Question: Identify three policies a bank should implement to help it improve information security?

Answer:

Any information security policy identifies the protocols needed for maintenance of information security. The focus of banks while executing security plans to protect information should encompass various factors. Some are mentioned below:

• Recognition and risk assessment of customer information
• Assurance of security and confidentiality of protected information
• Prevention of interception of data during transmission and avoiding loss of data integrity
• Consideration on physical loss of data in a disaster, system introduced errors, data system corruption, unauthorized access or transfer of data or information by/to a third party user(Thomson & von Solms, 1998)

It is also well known that customers are of utmost priority and protecting any information helps in ensuring trust in the banks and also protection against all sorts of threats as well as prevention of identity thefts.(Haag)

As per the case, the three policies that a bank should implement are given below:

1. Association with independent service providers:

The objective of hiring third party independent service providers is to ensure that lucidity and clarity in the system prevails. These service providers perform examinations of information technology, loan reviews and financial audits. Further, the bank will be purchasing processing services for data from multiple organizations. They will be sending checks, making wire transfers as well as transactions of ACH type with the non-affiliated banks simultaneously working with credit bureaus in multiple regions.(Whitman, Townsend, & Aalberts, 2001)

In almost every case, these independent service providers are requested to provide a written statement attesting to the fact that the security program provided to them meets the specific security objectives initially specified in this policy. The exception remains when the service provider is a government body. The contract is rescinded if the service provider rejects the proposal to provide the statement of this type.(Eloff & Eloff)

1. Policy measures to prevent identity theft or prevent stealing of customer information:

In general, the customer information is a boon for multiple organizations as well as other individuals. The customer information is generally used to steal customer money and in multiple cases now, the customer’s identity. (REES, Bandhopadhyaya, & Spafford, 2003)

The magnitude of problem can be encompassed from the fact that US registered about cases of identity theft in the year. Also, information access can be piracy into personal life of an individual, his assets and his memories. To prevent instances of this sort and to discourage any malicious activity, banks must take steps. Some of these steps are mentioned below:

1. Secure storage of all eliminated, discarded or any confidential reports and information should be kept in a separate storage systems and destroyed. It is often observed that the thieves get access to information from trash or the bills being thrown away by individuals. Thus, precautions are necessary.
2. As a part of employee charter, it should be ensured that employees must be securing any report and document which has been in their possession during the day to prevent illegal access to them. Any such information cannot be carried back to a personal place or leave the organization’s premises.
3. Limited information access: It is very important that access of information should be limited to very few individuals. This information access should be eased yet strictly available to people in need of it. Thus, secure transmission protocols should be established.
4. Mainframe access through system passwords and automatic cancellation of any idle system sessions: It is important that the mainframe access is available to a few individuals accessible through a secure medium of access. The medium can be a thermal scan, finger print scan, a system password or even a retinal scan. Also, system sessions which are idle for more than a stipulated time say 5-10 sec should automatically be cancelled to prevent any malicious or suspicious activity.(Gaunt, 1998)
5. Any electronic media or personal computers should be wiped clean and reformatted before disposal: Whenever a used system is disposed, the hard disk should be destroyed with exposure to sun or even formatted constantly to remove any information traces from it. It has often been observed that hackers or thief have used reconstruction or recovery software to attain information from these disks and misused it.(Höne & Eloff, 2002)
6. A criminal background check is run on all potential new employees,prior to them being hired: Hiring is an important practice and it is to be ensured that any personnel or criminal background should not be hired into the system. Hiring of such type can cause system vulnerability and information leakage as well as unwanted access can result. Thus, background checks become very important. (Wayne)
7. Ensuring latest state of the art technology barriers to prevent any theft:

The banks today have gone from cashless transactions to various other formats of transaction. Bit-coin is one such type. Also, banks have put security measures to make the system effective. Two-step verification has been put in picture and multiple check points have been established by the bank authorities to ensure that thefts are eliminated to all extends. Out-of-wallet questions are asked as security questions to ensure that any form of information access if any personal details are even available to any external personnel even then access is not easy. (Von Solms, 2002)

Security Id’s have been the trend in the past years. To make the process secure, banks while transaction request an OTP or one time password send to customer’s mobile as a part of verification. Then the customer is requested to enter a secure password being generated by the customer and entered on merchant bank’s portal. To avoid phishing, customers have to enter a 6 digit self-generated image code to ensure a human access and not a machine access.

Often, banks review all the online transactions independently once they occur and any dormant accounts are strictly limited. Also, the location of access is also monitored. Thus, if an account is accessed from two separate locations at the same time, the banks can generally prevent or delay such transactions in order to detect and monitor fraudulent activities.(Bulgurcu, Cavusoglu, & Benbasat, 2010)

Works Cited

1. Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness, retrieved on 16^th August 2015 from MIS Quarterly.
2. Eloff, J. H., & Eloff, M. (n.d.). Information security management: a new paradigm retrieved on 16^th August 2015
3. Gaunt, N. (1998). Installing an appropriate information security policyretrieved on 16^th August 2015 fromInternational Journal of Medical Informatics.
4. Haag. (n.d.). retrieved on 16^th August 2015 from Business Driven Technology. Tata Mcgraw Hill.
5. Höne, K., & Eloff, J. H. (2002). What makes an effective information security policy? retrieved on 16^th August 2015 from Network Security.
6. REES, j., Bandhopadhyaya, S., & Spafford, E. (2003) retrieved on 16^th August 2015 from PFIRES: a policy framework for information security. Communications of the ACM.
7. Thomson, M. E., & von Solms, R. (1998). Information security awareness: educating your users effectively retrieved on 16^th August 2015 fromInformation management & computer security.
8. Von Solms, B. (2002). Information security—a multidimensional disciplineretrieved on 16^th August 2015 fromComputers and Security.
9. Wayne, B. (n.d.)retrieved on 16^th August 2015 fromInformation Security Policy.
10. Whitman, M. E., Townsend, A. M., & Aalberts, R. J. (2001)retrieved on 16^th August 2015 from Information systems security and the need for policy.