Question

In: Economics


Please no plagiarism and must be your own work

Describe the financial organizations (Banks/Investment) and the considerations that will influence information security

Define and describe the associated information security policies in a financial organization (e.g. Acceptable Use Policy, Remote Access Policy, Employee Training Policy)

Define and describe the security processes that will be used to implement and enforce this security policy in a financial organization (e.g. Incident Response Process, Risk Assessment Process)

Define and describe the standards that are relevant and will govern the implementation of information security within the financial organization (e.g. NIST, HIPAA).

Solutions

Expert Solution

Question 1: Answer

Data is becoming the world’s most valuable asset, and financial institutions gather, process, and store massive quantities of it; they have been described as “information technology companies with balance sheets.” Yet banks, insurers, and asset managers are in the early stages of taking full advantage of data. As technology and technological transformation expand institutions’ ability to profit from data, they usher in new vulnerabilities. Protecting data remains among the most pressing issues facing financial institutions. As one director observed, “Security is the foundation of the business. Whether it is holding your money in the best vault or providing promised aid during difficult times, financial institutions are premised on trust and security.” New regulations provide greater access to third parties and increase compliance risk around violating customer privacy. Directors are working hard to keep up with rapid developments in the field.

A host of new cyber and privacy requirements have gotten the attention of boards and have opened discussions about data governance to include data usage, privacy considerations, and information security. Taken together, these laws and regulations make companies and their boards more accountable for breaches and compliance failures related to data. One director noted, “Having regulators set a clear direction forces the board to start discussing data protection.”

Analytics and security professionals agree that centralizing data into fewer locations creates significant advantages, but it is not without risk. One noted, “Not even Google knows how to run analytics well across multiple places. The data has to be in the same place.” With respect to security, “Data is easier to protect in one place. Security tends to like a homogenous environment.” Despite the myriad advantages, “It makes me nervous if it is all in one place. It can be easier to steal … The consequences of an insider attack go up if the insider can access more data.” Indeed, a key security flaw in the recent Equifax breach was the colocation and connection of many data pools. Several participants suggested that in the future, decentralized blockchain applications, which would not be subject to single points of failure, could offer better solutions.

Looking at the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) on several types of industries, we will see that the impact is higher on financial institutions than on any other organization. The security issues surrounding information technology dependency are among financial institutions' weakest security areas. Although this type of dependency is an up-and-coming trend in most industries, it is not new for financial institutions. This is because financial institutions are able to automate most services and operations. E-banking is reshaping the way people and organizations do business, and new services based on e-banking and electronic processing capabilities are created and deployed at very high speed. Many of these services could not be created and maintained without the information technology infrastructure that exists today, and if this infrastructure were to fail, these institutions would be unable to function.

Institutions' batch processes have also been upgraded to real-time operations. Consequently, some of these processes need to be working constantly in order to provide availability for operations. These operations will soon be more critical as electronic processes and services replace their manual counterparts. Additionally, the decreasing time needed to exploit vulnerabilities is another trend that has had a significant impact on these systems' availability. Massive propagation of threats like viruses and worms takes advantage of improvements in exploit development. Worms like Blaster and the more recent Zotob have shown the importance of having effective security controls to deal with these threats.

Financial institutions are some of the organizations most heavily affected by targeted attacks. The steady increase of attacks on e-banking systems through phishing is alarming. Phishing poses serious problems for institutions' security strategies because some phishing attack techniques are hard to detect. This is because certain techniques never involve the institution's infrastructure; they are carried out through outside sources. Vulnerabilities of computer systems, and the personal property of customers and employee data, pose a large risk for institutions' operations.

Many institutions need an almost complete redefinition of their security processes and functions. The good news is that, in the end, implementing stricter controls and procedures will not only allow institutions to comply with Sarbanes-Oxley and the Basel II Accord, but will also provide these institutions with a more robust security architecture (i.e. a more efficient way to select, implement and manage security controls). The bad news is that timetables are tight and many institutions are rushing to comply with these legal requirements.

Data breaches lead to an abnormally high churn rate of the customer base. Additionally, in the financial industry, there will be investigations by the responsible regulatory bodies following a data breach, which could also lead to license termination for the affected organizations. Therefore, data breaches and security incidents require a rapid response to mitigate the impact on these institutions and to demonstrate due care. Banks and financial institutions need to strengthen their incident response teams, make sure appropriate encryption is used with all data, and also train their staff on a regular basis to acquire and maintain their BCM and DR capabilities, just to name the most efficient measures. To alleviate purely the financial impact of security threats, insurance protection can also be bought.

The information security strategy needs to support the business objectives of the organization. Effectiveness and efficiency need to be improved in order to provide a better service for the customers. When performing security operations, significant attention should be given to the information the institution needs to provide to its employees, and this should be done in an appropriate and timely manner. Banks and financial institutions should be strongly committed to implementing a management system to deal with the security of information by employing people who are experienced and know how to deal with security issues.

