Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security Risk Assessment

Verified

Added on 2020/03/16

AI Summary

This assignment delves into the critical field of information security risk assessment. It examines different methods and models used to identify, analyze, and evaluate potential threats to information systems. The assignment encourages the exploration of established frameworks such as ISO 27001 and NIST Cybersecurity Framework, alongside emerging trends in cyber risk management. Students are tasked with understanding the complexities of assessing risks in diverse computing environments, including cloud computing and mobile devices.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: STRATEGIC INFORMATION SECURITY
Strategic Information Security
Name of the Student
Name of the University
Author’s note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
STRATEGIC INFORMATION SECURITY
Executive Summary
The main aim of this report is to develop a security program for enhancing the information
security of Nabil Bank. This report gives an over about the concept of information security. It
discusses about the different titles of security personnel in the bank. It also gives suggestion
regarding the improvement of the present security infrastructure of Nabil Bank. This report
discusses about the several threats that can be identified along with the risk assessment
methodology. It gives an overview of the training requirements of the employees for effective
implementation of the security program that is developed. This report also gives
recommendation regarding the improvement of the current information security of Nabil Bank.

2
STRATEGIC INFORMATION SECURITY
Table of Contents
1. Introduction......................................................................................................................3
2. Literature on Information Security..................................................................................3
3. Current Security Situation and Titles of the Security Personnel.....................................4
3.1 Risk Assessment and Threat Identification...............................................................6
3.2 Security Models.........................................................................................................8
4. Development of Security Program..................................................................................9
5. Roles and Responsibilities.............................................................................................11
6. Improvement Plan..........................................................................................................11
7. Training Requirements..................................................................................................12
8. ISO Standards and Models............................................................................................12
9. Conclusion.....................................................................................................................13
10. Recommendations........................................................................................................14
11. References....................................................................................................................15

3
STRATEGIC INFORMATION SECURITY
1. Introduction
Information is considered to be the most valued asset of any sector. Information is
susceptible to various types of risks as well as threats. With the emergence of information
technology, the cyber threats are increasing at a fast pace. Information security focuses on
protecting the valuable and sensitive data of an organization. Information security is involved in
protecting the integrity, confidentiality and availability of the information. Banking sectors deal
with financial data that needs to be protected. Nabil Bank is known as the first commercial
private bank of Nepal (Nabilbank.com 2017). Nabil Bank is involved in providing wide range of
banking services via its 52 representation points.
This report discusses and plans a security program for providing information security to
Nabil Bank. It tries to improve the present security structure of Nabil Bank. This report gives a
brief overview of information security. It gives suggestion about the kinds of security models
that can be adopted by Nabil Bank for better and secure operations. Threat identification along
with risk assessment is also carried out in this report. This report discusses about the ISO
standards as well as modes that will be suitable for Nabil Bank with proper reasoning. The
training requirements are also provided in this report for adopting security programs in an
effective manner. This report recommends certain steps and procedures that can be taken by
Nabil bank for improving its security infrastructure and for making the system of information
security strong.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
STRATEGIC INFORMATION SECURITY
2. Literature on Information Security
Information security can be considered to be a practice of defending and protecting
information from any kind of unauthorized access, misuse, disclosure, modification and
disruption (Vacca 2012). The modern generation is completely dependent on the information and
communication technology for confidential as well as commercial purposes. There are several
risks as well as threats that are associated with information technology like safety risk,
environmental risk, physical risk and financial risk. Security concerns that are related to ICT are
gaining major importance with time. All the organizations in every sector face some kind of
security issues (Webb et al. 2014). Strong information security structure as well as risks can be
adopted in an organization to protect it from risks and threats. Risks can be mitigated and
prevented by several methods and techniques.
Information security has certain aspects like confidentiality, availability and integrity.
When the information cannot be accessed by any unauthorized user then the confidential aspect
of information is achieved (Von Solms and Van Niekerk 2013). When the information cannot be
misused, destructed or modified by an attacker or user than the integrity of the information is
maintained. When the right information is available to the right or authorized person at the
correct time with no such interference or obstruction then the availability of information is
achieved. Banking sectors have been a major target for the hackers, crackers as well as the cyber
criminals. Information security aims at identifying the risks and mitigating it for protecting
sensitive information.

