This report gives you the opportunity to research, formulate, develop and document a basic security policy for a specific organization in Australia. Moreover, you are required to analyze, record, resolve security incidents and identify and assess the threats to, and vulnerabilities of the organisation’s networks. This report will use many of the concepts and techniques discussed in this unit throughout the semester.
You will need to either choose from the list of examples of the industries provided below or come up with your own idea for a chosen specific organisation.
Please discuss your chosen organisation and or ideas with your lecturer before you start your research. You might NOT be allowed to choose the same or similar specific organisation as other student in your class. You should aim at research, develop, and document answers to questions (a.) and (b.) below. Do not copy the examples of information security policies used in class.
(a.)Research, formulate, develop and document a strategic security policy for your chosen organisation based on the nature of the organisation and the stakeholders in the organisation.
(b.)Based on the security policy you have researched, formulated, developed and documented in the item (a.) above, identify and assess the potential threats and vulnerabilities of the company’s network and discuss how such threats and vulnerabilities can be mitigated based on your research.
Strategic Security Policy of Commonwealth Bank of Australia
Information security is the procedure to keep the confidential information extremely safe and secured (Crossler et al. 2013, p. 93). The availability, integrity and privacy of the information are maintained properly with the information security. The various methods like the intrusion detection systems, firewalls as well as vulnerability scanners help to maintain type of security with utmost priority (Andress 2014, p. 3). These above mentioned methods of information security are responsible to provide better efficiency and effectiveness to the products and services of that specific organization.
This report will be providing a detailed image of the information security for the most popular banks in Australia, known as Commonwealth Bank of Australia or CBA. This is one of the oldest banks in Australia and New Zealand and is quite popular for its unique strategies. The report will also demonstrate the strategic security policy of this bank with relevant details. The various threats will be identified and the mitigation techniques will be given properly.
a) Strategic Security Policy for Commonwealth Bank of Australia
CBA or Commonwealth Bank of Australia is the largest Australian bank and they have been providing several services to the customers in various countries like Australia, Asia, New Zealand, and United Kingdom and even in United States (Commbank.com.au. 2018). Various services related to banking are provided by them. Moreover, the financial services like broking services, funds management, retail banking, superannuation, institutional banking, investments, business banking and various others. The number of employees in this organization is not less than fifty thousand and hence as per a significant recent survey, the total income of the Commonwealth Bank of Australia was around 9.881 billion Australian dollars in the entire year of 2017 (Commbank.com.au. 2018).
The strategic security policy is the document that eventually states the procedure of protection of the organization’s physical as well as information technology assets (Van Deursen, Buchanan & Duff 2013, p. 33). This security policy is also considered as the most important and significant part of an organizational information system. This particular strategic security policy is updated periodically so that the organization does not face any issue related to the information security. The stakeholders of the organization are majorly involved and also have a strong impact on this type of policy. The Commonwealth Bank of Australia has properly divided the list stakeholders to eight sub divisions. These eight divisions are media, regulator or government, community organization or NGO, employees, customers, service providers, investor community and suppliers (Commbank.com.au. 2018). The basic strategic security policy of this particular bank is provided below:
Potential Threats and Vulnerabilities
i) Security of Clients: The clients of the Commonwealth Bank of Australia are always kept on first priority and thus they can secure the information easily and promptly (Von Solms & Van Niekerk 2013, p. 100). The strategic security policy depends on the handling of several credit information and credit reports. When the clients will be filling the application forms, they would be agreeing to the terms or conditions of the bank.
ii) Clarity of Information: The second factor in the strategic security policy of Commonwealth Bank of Australia is the clarity of information. To collect the confidential information, this bank subsequently checks the products or services, which are utilized by the customers (Peltier 2013, p. 2). The confidential information that is collected by this bank is majorly regarding the personal identities of those clients like name, address, date of birth, tax residency status and even the tax file numbers. This information that is related to finance, transaction or insurance could be easily collected by the procedure. This particular bank also updates these data about their customers, with the purpose to not lose data and hence stopping the unauthorized data access.
iii) Recognizing the Authenticated Members: The third factor of the strategic security policy for Commonwealth Bank of Australia is the recognizing of all the authenticated and authorized members. The respective sensitive data or information is only accessed by these specific members (Chen, Ramamurthy & Wen 2015, p. 15). The stakeholders of this bank can only access these data and these stakeholders are brokers, agents, customers, service providers, owners, employers and various others.
