Across the State Bank Information Security Risk Strategies
Student Name
Course Instructor
Institutional Affiliation
Date
Part 1: Prepare for Risk Management
Corporate security requirements and impacts of non-compliance

The corporate requirements for banking information security include:

  • Perimeter for banking security.
  • User authentication and authorization measures.
  • Multi-factor authentication.
  • Mobile and internet banking security protocols.
  • Compliance with ISO information security standards.
  • In-house information security systems.
  • Information security and audit practices to keep the data safe and identify security threats.
  • Risk assessment and mitigation practices.

Failure to meet all these requirements will lead to various consequences for the bank. The federal government could withdraw the bank's operating licenses due to non-compliance. The bank could also face reputational damage in case of any security threats (Rongrat & Senivongse, 2017). There will be legal fees and penalties for failing to abide by the federal security risk protocols that protect institutions and their customers.
Categories of information systems:

  • Storage systems used for storing customer and company data.
  • Privileged access systems used for the bank's cloud systems, such as backup web servers.
  • General use systems, commonly used by staff such as bank tellers.
  • End-user systems such as ATMs, which serve customers.
  • Managerial information systems.

Categories of people, processes, systems and hardware

  • Categories of people: junior employees, managers, senior-level managers, IT specialists, IT contractors, and non-banking personnel such as security officers.
  • Processes: transactions, data storage, data backup, cash transfers, data entry and processing, check processing and clearance.
  • Hardware: ATMs, teller computers, CCTV cameras, vaults, data centers, cash registers, and authentication machines such as biometric systems.
  • Software: bank security and authentication software, bank SAPs, mobile and internet services software, SWIFT, transaction processing software, decision-making and report generation software, and market research software.
  • Data: customer information, employee data, suppliers' data, partners' data, cash transaction history, accounts data, and safety deposit data.

The data classification schemes
According to Fenz et al. (2018), the criteria for creating the data classification scheme will be based on the value of the data and the levels of accessibility. This refers to classifying data based on how important it is and who has access to it. Therefore, the scheme will include:

  • Highly confidential: only to be shared with a named recipient.
  • Confidential: data for limited distribution, for example distributed only among managers.
  • General: data to be shared among employees for normal banking transactions.
  • Public data: data to be shared with the public, such as financial statements.

Part 2: Identify Risk
Bank assets and value to the bank

Category | Asset | Value to the company | Business impact analysis
Data | Financial statement | Moderate | Competitive advantage
Data | Customer data | Critical | Customer satisfaction
Data | Investment data | Critical | Competitive advantage
Data | Cash management and transfers | High | Business compliance
Data | Market research | Moderate | Competitive advantage
People | Contractors | Low | Business productivity
People | Junior employees | Moderate | Business productivity
People | Managers | High | Business productivity
People | Senior-level managers | Critical | Business productivity and competitive advantage
Systems | Servers | Critical | Customer satisfaction and competitive advantage
Systems | Security systems | Critical | Business productivity and customer satisfaction
Systems | Banking software | Critical | Business compliance and competitive advantage
Systems | Communication software | High | Business productivity
Systems | Cash transfers | Critical | Business compliance and competitive advantage
Hardware | Cash | Critical | Customer satisfaction
Hardware | Computers | High | Business productivity and compliance
Hardware | Furniture | Moderate | Business productivity
Hardware | Security systems | High | Compliance and productivity
Hardware | Bank building | High | Customer satisfaction and business productivity
Hardware | Cash vaults | High | Competitive advantage and business compliance
Hardware | ATMs | Critical | Customer satisfaction
Processes | Cash transfer and movement | Critical | Business compliance
Processes | Check processing | High | Competitive advantage
Processes | Cash deposit and withdrawal | High | Business compliance and customer satisfaction
Processes | Financial data and information processing | High | Competitive advantage

Part 3: Assess Risk
Mitigating key information technology risks.

  • User authentication and access systems. This refers to the installation of computer security measures and firewalls to mitigate the chances of hacking. It is ideal for preventing unauthorized system entry through passwords and biometrics.
  • Use of firewalls and computer security. This applies to hacking and cyber security risks; it identifies potential threats and stops them.
  • Cloud systems. These reduce the vulnerabilities and risks related to data centers and servers. They involve transferring the organization's data to the cloud instead of using on-premises hardware and drives to store data.
  • Scenario analysis. This involves developing a cyber security breach scenario and then developing measures to curb such threats. It involves drills and training employees to deal with threats.
  • Email handling practices and regulations. These include security measures such as redirecting non-work email to the spam box.

Optimal risk assessment methodology
The risk assessment methodology for the bank will be the risk matrix assessment. It rates all the types of organization risks and then determines the impact they have on the organization, including measuring the magnitude of that impact (Goel & Chen, 2016). It is suitable for both qualitative and quantitative analysis methods. It can also help the organization identify risks before they occur (Bojanc & Jerman-Blažič, 2018). However, it is not ideal for purely quantitative data assessment.

Potential threats, likelihood of occurrence, impact on the organization and the vulnerability scan

Risk | Likelihood of occurrence | Impact on the organization | Remediation measures
People risks | | |
Employee colluding with hackers to gain access to the company database | Minor | Loss of reputation and image; financial complications | Employee incentives; use of AI to identify employee behaviour and potential threats to the organization
Employee sabotaging computer systems | Moderate | Disrupted business activities; loss of money due to disruptions | System access level permissions so that employees do not have authority to execute certain system alterations
Employee sharing data access details with colleagues | Moderate | Breach of IT protocols, illegal data access and a potential beginning of a hack | Assigning every system and limiting access to only one password per user, with no guest access
Senior manager resignation | Moderate | Disrupted business operation and loss of competitive advantage | Use of incentives to ensure the managers do not resign
Junior employee resignation | High | Loss of key talent and sharing of business secrets | Motivating employees to stay through cash and promotion incentives
Data risks | | |
Hacking | High | Negative impact on image and reputation; loss of customer trust; business disruption; compensation, ransom fees and expenses | Use of firewalls and cloud services to prevent hacking
Data loss and mix-ups | High | Business disruption; impact on customer satisfaction | Data analysis, sorting and entry measures to prevent mix-ups and loss; data classification to prevent loss
Software risks | | |
Virus attack | High | Business disruption and impact on image; potential gateway to a cyber attack | Use of firewalls and anti-virus
Upgrade challenges | Moderate | Business disruption | Use of system backups to cover during upgrades
Unresponsive system | Moderate | Business disruption; losses due to lost time | System testing before implementation
Hardware risks | | |
Power outages or brownouts | Moderate | Business disruption; loss of productive time | Use of backup power systems
Facility breach | Low | Organization security threat; loss of security integrity | Use of CCTV and employing security personnel to guard the bank
Hardware incompatibility | Moderate | Increased hardware replacement expenses | Buying all hardware from one supplier to ensure compatibility
Natural disasters | Moderate | Business disruption | Use of cloud servers to ensure operations continue even during a disaster
Fire breakouts | Moderate | Business disruption; loss of hardware | Fire response systems

Part 4: Risk Appetite
Across The States Bank Risk Appetite Statement
Across The States Bank is responsible for ensuring the safety of all customer cash deposits and investments. Therefore, we are committed to balancing our risks based on the need to ensure safety deposit and cash security, and consumer and organization data security, so as to ensure customer satisfaction, data security and the organization's success. Our risk appetite therefore covers all types of data security risks, and we will transfer higher risks to other organizations. We will implement all security measures to cover all sorts of risks, including high and critical risks. Annually, we will increase or decrease our risk appetite for data and our assets.
Across The States Bank Risk Tolerance
Our risk tolerance will be based on various measures. The first will depend on assets: we will cover all the risks related to consumer and organization data. We will cover all sorts of data security risks but still hold insurance coverage for any disruptions and losses. We will also be in charge of people risks. Software and hardware risks will only be tolerated up to moderate levels; risks above moderate levels shall be transferred to insurance companies and third-party contractors.
Part 5: Control Risk
The risk control measures at the company shall involve a series of activities. The first shall be risk and system audits, conducted at set intervals. They will involve assessments of all the organization's systems and assets to determine the levels of risk and the potential sources of risk (Fenz et al., 2017). The audit measures shall also involve risk classification to show the severity of risks and determine the level of response, such as risk retention, mitigation or transfer. The audits and risk assessments will also produce recommendations to help the organization deal with the potential risks.
The second risk management strategy is risk retention. This means that the organization shall deal with certain types of risks without transferring or eliminating them. Such risks will include employee misconduct, data hacks, software-related problems and those risks that cannot be transferred or insured. The organization shall then implement measures such as mitigation to reduce the impact of such risks on the organization. For a risk to be retained, it must be within the tolerance levels and must not exceed the organization's appetite.
The third strategy is risk insurance. It will involve dealing with the risks beyond the organization's appetite and tolerance levels. The organization shall transfer asset-related risks to insurance companies so that in case of fires, natural disasters or stolen hardware, the insurance company compensates the company for such losses and the related damages (Zhang et al., 2018). The organization will also transfer certain risks related to people; for example, the death or resignation of a key employee such as the CEO will be the subject of key person insurance. This will enable the organization to acquire similar talent in case of such events.
Finally, the organization shall engage in risk elimination. This involves eliminating certain systems, processes, software and people considered a security threat to the organization (Stoneburner et al., 2020). Such risks have limited impact, and eliminating them will not affect the organization. They must be within the tolerance levels, and eliminating them will not have adverse effects on the organization.
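As an added illustration (not part of the original paper), the following Python scores the risks from the Part 3 table on a likelihood-by-impact matrix and applies the Part 4 tolerance rule to choose between retention and transfer as described in Part 5. The numeric scale, the bucket boundaries and the impact levels of the sample entries are assumptions; the risk names and likelihoods come from the table.

```python
# Added example (not from the paper): a risk-matrix register applying the
# tolerance rules of Part 4 and the retain/transfer choice of Part 5.
# Levels map to 1-4; "Minor" and "Low" share the lowest level (assumption).
LEVELS = {"minor": 1, "low": 1, "moderate": 2, "high": 3, "critical": 4}
ORDER = ["Low", "Moderate", "High", "Critical"]
# Part 4: data and people risks are always retained; software and hardware
# risks are tolerated only up to Moderate and transferred above that.
TOLERANCE = {"data": "Critical", "people": "Critical",
             "software": "Moderate", "hardware": "Moderate"}

def rate(likelihood: str, impact: str) -> str:
    """Risk matrix: likelihood x impact (1..16) bucketed into four levels.
    Bucket edges (<=2 Low, <=4 Moderate, <=9 High, else Critical) are assumed."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    if score <= 9:
        return "High"
    return "Critical"

def treatment(category: str, rating: str) -> str:
    """Retain and mitigate within tolerance; otherwise transfer to insurance
    or third-party contractors (Part 5)."""
    if ORDER.index(rating) <= ORDER.index(TOLERANCE[category]):
        return "retain and mitigate"
    return "transfer"

def assess(register):
    """register rows: (category, risk name, likelihood, impact level)."""
    rows = []
    for category, name, likelihood, impact in register:
        rating = rate(likelihood, impact)
        rows.append((name, rating, treatment(category, rating)))
    return rows

# Constructed register: names and likelihoods come from the Part 3 table;
# the impact levels are assumed for illustration.
REGISTER = [
    ("people", "Employee colluding with hackers", "Minor", "High"),
    ("data", "Hacking", "High", "Critical"),
    ("software", "Upgrade challenges", "Moderate", "Moderate"),
    ("hardware", "Fire breakouts", "Moderate", "High"),
    ("hardware", "Facility breach", "Low", "Moderate"),
]

if __name__ == "__main__":
    for name, rating, action in assess(REGISTER):
        print(f"{name:<33} {rating:<9} {action}")
```

Running it shows the hardware fire risk rated High and therefore transferred, matching the insurance strategy in Part 5, while the data and people risks stay retained regardless of rating.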
References
Bojanc, R., & Jerman-Blažič, B. (2018). A quantitative model for information-security risk management. Engineering Management Journal, 25(2), 25-37.
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2017). Current challenges in information security risk management. Information Management & Computer Security.
Goel, S., & Chen, V. (2016, May). Information security risk analysis: a matrix-based approach. In Proceedings of the Information Resource Management Association (IRMA) International Conference (pp. 1-9).
Rongrat, K., & Senivongse, T. (2017, July). Risk assessment of security requirements of banking information systems based on attack patterns. In International Conference on Applied Computing and Information Technology (pp. 117-133). Springer, Cham.
Stoneburner, G., Goguen, A., & Feringa, A. (2020). Risk management guide for information technology systems. NIST Special Publication 800-30.
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2018, June). Information security risk management framework for the cloud computing environments. In 2010 10th IEEE International Conference on Computer and Information Technology (pp. 1328-1334). IEEE.