5
STRATEGIC INFORMATION SECURITY
3. Current Security Situation and Titles of the Security Personnel
Nabil Bank was founded in July, 1984. Their main objective is to extend the services of
modern banking to different sectors of the society. Nabil Bank provides several banking and
financial services via its 52 representation points. It has introduced several innovative and
modern marketing concepts and products in banking sector. Their main objective is customer
satisfaction. Highly qualified personnel are responsible for managing the daily operations.
Sensitive financial information is handled by the bank. Risk management is carried out by highly
experienced and qualifies management team. Nabil Bank is totally equipped with advanced
technology that consists of banking software of international standard for supporting E-
transactions and E-channels. Their aim is to provide a complete and secure financial solution to
their customers. The risk management team is highly efficient in assessing the risk and providing
information security to the organization (Sandberg, Amin and Johansson 2015). There are many
security personnel present in the risk management team. They are as follows:
Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk
functions, tools as well as systems for identifying, assessing, measuring, monitoring and
reporting risks. They identify main risk areas and enhance the function of security architect.
They are also responsible for implementing security program.
Head of Credit Risk Management: They are responsible for implementing procedures and
policies for the purpose of reducing credit risk. They are also involved in building financial
models that have the capability to predict any type of credit risk that can affect the organization.
The credit risk management team reports to their head regarding daily operations and activities.

6
STRATEGIC INFORMATION SECURITY
Senior Credit Analyst: They are responsible for reviewing and assessing financial history
of a company or an individual for the purpose of determining whether the candidate is eligible
for getting loan. They evaluate financial statements like balance sheets as well as income
statements for understanding the default risk level.
Compliance and Operational Risk Manager: They are responsible for handling the risk
related to legal sanctions, financial loss or loss of bank’s reputation. They ensure that the bank
complies with the government laws, standards and its own code of ethics and conducts. They
also manage any type of risk arising because of failure of internal processes, systems, people as
well as external events.
3.1 Risk Assessment and Threat Identification
. Risk assessment deals with a number of steps and procedures for understanding the
asset values, possible threats, system vulnerabilities, and predictable impacts of threats along
with the likelihood of threats (Kit et al. 2014). Risk can be defined as vulnerability functions as
well as the expected impacts of threats. Risk depends on the probability of the occurrence of
threat. System characterization is the first step in risk assessment. Information about the
software and hardware involved is initially found out (Aloini, Dulmin and Mininno 2012). NIST
framework of risk management involves assessment of risk after all the risks have been framed.
This framework integrates business processes, company goals, mission, SDLC processes and
information security infrastructure for effective risk assessment. The methodology of risk
assessment includes a process, risk model, an approach for assessment and analysis approach (Lo
and Chen 2012). After risk identification is carried out, the risks are monitored. ENISA
framework will be effective in the E-transaction processes of Nabil Bank for the purpose of

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
STRATEGIC INFORMATION SECURITY
assessing risks (Theoharidou, Mylonas and Gritzalis 2012). This model identifies the risk and
analyses it for the purpose of evaluation.
Information security can be enhanced in an organization only by identifying the possible
threats and risks. Threat can be considered to be a potential for some kind of trouble or damage
to IT infrastructure. After proper identification of threats a well planned security program can be
carried out in order to protect the bank from any data and security breach. Nabil Bank provides
several financial and banking services. It also provides online banking facilities to the customers.
There are two broad categories of threats that are identified initially. These are the internal and
external threats.
Internal threats: Business practices and processes of a financial institute have a huge
influence on internal threats. If more number of employees is able to access sensitive customer
information then the probability of threats will be more. The intensity of internal threats is less as
they are under the control of the bank.
External threats: These threats have a greater intensity as they are not under the control of
the bank. External threats can be reviewed by listing the reasons and ways in which personal
data can be accessed, identifying the ways by which the bank’s system is connected to outside
world via emails and networks, identifying service providers that have access to the data. Then
the exposure of the threat is identified.
Some of the threats that have been identified in the internet banking system of Nabil
Bank are phishing, spyware, viruses, Trojan horses as well as key loggers. In phishing attack
hoax mails are used for committing a fraud activity (Hong 2012). Online thieves can steal
sensitive data of the customers to misuse it. Spyware is a type of malicious software that collects