iv) Utilizing the Information: The next important and significant factor of the strategic policy of this particular organization of Commonwealth Bank of Australia is the proper usage of the information (Lee 2014, p. 29). This type of confidential information is used only after the successful implementation of several privacy or security measures. This collection, utilization or exchanging of information is easily done when the identities of the clients or staffs of the bank are eventually confirmed or verified. Then, the assessment of the applications related to services and products are also completed in this case. The next step for using the information is to design, manage and finally provide these several services or products. Thus, these various vulnerable threats or risks can be easily reduced and all the illegal activities could be recognized by this (Sommestad, Karlzén & Hallberg 2015, p. 213). The Commonwealth Bank of Australia has implemented few laws to manage the sensitive information.
Mitigation Techniques
v) Information Sharing: This CBA is extremely careful about the customer’s data and thus it is being ensured by them that the data is only used by all the authorized users. The several providers of service in this bank like the insurers, product distributors or the loyalty program partners gets the first priority for data access (Vacca 2013, p. 4). Moreover, the other people like security providers, investigators, brokers, law enforcement agency, government agencies, card holders, auditors, advisers, assessors and various others get the second priority for accessing any type of confidential data or information.
vi) Maintaining Relevant Information Security: The several methods that are easily followed in the particular organization of Commonwealth Bank of Australia for the perfect maintenance of integrity and confidentiality of information are also updated periodically by them (Harkins 2013, p. 4). The most effective and efficient method for this particular scenario is the proper training provided to the staffs for understanding the importance of information security and usage of the security measures. This particular bank is utilizing some of the major techniques for mitigating the issues of data security like antivirus software, firewall software, intrusion detection system for detecting and preventing the virus attacks. Moreover, encryption technique is also used by them for the purpose of securing the systems and encoding the data into cipher texts (Allam, Flowerday & Flowerday 2014, p. 62). The AI based security controls are the latest versions of security installed in this company.
vii) Proper Actions to the Privacy Complaints: The bank ensures that the customers are getting security to their confidential information. When the client will be complaining about the security issues, this particular organization is responsible for taking proper actions against these complaints and thus all the issues could be mitigated.
I) Threats or Vulnerabilities: The threats as well as vulnerabilities for the respective network of the Commonwealth Bank of Australia are extremely vulnerable for these bank information or details (Ö?ütçü, Testik & Chouseinoglou 2016, p. 85). The several possible threats or risks for the computer network of this specific bank are listed below:
i) Phishing: The first and the foremost threat or vulnerability for the respective computer network of the Commonwealth Bank of Australia is phishing. This is considered as the most dangerous and the most common threat for any type of banking system (Zhang et al. 2016, p. 2510). It is the respective fraudulent attempt that is responsible to obtain the complete access of the confidential data such as passwords, usernames or even the details of credit cards. This type of malicious activity is usually executed by acting as a major trustworthy entity for the users. Emails are the most and the most popular modes of spreading these data. Email spoofing and the instant messaging are the most common modes of spreading phishing for any specific user. The various significant hackers are responsible for directing all of these authorized users by simply entering sensitive data within the forged websites (Ahmad, Maynard & Shanks 2015, p. 720). The most significant methods for communicating with the authenticated users for executing phishing threat are online payment processing, social websites, banks or even the auction sites.
Conclusion
ii) Eavesdropping: The next significant and important threat for the threat to the computer network of the Commonwealth Bank of Australia is the eavesdropping. The authenticated communication within two intended users is being monitored in an authenticated way by this threat (Wang, Kannan & Ulmer 2013, p. 210). The hackers could easily access the confidential communication secretly without even taking any permission from the authenticated people. The respective vulnerability of eavesdropping could be easily carried out by instant messaging. The VoIP protocol is also used for executing the threat.
iii) Malicious Software: The malicious software is the third popular type of threat or vulnerability for the CBA network. This is also termed as the computer virus that can easily steal the data by entering into the specific system and by replicating itself as many viruses and thus modifying the rest of the computer software within that system.
iv) Denial of Service Attacks: Another common vulnerability for the network of CBA is the denial of service attack. Within this particular attack, the attacker can promptly get into the network resources or machines with the major purpose of making the systems or network resources absolutely unavailable or inaccessible for the authenticated users (Von Solms & Van Niekerk 2013, p. 98). The services are completely disrupted by the hacker and hence the user cannot access the data at any cost.
v) Trojan Horse: It is the specific malicious program, which is majorly responsible to mislead the intended or authenticated users. The network of CBA might face this vulnerability in their information security. This is usually spread by the attack of social engineering and is always sent by emails (Peltier 2013, p. 1). The user is duped by the attacker in such a manner that the victim is bound to click on the link sent by that attacker and the Trojan enters the system.
