IT Security Risk Management Plan for Emirates Future Investment Bank

Added on  2022/12/27

AI Summary
This project focuses on developing a risk management plan for Emirates Future Investment Bank (EFIB) in the UAE. As IT security consultants, the team addresses the bank's need for a revised plan, considering its expansion, website, and various IT systems (EFIB_NET, ATM_NET, EFIB App, EasyOB, and Dashboard). The project identifies threats like social engineering and non-compliance with financial regulations, followed by a detailed analysis of potential threats, their likelihood, and impact. The plan includes a threat-likelihood-impact matrix, categorizing threats as critical, normal, and minor, with suggestions for mitigation. Objectives include preventing data loss, customer loss, and internet threats. The team's role involves creating risk management strategies, examining internal controls, and assessing internal capacity. Specific threats, such as hacking, malware, and data corruption, are analyzed, along with mitigation strategies. The project provides a comprehensive framework for understanding and managing IT security risks in a banking environment.
Purpose

This project provides an opportunity to apply the competencies gained in this course to develop a risk management plan for a fictitious organization to replace its outdated plan. The project allows you to fulfill the role of a consultant/intern participating in the risk management process of developing a risk management plan for a specific business situation.

Learning Objectives, Outcomes and Resources

You will gain an overall understanding of risk management, its importance, and the critical processes required when developing a formal risk management plan for an organization. The tools and resources needed to complete this project are the course textbook, class lectures, project tutorials, labs and Internet access for research.

Case Scenario

You and your team at Cyber Security Risk Management Consultants LLC (CRMC) have been appointed as the IT security consultant for an upcoming bank (Emirates Future Investment Bank - EFIB) in the UAE with branches in Dubai, Abu Dhabi and Sharjah. In its first year, the bank plans to have 100 employees and a projected 5000 customers. These numbers are expected to double in the following few years. In this respect, the bank will have a full-fledged website hosted in the UAE. The bank will have an extranet and intranet supporting the following services for the bank management, employees and customers.

Employees: EFIB_NET, ATM_NET
Management: EFIB Dashboard
Customers: EFIB App, EasyOB, ATM_NET

System descriptions:

EFIB App: the bank app for customers to interact with their accounts from their smart devices, as well as to submit feedback and follow up on complaints.

EasyOB: a web portal for online banking, which provides customers with access via the web to their personal and account data. It also allows customers to apply for services and perform banking transactions.

EFIB_NET: the bank application running on accountants' and tellers' machines. It provides a wide range of account management services, such as customer account creation, cheque clearance, cash withdrawal and deposit, etc.

ATM_NET: the bank software that runs on bank ATM machines and connects with the UAE central bank ATM network.

Dashboard: a web portal for managers to check the overall performance of the various systems and services. It visualizes customer interaction and provides real-time alerts.

Threats Identified

(Please read 'Classification of security threats in information systems'.)

Though EFIB has limited information security knowledge and experience, they have identified a few threats (for guidance), such as Social Engineering and lack of compliance with UAE financial regulations. In consultation with EFIB management, and with your knowledge of tertiary institutions, you need to identify relevant threats to the EFIB IT infrastructure.
Introduction

The main point of this project is to focus on the risk management plan for Emirates Future Investment Bank (EFIB) as an IT security consultant. The details of this organization, along with the need for a risk management plan, will be evaluated in this paper considering the security threats faced by this business organization and also those arising from the financial regulations. The objectives of the risk management plan and the role of the team which will be working dedicatedly to mitigate the risks will also be presented in this paper.

Summary of the organization

The selected organization for this paper is EFIB, a banking organization based in the UAE with branches in Dubai, Abu Dhabi and Sharjah. There are about 100 employees working in this organization, with 5000 customers. The business reach of this organization is growing each day; as a result, the existing security plan has to be replaced with a new one. This banking organization is looking forward to having a new full-fledged website hosted in the UAE only. The banking management system, considering the employees and the customers of this organization, has to deal with the intranet and the extranet facilities of the organization. All the stakeholders of this organization have to consider all the security measures so that the desired results are obtained from the new website, as it will have three different modules to deal with the employees, management and customers.

Need for a Risk management plan for the Problems faced by EFIB

The exposure of customer and account details can lead to numerous threats, such as the threat coming from social engineering attacks and the threat arising from the UAE financial regulations, which have to be complied with by most UAE-based business organizations. Thus the risk management plan is very important for the growth and progress of this organization.
Aims and the objectives of the proposed risk management plan

The risk management plan will aim to deal with all the probable social engineering risks associated with this banking organization; along with that, the financial regulations followed in the UAE will also be considered in the risk management plan.

Role of the team and the expected tasks

The primary role of the team dedicatedly working on the risk management plan for this organization will be to understand the risks in a detailed manner and form a risk management plan to deal with the discussed risks of this organization.

The tasks which are expected to be done by the team are as follows:

Creation and implementation of the risk management strategies after a thorough examination of the organizational structure.

The internal control systems have to be examined thoroughly so that there are no compatibility issues with the new risk management plan.

An internal capacity adequacy assessment also has to be done regarding the financial regulations issued by the governing bodies before the implementation of the plan.

Objective

Preventing any issues faced by the company that are related to IT:

Data loss, which can occur when hardware is detached from the production system.
Information loss due to misplaced or stolen assets, including laptops, tablets and mobile devices.
Customer loss caused by a production outage due to multiple events, for example a change of management or natural disasters.
Internet threats caused by the availability of the company's products on the internet.
Threats from inside the company.

The main objective is to create a plan with its budget and all the material risks.

Timeline
Threat register (columns: Threat, Threat agent, Asset, Vulnerability, Impact, Mitigation, Cost/effort, Cost justification)

Threat: Employee accesses customer accounts
Threat agent: Database administrator
Asset: Customers database
Vulnerability: The database can be accessed by the admin
Impact: High; the database admin can discover customers with huge savings
Mitigation: Security policy specifying when the DBA can access customer records
Cost/effort: Developing the policy, publishing the policy to the extranet
Cost justification: Deploying the policy to the extranet will enhance its reachability by the employees

Threat: Account holder information being accessed and modified by unauthorized entities
Threat agent: Hackers
Asset: Account holders' database
Vulnerability: This important database can be accessed by an unauthorized third party
Impact: High; the company can have a difficult time locating lost customer information. There is a high probability of a lawsuit by the concerned regulators when such incidents occur
Mitigation: Develop clear database management practices and standards that must be adhered to by the developers
Cost/effort: Developing system development standards and best practices and publishing them to the web (Yang, 2018)
Cost justification: Standards and best practices shall be the backbone when dealing with systems and applications, hence they need to be published by the bank

Threat: Erroneous update of account holders' banking account information
Threat agent: Bank employee
Asset: Account holders' database
Vulnerability: Medium; untrained personnel in the company can possibly update account holder information erroneously, leading to either a loss or an illegal profit by the bank
Impact: Medium; although such occurrences have a low probability of occurring, the bank can possibly lose millions in a single transaction due to errors in data entry
Mitigation: Have elaborate onboarding and induction training for new hires; develop bank user manuals that are clear and more precise
Cost/effort: Including onboarding sessions in the recruitment process, revision of the bank's user manual
Cost justification: Having onboarding sessions when a new hire comes into the bank gives the employer the opportunity to intensively orient the new hire to the new workspace and to clarify their expectations before they commence their duties

Threat: Unauthorized person accessing another customer's banking credentials
Threat agent: General public
Asset: Account holders' credential information
Vulnerability: The ATMs do not have a well closed-off setup to reduce shoulder surfing
Impact: High; there is a high probability that a member of the public can use shoulder surfing to obtain another person's login credentials for the ATM while that person is doing an ATM transaction. This can possibly lead to impersonation
Mitigation: Redesign the ATM premises to allow one-person transactions at a time to reduce shoulder surfing; create awareness among the general public to be on the watch when doing ATM transactions
Cost/effort: Redesigning the ATM premises, dissemination of awareness messages
Cost justification: ATMs can be severely compromised, especially if they are located in a non-closed setup. This mechanism will reduce shoulder surfing since in most instances the ATM shall be used by one person at a time and nobody will be able to shoulder surf what the other customer is doing

Threat: Deliberate software threats
Threat agent: Virus
Asset: The entire bank database
Vulnerability: Unpatched banking and operating system software poses a great risk to the normal operation of this software
Impact: High; if exploited, the bank could lose millions due to compromised banking software which can make deliberate transactions that benefit the engineers of the virus
Mitigation: Have software update standards and procedures in place; install and configure next generation firewalls
Cost/effort: Formulating and publishing software update standards and procedures, purchasing and configuration of a next generation firewall (Ilvonen, 2013)
Cost justification: Having a proper procedure for handling operating system updates and key banking software updates shall enable the company to avoid zero-day attacks, which often cripple banking sectors
Here is the question, what I need:

1.1. Threats that are critical, normal and minor

Critical

Hacking is one of the major system security threats because it exposes organizational data to unauthorized people.

Data corruption damages the entire organizational data, making it unusable.

Malware infection, which creates a vulnerability for other unauthorised users to access the system.

Normal

Internal data access by some employees might not have much impact on the organization.

Employees' understanding of some security measures undertaken by the organization to secure its data.

Minor

Transmitting unencrypted files over the internet.

However, in data security there is no minor threat, because what is regarded as minor can result in severe data breaches.

1.2. Use a threat - likelihood - impact matrix (Excel)

Possible Threat        Likelihood   Impact     Level of risk
Hacking                Possible     Critical   High
Malware infection      Possible     Critical   High
Data corruption        Possible     Critical   High
Internal data access   Possible     Normal     Minimal
Unencrypted files      Unlikely     Minor      Low
1.3. Interpretation of 1.2 with suggestions

The threat matrix representation shows the possibility of the suggested threats affecting an organization. In the matrix, the vertical axis indicates the likelihood of the threat occurring, while the horizontal axis indicates the impact a threat has if it occurs in an organization.

The risk of occurrence can be rated as minor if it is easy to recover the affected data, the system stores public data, or the data is non-critical. In the case of minor threats, user-level protection with authentication and authorization measures can be adopted.

A threat can be rated to have normal impact if the subjected system can be trusted internally by the other interconnected systems, and the system provides normal services or the services offered are not critical. For the normal category, network protection should be strong enough.

Threats of higher impact are those affecting systems that offer very sensitive services, such as banking, where the data is quite critical and the system is difficult to recover. For critical systems, protection should be offered at both the network and data level.
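The matrix in 1.2 and the reading rules in 1.3 can be carried as a small script, added here as an example and not taken from the plan. The numeric scores, the product-of-scores rule, the three bands, and the names Threat, REGISTER, risk_score, risk_band, assess and prioritise are assumptions of this example, so its band labels do not match the plan's Excel sheet cell for cell; the five threats come from 1.2 and the control tier per impact level from 1.3.

```python
"""Qualitative threat-likelihood-impact matrix for the EFIB register.

Added example, not part of the plan. Assumed here (not taken from the plan's
Excel sheet): the ordinal scores, risk = likelihood score x impact score, and
the three bands on that product. The control tier per impact level follows
section 1.3 of the plan.
"""
from dataclasses import dataclass

# Assumed ordinal scales; "likely" is added so the scale has three steps.
LIKELIHOOD_SCORE = {"unlikely": 1, "possible": 2, "likely": 3}
IMPACT_SCORE = {"minor": 1, "normal": 2, "critical": 3}

# Protection level per impact category, as stated in section 1.3.
CONTROL_TIER = {
    "minor": "user-level authentication and authorisation",
    "normal": "network protection",
    "critical": "network and data level protection",
}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str
    impact: str


# The five threats from the plan's matrix (section 1.2).
REGISTER = [
    Threat("Hacking", "Possible", "Critical"),
    Threat("Malware infection", "Possible", "Critical"),
    Threat("Data corruption", "Possible", "Critical"),
    Threat("Internal data access", "Possible", "Normal"),
    Threat("Unencrypted files", "Unlikely", "Minor"),
]


def risk_score(likelihood: str, impact: str) -> int:
    """Product of the two ordinal scores (1..9). Labels are looked up
    case-insensitively; an unknown label raises KeyError rather than
    silently scoring low."""
    return LIKELIHOOD_SCORE[likelihood.lower()] * IMPACT_SCORE[impact.lower()]


def risk_band(score: int) -> str:
    """Assumed bands on the product: 6-9 High, 3-4 Medium, 1-2 Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(threat: Threat) -> dict:
    """Score one threat and attach the control tier its impact calls for."""
    score = risk_score(threat.likelihood, threat.impact)
    return {
        "threat": threat.name,
        "score": score,
        "level": risk_band(score),
        "controls": CONTROL_TIER[threat.impact.lower()],
    }


def prioritise(register: list[Threat]) -> list[dict]:
    """Treatment order: highest score first, ties by name. Nothing is dropped;
    as section 1.1 notes, a "minor" threat still stays on the register."""
    return sorted((assess(t) for t in register),
                  key=lambda row: (-row["score"], row["threat"]))


if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f'{row["threat"]:<22} score={row["score"]} '
              f'{row["level"]:<6} -> {row["controls"]}')
```

Running it lists the three critical-impact threats first, then internal data access, then unencrypted files, each with the protection level 1.3 prescribes for its impact category; an unrecognised likelihood or impact label stops the run instead of producing a quietly low score.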