Project Part 6
Project Part 1: Plan
Plan Section
Introduction:
This security management program is designed for Mara Investment Bank, which operates in the financial industry. The organization provides various financial services, including banking, investment, and insurance. This program aims to ensure the confidentiality, integrity, and availability of the organization's critical assets and data by following the 5-phase risk management process: Plan, Protect, Detect, Respond, and Adjust.
Scope:
This security management program includes all the organization's physical and logical boundaries. The program covers all business processes, including customer data management, financial transaction processing, internal communication, and IT infrastructure management.
Goal/Objective:
This security program aims to build a comprehensive security framework that safeguards vital assets, data, and infrastructure from cyber threats. The goal is to identify potential security threats, install proper controls, and continuously monitor and enhance Mara Investment Bank's security framework.
Asset Inventory: The following three assets need to be protected:
Customer Data:
This asset comprises the personal and financial information of the organization's clientele, such as names, addresses, account details, and credit card details, as well as other sensitive data that must be kept confidential for legal and trust-related reasons. Mara Investment Bank must ensure all client information is securely stored in a centralized database to which only authorized personnel have access. Additionally, whenever possible, sensitive client data must be encrypted both in transit and at rest. If this asset falls into the wrong hands, it could result in identity theft, fraudulent activity, and a loss of client confidence. The organization must use adequate security measures to protect customer data from unauthorized access, disclosure, or modification.
IT Infrastructure:
This asset includes the hardware and software components that support the organization's IT systems, such as servers, workstations, routers, firewalls, operating systems, databases, and applications (Andress & Leary, 2017). Securing this asset is critical because, if compromised, it can lead to disruptions in the organization's operations, data loss, and reputational damage. All these elements must be configured correctly to provide secure access while maintaining performance levels acceptable for their intended use cases (Andress & Leary, 2017). Furthermore, regular vulnerability scans should be conducted on all IT systems to detect potential threats or vulnerabilities before they become problematic. The organization should also have policies covering user authentication methods (passwords, PINs, biometric identification), physical security measures (CCTV cameras and guards at entry points), remote access (VPN configurations and two-factor authentication requirements), and system update and patching processes. The organization must implement appropriate security controls to protect its IT infrastructure from potential security threats.
Financial Transactions:
This asset covers all types of financial activities conducted within the organization's network, including payments made by customers through online banking portals or cards swiped at POS terminals, transfers from one account type into another, loans taken out from banks using collateral provided by customers, and investments made into various stocks and bonds offered by different institutions. It is vital for organizations handling large volumes of funds digitally to safeguard their operations by implementing robust controls, such as intrusion detection mechanisms capable of detecting suspicious activity across the various endpoints involved. This should be combined with logging on each node so that records are available for future reference if required during investigations. Moreover, multi-factor authentication requirements should be enforced, especially when dealing with external parties. Additionally, strong encryption protocols must be used when transferring funds across different locations or countries.
Risk Assessment and Risk Management Strategy:
The following are the risks associated with each asset and the risk management strategy to mitigate those risks:
1. Customer Data: Data loss or theft due to a cyberattack or insider threat is the risk connected to this asset (Vashisht et al., 2022). Robust access controls, encryption of critical data, routine data backups, and personnel security awareness training are all part of the risk management plan.
2. IT Infrastructure: Cyber-attacks, including malware infection, denial of service, and unauthorized access, are the main risks inherent to this asset. Implementing a robust network security architecture with firewalls, intrusion detection and prevention systems, antivirus software, regular vulnerability assessments, and penetration testing is part of the risk management strategy.
3. Financial Transactions: Fraud or theft due to a compromised system or unauthorized access is the risk associated with this asset (Vashisht et al., 2022). To detect and prevent fraud, the risk management plan comprises the implementation of robust access restrictions, transaction monitoring systems, and frequent security audits.
Security Metrics
Security metrics are crucial indicators intended to evaluate the effectiveness of security controls and an organization's overall security state. Two security metrics are associated with each asset to ensure security risks are adequately monitored and addressed.
For the first asset, which is the customer database, the following two security metrics can be used:
· The number of successful login attempts by authorized personnel: This metric tracks the number of successful logins to the customer database by authorized personnel, such as customer service representatives and managers (Andress & Leary, 2017). By monitoring the number of successful logins, the organization can ensure that access controls to the database are effective and that there are no logins by unauthorized accounts, which could indicate a security breach. This metric can be used as a current metric.
· Percentage of customer data backup completed: This metric tracks the percentage of customer data successfully backed up according to the organization's backup and recovery policy. By monitoring the percentage of data backup completed, the organization can ensure that critical customer data is protected against data loss and can be quickly restored in case of an unexpected event. This metric can be used as a projected metric.
For the second asset, which is the IT infrastructure, the following security metrics can be used:
· Mean Time To Detect (MTTD) a cyber-attack: This metric tracks the average time it takes for the organization to detect a cyber-attack (Courtemanche, 2018). By monitoring the MTTD, the organization can ensure that security controls and incident response processes are effective and efficient (Courtemanche, 2018). A low MTTD indicates that cyber threats are detected quickly, allowing the organization to respond promptly and minimize the attack's impact. This metric can be used as a current metric.
· Percentage reduction in MTTD after implementing the risk management strategy: This metric tracks the percentage reduction in MTTD after implementing the risk management strategy (Courtemanche, 2018). By monitoring the reduction in MTTD, the organization can measure the effectiveness of the risk management strategy and the improvement in incident response capabilities. This metric can be used as a projected metric.
For the third asset, which is financial transactions, the following security metrics can be used:
· Number of fraudulent transactions per month: This metric tracks the number of fraudulent transactions detected monthly (Vashisht et al., 2022). By monitoring the number of fraudulent transactions, the organization can ensure that its fraud detection and prevention controls are effective. This metric can be used as a current metric.
· Percentage reduction in fraudulent transactions after implementing the risk management strategy: This metric tracks the percentage reduction in fraudulent transactions after implementing the risk management strategy (Vashisht et al., 2022). By monitoring the reduction in fraudulent transactions, the organization can measure the effectiveness of the risk management strategy and the improvement in its fraud detection and prevention capabilities. This metric can be used as a projected metric.
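The six metrics above are only useful if they are computed the same way every reporting period. The following Python script is an added example (not part of the original plan, and not code from any of the cited sources) showing one way to derive each metric from the kinds of records the bank already keeps: database login logs, backup job results, incident timelines, and transaction records. All of the input data, account names, and timestamps are constructed for illustration; the log line format, the set of authorized accounts, and the incident fields are assumptions, and a real deployment would read them from the bank's own systems.

```python
"""Computing the six security metrics of the plan from constructed sample records.

Assumptions (not from the original plan):
  - login log lines look like "<ISO timestamp> user=<id> db=<name> result=<success|failure>"
  - incidents are (occurred, detected) ISO timestamp pairs
  - transactions are (date, amount, flagged_fraudulent) tuples
"""
from datetime import datetime
from statistics import mean

# --- Asset 1: customer database -------------------------------------------------
# Constructed: the accounts that are allowed to log in to the customer database.
AUTHORIZED_DB_USERS = {"csr01", "csr02", "mgr01"}

# Constructed sample log lines; "tmp_vendor" is deliberately not in the allowed set.
LOGIN_LOG = [
    "2024-03-01T08:02:11 user=csr01 db=customerdb result=success",
    "2024-03-01T08:05:40 user=mgr01 db=customerdb result=success",
    "2024-03-01T09:17:03 user=tmp_vendor db=customerdb result=failure",
    "2024-03-01T09:17:09 user=tmp_vendor db=customerdb result=success",
    "2024-03-01T10:30:00 user=csr02 db=customerdb result=failure",
]

# Constructed backup job results for the customer database.
BACKUP_JOBS = [
    ("customerdb-2024-03-01", "completed"),
    ("customerdb-2024-03-02", "completed"),
    ("customerdb-2024-03-03", "failed"),
    ("customerdb-2024-03-04", "completed"),
]


def parse_login(line):
    """Split one log line into a dict with a parsed timestamp and key=value fields."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def successful_logins(log, authorized):
    """Metric 1: successful logins, returned as (authorized, not_authorized).

    The plan treats this as a current metric; a non-zero second value is the
    condition it describes as a possible breach, so it is reported separately.
    """
    successes = [r for r in map(parse_login, log) if r["result"] == "success"]
    authorized_count = sum(1 for r in successes if r["user"] in authorized)
    return authorized_count, len(successes) - authorized_count


def backup_completion_pct(jobs):
    """Metric 2: percentage of scheduled customer-data backups that completed."""
    if not jobs:
        return 0.0
    done = sum(1 for _name, status in jobs if status == "completed")
    return 100.0 * done / len(jobs)


# --- Asset 2: IT infrastructure ----------------------------------------------------
# Constructed incident timelines before and after the risk management strategy.
INCIDENTS_BEFORE = [
    ("2024-01-03T02:00:00", "2024-01-04T14:00:00"),  # detected after 36 h
    ("2024-01-20T11:00:00", "2024-01-20T23:00:00"),  # detected after 12 h
]
INCIDENTS_AFTER = [
    ("2024-04-02T09:00:00", "2024-04-02T12:00:00"),  # detected after 3 h
    ("2024-04-15T00:00:00", "2024-04-15T09:00:00"),  # detected after 9 h
]


def mttd_hours(incidents):
    """Metric 3: mean time to detect, in hours; None when there were no incidents."""
    if not incidents:
        return None
    hours = [
        (datetime.fromisoformat(detected) - datetime.fromisoformat(occurred)).total_seconds() / 3600
        for occurred, detected in incidents
    ]
    return mean(hours)


def percent_reduction(before, after):
    """Metrics 4 and 6: percentage reduction from a baseline; 0.0 if there was no baseline."""
    if not before:
        return 0.0
    return 100.0 * (before - after) / before


# --- Asset 3: financial transactions ---------------------------------------------
# Constructed transactions: (date, amount, flagged as fraudulent by the monitoring system).
TRANSACTIONS = [
    ("2024-01-05", 1200.00, True),
    ("2024-01-09", 80.50, False),
    ("2024-01-22", 5400.00, True),
    ("2024-02-03", 310.00, False),
    ("2024-02-17", 2750.00, True),
]


def fraudulent_per_month(transactions):
    """Metric 5: count of fraudulent transactions keyed by YYYY-MM."""
    counts = {}
    for date, _amount, fraudulent in transactions:
        month = date[:7]
        counts.setdefault(month, 0)
        if fraudulent:
            counts[month] += 1
    return counts


if __name__ == "__main__":
    print("successful logins (authorized, not authorized):", successful_logins(LOGIN_LOG, AUTHORIZED_DB_USERS))
    print("backup completion %:", backup_completion_pct(BACKUP_JOBS))
    before, after = mttd_hours(INCIDENTS_BEFORE), mttd_hours(INCIDENTS_AFTER)
    print("MTTD before/after (h):", before, after, "reduction %:", percent_reduction(before, after))
    monthly = fraudulent_per_month(TRANSACTIONS)
    print("fraud per month:", monthly, "reduction %:", percent_reduction(monthly["2024-01"], monthly["2024-02"]))
```

Reporting the login metric as a pair rather than a single total matters: the plan's reasoning is that successful logins by accounts outside the authorized set are the signal of interest, and a single count of "successful logins" would hide exactly that case. The reduction functions guard against an empty baseline so that a period with no incidents or no fraud does not raise a division error in an automated report.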
Governance and Organizational Structure:
The following is the organization chart showing the security roles and responsibilities:
Executive Leadership:
· CEO: The CEO is ultimately responsible for the security program and ensuring it aligns with its overall goals and objectives. They set the tone for security culture and ensure the security program is adequately resourced.
· CISO (Chief Information Security Officer): The CISO is responsible for overseeing the security program and ensuring that security policies, guidelines, and objectives are developed, implemented, and enforced.
· CFO (Chief Financial Officer): The CFO ensures the security program is adequately budgeted and funded.
Business Management:
· Business Unit Managers: Business unit managers ensure that their respective business units comply with security policies and guidelines. They work with the security team to identify and assess risks and ensure appropriate controls are in place to mitigate them.
· Human Resources Manager: The HR manager ensures that employees receive regular security awareness training and that security policies are communicated effectively.
Systems Management:
· IT Manager: The IT manager is responsible for the implementation and management of the security infrastructure, which includes firewalls, antivirus software, and intrusion detection and prevention systems.
· Security Analysts: Security analysts conduct routine vulnerability assessments and penetration testing to detect and resolve IT infrastructure problems.
· Network Administrators: They form an essential part of the hierarchy since they are responsible for implementing and maintaining the network infrastructure, which includes routers and switches, and for ensuring appropriate security controls are in place.
References
Andress, J., & Leary, M. R. (2017). Building a Practical Information Security Program. Elsevier EBooks. https://doi.org/10.1016/c2014-0-01691-7
Courtemanche, M. (2018, October 29). mean time to detect (MTTD). IT Operations. https://www.techtarget.com/searchitoperations/definition/mean-time-to-detect-MTTD
Vashisht, S., Sarva, M., & Mundi, H. S. (2022). Risks measurement in banking: A bibliometric and content analysis. International Social Science Journal, 72(246), 955–977. https://doi.org/10.1111/issj.12371