Question

In: Computer Science

Regional Bank has been growing rapidly. In the past two years, it has acquired six smaller financial institutions. The long-term strategic plan is for the bank to keep growing and to “go public” within the next three to five years. FDIC regulators have told management that they will not approve any additional acquisitions until the bank strengthens its information security program. The regulators commented that Regional Bank’s information security policy is confusing, lacking in structure, and filled with discrepancies.

Should the bank work toward ISO certification?

Which ISO 27002:2013 domains and sections should be included?

Would you use NIST’s Cybersecurity Framework (CIA security model) and related tools?

Which methods of communication would be best for sending the policy?

What other criteria should be considered?

Solutions

Expert Solution

1) Answer:-
The bank should work towards ISO certification because it satisfies some requirements.
They are:-
1) Need for fulfilling regulatory requirements
2) Need for sustaining and improving market faith
3) Sustaining customer confidence
4) Improving service level
5) Reducing transaction time
6) Differentiation from other banks
7) Efficiency improvement
8) Greater customer satisfaction
9) Higher profitability and increased market share

10 reasons for acquiring ISO certification:-

1) Meet customer requirements
2) Get more revenue and business suggestions for new customers
3) Improve company and product quality
4) Increase customer satisfaction with the products
5) Describe, understand and communicate the company processes
6) Develop a professional culture and better employee relationships
7) Improve the consistency of operations
8) Focus management of employees
9) Improve efficiency, reduce waste and save money for the company
10) Achieve international quality recognition


2) Answer:-

ISO/IEC 27002 is a popular, internationally recognized standard of good practice for information security. It is a massive monolithic standard covering a broad range of information security controls.


The controls are divided into:
1) Organizational controls:- controls involving management and the organization.
2) Technical controls:- controls that involve or relate to technologies (cybersecurity).
3) People controls:- controls that involve or relate to activities, behaviors, roles and their responsibilities.
4) Physical controls:- touchable controls such as locks, other types of environmental protection, and controls such as fire and intruder alarms and uninterruptible power supplies (UPS), etc.
5) External party controls:- controls that involve or relate to parties outside the scope of an ISMS (examples:- contracted cloud services, service level agreements, legal and regulatory obligations, privacy policies and other obligations to customers, etc.).
Also some other alternative suppliers/sources of necessary information services, as well as data backups (example:- online or offline).


3) Answer
Yes, we can use the NIST Cybersecurity Framework and any other tools related to it so that the organization works properly.
The five elements of the NIST Cybersecurity Framework:-
1) Identify
2) Protect
3) Detect
4) Respond
5) Recover
These five elements above are related to the functions of the framework core.

3 parts of the NIST Cybersecurity Framework:-
1) Functions
2) Categories
3) Subcategories

Top 4 cybersecurity frameworks:-
1) PCI DSS (47%)
2) ISO 27001/27002 (35%)
3) CIS Critical Security Controls (32%)
4) NIST Framework for Improving Critical Infrastructure Security (29%)

The NIST framework also follows the CIA triad for better security concepts.
1) CIA means Confidentiality, Integrity and Availability
# Confidentiality:- It is a set of rules that limits the access to the secured information.
# Integrity:- It is the assurance that the information is trustworthy, reliable and accurate.
# Availability:- It is a guarantee of reliable access to the information for authorized people only, not for unauthorized people.

The framework is implemented in 5 steps:-
1) Select target goals
2) Create detailed profile
3) Assess current position
4) Analyze gaps and identify necessary actions
5) Implement action plan

Elements of cybersecurity:-
1) Information security
2) Application security
3) Disaster recovery
4) Network security
5) End user education
6) Operational security


4) Answer
By accepting this policy, you also agree that the Company can use your personal information to contact you for marketing purposes.
By sending emails
By the help of cookies and log files
By the help of third-party cookies
Links and external websites
By the help of advertisements
By the help of social media links


5) Answer
Other criteria that should be followed to maintain the security policy of the regional bank:-
1) Completed and assured transactions
2) Proper notifications
3) A well-managed password:- should be well defined and strong
4) Browser requirements and proper interfaces
5) Cookie information:- erase it from internal storage for security purposes
6) Install the security upgrades for your system or device and keep them up to date
7) Install recognised third-party antivirus software
8) Make daily backups of your important files
9) Never leave your computer unattended or unlocked
10) Install a personal firewall or proper system security requirements
11) Make sure the hard disk and the printer of your personal system components are not in shared mode
12) Avoid unnecessary links or images (to avoid phishing attacks)
13) Use backup devices and other power supplies for your data privacy
14) Don't connect to the internet unnecessarily
15) Log out of every login session every time

I hope you will like the answer.


