Use Security Policies And Controls To Overcome Business Challenges

Scenario

1. The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region.
2. Online banking and use of the Internet are the bank's strengths, given its limited human resources.
3. The customer service department is the organization's most critical business function.
4. The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
5. The organization wants to monitor and control use of the Internet by implementing content filtering.
6. The organization wants to eliminate personal use of organization-owned IT assets and systems.
7. The organization wants to monitor and control use of the email system by implementing email security controls.
8. The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into an annual security awareness training program.

Using the scenario, identify four possible IT security controls for the bank and provide rationale for your choices.

Sample Solution

1. Multi-Factor Authentication (MFA):

  • Rationale: Since online banking and the Internet are crucial strengths for XYZ, protecting access to these systems is paramount. MFA adds a second, independent factor beyond the password, so an attacker who has obtained a stolen or phished password still cannot log in without the one-time code or hardware token. It should cover customer logins as well as employee and administrative access to the banking systems, including remote access. This aligns with security best practice and with GLBA's requirement to safeguard customer information.
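The point in that rationale, that a stolen password alone must not open an account, is easiest to see in code. The following is an added example written for this page, not code from the original answer or from any bank's systems: a login check that verifies a salted password hash and then requires a time-based one-time password (TOTP, RFC 6238: HMAC-SHA1 over a 30-second step, 6 digits), using only the Python standard library. The username `alice`, the password, the shared secret (the RFC 6238 test secret) and the timestamps are constructed sample data.

```python
"""Added example, not part of the original answer: a login check where a
stolen password alone is not enough, because the server also demands a
time-based one-time password (TOTP, RFC 6238: HMAC-SHA1 over a 30-second
time step, 6 digits). Standard library only. The user record, password,
shared secret and timestamps below are constructed sample data."""
import hashlib
import hmac
import os
import struct

TIME_STEP = 30            # seconds per TOTP step
DIGITS = 6                # code length shown by the authenticator app
PBKDF2_ROUNDS = 200_000   # password hashing work factor


def totp(secret: bytes, unix_time: int) -> str:
    """Compute the TOTP code for a shared secret at a given Unix time."""
    counter = unix_time // TIME_STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock drift."""
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * TIME_STEP)
        if hmac.compare_digest(expected, code):         # constant-time comparison
            return True
    return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Build a stored user record: salted PBKDF2 hash plus the TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(users: dict, username: str, password: str, otp_code: str, unix_time: int) -> bool:
    """Both factors must pass; a correct password with a wrong code is rejected."""
    user = users.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], otp_code, unix_time)


# Constructed sample data: the RFC 6238 test secret and a hypothetical user.
RFC_SECRET = b"12345678901234567890"
DEMO_USERS = {"alice": make_user("correct horse battery", RFC_SECRET)}

if __name__ == "__main__":
    now = 59                                            # RFC 6238 test time; code is 287082
    print("attacker with stolen password only:",
          login(DEMO_USERS, "alice", "correct horse battery", "000000", now))
    print("legitimate user with password and app code:",
          login(DEMO_USERS, "alice", "correct horse battery", totp(RFC_SECRET, now), now))
```

The drift window of one step either side is the usual trade-off between tolerating an unsynchronised phone clock and keeping each code valid for only about 90 seconds; a production service would also rate-limit attempts and refuse to accept the same code twice.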

2. Data Loss Prevention (DLP):

  • Rationale: With customer service as the critical business function and a stated need to monitor Internet usage, DLP software inspects outbound email, web traffic, and file transfers for sensitive content such as account and card data, personally identifiable information (PII), and proprietary documents, and blocks or quarantines it before it leaves the bank, whether the leak is accidental or deliberate. Paired with the content filtering the bank already plans, this supports GLBA's customer-information privacy and safeguards obligations.
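As an added illustration, not part of the original answer, here is a minimal outbound content inspector of the kind DLP products run over email and web uploads. It validates candidate card numbers with the Luhn check so that ticket and order numbers are not flagged, detects US SSN patterns, masks findings before logging them, and blocks only when the data is leaving for an external domain. The internal domain `xyzbank.example`, the recipients and the message bodies are assumed sample data; a real deployment would also inspect attachments and web uploads.

```python
"""Added example, not part of the original answer: a minimal outbound
content inspector of the kind a DLP system applies to email and web
uploads. It looks for payment card numbers (validated with the Luhn
check so random digit strings are not flagged) and US SSNs, and blocks
the message when such data is headed to an external recipient. The
internal domain and all messages are constructed sample data."""
import re

INTERNAL_DOMAINS = {"xyzbank.example"}   # assumed internal mail domain

# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(value: str) -> str:
    """Keep only the last four characters so the audit log does not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def inspect(message: dict) -> tuple:
    """Classify an outbound message as 'block' or 'allow'; findings are masked."""
    body = message["body"]
    findings = [("PAN", mask(p)) for p in find_pans(body)]
    findings += [("SSN", mask(m.group())) for m in SSN_RE.finditer(body)]
    domain = message["to"].rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    action = "block" if findings and external else "allow"   # internal hits are still logged
    return action, findings


# Constructed sample messages
SAMPLES = [
    {"to": "friend@mail.example", "body": "Card 4111 1111 1111 1111 exp 12/27"},        # Luhn-valid PAN
    {"to": "friend@mail.example", "body": "Ticket 4111 1111 1111 1112 is still open"},  # fails Luhn
    {"to": "ops@xyzbank.example", "body": "Member SSN 078-05-1120 for the loan file"},  # internal recipient
    {"to": "vendor@mail.example", "body": "Member SSN 078-05-1120 for the loan file"},  # external recipient
]

if __name__ == "__main__":
    for msg in SAMPLES:
        action, findings = inspect(msg)
        print(f"{action:5}  to={msg['to']:22}  findings={findings}")
```

The Luhn step is what keeps the false-positive rate tolerable for a customer service team that handles ticket and order numbers all day; the masking step matters because a DLP log that stores the full card number becomes a new store of regulated data.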

3. Email Security Suite:

  • Rationale: Monitoring and controlling email usage aligns with the bank's goals of eliminating personal use and implementing email security controls. An email security suite provides spam filtering, malware and attachment scanning, phishing protection, and encryption for messages in transit, reducing both external attacks and employee misuse of the email system. Its logging also gives the bank the visibility it needs to detect personal use and to investigate a suspected data breach.

4. Acceptable Use Policy (AUP):

  • Rationale: To enforce the desired behavior regarding IT asset usage, a clearly defined and communicated AUP is crucial. This policy should outline acceptable and prohibited activities on organization-owned IT assets, including internet browsing, email usage, and software installation. Regularly incorporating policy review into security awareness training ensures employees understand and comply with the AUP, minimizing personal use and potential security risks.

These four IT security controls address the key concerns of XYZ Credit Union/Bank: protecting online banking, securing customer data, monitoring internet and email usage, and preventing unauthorized access or misuse of IT assets. Implementing these controls and incorporating them into ongoing security awareness training will help the bank maintain a secure digital environment and comply with GLBA regulations.

Additional considerations:

  • User training: Regular security awareness training should educate employees on best practices for password hygiene, phishing identification, and responsible use of IT assets.
  • Incident response: Having a clearly defined incident response plan will help the bank effectively respond to any security breaches or suspicious activity.
  • Vendor management: Carefully vetting and monitoring third-party vendors who have access to the bank's systems is essential for maintaining overall security.

By implementing these controls and best practices, XYZ Credit Union/Bank can strengthen its IT security posture and protect its customers, employees, and data from cyber threats.