Question 2: Answer

Information security policy is the focal point for establishing and conveying security requirements. It sets the tone for the information security practices within an organization, defining appropriate behavior and setting the stage for the security program. A consistently applied policy development framework exists that guides formulation, rollout, understanding and compliance.

A good policy document includes the overall importance of security within the organization, identifies what is being protected, identifies key risks and mechanisms for dealing with those risks, and provides for ongoing and regular monitoring and feedback to ensure the policies are enacted and enforced. Regular updates are needed to reflect changing business needs and practices. The policy enumerates the roles and responsibilities of all information systems users for protecting the confidentiality, availability and integrity of information assets. It must set out management's objectives and expectations for information security in clear, unambiguous terms, along with the implications of noncompliance. Its existence also demonstrates management's commitment to information security. To ensure ongoing applicability and relevance, the policy statement needs to be reviewed and updated on an annual basis. Failure to update may demonstrate a lack of management commitment to information security, or a general lack of processes to manage organizational governance.

The policy clearly states overall objectives and requirements for information security, scope (organization units, information assets), roles and responsibilities for each relevant party (e.g., asset owners, users, trustees), and any possible conditions for exceptions. The information security policy framework serves to support more extensive statements of information security standards, practices and procedures.

The information security standards document considers what needs to be done to implement security measures. This document covers the physical, administrative, and technical controls designed to secure information assets. It is important that, in detailing security controls, end-user productivity is considered. Controls should be designed to maximize both information protection and employee efficiency. Much like the policy document, the information security standards document is unlikely to be altered often. Only the introduction of new systems, applications, or regulations would require amendments to this document.

Acceptable Use Policy

An acceptable use policy or access agreement should be adopted to ensure uniform and appropriate use of an organization’s network, computers, information assets, and other electronic resources. The rules, obligations, and standards described in this policy and other policies/procedures should apply to all employees, temporary workers, independent contractors, vendors, and other electronic users wherever they may be located. The guidance and best practices in this article may be incorporated into your own template to create your own version of the acceptable use policy for your organization.

The purpose of this policy should be to define end-user acceptable use criteria for organizational systems. Information systems provide access to both data and processes required to support most business functions. They have contributed to substantial improvements in both productivity and customer service; however, the use of information systems to access customer or financial data, electronic mail (E-mail), the Internet, and remote access to business systems introduces risk.

Computers and networks can provide access to information resources on both internal and external networks. To ensure this data is handled responsibly, users are to respect the rights of other users, protect the confidentiality and integrity of the systems and related physical resources, and observe all relevant laws, requirements, and regulations. It is the responsibility of every user, independent contractor, vendor, and other electronic user to use information systems and information assets, including protected health information, in a professional, ethical, and lawful manner. In addition, users are to ensure the security of information systems and information assets. All employees (and others) agree to assist in investigating any potential or actual violations of policies and procedures.

Remote Access Policy.

Traditional finance is being disrupted by newcomers that offer high-level, rapid financial services. To remain economically competitive, the finance industry must continuously adapt its technology to offer new services, and remain compliant while doing so. To do that, financial IT needs access to networks to stay ahead of threats and ensure a fluid working environment.

Staying competitive and compliant is possible through the use of a secure remote access platform, which should provide:

- The ability to manage access, privileged and otherwise, for multiple vendors on your network.
- A standard remote support policy across all of your vendor partnerships.
- Two-factor authentication and access practices that eliminate untracked credential sharing.
- The ability to create a granular audit trail to understand, in real time and via recording, information such as who was on your network, what files were accessed, and what work was accomplished.

The risk of data loss and non-compliance increases with the adoption of new technology or experimentation with new consumer services. A platform that delivers secure remote access helps you remain competitive without risking the liability and other damage of a devastating data breach.

Employee Training Policy.

Employees will be required to complete a mandatory information security awareness training course upon accepting employment. Every year, employees will be required to review and complete the training material again as part of a comprehensive information security program.

A security policy is only as valuable as the knowledge and efforts of those who adhere to it, whether IT staff or regular users. Understanding the importance of computer and network security and building accountability for these concepts are critical for achieving organizational goals. With this in mind, establishing principles for security awareness and conducting subjective security training are integral endeavors for any business regardless of size. Security awareness ensures that users are familiar with potential threat mechanisms, while training teaches them the strategies they must employ to prevent or respond to these threats. A meaningful security awareness and training program explains areas of caution, identifies appropriate security policies and procedures that need to be followed, and discusses any sanctions that might be imposed due to lack of compliance. Accountability originates from a well-informed, well-trained workforce.

Question 3: Answer

Incident Response Planning is now a requisite exercise for smaller financial institutions. In order to create an effective incident response capability a number of broad areas must be considered. These areas include incident classification, the role and responsibilities of a Computer Incident Response Team, incident discovery and reporting, the incident response process, and reducing exposure to future incidents.

