Commonwealth Bank Data Breach: Risk Management Failure
Added on 2023/06/10
Information Systems for Business Professional: Annotated Bibliography
Assignment 1 Annotated Bibliography

Introduction

The Commonwealth Bank failed to act on suspicions that its network of Intelligent Deposit Machines (IDMs) was facing a data breach. Drug syndicates used the IDM network to move millions and millions of dollars. AUSTRAC (the Australian Transaction Reports and Analysis Centre), a financial intelligence agency, said that it was suing the Commonwealth Bank under anti-money-laundering and counter-terrorism-financing laws for the 53,700 data breaches that had taken place. This case study deals with the use of Intelligent Deposit Machines (IDMs), a type of Automated Teller Machine launched in 2012. IDMs allow customers to deposit and transfer cash anonymously at any time, even when the bank is closed. The Commonwealth Bank was not able to provide AUSTRAC with a detailed report on the roughly $77 million of suspicious transactions that took place in the data breach. Even after the bank learned of the money laundering through its IDMs, it failed to take the steps necessary to mitigate and manage the associated risk. The Commonwealth Bank learned of the suspicious account hacking in May 2015, but it failed to take proper action to alert the authorities about the large transactions that were taking place. This report explains the risk management actions that the Commonwealth Bank failed to take. Even after identifying unusual transaction patterns in some accounts, bank officials still did not inform the authorities and allowed all of the transactions to proceed. This report also explains what could have been done during the data breach.

Knaus, C. (2017). Commonwealth Bank accused of money laundering and terrorism-financing breaches. [online] The Guardian. Available at: https://www.theguardian.com/australia-news/2017/aug/03/commonwealth-bank-accused-of-money-laundering-and-terrorism-financing-breaches [Accessed 25 Jul. 2018].

The Commonwealth Bank started using Intelligent Deposit Machines (IDMs), launched in 2012, which are similar to Automated Teller Machines (ATMs). An IDM is a high-speed machine with a large cash deposit capacity. According to Knaus (2017), IDMs have extra features such as banknote validation and the ability to sort cash or track it by serial number. Intelligent Deposit Machines offer many advantages: they provide self-service reinvention for financial institutions, and they reduce cost and improve efficiency compared to ATMs. IDMs use new technology that helps drive value-added services and improves the customer's experience of using the machine. The IDM channel is central to banks, so banks are opting for IDMs; this makes the work self-service and lets it be done automatically. Intelligent Deposit Machines generate new revenue streams. On April 25, the Commonwealth Bank came to know about the suspicious money transfers and the repeated connected patterns in the cash being deposited, but the bank took no preventive measures (Question 1). Even after becoming suspicious, the Commonwealth Bank continued to process all transactions on the individuals' accounts. The suspects were arrested on January 19, 2015 (Question 2). The Commonwealth Bank failed to show the details of the reports commonly known as Threshold Transaction Reports. Almost 95% of the threshold transactions occurred in the bank between November 2012 and September 2015. In this article, AUSTRAC states that the Commonwealth Bank failed to address the risk management factors for the IDMs relating to money laundering or terrorism financing before 2012. CBA (Commonwealth Bank of Australia) took no steps to stop the terrorism-financing or money-laundering risk until 2015; only after three years did it take preventive measures to mitigate the risks.

Isaca.org. (2015). [online] Available at: https://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf [Accessed 25 Jul. 2018].

COBIT stands for Control Objectives for Information and Technology. COBIT provides good practice across all domains of an organization, and all the process frameworks included in the Commonwealth Bank are involved in COBIT. COBIT also presents activities in a manageable and logical structure. The COBIT practices involved in the Commonwealth Bank represent expert consensus (Question 3). COBIT focuses strongly on controlling the process rather than on execution. As stated by Isaca.org, the practices in COBIT help optimize investment in IT-enabled practices, ensure service delivery, and provide a measure of what goes wrong in the bank. For information technology to succeed in the Commonwealth Bank and deliver all of the business requirements, the bank should provide a framework in the organization or an internal control system.
There are many reasons for CBA to have a COBIT control framework in the organization. The needs are: making the link to business requirements; organizing the IT activities in a process model; identifying the major IT resources to be leveraged; and defining the management control objectives to be considered. The CBA business orientation included in COBIT involves linking the business goals with maturity models for measuring achievement, and identifying the responsibilities of the business and of the IT process owners. The main aim of the AML/CTF guide is to help bookmakers meet the requirements of the AML/CTF Act (Anti-Money Laundering and Counter-Terrorism Financing Act 2006) and the AML/CTF Rules (Anti-Money Laundering and Counter-Terrorism Rules Instrument 2007) (Question 2). Money laundering is the process by which criminals try to hide the origin or true ownership of the proceeds of criminal activity so as to avoid prosecution, confiscation and conviction. CBA therefore needed these acts and rules.
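The threshold transaction reporting and the detection of repeated connected cash deposits that the Knaus entry and the AML/CTF paragraph above say the bank failed to do can be shown as a simple screen over IDM deposit records. The example below is added here and is not the assignment's, CBA's or AUSTRAC's code; the AUD 10,000 threshold, the 7-day window, the three-deposit minimum and the sample records are assumptions constructed for illustration.

```python
# Added example: screen IDM cash-deposit records for (a) deposits that meet the
# cash reporting threshold and (b) repeated sub-threshold deposits into one
# account within a short window.  Threshold, window, count and records are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000           # assumed cash reporting threshold (AUD)
WINDOW = timedelta(days=7)   # assumed look-back window for repeated deposits
MIN_REPEATS = 3              # assumed minimum number of connected deposits

# Constructed sample records: (timestamp, account, machine id, amount in AUD).
SAMPLE_DEPOSITS = [
    ("2015-04-20 09:12", "ACC-1", "IDM-07", 12_500),
    ("2015-04-20 09:30", "ACC-2", "IDM-07", 9_900),
    ("2015-04-21 18:05", "ACC-2", "IDM-12", 9_800),
    ("2015-04-23 22:40", "ACC-2", "IDM-07", 9_950),
    ("2015-04-22 11:00", "ACC-3", "IDM-03", 4_000),
    ("2015-05-15 11:00", "ACC-3", "IDM-03", 4_000),
]

def threshold_transactions(deposits, threshold=THRESHOLD):
    """Deposits that individually meet the threshold and must be reported."""
    return [d for d in deposits if d[3] >= threshold]

def structured_deposits(deposits, threshold=THRESHOLD, window=WINDOW,
                        min_repeats=MIN_REPEATS):
    """Accounts receiving at least min_repeats sub-threshold deposits within
    any sliding window of length `window`; returns {account: total in window}."""
    by_account = defaultdict(list)
    for ts, account, _machine, amount in deposits:
        if amount < threshold:
            by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), amount))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_repeats:
                flagged[account] = sum(a for _, a in events[start:end + 1])
    return flagged

if __name__ == "__main__":
    for d in threshold_transactions(SAMPLE_DEPOSITS):
        print("threshold transaction to report:", d)
    for acct, total in structured_deposits(SAMPLE_DEPOSITS).items():
        print(f"possible structuring: {acct} deposited {total} AUD in repeated sub-threshold amounts")
```

On the sample records the screen reports the single 12,500 AUD deposit and flags ACC-2, whose three deposits just under the threshold fall within four days of each other.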
Aljazeera.com. (2016). Australia's Commonwealth Bank admits 2016 data breach. [online] Available at: https://www.aljazeera.com/news/2018/05/australia-commonwealth-bank-admits-2016-data-breach-180503081105883.html [Accessed 25 Jul. 2018].

The Commonwealth Bank of Australia lost records covering about 20 million people, and when it came to know of the data breach in 2016, CBA decided not to reveal the situation to its customers. The article shows that almost 12 million people, half the population of Australia, were affected by the data breach. The Commonwealth Bank, the biggest bank in Australia, revealed that two magnetic tapes in the organization stored names, addresses, phone numbers, account numbers and transaction details from 2000 to 2016 (Question 4). The magnetic tapes were destroyed by a subcontractor, but the bank never confirmed this with documentation. Bank officials assured customers that their passwords and PINs were intact, and the bank emphasized that there was no evidence of customer information being lost. The bank officials almost denied that a data breach had occurred. CBA executive Angus Sullivan said that the bank takes appropriate protection to keep its data safe and that losing customer data was not acceptable to them. They assured customers that preventive and protective measures had been taken to keep customer information safe, and apologized in case such an incident had taken place. But no such preventive measures were taken by the bank before 2016. Aljazeera states that the bank's forensic team concluded that the data had most likely been destroyed, even without evidence. Only 150 officials in the bank, including risk specialists and the senior executive team, were aware of the data breach that took place in Australia (Question 4). According to the bank, the risk of the data being discovered and misused was low, so they did not inform customers about the breach. This data breach shook the financial industry of Australia.

Winterford, B. and Winterford, B. (2017). Winning CommBank over to agile. [online] iTnews. Available at: https://www.itnews.com.au/news/winning-commbank-over-to-agile-388500 [Accessed 25 Jul. 2018].

Liza Frazier is executive general manager of digital channels at the Commonwealth Bank. She is the one official who introduced agile practices in the bank, organizing the retail bank into teams that serve small business and wealth clients. Without knowing the rules of the bank, Liza Frazier decided not to risk the brand or play with regulations. She introduced the agile method in the organization by providing training courses to everyone associated with the office. According to Winterford (2017), the teams worked within their environments and Frazier removed the hurdles. In a large organization like the Commonwealth Bank, managing such hurdles is very difficult (Question 5). Frazier dealt with them and allowed the digital teams to go down an agile route. Agile was used to close many of the organization's projects that were not needed by the bank but were still in progress; those projects were only wasting the organization's resources and the bank's manpower. The Commonwealth Bank of Australia also added extra features to its services, including Kaching, a social payment application. This application attracted almost three quarters of a million users to the bank. The application was very useful for customers and processed billions of dollars of payments per day. He also stated many features of Kaching in this article. Kaching is considered a disruptive innovation that was rolled out in the Commonwealth Bank's online banking application. Kaching makes the company innovative, proves its value proposition, and grows beyond expectations. Kaching helped make the system innovative and brought the innovation into the mainstream. Frazier also stated that during her two stints at the bank she made its business effective by introducing the agile method.

OnRamp. (2018). How to Mitigate and Respond to Data Breaches | OnRamp. [online] Available at: https://www.onr.com/blog/how-to-mitigate-and-respond-to-data-breaches/ [Accessed 25 Jul. 2018].

According to the OnRamp article, there are many ways in which the data warehouse can be used to mitigate data breaches. Compliance requirements include different policies that the Commonwealth Bank should follow (Question 6), but compliance requirements are often uncorrelated and confusing. The mitigation processes that the bank should have followed to prevent the data breach are stated below.

Risk management

Risk management is the main parameter for mitigating risk in data breaches and security. In most organizations, about 60%, little risk management is done, which leads to disaster and finally to the closing down of the organization. In every organization, large or small, all risks should be identified and assessed in relation to cost, and operational criticality prioritized accordingly.

Asset Classification

Asset classification defines the most appropriate protection level needed to keep a data set safe. It determines the cost of securing the assets based on their value, their impact on the organization and the reputation associated with them. Asset classification includes the business opportunities that might be lost if the asset is no longer available to the bank. Classifying means prioritizing which asset is to be protected first.

Security for Information System

The information system security policy mainly defines the security controls that should be executed for different information systems, including physical security, access management and network security. The security policy should also be updated as new risks are introduced and as the technology is updated.

Assessment and authorization of Information System

This policy is the main key to securing operations in an organization. It mainly ensures that new systems adopted by the organization are properly protected. All users should understand the standards and follow them.