Attijariwafa Bank: Information Assets Audit and Access Control Policy

Added on  2022/07/29

AI Summary
This report presents an audit of the information system access control policy of Attijariwafa Bank of Morocco. The audit examines the bank's access control policy, user access management, and user responsibilities concerning information security. The report highlights the importance of a robust access control policy, including physical and logical measures, such as passwords and biometrics. It details user registration and de-registration processes, privilege management, and password allocation and reallocation procedures. The audit also covers user responsibilities, emphasizing password hygiene, awareness of security threats, and adherence to clear desk policies. The report concludes with a positive assessment of the bank's information security management, recommending further enhancements like the use of firewalls and increased awareness of cyber-crimes.
Running head: INFORMATION ASSETS AUDITING 1
Information assets audit
Table of Contents
Introduction
Access control policy
User access management
User responsibilities
Conclusion
References
Introduction
Information is a critical asset to any organization and therefore requires management that is as trustworthy and reliable as that of any other organizational resource. An organization's information system deserves protection of the same magnitude as its financial and human-resource records. This document is an audit of the information-system access control policy of Attijariwafa bank of Morocco.
Access control policy
Commendable security of information systems is fundamental, and every organization strives to keep its systems secure. Data insecurity is strongly linked to unauthorized and malicious access to the system, hence the need for a solid access control policy. An access control policy is a high-level specification of access control for an organization's information system.
Attijariwafa bank deserves credit for the formulation and implementation of access policies for its information system. The first step in the access control policy is to hold a registered, active account in the organization's system; without an account, the information in the bank system cannot be accessed. The accounts are of distinct kinds: some are privileged to access the entire system's information and are meant for employees, while others are limited and meant for clients. In either case the use of a password is mandatory (Al-Hashimi et al., 2019). The organization's access control policy comprises both physical and logical control measures.
Passwords and biometrics make up the logical control mechanism, while the measures that control access to rooms and machines form the physical regulation mechanism adopted. Human guards, solid doors and locks play, for physical access control, the role that the password plays for logical access control. The organization's service providers, as well as its clients, are sufficiently conversant with the security and access control measures the organization uses (Steinbart, Raschke, Gal, & Dilla, 2018). Awareness of this subject is, to some extent, borrowed from the standard security measures used by most organizations and homes, so there is no difficulty in understanding why the measures exist.
User access management
Data access management is a primary component of the access control policy. Registration of a person into the bank system begins right after they declare an interest in becoming an account holder. The account links the client to the bank and makes the information accessible; de-registration of the account cuts the individual's access to the information in the bank system (Bélanger, Collignon, Enget, & Negangard, 2017). The bank system has several access interfaces, namely the client interface and the banker interface. The banker interface is privileged in the sense that a teller can access a client's information in the bank information system, which is a major access control on the information in the system. A client's access is limited to his or her own details. This measure protects individuals from breaches of their financial information.
The use of passwords is central to the data access control policy and hence to secure system access. Passwords are allocated and reallocated by a central password management body, and system users cannot change them themselves. Central allocation and reallocation of passwords is meant to mitigate data breaches by the system users, who are mostly employees of the bank. Employees using the system are required to sign a statement declaring that they will keep their password private, and they undertake to do everything possible to ensure that passwords do not leak, whether willingly or accidentally (Gupta, Sharman, Walp, & Mulgund, 2017). The password acts as a gate pass to the system and therefore as an access control. The repercussions of password leakage are also well documented, and employees are required to agree to the terms and conditions. The information and software department carries out a regular review of privileged access every three months to ensure that no unauthorized person holds privileged access.
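The registration, de-registration and three-monthly privileged-access review described above reduce, in practice, to reconciling the system's account inventory against the list of users the privilege-management process actually approved, and flagging anything that should not be there. The following is an added example in Python, not code from the bank or from the original report; the account fields, the 90-day dormancy threshold and every sample account are constructed assumptions.

```python
"""Quarterly privileged-access review over a constructed account inventory.

Added example, not from the audited bank or the original report. The field
names, the 90-day dormancy threshold and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool   # can read any client's record (teller/admin interface)
    active: bool       # False once the user has been de-registered
    last_login: date


# Constructed inventory, shaped like a system export would be.
ACCOUNTS = [
    Account("teller01", True, True, date(2022, 7, 20)),
    Account("admin.db", True, True, date(2022, 3, 1)),       # dormant privileged account
    Account("contractor7", True, True, date(2022, 7, 25)),   # privileged but never approved
    Account("ex.employee", True, False, date(2022, 1, 15)),  # de-registered, still privileged
    Account("client4411", False, True, date(2022, 7, 28)),   # ordinary client account
]

# Constructed list of users the privilege-management process approved.
APPROVED_PRIVILEGED = {"teller01", "admin.db", "ex.employee"}

DORMANT_AFTER = timedelta(days=90)   # assumed: one review period without use
REVIEW_DATE = date(2022, 7, 29)      # assumed date of the review run


def review_privileged_access(accounts, approved, today, dormant_after=DORMANT_AFTER):
    """Return the findings a three-monthly privileged-access review should raise.

    unapproved                   privileged accounts nobody approved
    deregistered_still_privileged  accounts de-registered but still holding privilege
    dormant                      active privileged accounts unused for a whole period
    approved_but_missing         approvals with no matching privileged account (list drift)
    """
    findings = {"unapproved": [], "deregistered_still_privileged": [], "dormant": []}
    for acct in accounts:
        if not acct.privileged:
            continue
        if acct.username not in approved:
            findings["unapproved"].append(acct.username)
        if not acct.active:
            findings["deregistered_still_privileged"].append(acct.username)
        elif today - acct.last_login > dormant_after:
            findings["dormant"].append(acct.username)
    present = {a.username for a in accounts if a.privileged}
    findings["approved_but_missing"] = sorted(approved - present)
    return findings


def run_sample_review():
    """Run the review over the constructed data at the assumed review date."""
    return review_privileged_access(ACCOUNTS, APPROVED_PRIVILEGED, REVIEW_DATE)


if __name__ == "__main__":
    for kind, names in run_sample_review().items():
        print(f"{kind}: {names}")
```

Each finding maps to an action the policy already names: an unapproved privileged account is revoked, a de-registered user's privilege is removed with the account, and a dormant privileged account is either re-approved or retired. Keeping the approved list separate from the system export is what makes the check meaningful; reviewing the export on its own only confirms what the system already does.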
User responsibilities
Passwords are the gates to the information system. Organizational information-system passwords are centrally managed: persons with privileged access are issued their system password, and it is changed regularly by the central body. Clients, by contrast, select passwords they are comfortable with; they are, however, advised by the information department on password hygiene, such as avoiding obvious passwords like the sequential digits 1234. Using personal details such as individuals' names as passwords is also strongly discouraged, as is password sharing (Halabi, & Bellaiche, 2017). Around 80% of organizational information breaches are caused by employees, whether willingly or unwillingly. Password hygiene therefore contributes significantly to controlled access to the system and hence to its security.
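The password-hygiene advice above (no sequential runs such as 1234, no personal names, no sharing) is easiest to enforce at the point where a client chooses a password rather than by advice alone. Below is an added example of such a check in Python; it is not code from the bank or from the original report, and the length threshold, the small weak-password list and the sample inputs are assumptions. It goes a little beyond the text by also catching descending runs, repeated characters and the user's own login name.

```python
"""Password-hygiene checks of the kind the information department advises clients to follow.

Added example, not code from the audited bank or the original report. The
thresholds and the weak-password list are assumptions.
"""
import re

MIN_LENGTH = 12        # assumed policy minimum
RUN_LENGTH = 4         # runs this long ("1234", "abcd", "4321", "aaaa") are rejected
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}  # constructed


def _has_sequential_run(s, run=RUN_LENGTH):
    """True if any window of `run` characters steps up or down by exactly one code point."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_run(s, run=RUN_LENGTH):
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def _identity_parts_in(password, username, full_name):
    """Login name and name parts of four or more characters that appear in the password."""
    hay = password.lower()
    parts = [username] + full_name.split()
    return [p for p in parts if len(p) >= 4 and p.lower() in hay]


def check_password_hygiene(password, username="", full_name=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if password.isdigit():
        problems.append("digits only")
    if _has_sequential_run(password):
        problems.append("contains a sequential run such as 1234 or abcd")
    if _has_repeated_run(password):
        problems.append("contains a repeated character run")
    for part in _identity_parts_in(password, username, full_name):
        problems.append(f"contains personal identifier '{part}'")
    return problems


if __name__ == "__main__":
    # Constructed client: login "amine", display name "Amine Benali".
    for candidate in ("1234", "Benali2022!xyz", "Gr4nd-Casablanca-Tram#9"):
        print(candidate, "->", check_password_hygiene(candidate, "amine", "Amine Benali") or "ok")
```

The check returns every violation rather than stopping at the first, so the client sees at once why a password was refused. Comparing the lowercased password against name parts catches the "individuals as passwords" case the text warns about without needing a dictionary.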
To cope with this challenge, the organization raises awareness among contractors of the need for, and the security mechanisms installed on, unattended equipment. The organization at times goes the extra mile to train users on measures against program attacks by viruses and malware (Mushtaq et al., 2017). The organization has a firm clear desk policy: employees are required to keep their desks clear, which limits the likelihood of passwords and information being accessed by unauthorized persons. The organization also has a strong policy that employees must log out and clear their screens before leaving, all as security measures.
Conclusion
In summary, Attijariwafa bank deserves credit for its information security management. The organization ensures that the information available to any user is only that which the user is authorized to access. The use of passwords and privileged access are the primary security policies, used alongside clear screen and clear desk policies. It is, however, recommended that the organization adopt the use of firewalls and provide sufficient awareness of cyber-crimes to clients and employees.
References
Al-Hashimi, M., Al-Nidawi, W. J., Othman, M., Shakir, M., & Sulaiman, H. (2019). Evaluate Information Security Governance Frameworks in Cloud Computing Environment Using Main and Sub Criteria. Journal of Computational and Theoretical Nanoscience, 16(3), 996-1006.
Bélanger, F., Collignon, S., Enget, K., & Negangard, E. (2017). Determinants of early conformance with information security policies. Information & Management, 54(7), 887-901.
Gupta, M., Sharman, R., Walp, J., & Mulgund, P. (Eds.). (2017). Information Technology Risk Management and Compliance in Modern Organizations. IGI Global.
Halabi, T., & Bellaiche, M. (2017). Towards quantification and evaluation of security of Cloud Service Providers. Journal of Information Security and Applications, 33, 55-65.
Mushtaq, M. O., Shahzad, F., Tariq, M. O., Riaz, M., & Majeed, B. (2017). An efficient framework for information security in cloud computing using auditing algorithm shell (AAS). arXiv preprint arXiv:1702.07140.
Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society, 71, 15-29.