II) Mitigation Techniques for Threats or Vulnerabilities: The mentioned risks for CBA network could be eventually mitigated after the successful implementation of some mitigation techniques. These mitigation techniques are listed below:
i) Mitigation Technique for Phishing: The threat of phishing should be mitigated as soon as possible for any banking sector. The continuous up gradation of the antivirus software is the first and the foremost requirement (Andress 2014, p. 5). Furthermore, training is also needed for the employees for the proper usage of over provisioning of the various brute force defences within the information system. Another important technique to mitigate these issues is by avoiding clicking on the unauthorized emails and websites.
References
ii) Mitigation Technique for Eavesdropping: The only method to mitigate this type of vulnerability is implementation of encryption. The attackers do not get the proper access of the sensitive data if those data will be encrypted into hidden formats (Lee 2014, p. 29). Moreover, the technique of encryption is also cost effective and hence could be easily afforded.
iii) Mitigation Technique for Malicious Software: Two specific mitigation techniques are present for the purpose of mitigating this particular threat in CBA network. The first is to implement antivirus software in the systems and also taking regular updates from that software. The second technique for mitigating malicious software is by scanning all the emails regularly.
iv) Mitigation Technique for Denial of Service Attacks: The first and the foremost technique for mitigating DoS attack is the configuring the IP access lists on the windows firewalls (Crossler et al. 2013, p. 99). The next technique is by over provisioning the brute force defence.
v) Mitigation Technique for Trojan Horse: Implementation of firewalls is the best technique to prevent and mitigate the Trojan horse. It would help in detecting the vulnerabilities easily and promptly.
Conclusion
Therefore, from the above discussion, it can be concluded that the information security is the basic procedure for protecting the confidentiality, integrity as well as availability of the information or information assets, irrespective of the fact that they are kept in storage, transmission or processing. The authenticated or authorized users have the legalized access to the basic system, where the hackers do not get the access to such systems. Since, it protects from the intentional and unintentional attacks, most of the organizations have implemented information security in their businesses. The above report has properly outlined the strategic security policy of Commonwealth Bank of Australia with significant details. Moreover, the threats or risks for this company are identified and also the mitigation techniques are provided here.
References
Ahmad, A., Maynard, S.B. and Shanks, G., 2015. A case analysis of information systems and security incident responses. International Journal of Information Management, 35(6), pp.717-723.
Allam, S., Flowerday, S.V. and Flowerday, E., 2014. Smartphone information security awareness: A victim of operational pressures. Computers & Security, 42, pp.56-65.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), pp.11-19.
Commbank.com.au. 2018. Privacy Policy-CommBank. [online] Available at: https://www.commbank.com.au/content/commbank-neo/security-privacy/general-security/privacy-policy-html-version.html [Accessed 19 Sep. 2018].
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. computers & security, 32, pp.90-101.
Harkins, M., 2013. Managing risk and information security: protect to enable. Apress.
Lee, M.C., 2014. Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method. International Journal of Computer Science & Information Technology, 6(1), p.29.
Ö?ütçü, G., Testik, Ö.M. and Chouseinoglou, O., 2016. Analysis of personal information security behavior and awareness. Computers & Security, 56, pp.83-93.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Sommestad, T., Karlzén, H. and Hallberg, J., 2015. The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information & Computer Security, 23(2), pp.200-217.
Vacca, J.R. ed., 2013. Managing information security. Elsevier.
Van Deursen, N., Buchanan, W.J. and Duff, A., 2013. Monitoring information security risks within health care. computers & security, 37, pp.31-45.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.
Wang, T., Kannan, K.N. and Ulmer, J.R., 2013. The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), pp.201-218.
Zhang, Y., Zhang, L.Y., Zhou, J., Liu, L., Chen, F. and He, X., 2016. A review of compressive sensing in information security field. IEEE access, 4, pp.2507-2519.
