theft.
- Maintaining Information Security: There are certain methods followed in this organization to maintain the confidentiality and integrity of their confidential data. The first method is to train the staffs and the secure the handling and storage. Next, they have put various security mitigation techniques within their systems like firewalls, virus scanning tools, intrusion detection for stopping the viruses and unauthorized data access (Lebek et al. 2014). Secured networks and encryption techniques are being used for system security. Moreover, cameras, alarms, armed guards and other controls are installed within the building.
- Data Update: The confidential data of the customers are updated periodically and checked whether the confidentiality and integrity are maintained properly (Safa and Von Solms 2016). When any type of incorrect information is provided to them, they cross check the data within 30 days and change the data accordingly.
- Maintaining Privacy Complaint: When any type of concern or complaint is registered regarding the privacy, the CBA takes this on a serious note and handle the complaint and try to fix the problem (Zhao and Ge 2013). A couple of steps are followed for this.
b) Identification and Assessing of Potential Threats and Vulnerabilities with Mitigation Techniques
- Threats or Vulnerabilities: The various important and dangerous threats and vulnerabilities for the computer network of Commonwealth Bank of Australia are extremely vulnerable for the sensitive information (Van Deursen, Buchanan and Duff 2013). These threats or vulnerabilities for the CBA network are given below:
- Trojan Horse: The first potential risk or vulnerability to the computer network of Commonwealth Bank of Australia is the Trojan horse. It is a malicious program, which eventually misleads every intended or authenticated user. These malicious programs are spread through social engineering attacks like duping the user to open an attachment sent to him via emails (Chen, Ramamurthy and Wen 2015). These emails usually act as the unsuspicious in nature and even by clicking on any fake advertisement or link provided while using social media account. As soon as the user clicks on that link, the programs enters into the device and all the data are being hacked by the attacker.
- Denial of Service Attacks: DoS or denial of service attack can be defined as the kind of attack, in which the attacker gets into the machine or network resources with the core purpose for making it absolutely unavailable for each and every authenticated user by the temporary or permanent disruption of services of the specified host, which is being connected to the Internet (Shamala, Ahmad and Yusoff 2013). The denial of service attacks are usually accomplishment by the flooding of target machine or resource with the core purpose of overloading the information systems and hence preventing legalized requests from being fulfilled. The second version of this threat is the DDoS or distributed denial of service attack where numerous systems are involved.
- Malicious Program: Another popular and significant threat or vulnerability for the information system of CBA is the presence of a malicious program. This type of program or software is also termed as computer virus (Von Solms and Van Niekerk 2013). The malicious program, whenever or wherever executed, replicates itself after proper modifications of all other computer programs of that particular device. The own code is being inserted in the next process and when this replication is completed; the respective affected areas could be termed as extremely infected by this virus.
- Phishing: This is the fourth popular threat or vulnerability to the computer network of Commonwealth Bank of Australia (Cardenas, Manadhata and Rajan 2013). It is fraudulent attempt to gain the access of confidential information such as usernames, passwords and even the credentials of credit cards for any type of malicious reason after acting as a trustworthy entity for the users in the electronic communications. This phishing risk or vulnerability could be easily carried out by two methods, which are spoofing of the electronic mails and instant messaging (Peltier 2013). The various hackers are responsible for directing the authorized users to enter their sensitive information within any fake website. The major ways for communication are social websites, auction sites, banks, online payment processors and many others.
- Eavesdropping: The next significant risk to the computer network of CBA is eavesdropping. It is the basic method for unauthenticated monitoring of authenticated peoples’ communications. The hacker secretly listens or accesses the private communications or data without even taking proper consent (Da Veiga and Martins 2015). The instant messaging and emails are the most basic methods for executing this threat. VoIP communications are the most important forms of eavesdropping with Trojan horse.
- Mitigation Techniques for the Threats or Vulnerabilities: The above mentioned threats or vulnerabilities could be mitigated with proper techniques for the respective network of the Commonwealth Bank of Australia (Laszka, Felegyhazi and Buttyan 2015). These mitigation techniques are as follows:
- Mitigation Techniques for Trojan horse: The best technique for mitigating this particular threat for Commonwealth Bank of Australia’ computer network is the implementation of firewalls (Safa and Von Solms 2016). These firewalls are effective as they could detect and prevent the vulnerabilities or attacks.
