
Essay: Creating a Governance and Management Plan for Information Security at Bank of Abiaad

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024



Table of Contents

Executive Summary

Section 1: Value Proposition Strategic Assessment

1.1 Information Security Vision

1.2 Information Security Mission

1.3 Drivers, Goals, and Benefits of Security Governance and Management (Table 1)

Section 2: Roles and Responsibilities (Table 2)

Section 3: Liabilities

3.1 Safety of Employees and Customers

3.2 Private Information

3.3 Client Personal Belongings and Money

Section 4: Physical Security

4.1 Biometrics

4.2 Convergence

4.3 Risk Assessment

Section 5: Cyber Security

5.1 Internet of Things

5.2 Multiple Vendors

Section 6: 7 Layers of a Mature Security Program (Table 3)

Section 7: Metrics and Measurements

7.1 Metrics

7.2 Measurements

Section 8: Security Appliance

8.1 Security Appliance

8.2 Firewall

8.3 Vulnerability Assessment

Section 9: Antivirus (Table 4)

Section 10: Log Management

10.1 Log Management

10.2 Phases of Log Management (Table 5)

Section 11: Patch Management

Section 12: Security Awareness Training

12.1 Security Awareness Training

12.2 Provided by the Organization

12.3 Security Awareness Activity

Section 13: Policies and Procedures

13.1 Policies and Procedures

13.2 PCI DSS

Section 14: Strategy

14.1 Strategy

14.2 Breach Plan

14.3 Termination of Employee Process

14.4 Business Continuity

Section 15: Risk Assessment

15.1 Risk Assessment

15.2 Threat Hunters

15.3 Risk Management Framework (Table 6)

Section 16: Protocol

16.1 Social Media

16.2 Robbery Safety

Section 17: Critical Security Controls (SANS)

17.1 Inventory of Authorized and Unauthorized Devices

17.2 Controlled Use of Administrative Privileges

17.3 Email and Web Browser Protections

17.4 Data Protection

Section 18: Auditing

18.1 How Often?

18.2 Internal Audits

18.3 External Audits

References

Executive Summary

Bank of Abiaad is a bank located in the state of Michigan. It has 80 employees across its two branches and a further 30 employees at its head office, which is located downtown. The purpose of this governance and management plan is to provide assurance that the security program is aligned with the business. The document clarifies the goals, protocols, and procedures of the business so that all employees and stakeholders understand its requirements, assurance activities, processes, and implementations.

Section 1: Value Proposition Strategic Assessment

1.1 Information Security Vision

Bank of Abiaad is devoted to providing the confidentiality and integrity in order to create the availability of a safe

1.2 Information Security Mission

The mission of Information Security is to create, implement, and uphold an information security program that shields the Bank's systems, services, and data against unauthorized use, disclosure, modification, damage, and loss.

1.3 Drivers, Goals, and Benefits of Security Governance and Management

  • Strategic Alignment: aligning security activities with business strategy so that they support the organizational objectives (Brotby, 2006).

    o Support business initiatives

  • Risk Management: implementing the appropriate measures to reduce risk and its possible impact to an acceptable level (Brotby, 2006).

    o Protection from the civil or legal liability that results from inaccurate information, improper disclosure, or an absence of due care in its protection.

    o Accountability for protecting information during critical business activities.

    1.3 Table 1: Business strategic goals and the information security objectives that support them

    Business Strategic Goal: Risk mitigation and asset protection

    Information Security Objectives:

  • Provide confidence to leadership in the effective and efficient execution of information security responsibilities

  • Keep up with ever-emerging security threats

  • Protect assets and mitigate information security risk

    o Meet the operating needs of the organization in a secure manner

  • Safeguard the confidentiality, integrity, and availability of the network, systems, and applications

  • Move from a reactive to a more proactive response model

  • Provide secure computing training and education to the organization

    Business Strategic Goal: Operational and cost efficiency

    Information Security Objectives:

  • Improve capital and operational expenditure

  • Due diligence for vendors

    Business Strategic Goal: Compliance obligation

    Information Security Objectives:

  • Meet legislative and regulatory requirements, and audit recommendations

  • Monitor and validate regulatory compliance

    Section 2: Roles and Responsibilities

    2.1 Table 2: Duties, their owners, and others involved

    Duty: Ensuring proper protection for all physical and technical aspects of the organization (SANS)
    Owner: CISO
    Others involved: CEO

    Duty: Leading the development and execution of the long-term strategy (Petrotal, 2017)
    Owner: CEO
    Others involved: Shareholders

    Duty: Responsible for all back-office functions, including technical support
    Owner: Head Office
    Others involved: CEO, CISO

    Duty: Ensure all bank locations meet the required standards
    Owner: District Manager
    Others involved: CEO

    Duty: Ensure all employees carry out their duties correctly
    Owner: Manager
    Others involved: District Manager, CEO, CISO

    Duty: Provide assistance to clients and information on savings and investments (Writer, 2017)
    Owner: Banker
    Others involved: District Manager, CEO, CISO

    Section 3: Liabilities

    3.1 Safety of Employees and Customers

  • If a robbery occurs, the alarm button that alerts the police is not to be pressed until the robber has left the building, to ensure the safety of employees and customers.

    3.2 Private Information

  • The information collected from clients is a liability because it is personal data and the bank is responsible for protecting it.

    3.3 Client Personal Belongings and Money

  • Customers' money is a liability because the bank holds it on their behalf; if funds are released to the wrong person, the loss falls on the bank.

  • Personal belongings left in the bank's safe are likewise a liability, because the bank has undertaken to keep them secure.

    Section 4: Physical Security

    4.1 Biometrics

  • Fingerprints and other personal identifiers are used to secure systems and transactions (Field, 2008).

    4.2 Convergence

  • Brings the physical and logical security programs under a single, coordinated program (Field, 2008).

    4.3 Risk Assessment

  • Identifying the bank's physical vulnerabilities and working out how to mitigate them (Field, 2008).

    Section 5: Cyber Security

    5.1 Internet of Things

  • The IoT has taken cyber security to a new level: any network-connected device, including those joined over Wi-Fi, can become the entry point for a breach.

    5.2 Multiple Vendors

  • Because many different vendors are used, their technologies end up conflicting with one another (Yurcan, 2017).

    Section 6: 7 Layers of a Mature Security Program

    6.1 Table 3

    Section 7: Metrics and Measurements

    7.1 Metrics

  • Metrics are produced from the analysis of measurements. A metric compares at least two measurements taken over a specific time frame against a predetermined baseline (Gardner & Thomas, 2014).

    7.2 Measurements

  • How often employees change their passwords

  • How often data has been backed up

    o Critical in case of ransomware

  • When backups are scheduled
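As an added example (not code from the essay or from Gardner & Thomas), the following Python turns the two measurements listed above into metrics: each measurement is compared with the previous period and with a predetermined baseline. The account and backup data are constructed, and the 90-day password age, the one-day recovery point objective, the previous-period figures and the baseline values are assumptions.

```python
"""Turning raw measurements into metrics against a baseline.

Added example, not part of the original essay. The measurements are
constructed and the baselines are assumed, not taken from any bank policy.
"""
from datetime import date

# Constructed measurements: for each account, the date of its last password
# change; for each system, the dates on which a backup completed.
PASSWORD_CHANGES = {
    "teller01": date(2024, 5, 2),
    "teller02": date(2024, 1, 9),
    "branchmgr": date(2024, 4, 20),
    "svc-backup": date(2023, 11, 30),
}
BACKUP_RUNS = {
    "core-db": [date(2024, 5, 30), date(2024, 5, 31), date(2024, 6, 1)],
    "file-srv": [date(2024, 5, 28)],
    "branch-pc-07": [],
}


def password_rotation_rate(changes, as_of, max_age_days):
    """Share of accounts whose password is no older than max_age_days."""
    if not changes:
        return 0.0
    ok = sum(1 for d in changes.values() if (as_of - d).days <= max_age_days)
    return ok / len(changes)


def backup_freshness_rate(runs, as_of, rpo_days):
    """Share of systems with a completed backup inside the recovery point objective."""
    if not runs:
        return 0.0
    ok = sum(1 for dates in runs.values()
             if dates and (as_of - max(dates)).days <= rpo_days)
    return ok / len(runs)


def metric(name, current, previous, baseline):
    """A metric: two measurements over time compared with a predetermined baseline."""
    status = "meets baseline" if current >= baseline else "below baseline"
    if current > previous:
        trend = "improving"
    elif current < previous:
        trend = "worsening"
    else:
        trend = "flat"
    return {"name": name, "current": round(current, 3), "previous": round(previous, 3),
            "baseline": baseline, "status": status, "trend": trend}


def report(as_of=date(2024, 6, 2)):
    """Build the two metrics; previous-period values are constructed figures."""
    return [
        metric("password_rotation_90d",
               password_rotation_rate(PASSWORD_CHANGES, as_of, 90), 0.75, 0.95),
        metric("backup_within_rpo_1d",
               backup_freshness_rate(BACKUP_RUNS, as_of, 1), 0.50, 1.0),
    ]


if __name__ == "__main__":
    for m in report():
        print(m)
```

The point of the baseline is that a raw count ("data was backed up three times") says nothing by itself; only the ratio against what the policy requires, and its direction over time, tells leadership whether the control is working.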

    Section 8: Security Appliance

    8.1 Security Appliance

  • A dedicated device placed on the network to keep unwanted traffic out of it (Gardner & Thomas, 2014).

    8.2 Firewall

  • Monitors network traffic and decides what is allowed in and what is not according to a set of security rules (Cisco, 2018).

    8.3 Vulnerability Assessment

  • A self-conducted assessment of one's own enterprise is highly beneficial: it can uncover exposures before an attacker finds them (SANS).

    Section 9: Antivirus

    9.1 Antivirus

  • Host-based software that monitors and analyzes a computer internally in order to detect malicious code and intrusions (Gardner & Thomas, 2014).

  • Antivirus is required on all computers used in the bank, and clients are recommended to run antivirus software on the home computers they use for online banking.

    9.1 Table 4

    Section 10: Log Management

    10.1 Log Management

  • This approach deals with large volumes of computer-generated log messages (Gardner & Thomas, 2014).

    10.2 Phases of Log Management (Sumologic, 2018).

  • Instrument and Collect – gather log data from the systems that generate it

  • Centralize and Index – bring the logs into one store and index them for easy access and visibility

  • Search and Analyze – query and analyze the collected information

  • Monitor and Alert – raise timely alerts on conditions of interest

  • Report and Dashboard – share reports and dashboards with team members

    10.2 Table 5
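The five phases above, run end to end over a handful of constructed log lines, as an added example that is not code from the essay or from Sumo Logic. The host names, user names, addresses and the alert rule (three failed logins for one user from one source within five minutes) are assumptions; a real deployment would feed the same pipeline from syslog or an agent rather than from a string.

```python
"""Log management phases on constructed sample lines.

Added example, not from the original essay or Sumo Logic. Hosts, users and
addresses are made up; the alert threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like lines, as they might arrive from two branch hosts
# and the head office database server.
RAW_LOGS = """\
2024-06-02T09:00:01 branch1-pc03 sshd: Failed password for teller02 from 10.1.1.50
2024-06-02T09:00:12 branch1-pc03 sshd: Failed password for teller02 from 10.1.1.50
2024-06-02T09:00:25 branch1-pc03 sshd: Failed password for teller02 from 10.1.1.50
2024-06-02T09:00:40 branch1-pc03 sshd: Accepted password for teller02 from 10.1.1.50
2024-06-02T09:05:00 headoffice-db backup: Backup completed for core-db
2024-06-02T09:30:00 branch2-pc01 sshd: Failed password for admin from 203.0.113.9
2024-06-02T11:30:00 branch2-pc01 sshd: Failed password for admin from 203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def collect(raw):
    """Phase 1: parse each line into a structured event; skip malformed lines."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "prog": m["prog"], "msg": m["msg"], "type": "other"}
        a = AUTH_RE.search(m["msg"])
        if a:
            ev.update(type="auth", result=a["result"], user=a["user"], src=a["src"])
        events.append(ev)
    return events


def index(events):
    """Phase 2: centralize the events into indexes keyed by host and by type."""
    by_host, by_type = defaultdict(list), defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
        by_type[ev["type"]].append(ev)
    return {"by_host": by_host, "by_type": by_type}


def search(idx, type_=None, host=None, **fields):
    """Phase 3: query the index on any combination of fields."""
    if type_:
        pool = idx["by_type"][type_]
    elif host:
        pool = idx["by_host"][host]
    else:
        pool = [e for evs in idx["by_host"].values() for e in evs]
    return [e for e in pool if (host is None or e["host"] == host)
            and all(e.get(k) == v for k, v in fields.items())]


def alerts(idx, threshold=3, window=timedelta(minutes=5)):
    """Phase 4: alert when one user/source fails to log in `threshold` times
    within `window`. Both values are assumptions, not bank policy."""
    failures = defaultdict(list)
    for ev in search(idx, type_="auth", result="Failed"):
        failures[(ev["host"], ev["user"], ev["src"])].append(ev["ts"])
    found = []
    for (host, user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                found.append({"host": host, "user": user, "src": src,
                              "first": times[i], "count": threshold})
                break
    return found


def report(idx):
    """Phase 5: a summary suitable for a dashboard or a shared report."""
    return {"events_per_host": {h: len(v) for h, v in idx["by_host"].items()},
            "failed_logins": len(search(idx, type_="auth", result="Failed")),
            "alerts": len(alerts(idx))}


def run(raw=RAW_LOGS):
    return report(index(collect(raw)))


if __name__ == "__main__":
    print(run())
```

Note that the two failures for `admin` on branch2-pc01 are two hours apart and so do not trip the rule; the three failures for `teller02` within 24 seconds do, even though the fourth attempt then succeeded, which is exactly the sequence an analyst wants to see.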

    Section 11: Patch Management

    11.1 Patch Management

  • This area of systems management covers the acquisition, testing, and installation of patches, that is, code changes applied to an administered computer system (Gardner & Thomas, 2014).

  • Patch management keeps the environment under continuous review for missing fixes, so that when a vulnerability is disclosed the bank knows which systems are affected and can act immediately, by applying the patch or, if no patch has been released yet, a compensating control (Thrive, 2018).
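The "which systems are affected" step, as an added example that is not code from the essay or from Thrive. A package inventory per host is compared against a vendor advisory that gives the first fixed version for each affected release branch. The inventory, the advisory and the version numbers are constructed; real advisories would come from the vendor's feed, and the version comparison below handles only dotted numeric versions with an optional letter suffix such as OpenSSL's.

```python
"""Finding the hosts that still need a patch for a disclosed vulnerability.

Added example, not from the original essay or Thrive. The inventory and the
advisory are constructed.
"""

# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "branch1-pc03": {"openssl": "1.1.1k", "chrome": "124.0.6367.60"},
    "branch2-pc01": {"openssl": "1.1.1w", "chrome": "125.0.6422.76"},
    "headoffice-db": {"openssl": "3.0.13", "postgresql": "15.6"},
}

# Constructed advisory: package -> [(affected branch prefix, first fixed version)].
# An empty prefix means every branch is affected.
ADVISORY = {
    "openssl": [("1.1.", "1.1.1w"), ("3.0.", "3.0.14")],
    "chrome": [("", "125.0.6422.76")],
}


def version_key(v):
    """Split '1.1.1k' into ((1,''),(1,''),(1,'k')) so that versions compare
    numerically where they are numeric and lexically on any suffix."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append((int(num) if num else -1, piece[len(num):]))
    return tuple(parts)


def is_vulnerable(package, installed, advisory=ADVISORY):
    """True if an advisory entry covers this release branch and the installed
    version is older than the first fixed version."""
    for branch_prefix, fixed in advisory.get(package, []):
        if installed.startswith(branch_prefix):
            return version_key(installed) < version_key(fixed)
    return False


def affected_hosts(inventory=INVENTORY, advisory=ADVISORY):
    """Map each host to the sorted list of packages that still need patching."""
    result = {}
    for host, packages in inventory.items():
        missing = sorted(p for p, v in packages.items() if is_vulnerable(p, v, advisory))
        if missing:
            result[host] = missing
    return result


if __name__ == "__main__":
    for host, pkgs in affected_hosts().items():
        print(host, "needs:", ", ".join(pkgs))
```

The output is the work list for the patch window; a host that does not appear is either already at the fixed version or runs a branch the advisory does not cover.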

    Section 12: Security Awareness Training

    12.1 Security Awareness Training

  • Covers the organization's security awareness program (Gardner & Thomas, 2014).

    12.2 Provided by the Organization

  • Security awareness training is provided immediately upon hiring, as part of induction training

  • Employees are to complete refreshed training every four months

    12.3 Security Awareness Activity

  • Realistic simulations (for example, simulated phishing e-mails) are conducted at random times on random days

    Section 13:  Policies and Procedures

    13.1 Policies and Procedures

  • The foundation of, and critical to, every aspect of the security program (Gardner & Thomas, 2014).

    13.2 PCI DSS

  • PCI DSS – Payment Card Industry Data Security Standard

    o Three steps for adhering to PCI DSS (PCI, 2010).

    ♣ Assess – identify where cardholder data is held, take inventory of the IT assets and business processes involved in card payment processing, and analyze them for vulnerabilities that could expose cardholder data.

    ♣ Remediate – fix the vulnerabilities found and retain only the cardholder data the business actually needs.

    ♣ Report – compile and submit the required remediation records and compliance reports to the acquiring bank and the card brands the business works with.
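The three steps carried out over a few constructed files, as an added example that is not code from the essay or from the PCI Security Standards Council. Assess finds primary account numbers (PANs) by looking for 13 to 19 digit runs that pass the Luhn check, Remediate replaces each one with the first-six/last-four form that PCI DSS permits to be displayed, and Report gives the counts an assessor would ask for. The file contents are constructed and the card numbers are the well-known test numbers, not real accounts; a real scan would also cover databases, mailboxes and backups.

```python
"""Assess / remediate / report for cardholder data found in files.

Added example, not from the original essay or the PCI SSC. The files are
constructed; the card numbers are publicly known test numbers.
"""
import re

# Constructed sample files as a teller workstation might hold them.
FILES = {
    "notes.txt": "Customer called re card 4111 1111 1111 1111, wants limit raised.",
    "export.csv": "id,pan,amount\n17,5555555555554444,120.00\n18,4012888888881881,15.00\n",
    "ticket.log": "order ref 1234567890123 shipped; phone 248-555-0100",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _pan_from_match(m):
    """Return the bare digits if the match is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", m.group())
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def assess(files=FILES):
    """Step 1: find where cardholder data lives. Returns {file: [pan, ...]}."""
    found = {}
    for name, text in files.items():
        pans = [p for p in map(_pan_from_match, CANDIDATE_RE.finditer(text)) if p]
        if pans:
            found[name] = pans
    return found


def mask(pan):
    """PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def remediate(files=FILES):
    """Step 2: replace every full PAN in the file text with its masked form."""
    def repl(m):
        pan = _pan_from_match(m)
        return mask(pan) if pan else m.group()
    return {name: CANDIDATE_RE.sub(repl, text) for name, text in files.items()}


def report(files=FILES):
    """Step 3: the counts to hand to the acquirer or assessor."""
    found = assess(files)
    remaining = assess(remediate(files))
    return {"files_scanned": len(files),
            "files_with_pan": len(found),
            "pans_found": sum(len(v) for v in found.values()),
            "pans_remaining_after_remediation": sum(len(v) for v in remaining.values())}


if __name__ == "__main__":
    print(assess())
    print(report())
```

The 13-digit order reference in ticket.log has the right length but fails Luhn and is left alone, and the phone number is too short to be considered; the Luhn filter is what keeps a scan like this from flagging every invoice number in the estate.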

    Section 14: Strategy

    14.1 Strategy

  • Building a strong security culture within the organization

    14.2 Breach Plan

  • Having a response plan and a prepared public statement ready in case of a breach

  • Having a professional spokesperson speak on behalf of the company during the incident

    14.3 Termination of Employee Process

  • Ensuring that termination is complete and that the former employee no longer has any access

    o This ensures that a former employee cannot cause a breach or loss of information as retaliation.

    14.4 Business Continuity

  • Business Continuity Management identifies potential threats to the organization and the impact those threats could have on business operations should they materialize (DRI, 2018).

  • It provides a framework for a resilient organization that can respond effectively, protecting the interests of stakeholders, the company's reputation, and its brand and value-creating activities (DRI, 2018).

    Section 15: Risk Assessment

    15.1 Risk Assessment

  • Preparation for any reasonably likely incident

    o Data breach, fire, robbery, shooting, and any possible natural disaster

  • The resources required to protect the company are kept in place and regularly reviewed:

    o IT Support (Head Office)

    o CEO

    o CISO

    o District Manager

  • Acceptance of loss

    o The CEO and CISO inform the district manager of the level of loss the bank is prepared to accept.

    15.2 Threat Hunters

  • Respond to incidents

  • Perform threat landscape analysis

    15.3 Risk Management Framework

    15.3 Table 6

    Section 16: Protocol

    16.1 Social Media

  • Colleagues should know what is and is not appropriate to post on social media.

  • Colleagues are held accountable for anything inappropriate they post to social media.

    16.2 Robbery Safety

  • In the event of a robbery, employees are to hand over only the money from the first drawer immediately, and the money from the second drawer only if the robber demands it.

  • Employees are not to press the alarm until the robber has left the building, to ensure the safety of clients and employees.

    Section 17: Critical Security Controls (SANS)

    17.1 Inventory of Authorized and Unauthorized Devices

  • Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized or unmanaged devices are found and kept off it.
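Reconciling what is actually on the network against the authorized inventory is the core of this control. The following Python is an added example, not code from the essay or from SANS: it reads dhcpd-style lease lines from a branch DHCP server, normalizes the MAC addresses, and reports devices that hold a lease but are not in the inventory, authorized devices that are absent, and any MAC that holds more than one address (a duplicate or a spoofed address). The inventory, the lease lines and the MAC addresses are all constructed.

```python
"""Reconciling observed devices against the authorized hardware inventory.

Added example, not from the original essay or SANS. Inventory, DHCP lease
lines and MAC addresses are constructed.
"""
import re

# Constructed authorized inventory: MAC -> (asset tag, owner, location).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("PC-0301", "teller01", "branch1"),
    "00:1a:2b:3c:4d:02": ("PC-0302", "teller02", "branch1"),
    "00:1a:2b:3c:4d:10": ("PRN-0310", "shared", "branch1"),
}

# Constructed dhcpd-style lease records from the branch DHCP server.
LEASES = """\
lease 10.1.1.21 { hardware ethernet 00:1a:2b:3c:4d:01; client-hostname "PC-0301"; }
lease 10.1.1.22 { hardware ethernet 00:1A:2B:3C:4D:02; client-hostname "PC-0302"; }
lease 10.1.1.23 { hardware ethernet 00:1a:2b:3c:4d:10; }
lease 10.1.1.77 { hardware ethernet f4:5c:89:aa:bb:cc; client-hostname "android-9f2"; }
lease 10.1.1.78 { hardware ethernet 00:1a:2b:3c:4d:02; client-hostname "PC-0302"; }
"""

LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{ hardware ethernet (?P<mac>[0-9a-fA-F:]{17});'
    r'(?: client-hostname "(?P<name>[^"]*)";)?')


def seen_devices(leases=LEASES):
    """Devices currently holding a lease, keyed by lower-cased MAC."""
    seen = {}
    for m in LEASE_RE.finditer(leases):
        mac = m["mac"].lower()          # vendors and servers differ in case
        entry = seen.setdefault(mac, {"ips": [], "name": m["name"]})
        entry["ips"].append(m["ip"])
    return seen


def reconcile(leases=LEASES, authorized=AUTHORIZED):
    """Split observed devices into authorized, unauthorized and absent, and
    flag a MAC holding several addresses (duplicate or spoofed)."""
    seen = seen_devices(leases)
    return {
        "authorized_present": sorted(mac for mac in seen if mac in authorized),
        "unauthorized": sorted(mac for mac in seen if mac not in authorized),
        "missing": sorted(mac for mac in authorized if mac not in seen),
        "multiple_ips": sorted(mac for mac, d in seen.items() if len(d["ips"]) > 1),
    }


if __name__ == "__main__":
    for key, macs in reconcile().items():
        print(f"{key}: {macs}")
```

The "unauthorized" list is the one that should feed a ticket (or a switch-port shutdown) the same day; the "multiple_ips" list is the one that catches a device pretending to be an authorized one.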

    17.2 Controlled Use of Administrative Privileges

  • Track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
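A concrete version of "track and correct", as an added example that is not code from the essay or from SANS: the script reads constructed /etc/group and sudoers lines from a branch server, lists everyone who holds administrative rights through group membership or an unrestricted sudo rule, and flags anyone not on the approved administrator list as well as any NOPASSWD rule that grants ALL. The group file, the sudoers lines, the approved-admin list and the set of administrative groups are all assumptions.

```python
"""Checking who holds administrative privileges against the approved list.

Added example, not from the original essay or SANS. The group file, the
sudoers lines and the approved list are constructed.
"""
import re

# Constructed /etc/group-style lines from a branch server.
GROUP_FILE = """\
root:x:0:
sudo:x:27:itadmin,teller02
wheel:x:10:itadmin
staff:x:50:teller01,teller02,branchmgr
"""

# Constructed sudoers lines.
SUDOERS = """\
# Defaults
root    ALL=(ALL:ALL) ALL
itadmin ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/local/bin/run-backup
branchmgr ALL=(ALL) NOPASSWD: ALL
"""

APPROVED_ADMINS = {"root", "itadmin"}      # assumption: the approved list
ADMIN_GROUPS = {"root", "sudo", "wheel"}   # assumption: groups that confer admin

SUDO_RE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s+(?P<nopw>NOPASSWD:\s*)?(?P<cmds>.+)$")


def admins_from_groups(text, admin_groups=ADMIN_GROUPS):
    """Users who are members of an administrative group."""
    members = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, users = line.split(":", 3)
        if name in admin_groups and users:
            members.update(users.split(","))
    return members


def sudo_grants(text):
    """Parse sudoers user specs into (user, runas, nopasswd, commands)."""
    grants = []
    for line in text.splitlines():
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RE.match(line)
        if m:
            grants.append((m["who"], m["runas"], bool(m["nopw"]), m["cmds"].strip()))
    return grants


def audit(group_file=GROUP_FILE, sudoers=SUDOERS, approved=APPROVED_ADMINS):
    """Report everyone with admin rights, those not approved, and NOPASSWD ALL rules."""
    group_admins = admins_from_groups(group_file)
    grants = sudo_grants(sudoers)
    full_sudo = {who for who, _, _, cmds in grants if cmds == "ALL"}
    admins = group_admins | full_sudo
    return {
        "admins": sorted(admins),
        "unapproved": sorted(admins - approved),
        "nopasswd_all": sorted(who for who, _, nopw, cmds in grants if nopw and cmds == "ALL"),
    }


if __name__ == "__main__":
    print(audit())
```

Here the branch manager has a passwordless root-equivalent rule and a teller sits in the sudo group; neither is on the approved list, and both are exactly the kind of drift that an access review run on a schedule, rather than a one-off, is meant to catch.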

    17.3 Email and Web Browser Protections

  • Minimize the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with e-mail and web browsers.

    17.4 Data Protection

  • Prevent and mitigate data exfiltration while ensuring the privacy and integrity of sensitive data.

    Section 18: Auditing

    18.1 How often?

  • Audits should take place every two weeks, so that each review covers a manageable volume of records and problems are caught before they become risks.

    18.2 Internal Audits

  • Internal audits are required to ensure that internal mistakes are corrected and that employees themselves do not present a risk.

    18.3 External Audits

  • External audits are to be performed by an independent third party.

    References

    Brotby, K. (2006). Information security governance: A practical development and implementation approach. Hoboken, New Jersey: John Wiley & Sons, Inc.

    Cisco, What Is a Firewall? (2018, June). Retrieved from https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

    DRI What is Business Continuity Management? (2018). Retrieved from https://drii.org/what-is-business-continuity-management

    Field, T. (2008, February). Focus on Physical Security. Retrieved from https://www.bankinfosecurity.com/focus-on-physical-security-a-706

    HHS Office of the Secretary, Office for Civil Rights, & OCR. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

    Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards. (2010, October). Retrieved from https://www.pcisecuritystandards.org/

    Petrotal. (2017). Role and Responsibilities: Chief Executive Officer. Retrieved from http://www.petrotal-corp.com/docs/RolesAndRespCEO.pdf

    SANS Critical Security Control. (n.d.). Retrieved from https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

    SANS. (n.d.). Vulnerability Assessments: Pro-active Steps to Secure an Organization. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/vulnerability-assessments-pro-active-steps-secure-organization-453

    Sumologic. (2018, May). What is Log Management? Retrieved from https://www.sumologic.com/what-is-log-management/

    Thrive, Importance of Patch Management. (2018, January 16). Retrieved from https://www.thrivenetworks.com/blog/patch-management

    Writer, J. M. (2017, June 22). The many roles and responsibilities of a Banker. Retrieved from http://www.jobmail.co.za/blog/the-many-roles-and-responsibilities-of-a-banker/

    Yurcan, B. (2017, August 01). Bank cybersecurity may need a new mindset. Retrieved from https://www.americanbanker.com/news/bank-cybersecurity-may-need-a-new-mindset

    Source: Essay Sauce, Creating a Governance and Management Plan for Information Security at Bank of Abiaad. Available from: https://www.essaysauce.com/sample-essays/2018-6-19-1529375182-2/

    * This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.