Information security has become a growing focus for financial services companies. In most financial institutions, the staff recognizes the importance of protecting customer data and the issues involved if the data are compromised. However, few employees have adequate training to properly detect or prevent all possible information security incidents. The organization’s Incident Response Plan is to be used when an information security breach is detected or suspected. Preventative activities based on periodic Vulnerability Assessments can lower the number of incidents, but not all incidents can be prevented. NIST Special Publication 800-61 states: “An incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.”

Due to the high volume and variety of attacks, incidents occur in countless ways. It is not practical to address each attack individually, so incident classification and severity ratings may be used as the basis for creating a manageable set of procedures for incident handling. Typical incident classes include:

- Unauthorized access: any access to the network, hosts, data or physical locations without permission. This also covers using an account or credentials that do not belong to the user. Often, the intention is to steal information or disrupt business operations. Weak passwords, shared passwords and social engineering are typical examples of how this may occur.
- Phishing: trying to trick people into giving out personal data like passwords and account numbers has increased in popularity on the internet. As corporate security grows tighter and intruders find it harder to penetrate a network, customers become a more frequent vector for data theft.
- Policy violations: behavior in violation of employee policies can be one of the most frequent causes of an incident. Examples include downloading or installing software from the internet, peer-to-peer file sharing programs such as Kazaa and Morpheus, bringing in infected media or hosts like laptops and workstations from the outside, and setting up VPN or modem connections to bypass firewalls without the permission or review of the Information Security group.

Risk assessments measure exposure to critical compliance, financial and operating activities, both within a financial institution’s internal environment and those stemming from external events. Weaver’s disciplined approach to risk management helps financial institutions identify vulnerabilities and develop key strategies for risk mitigation.

A risk assessment for a financial institution measures and helps manage compliance, financial and operational risks associated with significant activities and events, both internal and external. While some risks are inherent to an institution, some may be eliminated or mitigated by identifying key risk indicators which prompt management action when certain criteria are met. Upon identification and measurement of a financial institution’s risk universe and priorities, strategies are developed to establish effective internal controls and monitoring. These activities help create a strong internal control environment, including a secure information systems environment.

The first step in the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the financial institution. Typical products and services might include automated clearing house (ACH), automated teller machines (ATM), electronic banking, foreign exchange, lending, monetary instruments, private banking, and trust services. Customers and entities can include business entities, cash-intensive businesses, nonbank financial institutions, nongovernmental organizations, charities and professional service providers.

The next step is to measure the inherent risk associated with products, services, customers, and geography and identify the specific policies, procedures, systems, and controls that serve to mitigate the inherent risk identified. This exercise can be of particular value in identifying potential gaps in internal controls or in identifying possible inefficiencies or redundancy in processes.

Question 4: Answer

IT security governance is the system by which an organization directs and controls IT security. IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.

The National Institute of Standards and Technology (NIST) has developed a Cyber Security Framework which they define as: “a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.” Once the assessment process is complete, NIST provides a risk-based action plan and cyber security insights that are appropriate for both board and executive-level review and implementation. The information generated is also easily quantifiable.

The NIST process is made up of three stages, each building upon the other to help a business assess its current systems and draw up a plan. It includes five functional areas to consider: Identify, Protect, Detect, Respond and Recover. The NIST Framework helps companies to “better understand, manage, and reduce their cybersecurity risks”. Completing the assessment means you can identify your individual priorities when it comes to cyber security and business continuity. With the NIST Framework, you can build a risk management system that will allow your business to reach top-level security and compliance. Plus, the best part: it is easy to understand and to verify progress.

Risk analysis: The HIPAA Security Rule requires covered entities and business associates to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security. HIPAA requires covered entities, including business associates, to put in place technical, physical, and administrative safeguards for protected health information (PHI). These safeguards are intended to protect not only privacy but also the integrity and accessibility of the data.

The HIPAA Privacy Rule establishes standards for protecting patients’ medical records and other PHI. It specifies what rights patients have over their information and requires covered entities to protect that information. The Privacy Rule, essentially, addresses how PHI can be used and disclosed. As a subset of the Privacy Rule, the Security Rule applies specifically to electronic PHI (ePHI).

Technical safeguards are defined as the technology, and the policies and procedures for the technology’s use, that collectively protect ePHI as well as control access to it. The Security Rule's technical safeguard standards include:

- Access control: refers to the ability/means to read, write, modify, and communicate the data and includes files, systems, and applications. Controls must include unique user identifiers and automatic logoffs and could include access procedures during emergencies as well as data encryption.
- Audit controls: mechanisms for recording and examining activities pertaining to ePHI within the information systems.
- Integrity: requires policies and procedures for protecting the data from being altered or destroyed in an unauthorized manner.