- Mitigation Techniques for Denial of Service Attacks: The are two techniques to mitigate this type of attack. The first technique is by using over provisioning of brute force defence and the second mitigation technique is by configuring the respective IP accessing list or the windows firewalls (AlHogail 2015). The detection as well as prevention of these attacks are possible only with the presence of firewalls.
- Mitigation Techniques for Malicious Programs: The malicious programs are the most dangerous or vulnerable vulnerabilities for the computer networks of Commonwealth Bank of Australia (Layton 2016). Two distinct types of the security measures are effective to mitigate this kind of threat. The first and the foremost mitigation technique for computer virus is by implementing the best antivirus software and when the implementation process is being completed, the updates are to be downloaded so that each and every latest fix of virus is possible (Peltier 2013). The next technique to mitigate these programs is to ensure that this software can scan emails.
- Mitigation Techniques for Phishing: A continuous up gradation of antivirus software or providing proper training to the employees or staffs of Commonwealth Bank of Australia is the best technique to mitigate the basic issue of phishing. A trained IT person will never click on any unnamed or suspicious electronic mails or websites (McIlwraith 2016). He should be careful enough in this case for reducing these issues. Moreover, regular up gradation of software has the ability to detect or prevent against any such fraudulent attempts.
- Mitigation Techniques for Eavesdropping: The eavesdropping threat is yet another significant threat for computer networks. This could be mitigated by using encryption technique for the messages (Van Deursen, Buchanan and Duff 2013). Each and every message or datum that is to be sent to the user should be in encrypted or hidden format, so that the unauthenticated users do not get the hold of it.
Therefore, from the above report, conclusion can be drawn that the information security is the most important and significant requirement for each and every organization. The most significant and vital need of this information security can be stated as that it is helpful for the proper establishment of setting the business processes and hence protecting or preventing the assets or resources from risks and vulnerabilities. The data modification, without taking the consent from the authorized or intended users, could be easily detected as well as prevented by taking the significant help from risk management plan and hence eradicating the various probable vulnerabilities and threats. There is a significant process to manage the probable risks for identifying assets, risks, vulnerabilities, mitigation techniques for controlling these risks and the major impact of the risks in an information system. This report has perfectly described the proper information security or InfoSec for the most popular bank in Australia, known as Commonwealth Bank of Australia. The strategic security policy of this bank is provided in the report for helping them to identify the existing risks or threats for their information systems. Moreover, the various risks are also identified for this particular bank with their relevant mitigation techniques.
AlHogail, A., 2015. Design and validation of information security culture framework. Computers in Human Behavior, 49, pp.567-575.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Cardenas, A.A., Manadhata, P.K. and Rajan, S.P., 2013. Big data analytics for security. IEEE Security & Privacy, 11(6), pp.74-76.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), pp.11-19.
Da Veiga, A. and Martins, N., 2015. Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, pp.162-176.
Laszka, A., Felegyhazi, M. and Buttyan, L., 2015. A survey of interdependent information security games. ACM Computing Surveys (CSUR), 47(2), p.23.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.
Lebek, B., Uffen, J., Neumann, M., Hohler, B. and H. Breitner, M., 2014. Information security awareness and behavior: a theory-based literature review. Management Research Review, 37(12), pp.1049-1092.
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Safa, N.S. and Von Solms, R., 2016. An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, pp.442-451.
Shamala, P., Ahmad, R. and Yusoff, M., 2013. A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), pp.45-52.
Tamjidyamcholo, A., Baba, M.S.B., Shuib, N.L.M. and Rohani, V.A., 2014. Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43, pp.19-34.
Van Deursen, N., Buchanan, W.J. and Duff, A., 2013. Monitoring information security risks within health care. computers & security, 37, pp.31-45.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.
Zhao, K. and Ge, L., 2013, December. A survey on the internet of things security. In Computational Intelligence and Security (CIS), 2013 9th International Conference on (pp. 663-667). IEEE.