Response to Case 3: AgregGREAT!


Q1 Research the situation. Provide insights into the new IA risk incurred by having everyone’s banking and other financial services credentials. (500 words or less)

The new business idea plans to access clients' personal financial information from various online sources and present it in a useful form for the clients. This is a form of web scraping: the application would access client information from multiple accounts and present analysed content to the user. Because the company handles clients' personal information, a number of IA risks arise. These risks exist at both the individual client level and the organisation level.

The risks at the individual level are:
  • The chance of leaking information increases as an additional entity is given financial details.
  • Identity theft, since a single entity holds all the personal and financial information.
  • The organisation may sell client information to other third parties.
  • Lax computer security at the client's end may leak the client's Aggregate login credentials, giving access to all of the client's information in one go.
The risks at the organisation level are:
  • Leakage of financial information by employees and misuse of this information.
  • Hacking of the company's servers to access personal information.
  • An insecure software application leading to leakage of information.
  • Increased cost to implement security infrastructure.
  • Banks refusing the application access to records because of perceived risk, or blocking it with captcha codes.
  • Dealing with data storage and access laws for non-US clients.
The key risks have been highlighted above. Besides these, new risks may emerge as the idea is implemented and the company starts generating significant revenue. Greater revenue would bring increased public exposure and attention, generating new risks that would need to be addressed as they arise. This would also involve predicting these risks and taking timely action to mitigate them.

Q2 Provide a well-supported recommendation on how you can make these risks acceptable. (500 words or less)

All new business ideas carry associated risks which, if not addressed, can lead to failure of the idea and expose the organisation to punitive damages for not complying with the required rules and regulations. It is therefore imperative that all IA risks are addressed. Though there are a large number of risks in this new application, careful thought and implementation can address them through various measures.

The risks mentioned above can be addressed by taking the following measures:

  • Proper background checks of all employees.
  • Proper network security for servers in terms of firewalls, IDS, IPS and anti-virus software.
  • Proper physical security with 24/7 security guards, biometric access control and fire safety precautions.
  • A well-defined security policy.
  • Implement proper security procedures in line with the policy.
  • Role-based access controls to prevent unauthorised access to data.
  • Regular audits by internal and third-party teams to assess security measures.
  • Software Security - Ensure security is built into the software application which accesses data from various sources and stores it on servers.
  • Security Education - Ensure clients are educated and informed on security measures, including password security, anti-virus, firewalls and anti-phishing measures.
  • Implement multifactor authentication for clients.
  • Implement a read-only connection to banks to ensure that no financial transaction can take place.
  • Secure Transmission - Ensure that all personal and financial information is transmitted securely (for example over TLS) to prevent potential hackers from "tapping" a data conversation.
  • Carry out regular penetration testing to check for security lapses.
  • Being aware of and implementing relevant international laws for clients outside the US.
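To make the "read-only connection" and "role-based access controls" measures concrete, here is an added example (not part of the original post, and not any real bank or aggregator API): a small access gateway in which the aggregation service's role can only read balances and transactions, a write operation such as a transfer is reachable through no role the service can hold, a token is scoped to a single client so it cannot read another client's records, and every decision is written to an audit log. All names, roles and account records are hypothetical and constructed for the example.

```python
"""Added example: least-privilege, read-only access gateway for an
aggregation service. Roles, tokens and account data are all hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    READ_BALANCE = "read_balance"
    READ_TRANSACTIONS = "read_transactions"
    TRANSFER_FUNDS = "transfer_funds"


# Role -> permitted actions. The aggregator role is deliberately read-only:
# TRANSFER_FUNDS appears in no role the aggregation service can hold.
ROLE_PERMISSIONS = {
    "aggregator_service": {Action.READ_BALANCE, Action.READ_TRANSACTIONS},
    "support_staff": {Action.READ_BALANCE},
}


@dataclass(frozen=True)
class AccessToken:
    """Hypothetical token issued to a caller; scoped to one client's data."""
    subject: str
    role: str
    client_id: str


@dataclass
class AuditLog:
    """Records every authorisation decision so denials can be reviewed."""
    entries: list = field(default_factory=list)

    def record(self, token, action, target, allowed):
        self.entries.append((token.subject, token.role, action.value, target, allowed))

    def denials(self):
        return [e for e in self.entries if not e[4]]


class AccessDenied(Exception):
    pass


def authorize(token, action, target_client_id, audit):
    """Least-privilege check: the role must permit the action AND the token
    must be scoped to the client whose data is touched (no cross-client reads)."""
    role_ok = action in ROLE_PERMISSIONS.get(token.role, set())
    scope_ok = token.client_id == target_client_id
    allowed = role_ok and scope_ok
    audit.record(token, action, target_client_id, allowed)
    if not allowed:
        raise AccessDenied(f"{token.role} may not {action.value} for {target_client_id}")


# Constructed sample data standing in for records fetched from a bank.
ACCOUNTS = {
    "client-001": {"balance": 1250.75, "transactions": ["-42.00 grocery", "+2000.00 salary"]},
    "client-002": {"balance": 80.10, "transactions": ["-15.99 streaming"]},
}


def read_balance(token, client_id, audit):
    authorize(token, Action.READ_BALANCE, client_id, audit)
    return ACCOUNTS[client_id]["balance"]


def read_transactions(token, client_id, audit):
    authorize(token, Action.READ_TRANSACTIONS, client_id, audit)
    return list(ACCOUNTS[client_id]["transactions"])


def transfer_funds(token, client_id, amount, audit):
    """Write operation: unreachable through any aggregator-held role."""
    authorize(token, Action.TRANSFER_FUNDS, client_id, audit)
    ACCOUNTS[client_id]["balance"] -= amount
    return ACCOUNTS[client_id]["balance"]


def attempt(fn, *args):
    """Run an operation and report its outcome instead of raising."""
    try:
        return ("ok", fn(*args))
    except AccessDenied as exc:
        return ("denied", str(exc))


def run_demo():
    """Exercise the gateway with an aggregator token scoped to client-001."""
    audit = AuditLog()
    svc = AccessToken(subject="aggregator-worker-7", role="aggregator_service", client_id="client-001")
    results = {
        "balance": attempt(read_balance, svc, "client-001", audit),
        "transactions": attempt(read_transactions, svc, "client-001", audit),
        "transfer": attempt(transfer_funds, svc, "client-001", 100.0, audit),
        "other_client": attempt(read_balance, svc, "client-002", audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = run_demo()
    for name, outcome in results.items():
        print(f"{name:>13}: {outcome}")
    print(f"denied decisions logged: {len(audit.denials())}")
```

The design point is that the read-only property is enforced by the permission table rather than by the goodwill of the calling code: even if the aggregator's worker process is compromised or buggy, the token it holds cannot move money or reach another client's records, and both attempts leave an audit entry that a monitoring team can alert on.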

In conclusion, the new business idea AgreGate can give rise to a large number of IA risks, which can have a negative impact on the organisation unless they are tackled by taking appropriate measures to address them.
