Information Security Report: CBA Security Policy & Threat Analysis
Added on 2023/06/07
AI Summary
This report delves into the critical aspects of information security for the Commonwealth Bank of Australia (CBA). It highlights the importance of safeguarding sensitive data through confidentiality, integrity, and availability, achieved via cryptography, user authentication, and access restriction. A strategic security policy tailored for CBA is presented, emphasizing customer privacy, information clarity, authorized access, responsible information usage, secure information sharing, and continuous data maintenance. The report identifies and assesses potential threats and vulnerabilities, including Denial of Service (DoS) attacks, phishing, eavesdropping, Trojan horses, and malicious software, further detailing mitigation techniques such as over-provisioning, IP access lists, antivirus software, employee training, encryption, and regular software updates. This comprehensive analysis provides a framework for enhancing information security within CBA and similar organizations.

Running head: INFORMATION SECURITY
Information Security: Commonwealth Bank of Australia
Name of the Student
Student ID
Subject
Date
Author’s Note:
Word Count: 2095
Executive Summary
The main aim of this report is to examine information security for an Australian organization,
namely the Commonwealth Bank of Australia. Information security makes effective risk
management possible, and sensitive information should be maintained properly so that the
data is not changed, transferred or altered under any circumstances. Information security
should protect three characteristics of this confidential information: confidentiality, integrity
and availability. These are ensured through factors such as cryptography, strong user
authentication, restriction of data access and restriction of the number of places in which the
data can appear. This report explains the importance of information security within the
Commonwealth Bank of Australia. A security policy is provided for the bank, and the various
threats and vulnerabilities are identified and assessed. Mitigation techniques are also provided
for these risks.
Table of Contents
Introduction
Discussion
a) Strategic Security Policy for Commonwealth Bank of Australia
b) Identification and Assessing of Potential Threats and Vulnerabilities with Mitigation Techniques
Conclusion
References
Introduction
Information security (IS) is designed to protect the availability, integrity and
confidentiality of system data or information from any kind of malicious activity
(Crossler et al. 2013, p. 90). These three properties are referred to as the major factors of
information security. Authenticity, utility and availability are strongly affected by this type
of information security (Von Solms & Van Niekerk 2013, p. 102). Implementation of
cryptographic algorithms is one of the major requirements in data security.
This report explains the importance of information security for the Commonwealth Bank of
Australia, one of the most important banks in New Zealand and Australia. A strategic security
policy is given in this report after a basic analysis or research. The threats or risks that could
be dangerous for the business of the bank are also documented here, with relevant mitigation
techniques.
Discussion
a) Strategic Security Policy for Commonwealth Bank of Australia
The Commonwealth Bank of Australia (CBA) is a popular multinational bank within Australia
that provides services to clients in New Zealand, the United Kingdom, Asia, Australia and the
United States (Commbank.com.au. 2018). It provides several banking and financial services,
such as retail banking, broking services, insurance, superannuation, funds management,
investments, business banking and institutional banking. The bank has over fifty thousand
staff and, according to a survey, its net income was more than 9.881 billion Australian dollars
in 2017 (Commbank.com.au. 2018).
A strategic security policy provides the set of strategies that a company uses to secure its
resources or assets from all kinds of risks and vulnerabilities (Peltier 2013, p. 2). This type of
security policy helps to protect organizational resources, and the functional flow is measured
with it. The Commonwealth Bank of Australia follows a security policy as per the Privacy Act.
Stakeholders of the bank can provide better effectiveness or efficiency for the bank's
procedures. CBA has segregated its
stakeholders into eight subgroups: NGOs or community organizations, media, service
providers, regulators and government, suppliers, investor communities, employees and
customers (Commbank.com.au. 2018). The strategic security policy of the Commonwealth Bank
of Australia is as follows:
i) Privacy of Customers: Customers are the first and foremost priority of this bank, and hence
it makes sure that their information is secured properly. The handling of the various credit
reports and credit information depends entirely on the security policy (Andress 2014, p. 1).
When customers fill in their application forms, they should agree to a few terms and
conditions.
ii) Information Clarity: The next factor within the security policy is information clarity
(Disterer 2013, p. 92). To collect information or data properly, the bank checks the services or
products used by its clients. The data it collects mainly concerns customers' personal
identities, such as date of birth, name, gender, marital status, address, tax file number and tax
residency status. Furthermore, information related to insurance, transactions and finances is
collected in the process (Jouini, Rabai & Aissa 2014, p. 492). The Commonwealth Bank of
Australia also updates its client data, with the core purpose of not losing data and stopping
unauthenticated access to data.
iii) Identifying the Authorized Members: The confidential data or bank details can be accessed
only by authorized or authenticated members (Ahmad, Maynard & Park 2014, p. 360). The
authorized staff of the Commonwealth Bank of Australia are employers, agents, service
providers, customers, advisers, brokers and many others. Thus the bank's stakeholders are
termed the only authorized members.
iv) Using Information: The bank's sensitive information is used only with security and privacy
measures in place (Tamjidyamcholo et al. 2013, p. 229). Data can be collected, used and finally
exchanged after the identities of both employees and customers are confirmed. Next,
applications for products and services are assessed. The third step is designing, managing and
providing products or services. In this way, dangerous risks and threats can be minimized and
illegal actions identified (Layton 2016, p. 2). CBA has applied certain laws for managing its
confidential information. Moreover, it assists law enforcement agencies and the government of
Australia.
v) Sharing their Information: CBA is careful with its sensitive information and ensures that it
is used only by authenticated users. Service providers such as loyalty program partners,
product distributors and insurers are termed the first persons to access data (McIlwraith 2016,
p. 1). Furthermore, auditors, brokers, guarantors, investigators, law enforcement agencies,
security providers, assessors, card holders, agents, government agencies, advisers and many
others have significant access to its confidential information.
vi) Maintenance of Information Security: Various methods are followed within the
organization to maintain the confidentiality and integrity of information (AlHogail 2015,
p. 571). The first and foremost is training staff to store and handle data securely. Several
mitigation techniques are also applied in the organization, such as intrusion detection to stop
virus attacks, firewalls and antivirus software. Secure networks and encryption techniques are
used to secure the systems. Furthermore, alarms, cameras and AI-based security controls are
implemented in the bank's buildings (Cavelty & Mauer 2016, p. 2).
vii) Updates of Data: CBA often updates its data so that it can follow up properly with its
customers and employees. Updating the data prevents it from being lost.
viii) Maintenance of Privacy Complaints: If any client complains about privacy issues, the
Commonwealth Bank of Australia takes serious action on these issues, and hence they are
stopped (Shamala, Ahmad & Yusoff 2013, p. 47).
b) Identification and Assessing of Potential Threats and Vulnerabilities
with Mitigation Techniques
I) Threats and Vulnerabilities: Several threats and vulnerabilities to the network of CBA are
dangerous for the bank's details or information (B. Kim 2014, p. 117). The probable threats and
vulnerabilities to the network of CBA are given below:
i) Denial of Service Attack: The first and foremost vulnerability for CBA's network is the
denial of service (DoS) attack (Sommestad, Karlzén & Hallberg 2015, p. 203). In this attack,
the hacker could easily get into the machines and network resources
with the purpose of making them completely inaccessible or unavailable to all authorized
users, by either temporarily or permanently disrupting the services of a specific host
connected to the Internet. These attacks can be accomplished either by flooding the target
machines and resources or by overloading the information systems (Layton 2016, p. 2). A
distributed denial of service (DDoS) attack is a higher level of denial of service attack, in
which the attacker involves various systems.
ii) Phishing: The next threat to the computer network of CBA is phishing (Ahmad, Maynard &
Park 2014, p. 361). Phishing can be defined as a fraudulent attempt to obtain access to sensitive
data such as credit card details, passwords, usernames or similar information for malicious
purposes, by posing as a trustworthy entity to the intended user in electronic communication.
Phishing can be carried out easily and promptly either by instant messaging or by email
spoofing. The attackers direct authenticated users to enter confidential data into fake websites
(Von Solms & Van Niekerk 2013, p. 101). The main methods to communicate with the users are
auction sites, online payment processors, banks and social websites. Phishing is extremely
dangerous for banks since the details are stolen.
iii) Eavesdropping: The third specific vulnerability to CBA's network is eavesdropping. It is
one of the major methods of unauthorized monitoring of the communication of authenticated
people. The attacker secretly accesses private data and communication without taking consent
from the authorized users (Jouini, Rabai & Aissa 2014, p. 489). Eavesdropping can be carried
out easily and promptly either by instant messaging or by email spoofing. Voice over Internet
Protocol is also used to execute this threat.
iv) Trojan Horse: This is another popular type of computer network threat for the
Commonwealth Bank of Australia. It is malicious software that misleads authenticated and
intended users (Ahmad, Maynard & Park 2014, p. 358). A Trojan horse is generally spread by a
social engineering attack, such as duping a user into opening an unnamed attachment sent
through email. When the victim clicks on the attachment, the malicious software gets into the
machine and hacks the data.
v) Malicious Software: The fifth type of vulnerability for the Commonwealth Bank of
Australia is malicious software. The other name of this software is computer virus (Cavelty &
Mauer 2016, p. 1). These malicious programs, whenever executed, replicate
themselves after making significant modifications to computer software. As soon as the
replication is done, the affected areas are infected and the virus starts working.
II) Mitigation Techniques for Threats and Vulnerabilities: The above-mentioned risks and
vulnerabilities to the network of CBA can be mitigated with significant techniques or measures
(Crossler et al. 2013, p. 96). The mitigation techniques are given below:
i) Mitigation Technique for Denial of Service Attack: There are two specific techniques for
mitigating a DoS attack. The most important is over-provisioning as a brute-force defence,
and the next is configuring an IP access list on Windows firewalls (Peltier 2013, p. 3).
ii) Mitigation Technique for Phishing: This is one of the most significant threats or
vulnerabilities and should be mitigated in time. Continuous updating of the antivirus software
is required here. Moreover, basic training is needed for the staff and employees of this
Australian bank (Disterer 2013, p. 92). A trained employee would never click on unnamed
emails or websites. Daily software updates are also required to detect and prevent fraudulent
activities.
iii) Mitigation Technique for Eavesdropping: The threat of eavesdropping could bring major
vulnerability within the bank's information system. Hackers should not get access to
confidential bank details, and for this purpose encryption could be extremely effective
(AlHogail 2015, p. 574). All data should be encrypted so that hackers cannot hack the data at
any cost.
iv) Mitigation Technique for Trojan horse: The mitigation technique for the threat of Trojan
horse is implementing firewalls. Firewalls are extremely efficient, since attacks and
vulnerabilities can be easily detected as well as prevented.
v) Mitigation Technique for Malicious Software: Malicious software is an extreme
vulnerability to the computer network of the Commonwealth Bank of Australia (Shamala,
Ahmad & Yusoff 2013, p. 46). There are two specific security measures that are efficient for
mitigating the threat. The most important is implementing antivirus software; as soon as this
implementation is completed, the updates should be downloaded to fix the latest virus (B. Kim
2014, p. 121). The second mitigation technique is ensuring that the antivirus software can
scan emails.
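The IP access list named in mitigation item i) above can be illustrated with a short Python model. This is an added example, not part of the original report and not CBA's configuration: it evaluates an ordered, first-match access list with default deny, reports entries that can never match, and adds deny entries for sources that flood a fixed time window. All addresses, thresholds and log lines are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str       # "allow" or "deny"
    network: object   # ipaddress.IPv4Network or IPv6Network


def parse_acl(lines):
    """Parse lines such as 'deny 203.0.113.0/24' into an ordered rule list."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, cidr = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # strict=True rejects entries such as 10.0.0.5/8 (host bits set),
        # a typo that would otherwise silently change what the rule covers.
        rules.append(AclRule(action, ipaddress.ip_network(cidr, strict=True)))
    return rules


def evaluate(rules, source_ip, default="deny"):
    """First matching rule wins; anything unmatched gets the default action."""
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if addr in rule.network:
            return rule.action
    return default


def shadowed_rules(rules):
    """Return (shadowed_index, covering_index) for rules that can never match."""
    found = []
    for j, rule in enumerate(rules):
        for i in range(j):
            earlier = rules[i].network
            if earlier.version == rule.network.version and rule.network.subnet_of(earlier):
                found.append((j, i))
                break
    return found


def flood_sources(log_lines, window_seconds, max_requests):
    """Sources with more than max_requests in any fixed window.

    Assumed log format (constructed): '<epoch_seconds> <source_ip>'.
    """
    buckets = Counter()
    for line in log_lines:
        ts, src = line.split()
        buckets[(src, int(ts) // window_seconds)] += 1
    return sorted({src for (src, _), n in buckets.items() if n > max_requests})


def tighten(rules, offenders):
    """Prepend host deny entries so they match before any broader allow."""
    extra = [AclRule("deny", ipaddress.ip_network(ip))
             for ip in offenders if evaluate(rules, ip) == "allow"]
    return extra + list(rules)


# Constructed access list using documentation address ranges.
ACL_TEXT = [
    "deny  203.0.113.0/24     # constructed blocked range",
    "allow 198.51.100.0/24    # constructed partner network",
    "allow 192.0.2.0/24       # constructed branch network",
    "deny  198.51.100.128/25  # never reached: covered by the allow above",
]

# Constructed connection log: two sources exceed 5 requests in a 10 s window.
LOG = ([f"{1000 + i} 198.51.100.7" for i in range(6)]
       + ["1001 192.0.2.10", "1012 192.0.2.10"]
       + [f"{1000 + i} 203.0.113.9" for i in range(7)])

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("shadowed:", shadowed_rules(rules))
    offenders = flood_sources(LOG, window_seconds=10, max_requests=5)
    print("offenders:", offenders)
    for rule in tighten(rules, offenders):
        print(rule.action, rule.network)
```

The shadowed entry shows why rule order matters in a first-match list: the later deny for 198.51.100.128/25 has no effect until it is moved above the broader allow.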
Conclusion
In conclusion, information security is the basic practice of defending digital information from
any type of unauthorized or unauthenticated access, use, recording, disruption, modification
or destruction with the help of proper security measures. Its three features are
confidentiality, integrity and availability. Confidentiality means that only authenticated users
can view the information. Integrity means that the information is accurate and cannot be
changed during its complete life cycle. Finally, availability means that the confidential data
can be accessed by authorized and authenticated users whenever it is required. Data integrity
is ensured with strong user authentication, restriction of access and cryptography. Data
availability is ensured with the help of an anti-DDoS system, a data recovery process and a
backup process. This report has described information security for the Commonwealth Bank of
Australia. Threats and vulnerabilities are identified and mitigation techniques are provided
for CBA.
References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
AlHogail, A., 2015. Design and validation of information security culture
framework. Computers in Human Behavior, 49, pp.567-575.
Andress, J., 2014. The basics of information security: understanding the fundamentals of
InfoSec in theory and practice. Syngress.
B. Kim, E., 2014. Recommendations for information security awareness training for college
students. Information Management & Computer Security, 22(1), pp.115-126.
Cavelty, M.D. and Mauer, V., 2016. Power and security in the information age: Investigating
the role of the state in cyberspace. Routledge.
Commbank.com.au. 2018. Privacy Policy-CommBank. [online] Available at:
https://www.commbank.com.au/content/commbank-neo/security-privacy/general-security/privacy-policy-html-version.html
[Accessed 17 Sep. 2018].
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R.,
2013. Future directions for behavioral information security research. Computers &
Security, 32, pp.90-101.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security
management. Journal of Information Security, 4(02), p.92.
Jouini, M., Rabai, L.B.A. and Aissa, A.B., 2014. Classification of security threats in
information systems. Procedia Computer Science, 32, pp.489-496.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and
compliance. Auerbach Publications.
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk
through employee education, training and awareness. Routledge.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
INFORMATION SECURITY
References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
AlHogail, A., 2015. Design and validation of information security culture
framework. Computers in Human Behavior, 49, pp.567-575.
Andress, J., 2014. The basics of information security: understanding the fundamentals of
InfoSec in theory and practice. Syngress.
B. Kim, E., 2014. Recommendations for information security awareness training for college
students. Information Management & Computer Security, 22(1), pp.115-126.
Cavelty, M.D. and Mauer, V., 2016. Power and security in the information age: Investigating
the role of the state in cyberspace. Routledge.
Commbank.com.au. 2018. Privacy Policy-CommBank. [online] Available at:
https://www.commbank.com.au/content/commbank-neo/security-privacy/general-security/
privacy-policy-html-version.html [Accessed 17 Sep. 2018].
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R.,
2013. Future directions for behavioral information security research. computers &
security, 32, pp.90-101.
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security
management. Journal of Information Security, 4(02), p.92.
Jouini, M., Rabai, L.B.A. and Aissa, A.B., 2014. Classification of security threats in
information systems. Procedia Computer Science, 32, pp.489-496.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and
compliance. Auerbach Publications.
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk
through employee education, training and awareness. Routledge.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

10
INFORMATION SECURITY
Shamala, P., Ahmad, R. and Yusoff, M., 2013. A conceptual framework of info structure for
information security risk assessment (ISRA). Journal of Information Security and
Applications, 18(1), pp.45-52.
Sommestad, T., Karlzén, H. and Hallberg, J., 2015. The sufficiency of the theory of planned
behavior for explaining information security policy compliance. Information & Computer
Security, 23(2), pp.200-217.
Tamjidyamcholo, A., Baba, M.S.B., Tamjid, H. and Gholipour, R., 2013. Information
security–Professional perceptions of knowledge-sharing intention under self-efficacy, trust,
reciprocity, and shared-language. Computers & Education, 68, pp.223-232.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber
security. Computers & Security, 38, pp.97-102.