Information System Security Plan for a Bank
Executive Summary
This information security plan (ISP) applies to AmeriBank, its auxiliaries, employees, information, systems, processes, data, and networks, collectively referred to as the Bank. AmeriBank is committed to protecting critical assets and securing information so as to ensure the confidentiality, integrity, and availability (CIA) of information, prevent damage to the networks and systems that are vital to the bank's business, ensure business continuity, and minimize risk to the business. This is achieved by implementing administrative, technical, and physical controls, such as information security policies and software and hardware controls, which have to be implemented, monitored, and improved upon to meet the bank's security and business objectives.
This plan ensures the CIA of data. Information policies and procedures will be defined, developed, and documented so that they meet the bank's legal and ethical responsibilities, which are the foundation of the bank's ISP. The controls provide checks and balances to prevent fraud and abuse. By consistently applying these policies, procedures, and controls across the bank, information assets can be protected from threats and business continuity assured. This helps the bank maintain its stewardship of sensitive personal and critical business information and fulfil its legal obligations. This plan will be reviewed annually or as necessary.
Primary Functions
Existing laws and regulations mention information security requirements implicitly rather than explicitly. The regulations that carry implicit information security requirements are the anti-money laundering act, consumer data protection acts, identity theft regulations, the Sarbanes-Oxley Act, Basel requirements, U.S. Federal Reserve payment security (Operating Circulars 5 and 6), DDoS reporting, HIPAA requirements, PCI-DSS requirements, Office of Foreign Assets Control (OFAC) requirements, the Gramm-Leach-Bliley Act, and other applicable regulations. This plan applies to all of the bank's computing resources, networks, software, data, and communications networks, as well as BYOD devices. The ISP also includes policies for access control, asset management, password management, e-mail, application, operating system, and network security. Remote access management, mobile computing, backup and archival management, DBA security, physical security, incident response and management, handling of malicious software, IT asset/media management, change management, patch management, encryption, and other applicable policies are also included. This plan covers the following:
Data Privacy
Integrity of data
Integrity of service
Legal issues
Unauthorized use of the bank’s computing and network resources
Each department within the bank will adopt, as a minimum, the security standards specified by the Information Security Board (ISB) that are included in this ISP, and is encouraged to exceed those standards. All individuals at the bank must comply with federal and state laws as well as bank policies for the security of highly confidential information. Any employee or non-bank individual who participates in the unauthorized access, use, destruction, or disclosure of data will be subject to appropriate disciplinary action and/or termination.
Senior Management must ensure that they are committed to the ISP and must support it by providing the resources necessary for its success.
The Chief Information Officer is responsible for IT planning, budgeting, and performance as well as for the information security components.
Data Owners are responsible for ensuring that the required controls are in place for protecting the CIA of the data.
Business and Functional managers must ensure that their decisions will enhance the CIA of the data and comply with the ISP.
Data Custodians will ensure that access controls are properly applied based on asset classification and least privilege.
IT Security practitioners are responsible for implementing, maintaining, reviewing, and improving the security controls.
Information Assets
Risk management processes in a bank must consider the robustness of the information they depend on. Subpar data can induce errors in decision-making. To ensure data quality, processes, procedures, and methods for managing information are required. These support the fundamental qualities needed to maintain the accuracy, integrity, consistency, completeness, validity, timeliness, accessibility, usability, and auditability of data. This is why information has to be treated as a critical asset and managed proactively.
Vulnerabilities increase the likelihood that a threat will cause harm; the resulting risk has an impact, which can be the loss of CIA of data as well as other losses (lost income, loss of life, loss of property). The core competency of Information Security Management (ISM) is risk assessment, which identifies the combinations of threats and vulnerabilities that are likely to impact the CIA of each asset within its scope. As part of the risk management process, assets are identified and their value estimated. A threat assessment is followed by a vulnerability assessment, and the probability that each vulnerability may be exploited is calculated. Existing controls are evaluated, and the impact that each threat would have on each asset is determined through qualitative or quantitative analysis. Appropriate controls are then selected and implemented to mitigate the risks, after weighing their cost effectiveness against the value of the asset.
Figure 1: Risk Assessment Process for a financial institution
Risk assessment (Figure 1) is an iterative, ongoing process. The information asset inventory consists of a distinct identification of each asset, its value, location, classification, asset group, owner, and designated custodian. A database is an example of an information asset, whereas individual records in the database need not be treated as individual information assets. For a bank, customer financial and personally identifiable information, employee information, and other financial information such as stock price information are some of the information assets that have to be protected. The bank has three information asset classifications: confidential, internal/private, and public. Information whose unauthorized disclosure, destruction, or compromise could result in severe damage to the bank is classified as confidential. Internal use information has privacy and ethical ramifications if it is not guarded properly. Public information is information that may be disclosed to the public, whether or not it has already been disseminated. Access controls restrict access based on the asset classification and the user's authorization level. Identification and classification of information assets are done through an audit involving representatives from all sections of the bank. Previous audits may have designated Information Asset Owners (IAO), who can help with the classification.
Once the organizational and technical vulnerabilities are identified, they are ranked by their impact on the business with respect to the security objectives, which are CIA as well as assurance and accountability. The current controls are identified, and any gaps whose closure would mitigate the risks are determined. A security control matrix is developed that lists the security requirements and the required controls and identifies the gaps in the present control framework. A vulnerability assessment using automated tools can reveal vulnerabilities that were missed in the earlier stages. Penetration testing uses automated tools to bypass the existing controls and lets the organization see the system through the eyes of an attacker. A penetration test differs from a vulnerability scan in that the scan identifies vulnerabilities while the penetration test attempts to exploit them.
Auditing compares existing practices against a set of guidelines, policies, or standards formulated by a regulatory agency or an institution. Audits should look not only at technical aspects but also at the process for information security governance. Audit records will show that the bank has exercised due professional care, which is a legal requirement. Banks incorporate monitoring tools to provide transaction monitoring, fraud detection, alert generation, and flagging of exceptional transactions.
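The following is an added worked example of the risk assessment steps described above (asset inventory with classification, owner and custodian; threat/vulnerability pairs with an estimated exposure and annual rate of occurrence; evaluation of existing controls; and selection of new controls whose yearly cost is below the loss expectancy they remove, presented as a control matrix ranked by residual impact). It is not part of the AmeriBank plan or of any cited source; the asset names, dollar values, probabilities and control figures are constructed for illustration, and the "reductions multiply" treatment of overlapping controls is a modelling assumption.

```python
"""Quantitative risk assessment worked example (added illustration, constructed figures).

SLE = asset value x exposure factor      (loss from a single occurrence)
ALE = SLE x annual rate of occurrence    (expected yearly loss)
A candidate control is cost-effective when its annual cost is below the ALE it removes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # impact/replacement value in USD (constructed)
    classification: str   # confidential | internal | public
    owner: str            # Information Asset Owner
    custodian: str        # data custodian applying the controls


@dataclass(frozen=True)
class ThreatVuln:
    asset: str
    threat: str
    vulnerability: str
    exposure_factor: float   # fraction of asset value lost per occurrence
    aro: float               # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    threat: str
    annual_cost: float
    ale_reduction: float     # fraction of the ALE the control removes (assumption)
    in_place: bool           # True = existing control, False = candidate


# Constructed inventory; names and values are hypothetical.
ASSETS = {a.name: a for a in [
    Asset("customer-pii-db", 5_000_000, "confidential", "Retail Banking", "DBA team"),
    Asset("public-website", 200_000, "public", "Marketing", "Web operations"),
]}

THREATS = [
    ThreatVuln("customer-pii-db", "credential theft", "no MFA on DBA logins", 0.40, 0.20),
    ThreatVuln("customer-pii-db", "ransomware", "unpatched file servers", 0.60, 0.10),
    ThreatVuln("public-website", "defacement", "outdated CMS plugin", 0.25, 0.50),
]

CONTROLS = [
    Control("MFA for privileged accounts", "customer-pii-db", "credential theft", 40_000, 0.80, False),
    Control("offline backups + patch SLA", "customer-pii-db", "ransomware", 120_000, 0.70, True),
    Control("CMS plugin auto-update", "public-website", "defacement", 5_000, 0.60, False),
    Control("WAF with managed rules", "public-website", "defacement", 60_000, 0.70, False),
]


def sle(tv: ThreatVuln) -> float:
    return ASSETS[tv.asset].value * tv.exposure_factor


def ale(tv: ThreatVuln) -> float:
    return sle(tv) * tv.aro


def matching(tv: ThreatVuln, controls, in_place: bool):
    return [c for c in controls
            if c.asset == tv.asset and c.threat == tv.threat and c.in_place == in_place]


def control_matrix(threats, controls, tolerable_ale: float):
    """Build the control matrix: inherent ALE, residual ALE after existing
    controls, whether a gap remains against the tolerance, and which candidate
    controls are cost-effective. Rows are ranked by residual impact."""
    rows = []
    for tv in threats:
        inherent = ale(tv)
        residual = inherent
        for c in matching(tv, controls, in_place=True):
            residual *= (1 - c.ale_reduction)      # assumption: reductions multiply
        recommended = [c.name for c in matching(tv, controls, in_place=False)
                       if c.annual_cost < c.ale_reduction * residual]
        rows.append({
            "asset": tv.asset,
            "classification": ASSETS[tv.asset].classification,
            "threat": tv.threat,
            "vulnerability": tv.vulnerability,
            "inherent_ale": inherent,
            "residual_ale": residual,
            "gap": residual > tolerable_ale,
            "recommended": recommended,
        })
    rows.sort(key=lambda r: r["residual_ale"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in control_matrix(THREATS, CONTROLS, tolerable_ale=30_000):
        print(f"{row['asset']:16} {row['threat']:17} inherent={row['inherent_ale']:>10,.0f} "
              f"residual={row['residual_ale']:>10,.0f} gap={row['gap']!s:5} "
              f"recommend={row['recommended']}")
```

Running the script shows the ransomware row as a gap with no cost-effective candidate (the existing control leaves the residual above tolerance, so the matrix flags it for a new control), while the website defacement row is within tolerance but still has a cheap control worth adopting. Both are outcomes the matrix is meant to surface.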
Vulnerabilities
Digital certificates have a vulnerability whereby A1 certificates can be exported remotely and used, while A3 certificates can be used by more than one user, so that hackers can use stolen certificates. OTP tokens can be captured in real time or through social engineering, OTP cards can be captured by malware, browser security can be circumvented by phishing websites that capture user credentials, and virtual keyboards can be compromised by screen loggers, mouse loggers, or decryption techniques that exploit flaws in the encryption. Device registration and device identification can be compromised by spoofing the registration or identification; CAPTCHA uses simple methods to scramble the information, so OCR techniques can be used to extract it; and SMS security can be overcome by altering the mobile phone number. Pass-phrase information can be captured by screen loggers, key loggers, mouse loggers, or decryption techniques. Positive identification can be circumvented by social engineering, or the user may inadvertently leak the information on the internet. Malware can be used to create behavior profiles to impersonate a person and bypass transaction monitoring. Credential theft or complete device control achieved by any of the above methods can be used to attack the bank's systems and perpetrate banking fraud (Peotta et al., 2011).
Business Continuity and Disaster Recovery Plan
AmeriBank is committed to providing a safe, secure, and stable IT environment to its customers, ensuring the stability and continuity of business so that customers are confident the bank can continuously provide services, and being able to recover quickly from disasters. A business impact analysis will be performed to correlate the critical IT systems with the services they provide and the impact of disruption to those services. This has to be performed by the data owner and the data custodian. To identify the critical IT resources, it is necessary to identify the internal users or departments who receive data from or provide data to external entities. Any contacts supporting these systems are to be identified. The system resources, such as electric power, telecommunications connections, and environmental controls, needed to support critical components such as application servers, database servers, and authentication servers are determined. The data owners and custodians then analyze the criticality of the resources identified earlier and determine the impact of a disruption to those resources that results in an outage. By tracking the impact over time, the maximum allowable time that a resource can be unavailable before it affects the performance of a critical or essential function is determined, and any cascading effects are identified. The loss of revenue and the cost expenditures caused by the non-availability of the critical function, due to disruption of the system resources, are determined. This is used to find the optimum point for recovering the IT system: the point before the cost of the resources required to recover the essential functions exceeds the loss caused by the non-availability of the critical function. This allows the data owners and custodians to prioritize the recovery of resources as high, medium, or low.
High-priority resources can be targeted for recovery within the allowable outage times, while the others can wait for longer periods.
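The following is an added worked example of the business impact analysis procedure just described: it tracks outage loss over time (with an escalation after a day, modelling impact that grows rather than staying linear), follows dependencies to capture cascading effects, derives the maximum allowable outage from a tolerable-loss threshold, finds the optimum recovery time where recovery cost and outage loss balance, and assigns a high/medium/low priority. It is not part of the AmeriBank plan or of any cited source; the resource names, loss rates, dependency graph, tolerable loss, recovery-cost model (cost inversely proportional to the target recovery time) and the priority thresholds are all constructed assumptions.

```python
"""Business impact analysis worked example (added illustration, constructed figures).

For each IT resource:
  effective loss rate  = its own hourly loss + the hourly loss of everything that
                         depends on it, transitively (cascading effect)
  outage_loss(h)       = cumulative loss after h hours, escalating after a day
  maximum allowable    = longest outage whose cumulative loss stays within the
  outage (MAO)           tolerable loss set by the data owner
  optimum recovery     = hours h minimising outage_loss(h) + recovery_cost(h)
  priority             = high / medium / low from the MAO
"""
from dataclasses import dataclass

ESCALATION_HOUR = 24      # assumption: after a business day the loss rate doubles
ESCALATION_FACTOR = 2.0


@dataclass(frozen=True)
class Resource:
    name: str
    function: str
    loss_per_hour: float          # revenue lost per hour of outage (constructed)
    depends_on: tuple             # resources this one cannot run without


# Constructed inventory; names, rates and dependencies are hypothetical.
RESOURCES = {r.name: r for r in [
    Resource("auth-server", "authentication", 0, ()),
    Resource("core-banking", "ledger and payments", 50_000, ("auth-server",)),
    Resource("online-banking", "customer web portal", 20_000, ("auth-server", "core-banking")),
    Resource("intranet-wiki", "staff documentation", 500, ()),
]}


def dependents(name: str, resources) -> set:
    """Every resource that stops working when `name` is down (transitive closure)."""
    found, stack = set(), [name]
    while stack:
        current = stack.pop()
        for r in resources.values():
            if current in r.depends_on and r.name not in found:
                found.add(r.name)
                stack.append(r.name)
    return found


def effective_loss_rate(name: str, resources) -> float:
    own = resources[name].loss_per_hour
    return own + sum(resources[d].loss_per_hour for d in dependents(name, resources))


def outage_loss(rate: float, hours: int) -> float:
    """Cumulative loss after `hours`; impact escalates once the outage passes a day."""
    if hours <= ESCALATION_HOUR:
        return rate * hours
    return rate * ESCALATION_HOUR + ESCALATION_FACTOR * rate * (hours - ESCALATION_HOUR)


def recovery_cost(hours: int, base: float) -> float:
    """Cost of guaranteeing recovery within `hours` (assumption: faster is dearer)."""
    return base / hours


def max_allowable_outage(rate: float, tolerable_loss: float, horizon: int = 8760) -> int:
    mao = 0
    for h in range(1, horizon + 1):
        if outage_loss(rate, h) > tolerable_loss:
            break
        mao = h
    return mao


def optimum_recovery_hours(rate: float, base: float, horizon: int = 8760) -> int:
    """Recovery target where the combined cost of outage and recovery is lowest."""
    return min(range(1, horizon + 1), key=lambda h: outage_loss(rate, h) + recovery_cost(h, base))


def priority(mao_hours: int) -> str:
    if mao_hours <= 4:
        return "high"
    if mao_hours <= 24:
        return "medium"
    return "low"


def bia(resources, tolerable_loss: float, recovery_base: float) -> dict:
    rows = {}
    for name in resources:
        rate = effective_loss_rate(name, resources)
        mao = max_allowable_outage(rate, tolerable_loss)
        rows[name] = {
            "function": resources[name].function,
            "rate": rate,
            "cascades_to": sorted(dependents(name, resources)),
            "mao_hours": mao,
            "optimum_rto_hours": optimum_recovery_hours(rate, recovery_base),
            "priority": priority(mao),
        }
    return rows


if __name__ == "__main__":
    for name, row in bia(RESOURCES, tolerable_loss=200_000, recovery_base=250_000).items():
        print(f"{name:15} rate={row['rate']:>7,.0f}/h MAO={row['mao_hours']:>4}h "
              f"RTO={row['optimum_rto_hours']:>3}h priority={row['priority']:6} "
              f"cascades_to={row['cascades_to']}")
```

Note that the authentication server has no revenue of its own, yet the cascading analysis gives it the same loss rate and priority as core banking, which is exactly the kind of hidden dependency the business impact analysis is meant to expose.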
Figure 2: Disaster Recovery plan development
Figure 2 shows the development of the disaster recovery plan. Disaster recovery includes planning, developing, and implementing disaster recovery management processes to ensure the resumption of critical functions after a disaster. The supporting information section provides the detail needed to make this plan comprehensive. The notification/activation phase immediately follows a disaster; the recovery phase is when the critical functions are recovered; and the reconstitution phase is when the original site is restored and business as usual is achieved.
References
Brock, J. L. (1999). Information security risk assessment. Washington D.C.: United States General Accounting Office.
MTU. (2011). Information security plan. Houghton, MI: Michigan Technology University.
Peotta, L., Holtz, M. D., David, B. M., Deus, F. G., & Rafael, d. T. (2011). A formal classification of internet banking attacks and vulnerabilities. International Journal of Computer Science & Information Technology (IJCSIT), 3(1), 186-197. doi:10.5121/ijcsit.2011.3113
RBI. (2007). Guidelines on information security, electronic banking, technology risk management and cyber frauds. Mumbai, India: Reserve Bank of India.
SANS. (2002). Security assessment guidelines for financial institutions. Boston, MA: SANS Institute Reading Room.