Response for Case 1 : Control Analysis Assignment
CASE 1 : Control Analysis
Q 1 : Explain and support information assurance controls for access to sensitive client banking information by HMC employees?
My Response :
1. In this case, the key task is to ensure that sufficient access control mechanisms exist to protect sensitive client banking information. The key concerns here are:
· Distinct separation of duties.
· How network access to the servers is protected.
· Who has access to what information?
· How these accesses are audited?
2. To address these concerns it is first necessary to carry out a risk assessment of the system. This would involve assessing the security and access controls already present, as well as the new risks raised by the use of Tbilisi DBAs and the shifting of the data center to Georgia. Once the risk assessment has been completed, various IA controls can be applied to address the risks. The key risk factors are as under:
· Access to client information by Tbilisi DBAs and the related chance of misuse of data.
· Lack of privacy laws in Georgia, or limited protection compared with the USA.
· Low level of network security at the Georgia data centre.
· Increased chances of network tapping and hacker attacks, as the information is stored in a different country and would have to be accessed online.
· Perceived threat and loss of customer trust due to the shifting of operations.
· Increased cost of security infrastructure and training.
3. The key information assurance controls for this include:
· Ensure background checks of all employees having access to sensitive information.
· For employees based in Georgia, stricter checks should be ensured using dual checks from both law enforcement and private agencies.
· The system should have role based access control, ensuring that only people who require access to the data for their work are allowed to handle the data.
· Before shifting the data center to Georgia, it would be prudent to check the privacy laws of Georgia.
· All access to the database should be logged and audited, both internally by the internal audit team and externally by clients.
· The internal audit team should not be involved in or be a part of the DBA team, and should not report to the same head.
· All databases and servers should be protected by mandatory controls such as firewalls, IDS, IPS, password protection, audit logs and physical security.
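The role based access, DBA separation and audit logging controls listed above can be expressed directly in the database. The following is an added example written for this page (it is not part of the original assignment response and HMC's actual system is not described in the case); it uses PostgreSQL syntax and the pgaudit extension, and every schema, table, role and account name in it is hypothetical.

```sql
-- Added example (not from the original assignment): a PostgreSQL role layout
-- for the HMC client database. Object, role and account names are hypothetical.

CREATE SCHEMA banking;

-- In PostgreSQL the owner of a table implicitly holds every privilege on it,
-- so client data is owned by a NOLOGIN role that no person can sign in as.
CREATE ROLE banking_owner NOLOGIN;
ALTER SCHEMA banking OWNER TO banking_owner;

SET ROLE banking_owner;
CREATE TABLE banking.client_accounts (
    account_id   bigint        PRIMARY KEY,
    client_name  text          NOT NULL,
    ssn          text          NOT NULL,   -- sensitive: never granted to DBAs
    balance      numeric(14,2) NOT NULL
);
RESET ROLE;

-- Functional roles (NOLOGIN); individual people are added as members.
CREATE ROLE hmc_app_user   NOLOGIN;   -- HMC staff serving clients
CREATE ROLE dba_tbilisi    NOLOGIN;   -- Tbilisi DBAs: schema maintenance only
CREATE ROLE internal_audit NOLOGIN;   -- audit team, separate reporting line

-- Deny by default: remove the implicit PUBLIC access, then grant least privilege.
REVOKE ALL ON SCHEMA banking FROM PUBLIC;
REVOKE ALL ON banking.client_accounts FROM PUBLIC;

-- Client-facing staff see only the columns their work requires (column-level grant).
GRANT USAGE ON SCHEMA banking TO hmc_app_user;
GRANT SELECT (account_id, client_name, balance) ON banking.client_accounts TO hmc_app_user;

-- DBAs may create objects in the schema but receive no data privileges on the table.
GRANT USAGE, CREATE ON SCHEMA banking TO dba_tbilisi;

-- Auditors can see the schema but hold no data privileges either.
GRANT USAGE ON SCHEMA banking TO internal_audit;

-- Named accounts inherit exactly one functional role; nobody is both DBA and auditor.
CREATE ROLE alice_hmc  LOGIN PASSWORD 'change-me' IN ROLE hmc_app_user;
CREATE ROLE giorgi_dba LOGIN PASSWORD 'change-me' IN ROLE dba_tbilisi;
CREATE ROLE nina_audit LOGIN PASSWORD 'change-me' IN ROLE internal_audit;

-- Log every read, write, DDL and role change (pgaudit is assumed installed and
-- listed in shared_preload_libraries). The server log should be shipped to a
-- log host that the DBA role cannot write to, with read access for internal audit.
CREATE EXTENSION IF NOT EXISTS pgaudit;
ALTER SYSTEM SET pgaudit.log = 'read, write, ddl, role';
ALTER SYSTEM SET pgaudit.log_parameter = 'on';
SELECT pg_reload_conf();

-- Checks a reviewer can run: the DBA role must not hold SELECT on client rows,
-- and application staff must not hold SELECT on the ssn column.
SELECT has_table_privilege('dba_tbilisi', 'banking.client_accounts', 'SELECT');
SELECT has_column_privilege('hmc_app_user', 'banking.client_accounts', 'ssn', 'SELECT');
SELECT has_column_privilege('hmc_app_user', 'banking.client_accounts', 'balance', 'SELECT');
```

The design choice here is that no human account owns the data and no human account is a superuser in day-to-day use: backups and maintenance that genuinely need full access should go through a separate break-glass account whose use is itself captured by the same audit log. The three privilege checks at the end are what the internal audit team (or an external client audit) would re-run after every schema or role change.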
Q2. Explain and support information assurance controls for how access control is handled administratively?
My response :
1. The key issue to be dealt with in this case is the protection of the information assets of banking clients. This can be done by carrying out a risk assessment and then identifying the key access controls that need to be put in place. Access controls can be administrative, logical and physical. Administrative access controls are the policies and procedures defined by an organization's security policy and by other regulations or requirements.
2. The way to implement the access controls administratively is as under:
· Have proper policies in place on who will access the data, who will audit it, and how segregation of duties will be implemented.
· Have proper procedures on how to carry out the above activities.
· Proper hiring procedures, especially in Tbilisi, with proper background checks, as well as ensuring that only qualified people are hired.
· All information should be classified and accessed by personnel based on their authorised classification level.
· Proper security awareness training of all employees who access resources. All DBAs in Tbilisi are to be trained on the security of client information.
· Regular rotation of employees to ensure that no one employee has access to all data.
· Periodic testing of all security controls, mechanisms and procedures.
3. The specific issues related to this case can be handled as under:
· Ensuring uniformity of security policies across both centres.
· Security training of Tbilisi DBAs.
· Third party audits of all security aspects.
· Regular briefings, proper reports and reviews to clients in the USA and management in Georgia.