IT Audit and Controls: Data Security at National Australian Bank
Added on 2023/01/12
Report
AI Summary
This report provides an IT audit of the National Australian Bank (NAB), examining a data breach that exposed customer data. It investigates common data security issues, such as system integrity, data privacy, and data protection policies. The report details NAB's response to the breach, including communication with affected customers and regulatory bodies, and outlines essential data security measures like encryption, data tracking, and secure deletion. Furthermore, it explores the crucial role of cloud computing in information security, highlighting its advantages in centralizing security processes and streamlining network monitoring. The conclusion emphasizes the importance of robust data protection and security for financial institutions in the digital age.

IT Audit and Controls

Table of Contents
INTRODUCTION
Data Security and Privacy Issues at National Australian Bank
Common Data Security Issues to be Investigated by an Auditor
National Australian Bank’s Response to the Data Breach
Data Security Measures that National Australian Bank Needs to Adopt
Role of Cloud Computing in Information Security
CONCLUSION
REFERENCES

INTRODUCTION
The security and privacy of consumer data have become a major concern for business
organisations in the digital age. Business organisations have to keep updating their
protection methods and systems to ensure that no lapses in data security and privacy occur (Zhang,
2018). This report audits the data security and privacy efforts of the National Australian Bank
(NAB), which is amongst the four largest financial institutions in Australia on the basis of
customer share, revenue and market capitalisation. NAB was founded in 1982 and operates from its
headquarters in Melbourne, Australia. As per the latest estimates, NAB employs around
35,063 individuals for its operations.
Data Security and Privacy Issues at National Australian Bank
Business organisations can only function successfully in consumer markets if their
customers and the general public have trust and confidence in their operations. This is especially
true for the banking and financial services industries, as consumers have to provide their personal
as well as financial information to these businesses, showing trust and confidence
in the business organisation’s ability to protect and secure the data from external forces. On 26th
July, 2019, the National Australian Bank, which is amongst the four largest financial service
institutions in Australia, found out that a data breach had occurred in its systems, through
which the personal data of more than 13,000 of its customers had been uploaded to the servers
of two data service organisations without the explicit authorisation of NAB (Bertino and Ferrari,
2018). This was a major blunder in NAB’s operations and was effectively a betrayal of the
trust and confidence that customers had shown in NAB to protect and secure their private
personal data.
As the data had been uploaded without the appropriate authorisation of NAB’s
leadership and management, it was a breach of its data security policies and systems. Through
this data breach, the personal information of more than 13,000 of its trusting customers was
leaked to the servers of external data service companies. This data contained personal
information that NAB collected from its customers when they set up their financial accounts, such
as the customer’s official name, date of birth, contact details, government issued identification
number including driving license information. As this data is highly sensitive and confidential in
nature, NAB audited its data security policies and systems in order to assess how the
breach took place.
After thoroughly checking its internal systems and data security policies, NAB judged
that the data breach, through which customers’ sensitive information was uploaded to external
servers without the company’s explicit authorisation, occurred due to human error by its
employees that breached NAB’s data security policies. It also judged that the lapse in data security and
privacy of consumers’ information did not occur due to any kind of malicious cyber-attack on
the operational systems of NAB, which are completely secure and in control of NAB.
Common Data Security Issues to be Investigated by an Auditor
As the number and even the quality of cyber attacks around the world keep increasing,
making use of even more sophisticated tools and diverse methods, the auditing task of assessing
whether a given operational system can effectively protect and secure its operational data also
becomes increasingly harder for IT auditors. There are various data security issues that an
auditor needs to investigate in order to assess the vulnerability or protection capability of any
operational system against cyber attacks or data breaches and lapses. Some of these are as
follows:
Integrity of the System: One of the first data security issues that any auditor needs to investigate
is whether the organisational systems implemented are still in the control of the business
organisation or have been compromised by external forces. In the event of cyber attacks and data
breaches it becomes highly likely that, in addition to procuring sensitive data, attackers also gain
control of the established system in order to profit even further in the future (Esposito et al.,
2018). Hence, before any changes can be implemented, the auditor needs to assess whether the system’s
functions have been compromised by external sources or not.
Data privacy and protection capabilities: Another major data security issue that an auditor needs
to investigate is the systems, frameworks and methods implemented by the business for the
purposes of protecting and securing its operational data from external forces. This relates to
who in the business can access sensitive data, reviewing if the measures are in accordance with
the applicable laws such as GDPR for the UK, and if the measures implemented are up to date in order to
counter the latest sophisticated cyber attacks.
Data protection policies: Another major data security issue that needs to be investigated by the
auditor is the data protection policies set in place by the business organisation for securing its
confidential operational data from external forces (Huang et al., 2017). This relates to
whether the employees have been trained properly and follow the guidelines provided by the
business with the intention of securing data. It also involves checking whether there are any
vulnerabilities in the data protection policies themselves, and whether the business’s third-party
partners and collaborators are also adhering strictly to the data protection policies implemented
by the business.
National Australian Bank’s Response to the Data Breach
As the data breach that occurred in the systems of National Australian Bank on 26th July,
2019 effectively betrayed the trust, faith and confidence that its customers had shown in the
business organisation till then, NAB’s leadership knew that they would have to act fast and
assure the customers that NAB was doing everything in its power to make sure that their
sensitive and confidential information, which was uploaded without NAB’s authorisation to the
servers of external data service companies, remained secure and that no harm would come to its
consumers on account of the data breach that happened in NAB’s systems.
The first task for NAB in response to the data breach was to set up proper
communication channels between its security teams and the two data security companies to
which the data had been leaked. NAB’s security team advised the companies to delete all
sensitive, confidential information about its customers from their servers in order to avoid
legal issues (Kitchin, 2016). In addition, NAB’s leadership also notified and collaborated with
industry regulators in order to control the damage from the data leaks. NAB also worked closely
with the Office of the Australian Information Commissioner towards this end.
In addition to these operational measures, NAB’s leadership and management also
personally contacted all 13,000 affected customers either by phone, email or written letter to
express to them how profusely sorry NAB is for the breach of consumer data and that it is doing
everything possible to make sure no harm comes to them on account of these leaks. Further,
NAB assured customers that it is constantly reviewing the account activity of these
consumers for unusual activity and that no such activity has been identified for any customer as
yet, as there is no evidence that any confidential customer data has been copied or
compromised further.
In a last effort to show customers how much NAB values them and to show its
commitment to rectifying its mistakes, NAB decided to reimburse its customers for any
charges incurred should any of their leaked government identification documents need to be
reissued. NAB also announced that it would cover the charges of independent, enhanced fraud
detection identification services for the 13,000 customers who have been negatively affected by
the data breach.
Data Security Measures that National Australian Bank Needs to Adopt
National Australian Bank can adopt various data security measures and implement them
in its operations in order to be better prepared against any operational lapses or external
cyber attacks that threaten the security and privacy of its own and its customers’ data in
the future. Some of the measures that NAB needs to adopt are as follows:
Encryption: Encryption is the process of scrambling data or information so that it cannot be
accessed or read by any individual who is not authorised to do so (Albugmi et al., 2016).
NAB needs to encrypt all of its stored operational data using sophisticated algorithms in order to
ensure that, even if its data gets leaked or its security measures get breached, no one
but the authorities of NAB can access or read the stolen data, or make use of it for
nefarious purposes.
Data tracking: NAB should also invest in digital technologies and software that can
track the flow of data dynamically, in order to be better prepared against any data leaks
or breaches in the future. Through data tracking, NAB would be able to identify when an
unauthorised device or user tries to access its systems and data.
Secure Deletion: NAB needs to update its data security policies so that all its employees
securely delete operational data that is judged to have served its purpose. Data deleted in the
normal way can sometimes be recovered by external forces, even from empty hard drives that are thrown
out as waste. This is why NAB needs to adopt secure deletion practices in its operations.
Ban Removable Storage Devices: Although a harsh step, it has become increasingly essential for
businesses to ban the use of removable storage devices on business systems (Thota et al.,
2017). NAB should adopt this practice, or at least restrict the use of such devices to upper levels
of operations, as removable storage devices are the most common factor
that can compromise the integrity of a business system.
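A sketch of the data tracking measure described above, as an added example that is not part of the original report and is not NAB's tooling: it scans outbound-transfer records and flags those that send customer identity fields (the kinds of data the breach exposed) to a destination outside an approved list or from an unregistered device. The log format, field names, host names, device names and the bulk threshold are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Assumed field names, mirroring the data types the report says were exposed.
SENSITIVE_FIELDS = {"full_name", "date_of_birth", "contact_details", "gov_id_number"}

# Hypothetical policy data that the organisation would maintain itself.
APPROVED_DESTINATIONS = {"archive.bank.example", "crm.bank.example"}
REGISTERED_DEVICES = {"WS-0012", "WS-0047"}
BULK_THRESHOLD = 1000  # records per transfer treated as bulk (assumed value)

REQUIRED_KEYS = {"ts", "user", "device", "dest", "fields", "records"}

# Constructed sample log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts":"2019-07-26T09:14:02Z","user":"a.lee","device":"WS-0012","dest":"crm.bank.example","fields":["full_name","contact_details"],"records":40}
{"ts":"2019-07-26T10:02:47Z","user":"j.smith","device":"WS-0047","dest":"upload.dataservice.example","fields":["full_name","date_of_birth","contact_details","gov_id_number"],"records":13000}
{"ts":"2019-07-26T11:30:10Z","user":"m.khan","device":"LAPTOP-9F","dest":"archive.bank.example","fields":["full_name"],"records":5}
{"ts":"2019-07-26T12:00:00Z","user":"r.wong","device":"WS-0012","dest":"stats.vendor.example","fields":["branch_code","txn_count"],"records":90000}
not-json
{"ts":"2019-07-26T13:05:00Z","user":"x"}
"""


@dataclass
class Finding:
    line_no: int
    user: str
    dest: str
    severity: str
    reasons: list


def parse_line(line):
    """Return the record as a dict, or None if the line cannot be trusted."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not REQUIRED_KEYS.issubset(rec):
        return None
    if not isinstance(rec["dest"], str) or not isinstance(rec["device"], str):
        return None
    if not isinstance(rec["records"], int) or not isinstance(rec["fields"], list):
        return None
    if not all(isinstance(f, str) for f in rec["fields"]):
        return None
    return rec


def evaluate(rec):
    """Return (severity, reasons) for a policy violation, or None if clean."""
    sensitive = SENSITIVE_FIELDS.intersection(rec["fields"])
    if not sensitive:
        return None  # no customer identity data in the payload
    reasons = []
    dest = rec["dest"].lower().rstrip(".")  # normalise case and trailing dot
    if dest not in APPROVED_DESTINATIONS:
        reasons.append("destination not approved: " + dest)
    if rec["device"] not in REGISTERED_DEVICES:
        reasons.append("unregistered device: " + rec["device"])
    if not reasons:
        return None
    # Government ID numbers or bulk volume raise the severity.
    bulk = rec["records"] >= BULK_THRESHOLD
    severity = "high" if bulk or "gov_id_number" in sensitive else "medium"
    return severity, reasons


def scan(log_text):
    """Return (findings, rejected_line_numbers) for a transfer log."""
    findings, rejected = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Unreadable entries are reported, not skipped: a gap in the
            # transfer log is itself something an auditor needs to see.
            rejected.append(line_no)
            continue
        result = evaluate(rec)
        if result:
            severity, reasons = result
            findings.append(Finding(line_no, rec["user"], rec["dest"], severity, reasons))
    return findings, rejected


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.severity.upper()} {f.user} -> {f.dest}: {'; '.join(f.reasons)}")
    print("unparseable log lines:", bad)
```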
Role of Cloud Computing in Information Security
Cloud computing has grown to have a significant impact on the security of
information, enough to have created new data security measures that make use of
cloud computing in their operations and functions. Cloud computing security, also known as
cloud security, is designed to protect the infrastructure and information of cloud-based systems
using a set of integrated controls, procedures, technologies and policies. Security measures
provided by cloud security are designed to support regulatory compliance, protect cloud data
from external forces and provide privacy for customers’ data stored on the cloud (Yan, Deng and
Varadharajan, 2017). Cloud computing security is highly customisable based on the needs and
requirements of the business organisation and can perform multiple distinct tasks, from filtering
the overall traffic in the system to authenticating the access provided to multiple users by the
business. The exact security measures that cloud computing provides to businesses depend
on the business’s requirements and also on the service provider of the cloud-based security
solutions. But businesses also need to be part of the process and share responsibility with the
solution providers in order to effectively implement cloud computing security in their
operations.
As security threats in the digital age are constantly evolving, using diverse
sophisticated methods and tools, security measures also need to evolve at the same pace.
Cloud computing information security provides businesses with various operational advantages
through its implementation. Cloud computing security centralises the various web filtering and
traffic analysis processes and makes them easier for businesses to manage (Potey, Dhote and
Sharma, 2016). Cloud security also streamlines the process of monitoring network events for the
business, which effectively results in fewer policy and software updates that need to be
installed on every operational system and IoT device. As cloud security is entirely based on using
cloud services, it eliminates the hardware costs of the business significantly.
CONCLUSION
Based on this report, it can be concluded that ensuring the protection, security and
privacy of consumer data in the hands of business organisations like NAB is essential
for maintaining positive customer relations and trust in the business’s operations. This report
first assesses the data security and privacy issues currently faced by NAB. Then the report
evaluates the common security problems which any capable auditor needs to investigate in a
business organisation. Further, the report analyses NAB’s response to its operational data breach
and recommends information security measures which NAB should adopt so that data breaches
do not occur in the future. Finally, the report evaluates cloud computing’s role in information
security.

REFERENCES
Books and Journals
Albugmi, A. et al., 2016, August. Data security in cloud computing. In 2016 Fifth
International Conference on Future Generation Communication Technologies
(FGCT) (pp. 55-59). IEEE.
Bertino, E. and Ferrari, E., 2018. Big data security and privacy. In A Comprehensive Guide
Through the Italian Database Research Over the Last 25 Years (pp. 425-439). Springer,
Cham.
Esposito, C. et al., 2018. Blockchain: A panacea for healthcare cloud-based data security and
privacy? IEEE Cloud Computing. 5(1). pp. 31-37.
Huang, Z. et al., 2017. Insight of the protection for data security under selective opening
attacks. Information Sciences. 412. pp. 223-241.
Kitchin, R., 2016. Getting smarter about smart cities: Improving data privacy and data security.
Potey, M.M., Dhote, C.A. and Sharma, D.H., 2016. Homomorphic encryption for security of
cloud data. Procedia Computer Science. 79(2016). pp. 175-181.
Thota, C. et al., 2017. Big data security framework for distributed cloud data centers.
In Cybersecurity breaches and issues surrounding online threat protection (pp. 288-310).
IGI Global.
Yan, Z., Deng, R.H. and Varadharajan, V., 2017. Cryptography and data security in cloud
computing.
Zhang, D., 2018, October. Big data security and privacy protection. In 8th International
Conference on Management and Computer Science (ICMCS 2018). Atlantis Press.