Strategic Information System Policy for Commonwealth Bank
Added on 2023/06/04
Information Security Report
A Strategic Information System Policy for Commonwealth Bank
Executive summary
In the recent past the Commonwealth Bank has faced a growing threat of cyber-attacks and needs to formulate policies that help safeguard its information and identity. Commonwealth is one of the major banks in Australia, and it has admitted to a major data breach that exposed the financial records of more than 20 million customers (BBC News, 2018). According to the bank, two magnetic data tapes containing sensitive customer data, including names, account numbers, addresses and transaction details, went missing. The bank reported the incident to the Office of the Australian Information Commissioner shortly after it occurred. A forensic investigation found that only about 150 people in the organization, including the senior specialist and risk specialist teams, were aware of the breach. The bank's attempt to keep the matter quiet failed, as the revelation came at a time when all Australian banks were under unexpected scrutiny for misconduct by a royal commission. Given these heightened cybersecurity concerns, there is a need to formulate, develop and implement a strategic security policy for the Commonwealth Bank in response to the breach. The policy is intended to secure the bank's information assets, including but not limited to the confidential and personal information collected, stored, used and disseminated while serving customers, and to serve as a basis for training the organization's security officials, the senior specialist team and other staff.
Table of Contents
Executive summary
Introduction
  Policy purpose
  Scope
Policy formulation
  The information system policies of Commonwealth bank
    Security management program
    Organization of information security
    Security risk assessment
    Security risk treatment
    Staff and contractor access
    Environmental and physical security
    Property management
The potential threats and vulnerability of security of Commonwealth
How the threats and vulnerabilities of the Commonwealth organization can be mitigated
Conclusion
Reference list
Introduction
The Commonwealth Bank of Australia has reportedly experienced a considerable cyber-attack alleged to have compromised the personal data of millions of its clients. BBC News has published a report revealing more details of the incident. According to the report, the bank lost the personal information of more than 20 million clients and attempted to keep the breach from its customers (BBC News, 2018). It is therefore essential for the organization to have policies in place, and in effect, if it is to offer customers reasonable assurance that its security concerns are being addressed. The bank needs to exercise due diligence in formulating, documenting and implementing security governance, and to comply with the information security laws and standards that govern how its data, including but not limited to personal information, is used. As Abawajy (2014, pp.237-248) states, the information security policy is an umbrella that defines the security programs of the organization. It also provides the foundation on which security programs are designed and adopted by each department within the bank. Based on the nature of the organization and its stakeholders, this report seeks to research, formulate and document a strategic information security policy for the bank. The policy is formulated as a set of policy statements, each supported by a high-level description of the requirements for implementing it.
Policy purpose
The main purpose of the system security policy is to outline the security goals and objectives for protecting the bank's information assets, such as technology resources, personal information and confidential information, among other sensitive data, as a first step towards creating the programmatic controls, policies and procedures that protect the organization's sensitive information from threats, whether deliberate or accidental, internal or external. Along with the three guiding principles of information security, confidentiality, integrity and availability, the bank must consider the implementation of all security controls against the applicable policies, standards, laws and regulations (Dittrich and Kenneally, 2012, pp.27-33; Dubois, Heymans, Mayer and Matulevičius, 2010, pp.289-306).
Scope
The policies formulated in the following section are based on, but not limited to, the three guiding principles of information security mentioned in the previous section, and cover all information collected, processed, stored, handled and disseminated by the organization and its stakeholders. The policies must also be incorporated into all contractual agreements the bank enters into and into all its inter-agency arrangements.

Policy formulation
Given the increased profile of the cybersecurity threats faced by the organization, the policy of Commonwealth Bank is to ensure that all information, including but not limited to personal data, private information and confidential information that is collected, handled, stored and disposed of while providing services to customers, is safeguarded against all threats, whether accidental or deliberate, internal or external. This information security policy covers the following three guiding principles of information security.

Integrity: this principle protects the accuracy and completeness of data and of the methods used to process it. Data, and the electronic or physical media that hold it, must therefore be protected against deliberate or accidental destruction and against unauthorized modification, whether partial or complete.

Confidentiality: this principle ensures that information is accessible only to its rightful users, preventing deliberate or accidental unauthorized access to sensitive information.

Availability: this principle requires that information and assets are available to authorized users whenever they are required. The assets may include, but are not limited to, hardware, software and networks, according to the defined level of service that sets out the availability requirements. It is therefore important for the organization to maintain appropriate business continuity plans that improve the availability of its strategic assets.
The information system policies of Commonwealth bank
The policies incorporate the information security objectives of the organization: each security objective is stated, and the policy pertaining to that objective is then defined beneath it.
Security management program
The security management program, representing the policies and controls, has been adopted and implemented by the Commonwealth Bank. It gives both management staff and customers a clear understanding of the approaches, goals and implemented controls for safeguarding the organization's assets. The organization shall review the security policies at least once a year to ensure the adequacy, suitability and effectiveness of the controls. Amendments shall also be made whenever a significant change occurs that may have a negative impact on the policy.

Organization of information security
Commonwealth Bank shall document the specific duties of its staff, including third parties, for maintaining the security of the organization's data and of the information processing facilities accessed, handled and operated by employees, third parties and on-site contractors, as follows:
i. The need for confidentiality, and the non-disclosure agreements that reflect the organization's responsibility to protect information, shall be identified and reviewed.
ii. The bank's strategies for managing information system security and its implementation, including but not limited to procedures for information security, control objectives, policies and controls, shall be reviewed independently at set intervals or whenever important changes to the security implementation occur.
iii. All agreements made by the bank with third parties concerning, but not limited to, accessing, managing, communicating and processing information shall cover all necessary security requirements.
iv. The management team shall uphold the system security of the organization through clear direction and knowledge of its information security responsibilities.
Security risk assessment
The Commonwealth Bank shall construct policies to identify, quantify and prioritize the possible risks to its information systems against its operational and security objectives, and shall implement controls that give reasonable assurance that the security objectives will be achieved (Sarker, Xiao and Beaulieu, 2013, pp.6-9; Linetsky, Check Point Software Tech Inc, 2012, pp.47-79). This process shall include identification of risk factors by establishing the vulnerabilities of the system, i.e. unknown changes that may occur in the information system and render its information unreliable, and loss of data within the system, whether accidental or malicious. The process shall also include identification of threats, assessing the likelihood and impact of each potential threat, i.e. appraising the chance that each threat occurs.

Security risk treatment
The specific controls that must be adopted to achieve the defined security objectives shall be monitored and evaluated by the Commonwealth Bank (Siponen and Vance, 2010, pp.487-502). This policy identifies the security controls to be adopted and details their appropriateness.

Staff and contractor access
The Commonwealth Bank shall ensure that all its stakeholders, employees, third-party users and contractors understand the policies and have the knowledge and skills necessary to implement them effectively so as to reduce security risk (Ifinedo, 2012, pp.83-95).
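The leaver-offboarding and dormant-account controls under Staff and contractor access can be checked mechanically against an account inventory rather than left to manual recollection. The following is an added example, not part of the original report and not Commonwealth Bank code: it reviews a constructed set of account records and flags the enabled accounts whose access should be revoked, and separately calls out any login that occurred after a contract end date, since that indicates access that should already have been removed. The thresholds (90 days of inactivity for ordinary accounts, 30 for privileged roles), the privileged role names and the sample records are all assumptions; the report sets no concrete figures.

```python
"""Account access review for the staff-and-contractor access controls.

Added example (not part of the original report and not Commonwealth Bank
code): flags enabled accounts whose access should be removed because the
contract has ended or the account is dormant, and calls out logins that
occurred after a contract end date. Thresholds and records are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy parameters (the report sets no concrete figures).
DORMANT_AFTER_DAYS = 90             # ordinary accounts
PRIVILEGED_DORMANT_AFTER_DAYS = 30  # stricter limit for privileged roles
PRIVILEGED_ROLES = {"admin", "dba"}  # assumed role names


@dataclass(frozen=True)
class Account:
    username: str
    created: date
    enabled: bool
    roles: Tuple[str, ...] = ()
    contract_end: Optional[date] = None   # None for open-ended employment
    last_login: Optional[date] = None     # None if the account was never used


def review_accounts(accounts: List[Account], today: date,
                    dormant_after_days: int = DORMANT_AFTER_DAYS,
                    privileged_dormant_after_days: int = PRIVILEGED_DORMANT_AFTER_DAYS,
                    ) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every enabled account that should lose access.

    Accounts that are already disabled are skipped: revocation has happened for them.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        reasons: List[str] = []

        # 1. Leaver control: the contract has ended, so access must be removed.
        if acct.contract_end is not None and acct.contract_end < today:
            reasons.append(f"contract ended {acct.contract_end.isoformat()}")
            # A login after the end date means revocation was late; treat it as an incident.
            if acct.last_login is not None and acct.last_login > acct.contract_end:
                reasons.append(
                    f"login on {acct.last_login.isoformat()} after contract end; investigate")

        # 2. Dormancy control: idle time is measured from the last login, or from
        #    creation if the account has never been used (an unused account is still a risk).
        last_activity = acct.last_login or acct.created
        idle_days = (today - last_activity).days
        limit = (privileged_dormant_after_days
                 if PRIVILEGED_ROLES & set(acct.roles) else dormant_after_days)
        if idle_days > limit:
            reasons.append(f"no login for {idle_days} days (limit {limit})")

        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample inventory; the review date is an arbitrary choice.
TODAY = date(2018, 9, 19)
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2015, 3, 2), True, ("teller",), None, date(2018, 9, 18)),
    Account("contractor1", date(2018, 2, 1), True, ("developer",),
            date(2018, 8, 31), date(2018, 9, 10)),
    Account("dormant_user", date(2016, 7, 11), True, ("analyst",), None, date(2018, 5, 1)),
    Account("new_hire", date(2018, 9, 1), True, ("teller",), None, None),
    Account("old_admin", date(2014, 1, 20), True, ("admin",), None, date(2018, 8, 1)),
    Account("former", date(2012, 5, 5), False, ("analyst",), date(2017, 1, 1), date(2016, 12, 30)),
]

if __name__ == "__main__":
    for user, reasons in sorted(review_accounts(SAMPLE_ACCOUNTS, TODAY).items()):
        print(f"{user}: disable access; " + "; ".join(reasons))
```

In practice the account list would be exported from the directory or identity provider and the review run on a schedule, with the "login after contract end" finding routed to incident response rather than to routine clean-up, because it shows the leaver control failed rather than merely lagged.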
These include controls against unauthorized access to system assets: a risk assessment to determine the applicable level of employee screening before a change of responsibility during employment; removal of access rights when a contract ends; return of the organization's assets and equipment upon change or termination of a contract; and disabling of rights to access the bank's systems after a long period of inactivity.

Environmental and physical security
The Commonwealth Bank shall safeguard its assets, including but not limited to the organization's information system resources and personal information, against physical access, interference and damage by controlling facility access to its security resources, by securely disposing of or reusing resources, by designing and implementing physical security for the organization's departments, and by protecting equipment to reduce the risks from security threats and environmental hazards (Ifinedo, 2012, pp.83-95).

Property management
In order to maintain the security of its assets, the bank will formulate policy to meet the following needs:
i. The organization will implement a policy applying a classification to information, to ensure that controls are adequately applied to protect the organization's sensitive information, including but not limited to personal data and information about the organization.
ii. The organization shall identify, document and implement rules for the legitimate use of information and other related assets.
iii. All of the organization's assets shall be labelled, and an inventory of all useful property shall be identified and maintained as defined by policy.

The potential threats and vulnerability of security of Commonwealth
In cybersecurity, a vulnerability is a specific weakness within a system. Although banks are often at the forefront of cybersecurity preparation, they are continually becoming targets of cybercriminals (Yuan, Xing, Chen and Zang, 2011, p.6; Lim, Yeow and Yuen, 2010, pp.39-62). This threat applies to Commonwealth Bank because the bank does not perceive itself as a target on the same scale as other international banks, and its current policies do not stress that aspect. The reality, however, is that banks should prioritize cybersecurity, because data breaches can have severe consequences not only for the solvency of the organization but also for confidence in the financial system at large. Cybersecurity is a matter of international importance, and the organization should have a thorough understanding of the cyber-attacks to which it is vulnerable (Lim, Yeow and Yuen, 2010, pp.39-62; Zhang, Wuwong and Li, 2010, pp.1328-1334).
This awareness is critical and should not be taken for granted, especially in the banking domain. Another potential source of cyber-attack on the Commonwealth Bank is the shortage of cybersecurity skills; the bank itself has warned that a shortage of skilled cybersecurity personnel could lead to increasingly high-profile and damaging cyber-attacks. The bank has called for a shake-up of various institutions over the issue, as cyber threats to its computer systems continue to grow, arguing that cybersecurity courses should focus on practical experience rather than theory. Moreover, treating cybersecurity as an "afterthought" is a vulnerability that hackers have taken advantage of (Roman, Lopez and Mambo, 2018, pp.680-698). It leaves the bank open to cyber-attack, since it allows criminals to infiltrate the outer line of defence of the organization's systems and gain access to its information.

How the threats and vulnerabilities of the Commonwealth organization can be mitigated
There are various ways in which the Commonwealth Bank can mitigate the risks stated above. One is to set a strategic agenda for every cybersecurity meeting the bank holds (Hoy, Fenkner and Farren, L3 Technologies Inc, 2018; Spears and Barki, 2010, pp.503-522). Such meetings help align the key initiatives with the cybersecurity objectives and tackle cybersecurity problems, dispelling the illusion of safety that has taken hold in the organization and thereby enhancing security. Another is to sponsor cybersecurity research so that the organization better understands the cost of cybercrime. To mitigate the shortage of skilled cybersecurity personnel, the bank needs to liaise with higher-learning institutions in Australia to establish a centre of expertise for cybersecurity that focuses on practical experience rather than theory. This is a long-term investment for the bank, and a potential avenue for commercialization and collaboration that will help the organization align itself with innovation that solves cybersecurity-related issues.
The most crucial mitigation strategy for the above-mentioned security threats, however, lies in the information security system policy (Bulgurcu, Cavusoglu and Benbasat, 2010, pp.523-548). The organization should adhere to its policies in order to avoid such cybercrimes.

Conclusion
In this study we have formulated, designed and documented a strategic policy for the Commonwealth Bank. Responsibility for ensuring that the policy is adhered to therefore rests with the organization's staff. On the third-party side, customers should ensure that all information system assets, including hardware and software developed by or for the organization, conform to this policy in order to avoid cybersecurity issues in the near future.
Reference list
Abawajy, J., 2014. User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), pp.237-248.
BBC News, 2018 (May). Australia's Commonwealth Bank lost data of 20m accounts. Available at: <https://www.bbc.co.uk/news/business-43985233> [Accessed 19 September 2018].
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), pp.523-548.
Dittrich, D. and Kenneally, E., 2012. The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security, pp.27-33.
Hoy, R.B., Fenkner, M. and Farren, S.W., L3 Technologies Inc, 2018. Internet isolation for avoiding internet security threats. U.S. Patent 9,942,198.
Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.
Lim, N., Yeow, P.H. and Yuen, Y.Y., 2010. An online banking security framework and a cross-cultural comparison. Journal of Global Information Technology Management, 13(3), pp.39-62.
Linetsky, G., Check Point Software Tech Inc, 2012. Security system with methodology for defending against security breaches of peripheral devices. U.S. Patent 8,281,114, pp.47-79.
Roman, R., Lopez, J. and Mambo, M., 2018. Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges. Future Generation Computer Systems, 78, pp.680-698.
Ross, R.S., McEvilley, M. and Oren, J.C., 2018. Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems [including updates as of 1-03-2018]. NIST Special Publication 800-160.
Sarker, S., Xiao, X. and Beaulieu, T., 2013. Qualitative studies in information systems: a critical review and some guiding principles. MIS Quarterly, 37(4), pp.6-9.
Siponen, M. and Vance, A., 2010. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly, pp.487-502.
Yuan, L., Xing, W., Chen, H. and Zang, B., 2011 (July). Security breaches as PMU deviation: detecting and identifying security attacks using performance counters. In Proceedings of the Second Asia-Pacific Workshop on Systems, p.6. ACM.
Zhang, X., Wuwong, N. and Li, H., 2010 (June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on, pp.1328-1334. IEEE.