IT Audit and Controls: NAB Data Breach Investigation Report

Added on 2023/01/12
IT AUDIT AND CONTROLS
TABLE OF CONTENTS
INTRODUCTION
MAIN BODY
Overview
Security Issues to be investigated
NAB's response to the data breach
Information Security measures that NAB can adopt
Role of cloud computing in information security
CONCLUSION
REFERENCES
INTRODUCTION
An IT audit is an audit of the robustness of the IT systems implemented in an organisation (Pasquier et al., 2018). This report evaluates the case of National Australia Bank (NAB). It highlights the issues that need to be considered during an audit of the bank and provides recommendations that NAB can adopt.
MAIN BODY
Overview
National Australia Bank (NAB) is one of the most prominent banks in Australia, ranked fourth in the country. On 26 July 2019 the bank uploaded the personal data of about 13,000 customers to the servers of two data service companies. For a bank that had said so much about the security of its systems and the value it placed on customer privacy, this was a serious incident. NAB's Chief Data Officer stated that the upload was the result of human error and not part of any cyber crime, and assured customers that the exposed data did not include critical details such as login passwords. The bank nevertheless accepted responsibility, stating that names, contact numbers, dates of birth and, in some cases, government-issued identification numbers were the only details uploaded. It further stated that all the data uploaded in error had been taken down within two hours. The bank took corrective action immediately: it contacted every customer whose data had been uploaded, undertook to bear the cost of reissuing government identification numbers and the cost of fraud-detection services should any customer use them, and formed a dedicated team of experts that reviewed every detail critically and worked on the incident around the clock (Diamantopoulou, Tsohou and Karyda, 2019).
Despite these efforts, a major question was raised about the robustness of NAB's systems: with cyber crime and fraud on the rise, how credible and trustworthy are the bank's systems? The CEO himself acknowledged that the bank finds it difficult to invest in the development of IT systems on the scale of companies such as Google or Microsoft because it lacks comparable funds.
Security Issues to be investigated
In a constantly changing environment, cyber crime and fraud have increased significantly. Every organisation needs to take steps at its own level to protect its data and avoid becoming a victim of cyber crime. The role of auditors in this field has grown accordingly: they have to review all the activities and programmes of the company so that any indication of cyber-criminal activity, whether intentional or unintentional, can be discovered. When evaluating NAB's systems, the key considerations or issues the auditor needs to focus on are as follows:
Resources and Training: Managing a system properly requires technically skilled and expert employees on a permanent basis. Evaluating this issue lets the auditor establish whether the bank's employees are adequately trained, and how frequently they are trained on methods of avoiding attacks and cyber crime (Albugmi et al., 2016). Employees must be prepared to prevent such attacks on the system and the company; since the NAB upload was attributed to human error, the training of the staff who handle bulk customer data is directly relevant here.
System's Vulnerability: This is the most important security issue the auditor needs to analyse in order to rate the robustness of the existing system. Through this factor the auditor identifies how exposed the system is to external users and how easily unauthorised users could gain access. It also covers whether the system has been compromised by unauthorised users in the past and what effective measures are in place to maintain its integrity and completeness. Evaluating this issue therefore shows whether NAB's system is credible or not.
Risk Management and Response system: The degree to which the organisation and its employees are aware of the types of risk that cyber crime poses is an important issue to analyse, and even more crucial is the identification of the response system the company has developed (Thota et al., 2017). Phishing attacks, unauthorised access and similar risks are faced constantly. These risks must be assessed regularly and the response system developed and upgraded accordingly. Through this issue, NAB's auditor can establish the state of the bank's response system and the level of its risk assessment.
Monitoring System: Apart from the response system, the auditor must also assess the effectiveness of the monitoring system the organisation uses. Where the response system is weak and the employee base is not adequately trained, this risk increases. A lack of proper risk assessment and response often indicates a lack of monitoring, which makes the company's system easier to attack. NAB's auditor needs to determine whether the monitoring systems in place are adequate and whether they can be easily circumvented.
Privacy and Protection of Consumer Data: Investigating this issue helps the auditor determine whether the data is protected, i.e. the framework used to protect consumers' data is evaluated (Bertino and Ferrari, 2018). The number of people with access to customer data, the steps and procedures followed to protect it, and the policies and guidelines implemented are all evaluated under this issue. This gives the auditor insight into the company's internal systems and the value the bank actually places on protecting consumer data.
NAB's response to the data breach
The case study allows evaluation of the response NAB adopted when it was found that the data of 13,000 customers had been exposed. The bank took the corrective actions needed to control the situation before it got out of hand. The first step was to contact the two data service companies to which the data had been uploaded (Diamantopoulou, Tsohou and Karyda, 2019); the bank was assured that all of the data had been removed, and its officials personally confirmed that it had in fact been deleted. The next step was to contact every customer whose data had been exposed. They were assured that no cyber crime had occurred and that this was a data breach which the bank had brought under control. The final step was the bank's promise to bear the costs customers might incur, such as the cost of replacing government identification numbers, in order to retain them. Overall, the bank's approach and attitude were decisive, and it convinced customers that its systems were sound and could not easily be attacked.
Information Security measures that NBA can adopt
Despite the bank's claim that the breach was simply due to human error and had nothing to do with the integrity of its systems, various issues have been identified regarding NAB's data protection. In line with the data security and breach issues identified, there are several measures NAB can adopt to strengthen data protection and minimise the chance of such errors (Pasquier et al., 2018). These are:
Access of few authorised personnel: The bank should develop a system in which only a small number of properly authorised and accountable staff have direct access to bulk customer data. Those individuals should themselves be monitored regularly and should have to record the reason for each access before it is granted, i.e. they should be supervised by someone else. This ensures that the people handling such sensitive information are aware of the importance of their actions and act accordingly. The fewer people who can move customer data outside the bank, the smaller the chance of an error of this kind, which protects the bank's image and avoids such a crisis.
Secure Deletion: This is a technique in which the system automatically and irrecoverably deletes data that is redundant or no longer needed by the organisation. Manual deletion sometimes exposes data to theft, because data can be recovered from drives that were thought to be empty and have been discarded (Maguire et al., 2018). Adopting such data-management technology is therefore a necessity for NAB. It reduces the opportunity for an attack, gives the bank control over the correct disposal of its sensitive data, and minimises the risk of a leak. It is also relevant to the copies uploaded to the two service companies in this case, where the bank had to rely on the companies' assurance that the data had been removed.
Encryption: Encryption encodes data so that it can be read only by those who hold the key, i.e. those with proper authority to access and view it. Encryption alone does not protect data, since the keys and the systems that decrypt it still have to be controlled, but as an added layer it reduces the impact of a leak: a file uploaded to the wrong place in encrypted form is unreadable to whoever receives it. Adopting encryption, together with sound key management, will mean that NAB's data is not readily usable if it is exposed and will reduce the chance that a breach of this kind recurs.
Data tracking: The threat of cyber attacks and data leaks has grown tremendously. Despite the variety of measures adopted by organisations, phishing attacks and the like remain very common (La Torre et al., 2019). Data tracking is another technology NAB can use to counter them. It integrates up-to-date systems that trace the flow of data within the bank continuously, so that a flow of data to an unauthorised system is identified easily and the data-tracking manager or another authorised person is alerted to the transfer to an external destination.
Banning Removable Storage devices: Removable storage devices are one of the easiest channels for data leakage and exposure. Because they are not easily told apart, any external removable device used in the organisation can compromise the integrity of data and systems (Ujcich, Bates and Sanders, 2018). NAB can ban these devices from the organisation altogether so that this route for data theft is closed.
Adopting the techniques recommended above will help NAB to minimise the risk of human error as well as of cyber crime and attacks, thus increasing the robustness of its data protection system.
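As an added illustration of the access-control, data-minimisation and data-tracking measures above (this is example code written for this page, not NAB's own), the Python below gates a bulk export of customer records: the recipient must be on an allow-list, the request must be approved by someone other than the requester, and only the fields that recipient is entitled to are released, with government identification numbers replaced by a keyed pseudonym so the vendor can still match customers. The same allow-list then drives a scan of transfer-log lines so that an upload like the one in the case would be flagged. The recipients, field names, key and log lines are all constructed for the example.

```python
"""Gate and trace bulk exports of customer records to third parties.

Added example (not NAB's code): recipients, field names, key and log
lines are constructed for illustration only.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Optional

# Allow-listed external recipients and the fields each may receive.
# Assumption: a data-services vendor needs names and contact details only.
ALLOWED_RECIPIENTS = {
    "vendor-a.example": {"name", "phone", "date_of_birth"},
    "vendor-b.example": {"name", "phone"},
}
# Fields that never leave the bank in clear, whatever the recipient.
SENSITIVE_FIELDS = {"government_id", "password_hash"}
# Key for deriving an opaque customer reference (assumption: in production
# this lives in a KMS/HSM, not in source).
TOKEN_KEY = b"example-token-key-not-for-production"


@dataclass
class ExportRequest:
    requester: str
    approver: Optional[str]
    recipient: str
    records: list


def customer_ref(government_id: str) -> str:
    """Stable pseudonym: lets the vendor match a customer without
    receiving the identifier itself."""
    return hmac.new(TOKEN_KEY, government_id.encode(), hashlib.sha256).hexdigest()[:16]


def gate_export(req: ExportRequest) -> dict:
    """Apply least privilege, two-person approval and field minimisation.

    Returns the decision, the minimised payload and an audit record that
    ties the approval to a hash of exactly what was released."""
    reasons = []
    if req.recipient not in ALLOWED_RECIPIENTS:
        reasons.append("recipient not allow-listed")
    if not req.approver or req.approver == req.requester:
        reasons.append("independent approver required")
    permitted = ALLOWED_RECIPIENTS.get(req.recipient, set())
    payload, dropped = [], set()
    for rec in req.records:
        out = {k: v for k, v in rec.items() if k in permitted}
        if "government_id" in rec:
            out["customer_ref"] = customer_ref(rec["government_id"])
        dropped.update(set(rec) - set(out))
        payload.append(out)
    allowed = not reasons
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    audit = {
        "requester": req.requester, "approver": req.approver,
        "recipient": req.recipient, "records": len(payload),
        "dropped_fields": sorted(dropped), "payload_sha256": digest,
        "allowed": allowed, "reasons": reasons,
    }
    return {"allowed": allowed, "payload": payload if allowed else [], "audit": audit}


# Constructed transfer-log lines, as an egress proxy might emit them.
SAMPLE_LOG = """\
2019-07-26T09:12:03Z user=j.smith dest=vendor-a.example fields=name,phone,date_of_birth count=13000
2019-07-26T09:15:47Z user=j.smith dest=files.example.net fields=name,phone,government_id count=13000
2019-07-26T09:20:10Z user=a.lee dest=vendor-b.example fields=name,phone,government_id count=20
"""
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) fields=(?P<fields>\S+) count=(?P<count>\d+)"
)


def scan_transfer_log(text: str) -> list:
    """Flag transfers to unknown destinations, transfers carrying sensitive
    fields, and transfers of fields beyond the recipient's entitlement."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently pass
        dest, fields = m["dest"], set(m["fields"].split(","))
        sensitive = fields & SENSITIVE_FIELDS
        extra = fields - ALLOWED_RECIPIENTS.get(dest, set()) - sensitive
        problems = []
        if dest not in ALLOWED_RECIPIENTS:
            problems.append("unknown destination")
        if sensitive:
            problems.append("sensitive fields: " + ",".join(sorted(sensitive)))
        if extra and dest in ALLOWED_RECIPIENTS:
            problems.append("fields beyond entitlement: " + ",".join(sorted(extra)))
        if problems:
            alerts.append({"ts": m["ts"], "user": m["user"], "dest": dest,
                           "count": int(m["count"]), "problems": problems})
    return alerts


if __name__ == "__main__":
    rec = {"name": "A. Customer", "phone": "0400000000", "date_of_birth": "1980-01-01",
           "government_id": "X1234567", "password_hash": "..."}
    print(json.dumps(gate_export(ExportRequest("j.smith", "m.jones", "vendor-a.example", [rec]))["audit"]))
    for alert in scan_transfer_log(SAMPLE_LOG):
        print(alert)
```

The audit record's payload hash is what the bank would later quote to a vendor when asking it to confirm that exactly that data set has been deleted; the log scan is the minimum "data tracking" that would have surfaced an upload of 13,000 records containing identification numbers to an unlisted host.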
Role of cloud computing in information security
Cloud computing is an important technology that NAB can use and, as the bank's CEO himself stated, is already using. Cloud computing provides computing and storage capacity on demand to any individual or organisation. Cloud security controls can be customised to the organisation, and providers' continuous monitoring helps to prevent data theft (Bergman et al., 2018). They analyse traffic regularly and apply web-filtering tools that help to identify any unauthorised intrusion quickly. NAB can therefore obtain additional protection by making fuller use of cloud computing.
CONCLUSION
The report concludes that data breaches and cyber security are very serious issues in the present context. Through the case study of NAB it shows that carelessness with sensitive data can become a major problem for a company. The report has identified the issues that auditors need to examine and the recommendations that can be made.
REFERENCES
Books and Journals
Albugmi, A. et al., 2016. Data security in cloud computing. In: 2016 Fifth International Conference on Future Generation Communication Technologies (FGCT), pp. 55-59. IEEE.
Bergman, L.D. et al., 2018. Enterprise-level data protection with variable data granularity and data disclosure control with hierarchical summarization, topical structuring, and traversal audit. U.S. Patent 9,959,273.
Bertino, E. and Ferrari, E., 2018. Big data security and privacy. In: A Comprehensive Guide Through the Italian Database Research Over the Last 25 Years, pp. 425-439. Springer, Cham.
Diamantopoulou, V., Tsohou, A. and Karyda, M., 2019. General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of Activities Towards Organisations' Compliance. In: International Conference on Trust and Privacy in Digital Business, pp. 94-109. Springer, Cham.
La Torre, M. et al., 2019. Protecting a new Achilles heel: the role of auditors within the practice of data protection. Managerial Auditing Journal.
Maguire, M. et al., 2018. A review of behavioural research on data security.
Pasquier, T. et al., 2018. Data provenance to audit compliance with privacy policy in the Internet of Things. Personal and Ubiquitous Computing, 22(2), pp. 333-344.
Thota, C. et al., 2017. Big data security framework for distributed cloud data centers. In: Cybersecurity Breaches and Issues Surrounding Online Threat Protection, pp. 288-310. IGI Global.
Ujcich, B.E., Bates, A. and Sanders, W.H., 2018. A provenance model for the European Union General Data Protection Regulation. In: International Provenance and Annotation Workshop, pp. 45-57. Springer, Cham.