8
STRATEGIC INFORMATION SECURITY
valuable information of the users in a secretive manner for misusing and modifying it
(Giannetsos and Dimitriou 2013). Viruses can get attached to another program like spreadsheets
for replicating itself. Trojan horses are another type of threat where an application acts like a
secure application and harms the system in which it is downloaded or injected. Key logger
software is considered to be the most harmful threat of Nabil Bank (Dadkhah and Jazi 2014). If
key logger software is installed in the electronic device of the customer from where the customer
accesses online banking services, then it tracks all the information that is used by the customers.
This information can be used by the attackers in order to steal money from the bank. The
financial database of the bank can be hacked to access sensitive financial data (Martins, C.,
Oliveira and Popovič 2014). Deliberate and external threats are extremely harmful for the
banking sector as it causes huge financial loss. After identifying the threats, their exposure must
be determined to rank them based on their intensity. This will be extremely helpful for the bank
to mitigate risk in an efficient manner.
3.2 Security Models
Security models are responsible for providing standards for the purpose of comparison
and reference. Nabil Bank uses the NIST access control model for the purpose of identification
of access mechanism that is used in different levels that exist in the bank. Management level is
involved in dealing with information that will help in the strategic planning process. The level
that deals with administration work will be responsible for controlling operational data. The
technical layer of the bank deals with daily operational data that is needed for running the
business.

9
STRATEGIC INFORMATION SECURITY
NIST framework is responsible for describing the present cyber security posture, their
target state, find out ways to improve risk management and fosters the process of communication
between the external and internal stakeholders of the bank. The present risk management
procedure is not replaced when the bank uses NIST framework. Rather the NIST framework tries
to complement the present security structure (Chang, Kuo and Ramachandran 2016). The bank
can use its current structure and leverage NIST framework for the purpose of identifying
opportunities for improving the current risk security management. The security models of NIST
framework will be highly beneficial for Nabil Bank as their documents are available at free of
cost. It can also be updated by government. Risk assessment guidelines, security plans and
privacy control plans are provided NIST framework (Malik and Nazir 2012). Strong information
security policies can be implemented for protecting the bank’s valuable information.
4. Development of Security Program
Nabil Bank is a large sized company having 52 points of representation across Nepal.
The organization structure that is present in the bank is hierarchical in nature. The organization
has code of ethics and conducts incorporated in its culture. The main objective of the bank is to
provide a single and secure financial solution to its customers. Nabil Bank gives first priority to
its customer. The employees follow a code of ethics in the organization (Peltier 2016). They act
in an honest manner to protect the interest of their clients (Hu et al. 2012). The bank takes major
action against any employee who commits any misconduct. Strong information security policies
can be implemented for protecting the bank’s valuable information. A well planned security
program can be effective for protecting the bank from any security risks and threats. Financial
data breach will cause loss to the clients and also will affect the reputation of the bank. The
following steps can be taken in order to develop an efficient security program:

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
STRATEGIC INFORMATION SECURITY
Risk assessment: The first step in this process is to identify what department deals with
what information. The bank also needs to find out who has access to what sensitive information.
The second step will be to identify external and internal threats and determine its probability of
occurrence. The last step is to determine whether the existing policies are adequate for protecting
the information.
Current policy adjustments: A security policy must be designed to protect the customer
information. This policy must be approved by the board of directors in order to carry enhance the
information security of the bank.
Security control design: The management should focus on developing security control
plans for all the business units. There must be security guidelines present. Access controls need
to be designed where authentication procedures like passwords, PINs, electronic tokens are used.
Biometric identification and firewalls can be implemented for protecting the databases that store
sensitive financial data. The networks can be protected by implementing firewalls. The customer
details can be encrypted to protect it from any unauthorized access.
Response plan: The management team must develop and design a response plan for
overcoming a security breach situation. The person who is in charge of maintaining customer
information must design this plan. It must be well written. The plan needs to include the contact
details of law agencies for taking appropriate steps.
Service provider: The contract between the bank and service provider must contain
effective response plans. The bank must ensure that the contract contains appropriate standards
for information security.

