ECM84CS Work Proposal For Information Security For Finance Industries

Question:

Describe the importance and objectives of information security for above financial organization using open network/internet.
Answer:

Introduction:

Technological advancement is making the operational activities of financial industries across the world easier and more efficient. As the data held about consumers and operations has grown, the cyberspace holding financial industries' information has become one of the most appealing targets for hackers. The application of information technology enables this advancement; however, it also brings threats and risks to financial industries that apply IS/IT. The aim of this report is to present thorough research on the information security aspects of data management within financial industries. HSBC Bank Oman S.A.O.G is the chosen organization for this report, so that the responses and arguments about information security can be made as practical as possible. The report puts emphasis on laying out a roadmap for enhancing the security of the data or information stored in HSBC's databases.

 

HSBC Bank Oman S.A.O.G

HSBC has been in Oman since 1948 and, for the following two decades, it was the only bank operating in the country. HSBC also assisted in the first issue of the Omani currency and thereby supported the economic condition of the country. It introduced many services for the first time: the first ATMs, international ATM cash withdrawals, an online banking system, and commercial electronic banking through its "Hexagon" product. It has implemented information systems as the basic need for executing its operational activities (Hsbc.co.om 2018), and most of the organization's operational activity is now executed through information technology.

Importance and Objectives of Information Security

HSBC uses the open network/internet to provide better financial services to its consumers, and this exposes it to certain threats and risks; hence the need to enhance the organization's information security. Information security aims at identifying and eliminating the threats that could affect the proper functioning of the organization through manipulation, exposure or loss of data related to the stakeholders of HSBC bank (Webb et al. 2014). It also aims at delivering glitch-free and bug-free hardware and software for the organization.

Integrity, confidentiality, and availability are the major objectives of information security and can be explained as follows:

Integrity: This objective concerns the means of guarding stored data or information from being destroyed or modified by an unauthorized user. Information security helps ensure that the data or information saved in the financial industry's database is safe and cannot be accessed by an unauthorized user. It also helps ensure that the stored information or data is accurate, authentic, and non-repudiable (Agrawal 2017). Data integrity includes both system integrity and data integrity.

Confidentiality: This objective concerns the means of preserving stored data or information from being disclosed to or accessed by an unauthorized user, so that the confidentiality of the stored data is maintained. Information security is capable of ensuring the protection of proprietary and private information saved in the database about the organization's operational activities and its stakeholders (Cavusoglu et al. 2015). To function properly and assist their consumers, all banks collect personal information, and exposure of this data will without doubt affect the privacy and security of the individuals availing themselves of the services.

Availability: The last objective that information security emphasizes is providing easy, timely, and reliable access to information for authorized users. It ensures that the offering and use of services are not disrupted for the stakeholders.

 

Threats/Risks and Vulnerabilities

It can be stated that the banking industry would never have become so advanced without the adoption of information systems in place of the traditional way of working (Agrawal, Campoe and Pierce 2014). Following is the list of the threats and vulnerabilities for financial industries that use the open network to make their services available.

Mobile banking risks: Mobile banking is the easiest channel for bank consumers and its use has been continuously increasing in the digital era, so it has become a challenging sector for banks to provide better and more efficient mobile security. Various crucial files containing the user's sensitive information remain saved on the smartphone as hidden files; these can be easily accessed by a knowledgeable programmer and used for personal benefit. This also leads to privacy and financial insecurity for the users who install the application.

Web 2.0 and social networks: It has been estimated that almost every individual with a smartphone and internet connectivity is connected to social media, which can be a threat factor for users who install a banking application on the same phone (Peltier 2016). There is not yet any social networking policy for users connected with both banks and social media, so unauthorized and unwanted users might obtain vital information about the user through manipulation, affecting the privacy of the individual in every way.

Botnets, malware, and DDoS attacks: This is neither a very rare nor a very common type of intrusion against the data or information stored by the finance industry. Such breaches can happen to any industry that uses the internet to improve the availability of its products and services (Feng et al. 2014).

Phishing: This type of attack is generally carried out by delivering malicious code disguised as an advertisement or promotional message via e-mail. In general it gives an unauthorized user access to stored data and information.

Corporate account takeover (ACH fraud): This threat has become one of the trending issues for the banking industry and could cause serious harm to consumers availing themselves of services. Such threats can undermine the two-factor authentication process and manipulate or expose personal information to the outside world.

Cloud computing: Cloud computing has become the most widely applied technology of the current era; however, it is not immune to cyber attacks and could lead to the exposure of financial industries' information or data (Bodie, Kane and Marcus 2014). There are many types of attack that an unauthorized user could execute to gain access to the files stored in the database.

Inside attacks: This threat generally originates from within the banking industry itself, as former employees who have left the organization often still have access to the network and could use that access for personal gain, under outside influence or out of revenge (Moncayo and Montenegro 2016).

First-party fraud: This is also known as "advances fraud", among other names, and involves "a customer applying for and accepting credit with no intention of repayment." Misrepresented or synthetic identities can be used in first-party fraud and could harm the organization and connected stakeholders by manipulating real identities.

Skimming: ATM cards are the most used product offered by the banking industry, as nearly every client now carries a card for transactions, and card skimming is a major issue in this sector. Such an attack could affect the user financially through blitz or flash attacks. Oppliger (2015) states, "Blitz or flash attacks involve the simultaneous withdrawal of funds from multiple ATMs in different locations, sometimes scattered throughout the world."
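The blitz pattern quoted from Oppliger above is one that a bank's fraud monitoring can pick up from its own ATM transaction logs, because a single physical card cannot be in two cities minutes apart. The following is an added example, not part of the original report or of any HSBC system: a Python velocity check over a constructed withdrawal log that flags any card used in two or more cities within a sliding ten-minute window. The log format, the tokenized card ids, the cities and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM withdrawal log (not real data): one record per
# withdrawal. Fields: tokenized card id, UTC timestamp, ATM id, city, amount.
ATM_LOG = """\
card=TOK-1001;ts=2018-03-05T09:00:10;atm=MCT-01;city=Muscat;amount=200
card=TOK-1001;ts=2018-03-05T09:01:45;atm=DXB-17;city=Dubai;amount=250
card=TOK-1001;ts=2018-03-05T09:02:30;atm=LON-44;city=London;amount=300
card=TOK-2002;ts=2018-03-05T10:15:00;atm=MCT-02;city=Muscat;amount=50
card=TOK-2002;ts=2018-03-05T18:40:00;atm=SLL-03;city=Salalah;amount=60
card=TOK-3003;ts=2018-03-05T11:00:00;atm=MCT-01;city=Muscat;amount=100
card=TOK-3003;ts=2018-03-05T11:00:30;atm=MCT-01;city=Muscat;amount=100
"""


def parse_log(text):
    """Parse key=value;... records into dicts, sorted by card then time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split(";"))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["amount"] = float(fields["amount"])
        records.append(fields)
    return sorted(records, key=lambda r: (r["card"], r["ts"]))


def detect_blitz(records, window_seconds=600, min_cities=2):
    """Flag cards used in >= min_cities distinct cities inside any sliding window.

    Withdrawals from geographically separate ATMs within minutes of each other
    indicate cloned (skimmed) copies of one card being cashed out in parallel.
    Returns {card: {"cities": [...], "total": amount}} for each flagged card,
    keeping the window with the largest total for that card.
    """
    window = timedelta(seconds=window_seconds)
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)

    alerts = {}
    for card, recs in by_card.items():
        start = 0
        for end in range(len(recs)):
            # Advance the left edge until the window spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            cities = sorted({r["city"] for r in window_recs})
            if len(cities) >= min_cities:
                total = sum(r["amount"] for r in window_recs)
                prev = alerts.get(card)
                if prev is None or total > prev["total"]:
                    alerts[card] = {"cities": cities, "total": total}
    return alerts


if __name__ == "__main__":
    for card, alert in detect_blitz(parse_log(ATM_LOG)).items():
        print(f"ALERT {card}: {alert['total']:.0f} withdrawn across {alert['cities']}")
```

Widening the window (for example to twelve hours) turns the check into a plain travel-plausibility rule that also catches the Muscat-to-Salalah pair, at the cost of flagging genuine same-day travel, which is why the threshold belongs in the bank's policy rather than in the code.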

Information Security Policy

Almost every banking and finance industry uses the open network to carry out its operational activities and to provide innovative services to customers. However, such use has certain drawbacks, and it is the need of the time to implement an information security policy that is favorable for both the organization and the customers (Mai et al. 2017). It is important that the information security policy complies with the organization's other policies so that the organization works effectively and efficiently. It can be defined as the systematization of the policies and approaches used in formulating information security measures (de Gusmão et al. 2016). An information security policy basically aims at taking proper precautions to make sure that the data and information stored in the information system is safe. It can be summarized thus: "in most cases it consists of a 'basic approach to information security measures (basic policy)' and 'measures and standards applicable throughout the organization (standards).'"

 

Information Security Monitoring Parameters and its Metrics

It can be described as one of the crucial aspects of the risk management framework, used to identify and eliminate the bugs that might undermine an effective risk management strategy. Its metrics can be a definitive guide for effective security measurement and monitoring of information security within the banking industry (Dotcenko, Vladyko and Letenko 2014). It offers a radical approach to the development and implementation of the security metrics that are essential for supporting information risk management and business activities (Sommestad et al. 2014). Information security metrics help in measuring the severity of identified risks, and aspects that can be measured are easier to manage.

Scope and Domain of Information Security Policy

According to Ifinedo (2014), there are ten domains of information security, which can be listed as:

  • Telecommunications and Network Security
  • Access Control
  • Information Security Governance and Risk Management
  • Cryptography
  • Software Development Security
  • Security Architecture and Design
  • Business Continuity and Disaster Recovery Planning
  • Operations Security
  • Physical (Environmental) Security
  • Legal, Regulations, Investigations and Compliance

The scope of the information security policy can be described as enhancing information security from both the customer and the industry perspective. It puts emphasis on monitoring and analyzing the data and information collected about stakeholders and the organization's operational activities.

Policies and Traditional Standards

The information security standard ISO/IEC 27001:2013 (ISO 27001) can be recommended as the appropriate security standard for HSBC to implement information security successfully. This standard will help in identifying threats and bugs and eliminating them at the same time, so that operations flow in an effective and efficient manner. According to Siponen, Mahmood and Pahnila (2014), "Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives."

Remote Access Policy

The purpose of this policy within HSBC should be to set out the requirements for remote access to the computing resources hosted at HSBC using Virtual Private Network (VPN) technology (Bauer and Bernroider 2017). HSBC can implement this policy to incorporate the essential network for maintaining the productivity of the team and to accomplish the objectives related to analyzing and monitoring the data and information saved in the database. It should also address consumers regarding the usability and accessibility of the data and information saved in the system.

Email Usage Policy

This policy should be kept simple, as individuals who can be easily manipulated are the top targets for such intrusions. Cyberattacks such as DDoS, phishing, ransomware and many other intrusions can be carried out that affect the privacy and security of individuals using e-mail services within the organization. In addition, misuse of e-mail can lead to many privacy, security, and legal issues that could affect the reputation of the organization. It is important to deploy an e-mail usage policy for the staff and employees working in the organization (Kim, Yang and Park 2014). Misuse of e-mail by an internal employee could lead to the leakage of information that affects HSBC's competitive position.

Network Configuration Policy

Router and switching controls should be configured so that the same network cannot be accessed by any third party, since such access would expose the data or information travelling over or stored on that network. Monitoring internet usage and website access is a general approach that every organization follows; however, it is a serious privacy concern for the individuals being monitored (Bansal, Hodorff and Marshall 2016). This leads to the need for an appropriate policy for network configuration and internet monitoring.

Network Protocols policy

The purpose of this policy should be to establish a standard for communications and network access control that applies to every information technology system using the organization's network infrastructure and connected to the same network (Mai et al. 2017). SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System) and DHCP (Dynamic Host Configuration Protocol) are some of the protocols that could be implemented within the organization to manage network access and its requirements.

Network access policy

The purpose of this policy should be to subdivide the level of access for individuals who access the data or information saved in the system or database. Multi-factor authentication can be recommended for HSBC; it would help ensure the proper implementation of a policy that contributes to enhancing information security within the financial industry (Peltier 2016).

Effectiveness of Information Security

The procedures stated in this report can be a much more effective way of implementing information security properly and efficiently within the financial industry. The policies, hardware, and software mentioned above could enhance the security of the data or information saved in the databases of financial industries that use the open network.

 

Training

To implement a successful information security system it is necessary to make staff and employees aware of the types of attack, of the need not to disclose personal and sensitive information, of the use of strong passwords, and of how to manage systems and disconnect them from the network whenever they feel unsafe. This helps in exposing a threat at a very early stage, which is far better than exposing it later (De Lange, Von Solms and Gerber 2016). It helps in saving the rest of the data, blocking the intruder from getting deeper into the network and stopping them from accessing that data or information.

Timeline and work breakdown:

Task Name | Duration | Start | Finish
--- | --- | --- | ---
Development of system to monitor and analyze risks in financial industries | 212 days | Fri 1/12/18 | Mon 11/5/18
   Project Initiation | 27 days | Fri 1/12/18 | Mon 2/19/18
      Analysis of Requirement for the information system | 10 days | Fri 1/12/18 | Thu 1/25/18
      Analyzing existing threats | 12 days | Fri 1/26/18 | Mon 2/12/18
      Analyze beneficial aspects of proposed system | 2 days | Tue 2/13/18 | Wed 2/14/18
Monitor and Analyze risks in financial industries | 3 days | Thu 2/15/18 | Mon 2/19/18
         Preparing draft of the project | 3 days | Thu 2/15/18 | Mon 2/19/18
   Project Planning | 43 days | Tue 2/20/18 | Thu 4/19/18
      Appoint stakeholders for the project | 7 days | Tue 2/20/18 | Wed 2/28/18
      Evaluate and enlist the objectives of the project | 2 days | Thu 3/1/18 | Fri 3/2/18
      Meeting session with the stakeholders | 10 days | Mon 3/5/18 | Fri 3/16/18
      Estimating budget of the project | 6 days | Mon 3/19/18 | Mon 3/26/18
      Estimating expected schedule | 7 days | Tue 3/27/18 | Wed 4/4/18
      Prepare project's draft | 4 days | Thu 4/5/18 | Tue 4/10/18
      Choose development team | 7 days | Wed 4/11/18 | Thu 4/19/18
   Project Development | 64 days | Fri 4/20/18 | Wed 7/18/18
      Resource allocating | 15 days | Fri 4/20/18 | Thu 5/10/18
      Analyzing expected hardware for the system | 14 days | Fri 5/11/18 | Wed 5/30/18
      Analyzing expected software for the system | 14 days | Thu 5/31/18 | Tue 6/19/18
      Initiate the development | 3 days | Wed 6/20/18 | Fri 6/22/18
      Devising information security policies | 6 days | Mon 6/25/18 | Mon 7/2/18
      Analyze the information security monitoring parameters | 5 days | Tue 7/3/18 | Mon 7/9/18
      Identifying the domain and scope of the policies | 4 days | Tue 7/10/18 | Fri 7/13/18
      Selection of appropriate information security standard | 3 days | Mon 7/16/18 | Wed 7/18/18
   Project Testing | 21 days | Thu 7/19/18 | Thu 8/16/18
      Evaluate the proposed system | 7 days | Thu 7/19/18 | Fri 7/27/18
      Test the software | 7 days | Mon 7/30/18 | Tue 8/7/18
      Hardware testing | 7 days | Wed 8/8/18 | Thu 8/16/18
   Project Execution | 34 days | Fri 8/17/18 | Wed 10/3/18


Conclusion

Based on the above report, it can be concluded that information security is an important concern for the banking industry: information technology has become an integral part of the industry, and threats and vulnerabilities have followed in the wake of that development. HSBC bank was chosen as the case study for this report in order to apply the theory to the real world. The report presents thorough research on the objectives of information security, showing that it is the greatest concern for the banking industry once an information system has been implemented within the organization. Implementing a proper policy can help enhance information security, and complying with existing policy is the other important concern for improving the output of a banking industry. A better policy is what the current situation needs, as it can be beneficial for monitoring and enhancing the security of the data or information collected and stored by the banking industry.

 

References 

Agrawal, M., Campoe, A. and Pierce, E., 2014. Information security and IT risk management. Wiley Publishing.

Agrawal, V., 2017. A Comparative Study on Information Security Risk Analysis Methods. JCP, 12(1), pp.57-67.

Bansal, G. and Shin, S.I., 2016. Interaction Effect of Gender and Neutralization Techniques on Information Security Policy Compliance: An Ethical Perspective.

Bansal, G., Hodorff, K. and Marshall, K., 2016. Moral Beliefs and Organizational Information Security Policy Compliance: The Role of Gender. Proceedings of the Eleventh Midwest United States Association for Information Systems, pp.1-6.

Bauer, S. and Bernroider, E.W., 2017. From information security awareness to reasoned compliant action: analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 48(3), pp.44-68.

Bodie, Z., Kane, A. and Marcus, A.J., 2014. Investments, 10e. McGraw-Hill Education.

Cavusoglu, H., Cavusoglu, H., Son, J.Y. and Benbasat, I., 2015. Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & management, 52(4), pp.385-400.

D’Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.

de Gusmão, A.P.H., e Silva, L.C., Silva, M.M., Poleto, T. and Costa, A.P.C.S., 2016. Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), pp.25-34.

De Lange, J., Von Solms, R. and Gerber, M., 2016, May. Information security management in local government. In IST-Africa Week Conference, 2016 (pp. 1-11). IEEE.

Dotcenko, S., Vladyko, A. and Letenko, I., 2014, February. A fuzzy logic-based information security management for software-defined networks. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 167-171). IEEE.

Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, pp.57-73.

Graves, J.T., Acquisti, A. and Christin, N., 2016. Big data and bad data: on the sensitivity of security policy to imperfect information. The University of Chicago Law Review, pp.117-137.

Hsbc.co.om. 2018. Personal Banking | HSBC Oman. [online] Available at: https://www.hsbc.co.om/1/2/om/ [Accessed 13 Jan. 2018].

Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.

Kim, S.H., Yang, K.H. and Park, S., 2014. An integrative behavioral model of information security policy compliance. The Scientific World Journal, 2014.

Mai, B., Parsons, T., Prybutok, V. and Namuduri, K., 2017. Neuroscience Foundations for Human Decision Making in Information Security: A General Framework and Experiment Design. In Information Systems and Neuroscience (pp. 91-98). Springer International Publishing.

Moncayo, D. and Montenegro, C., 2016, October. Information security risk in SMEs: A hybrid model compatible with IFRS: Evaluation in two Ecuadorian SMEs of automotive sector. In Information Communication and Management (ICICM), International Conference on (pp. 115-120). IEEE.

Oppliger, R., 2015. Quantitative risk analysis in information security management: a modern fairy tale. IEEE Security & Privacy, 13(6), pp.18-21.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.
