Question

Regional Bank has been growing rapidly. In the past two years, it has acquired six smaller financial institutions. The long-term strategic plan is for the bank to keep growing and to “go public” within the next three to five years. FDIC regulators have told management that they will not approve any additional acquisitions until the bank strengthens its information security program. The regulators commented that Regional Bank’s information security policy is confusing, lacking in structure, and filled with discrepancies.

• What are some first steps for this project?
• Is it feasible to use any material from the original document?
• Should other materials should be requested?
• Is it wise to interview the author of the original policy?
• Who else should interviewed?
• Should the bank work toward ISO certification?
• Which ISO 27002:2013 domains and sections should be included?
• Would you use NIST’s Cybersecurity Framework (CIA security model) and related tools?
• Which methods of communication would be best for sending the policy?
• What other criteria should be considered?

Answer 1

Answer a) The project is to provide strengthens in information security program of the regional bank for better performance .The banks always have threat to be victim of cyber attack , information theft , illegal money transaction , and other security related issues. The bank should act as per guide line given in  CPMI-IOSCO framework by BIS. The purpose of this information security is to meet the need of business , Strengthen information assurance and minimize the risk of noncompliance. The project framework would be like :

Step 1: identification of information issues

Step 2. Detection of problem

Step 3; Response the problem

Step 4: recover asap.

Answer b)Yes, we can use material from the original document, like information of existing business need , client data , any past threat of information. etc.

Answer c) Yes , the other materials and information is need based information for the project.

Answer d) Yes , it is also required to get information from the key person before implementation of project idea.

re-post remaining questions please.