11
STRATEGIC INFORMATION SECURITY
Testing: The testing of the security controls and plans must be done to make sure that the
bank is well protected from any type of security threat and risk (Shackelford et al. 2015). The
parties involved in the contract must conduct control testing. They must conduct ethical hacking
to find out the effectiveness of the security policies and plans.
5. Roles and Responsibilities
Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk
functions, tools as well as systems for identifying, assessing, measuring, monitoring and
reporting risks. They identify main risk areas and enhance the function of security architect.
They are also responsible for implementing security program.
Security Manager: The role of the security manager is to collect and utilize information in
an effective manner to achieve the goal of the organization. They are responsible for proper
communication of information among various layers.
Senior Credit Analyst: They are responsible for reviewing and assessing financial history
of a company or an individual for the purpose of determining whether the candidate is eligible
for getting loan. They evaluate financial statements like balance sheets as well as income
statements for understanding the default risk level.
6. Improvement Plan
Information security of Nabil Bank can be improved by adding more designations and
roles so that there is no overlap of responsibilities of the employees (Ahmad, Maynard and Park
2014). Some of the new titles that can play an effective role in improving information security
are:

12
STRATEGIC INFORMATION SECURITY
Technical security manager: The technical aspects of security will be looked after by
these managers. They will be involved in firewall implementation and encryption processes.
Program security manager: The third pert or vendor risks can be evaluated by these
managers.
CISO: The whole security policies can be looked after by CISO. CISO can take the
responsibility of design strong security policies for the organization.
Source code manager: The source codes can be reviewed by these managers for detecting
any type of vulnerability.
There can be many specialized roles like virus technicians whose responsibility will be to
detect new virus as well as develop a defense plan to fight the virus.
7. Training Requirements
The employees of Nabil Bank must be aware of the need of a strong information security
program. Employee training can be considered to be a critical component for the information
security of bank. Management must document the information regarding which employee has
access to what valuable information of the customers (Hu et al. 2012). The employees must be
made aware of the security policies of the bank. They must be trained to identify valuable
customer information. Employees must be given training on how to implement the written
policies that governs the disclosure of the information of the customers (Lebek et al. 2013).
There need to be regular meetings to discuss new policies and modify existing policies for
improving the present information security policy.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
STRATEGIC INFORMATION SECURITY
8. ISO Standards and Models
ISO model is used in most of the industries. ISO standards provide a common base to all
the organizations in order to develop security standards and policies (Disterer 2013).
Organizations are able to develop inter organizational deals by using ISO standards.
ISO/IEC 27001: This standard helps in implementing ISO/IEC 27002 in order to set up
ISMS (Susanto, Almunawar and Tuan 2012).
ISO/IEC 27002: This standard addresses the security needs of an organization. It also
helps in developing security policies (Ramanauskaite et al. 2013).
ISO model is well suited for Nabil Bank because it will assist the bank in developing
management system for managing information security. The ENISA model can also be suitable
for Nabil Bank for the purpose of securing the E-transaction and E-channel.
9. Conclusion
This report concluded that Nabil Bank can improve its information security by adopting a
well defined security program. This report discussed about the critical factors of information
security like confidentiality, availability and integrity. It said that the breach of data and
information security can lead to serious and potential losses. The main purpose of assessing risk
is to identify organizational threats and vulnerabilities. Internal threats can be identified by
finding out which staff has access to which information and overlapping information. It pointed
out that the security system of the bank is accessed by an unauthorized outsider then this result in
external threats. It gave a description about the security program that can be adopted by Nabil
Bank. This report discussed about the current roles and suggested an improvement plan for
making the information security of the organization strong. It suggested that the employees must

14
STRATEGIC INFORMATION SECURITY
be made aware of the security policies of the bank. This report concluded that ISO model is
suitable for the bank and ENISA model is suitable for its electronic transaction system. The
advanced technologies as well the communication channels need to be protected from attackers.
10. Recommendations
Nabil Bank can secure its information and data from unauthorized access by following
certain steps:
Encryption: Financial data must be encrypted so that the hackers cannot get access to it.
Employee training: Proper training must be imparted to the employees to enhance the
information security.
Updated software: Latest version of the software must be installed in the system. It must
be updated regularly.
Firewall: Firewall implementation will protect financial information from any external
intrusion.

15
STRATEGIC INFORMATION SECURITY
11. References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-
370.
Aloini, D., Dulmin, R. and Mininno, V., 2012. Risk assessment in ERP projects. Information
Systems, 37(3), pp.183-199.
Chang, V., Kuo, Y.H. and Ramachandran, M., 2016. Cloud computing adoption framework: A
security framework for business clouds. Future Generation Computer Systems, 57, pp.24-41.
Dadkhah, M. and Jazi, M.D., 2014. Secure payment in E-commerce: Deal with Keyloggers and
Phishings. International Journal of Electronics Communication and Computer
Engineering, 5(3), pp.656-660.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security
management. Journal of Information Security, 4(02), p.92.
Giannetsos, T. and Dimitriou, T., 2013, April. Spy-Sense: spyware tool for executing stealthy
exploits against sensor networks. In Proceedings of the 2nd ACM workshop on Hot topics on
wireless network security and privacy (pp. 7-12). ACM.
Hong, J., 2012. The state of phishing attacks. Communications of the ACM, 55(1), pp.74-81.
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with
information security policies: The critical role of top management and organizational
culture. Decision Sciences, 43(4), pp.615-660.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16
STRATEGIC INFORMATION SECURITY
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with
information security policies: The critical role of top management and organizational
culture. Decision Sciences, 43(4), pp.615-660.
Kit, R.I.S., Allen, K., Mazzotti, F.J. and Briggs-Gonzalez, V., 2014. Risk Assessment
Methodology.
Lebek, B., Uffen, J., Breitner, M.H., Neumann, M. and Hohler, B., 2013, January. Employees'
information security awareness and behavior: A literature review. In System Sciences (HICSS),
2013 46th Hawaii International Conference on (pp. 2978-2987). IEEE.
Lo, C.C. and Chen, W.J., 2012. A hybrid information security risk assessment procedure
considering interdependences between controls. Expert Systems with Applications, 39(1),
pp.247-257.
Malik, A. and Nazir, M.M., 2012. Security framework for cloud computing environment: A
review. Journal of Emerging Trends in Computing and Information Sciences, 3(3), pp.390-394.
Martins, C., Oliveira, T. and Popovič, A., 2014. Understanding the Internet banking adoption: A
unified theory of acceptance and use of technology and perceived risk application. International
Journal of Information Management, 34(1), pp.1-13.
Nabilbank.com. 2017. About Nabil Bank - Nabil Bank Limited – First Private Commercial Bank.
[online] Available at: http://www.nabilbank.com/intro/about-nabil-bank/11-product-services/
deposit-products [Accessed 5 Oct. 2017].
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.

17
STRATEGIC INFORMATION SECURITY
Ramanauskaitė, S., Olifer, D., Goranin, N. and Čenys, A., 2013. Security ontology for adaptive
mapping of security standards. International Journal of Computers, Communications & Control
(IJCCC), 8(6), pp.813-825.
Sandberg, H., Amin, S. and Johansson, K.H., 2015. Cyberphysical security in networked control
systems: An introduction to the issue. IEEE Control Systems, 35(1), pp.20-23.
Shackelford, S.J., Proia, A.A., Martell, B. and Craig, A.N., 2015. Toward a Global Cybersecurity
Standard of Care: Exploring the Implications of the 2014 NIST Cybersecurity Framework on
Shaping Reasonable National and International Cybersecurity Practices. Tex. Int'l LJ, 50, p.305.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2012. Information security challenge and
breaches: novelty approach on measuring ISO 27001 readiness level. International Journal of
Engineering and Technology. IJET Publications UK, 2(1).
Theoharidou, M., Mylonas, A. and Gritzalis, D., 2012. A risk assessment method for
smartphones. Information security and privacy research, pp.443-456.
Vacca, J.R., 2012. Computer and information security handbook. Newnes.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber
security. computers & security, 38, pp.97-102.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.

18
STRATEGIC INFORMATION SECURITY

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

19
STRATEGIC INFORMATION SECURITY

1 out of 20

+13062052269

info@desklib.com

Information Security Risk Assessment

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Information Security Fundamentals and Best Practices

Strategic Information Security Program Development for Yahoo Inc.

Strategic Information Security: ANSTO

Developing a security program in Banks of America

Comprehensive Risk Report for ABC Fitness Gym

Information Security Compliance Analysis