Strategic Information Security Program for Nabil Bank

Added on 2020/03/16

Running head: STRATEGIC INFORMATION SECURITY
Strategic Information Security
Name of the Student
Name of the University
Author’s note
Executive Summary
The main aim of this report is to develop a security program for enhancing the information security of Nabil Bank. This report gives an overview of the concept of information security. It discusses the different titles of security personnel in the bank. It also gives suggestions regarding the improvement of the present security infrastructure of Nabil Bank. This report discusses the several threats that can be identified, along with the risk assessment methodology. It gives an overview of the training requirements of the employees for effective implementation of the security program that is developed. This report also gives recommendations regarding the improvement of the current information security of Nabil Bank.
Table of Contents
1. Introduction......................................................................................................................3
2. Literature on Information Security..................................................................................3
3. Current Security Situation and Titles of the Security Personnel.....................................4
3.1 Risk Assessment and Threat Identification...............................................................6
3.2 Security Models.........................................................................................................8
4. Development of Security Program..................................................................................9
5. Roles and Responsibilities.............................................................................................11
6. Improvement Plan..........................................................................................................11
7. Training Requirements..................................................................................................12
8. ISO Standards and Models............................................................................................12
9. Conclusion.....................................................................................................................13
10. Recommendations........................................................................................................14
11. References....................................................................................................................15
Document Page
3
STRATEGIC INFORMATION SECURITY
1. Introduction
Information is considered to be the most valued asset of any sector. Information is susceptible to various types of risks as well as threats. With the emergence of information technology, cyber threats are increasing at a fast pace. Information security focuses on protecting the valuable and sensitive data of an organization. Information security is concerned with protecting the integrity, confidentiality and availability of information. The banking sector deals with financial data that needs to be protected. Nabil Bank is known as the first private commercial bank of Nepal (Nabilbank.com 2017). Nabil Bank provides a wide range of banking services via its 52 representation points.
This report discusses and plans a security program for providing information security to Nabil Bank. It aims to improve the present security structure of Nabil Bank. This report gives a brief overview of information security. It gives suggestions about the kinds of security models that can be adopted by Nabil Bank for better and more secure operations. Threat identification along with risk assessment is also carried out in this report. This report discusses the ISO standards as well as models that will be suitable for Nabil Bank, with proper reasoning. The training requirements for adopting the security program in an effective manner are also provided in this report. This report recommends certain steps and procedures that can be taken by Nabil Bank for improving its security infrastructure and for making its information security system strong.
2. Literature on Information Security
Information security can be considered to be the practice of defending and protecting information from any kind of unauthorized access, misuse, disclosure, modification and disruption (Vacca 2012). The modern generation is completely dependent on information and communication technology for confidential as well as commercial purposes. There are several risks as well as threats associated with information technology, such as safety risk, environmental risk, physical risk and financial risk. Security concerns related to ICT are gaining major importance with time. Organizations in every sector face some kind of security issue (Webb et al. 2014). A strong information security structure, together with risk management, can be adopted in an organization to protect it from risks and threats. Risks can be mitigated and prevented by several methods and techniques.
Information security has certain aspects, namely confidentiality, availability and integrity. When the information cannot be accessed by any unauthorized user, the confidentiality aspect of information is achieved (Von Solms and Van Niekerk 2013). When the information cannot be misused, destroyed or modified by an attacker or user, the integrity of the information is maintained. When the right information is available to the right or authorized person at the correct time with no interference or obstruction, the availability of information is achieved. The banking sector has been a major target for hackers, crackers as well as cyber criminals. Information security aims at identifying risks and mitigating them in order to protect sensitive information.
3. Current Security Situation and Titles of the Security Personnel
Nabil Bank was founded in July 1984. Its main objective is to extend the services of modern banking to different sectors of society. Nabil Bank provides several banking and financial services via its 52 representation points. It has introduced several innovative and modern marketing concepts and products in the banking sector. Its main objective is customer satisfaction. Highly qualified personnel are responsible for managing the daily operations. Sensitive financial information is handled by the bank. Risk management is carried out by a highly experienced and qualified management team. Nabil Bank is fully equipped with advanced technology that consists of banking software of international standard for supporting E-transactions and E-channels. Its aim is to provide a complete and secure financial solution to its customers. The risk management team is highly efficient in assessing risk and providing information security to the organization (Sandberg, Amin and Johansson 2015). There are many security personnel present in the risk management team. They are as follows:
Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk functions, tools and systems for identifying, assessing, measuring, monitoring and reporting risks. They identify the main risk areas and strengthen the security architecture function. They are also responsible for implementing the security program.
Head of Credit Risk Management: They are responsible for implementing procedures and policies for the purpose of reducing credit risk. They are also involved in building financial models that have the capability to predict any type of credit risk that can affect the organization. The credit risk management team reports to its head regarding daily operations and activities.
Senior Credit Analyst: They are responsible for reviewing and assessing the financial history of a company or an individual for the purpose of determining whether the candidate is eligible for a loan. They evaluate financial statements such as balance sheets and income statements to understand the level of default risk.
Compliance and Operational Risk Manager: They are responsible for handling the risk related to legal sanctions, financial loss or loss of the bank’s reputation. They ensure that the bank complies with government laws, standards and its own code of ethics and conduct. They also manage any type of risk arising from the failure of internal processes, systems or people, as well as from external events.
3.1 Risk Assessment and Threat Identification
Risk assessment consists of a number of steps and procedures for understanding asset values, possible threats, system vulnerabilities, the predictable impacts of threats and the likelihood of those threats (Kit et al. 2014). Risk can be defined as a function of vulnerabilities and the expected impacts of threats. Risk depends on the probability of occurrence of a threat. System characterization is the first step in risk assessment: information about the software and hardware involved is gathered first (Aloini, Dulmin and Mininno 2012). The NIST risk management framework assesses risk after all the risks have been framed. This framework integrates business processes, company goals, mission, SDLC processes and the information security infrastructure for effective risk assessment. The risk assessment methodology includes a process, a risk model, an assessment approach and an analysis approach (Lo and Chen 2012). After risk identification is carried out, the risks are monitored. The ENISA framework will be effective in the E-transaction processes of Nabil Bank for the purpose of assessing risks (Theoharidou, Mylonas and Gritzalis 2012). This model identifies the risk and analyses it for the purpose of evaluation.
Information security can be enhanced in an organization only by identifying the possible threats and risks. A threat can be considered to be a potential for some kind of trouble or damage to the IT infrastructure. After proper identification of threats, a well-planned security program can be carried out in order to protect the bank from any data or security breach. Nabil Bank provides several financial and banking services. It also provides online banking facilities to its customers. Two broad categories of threats are identified initially: internal and external threats.
Internal threats: The business practices and processes of a financial institution have a large influence on internal threats. If more employees are able to access sensitive customer information, then the probability of threats will be higher. The intensity of internal threats is lower, as they are under the control of the bank.
External threats: These threats have a greater intensity, as they are not under the control of the bank. External threats can be reviewed by listing the reasons and ways in which personal data can be accessed, identifying the ways in which the bank’s system is connected to the outside world via email and networks, and identifying the service providers that have access to the data. Then the exposure to each threat is identified.
Some of the threats that have been identified in the internet banking system of Nabil Bank are phishing, spyware, viruses, Trojan horses and key loggers. In a phishing attack, hoax mails are used for committing fraud (Hong 2012). Online thieves can steal sensitive data of the customers and misuse it. Spyware is a type of malicious software that secretly collects valuable information of the users in order to misuse or modify it (Giannetsos and Dimitriou 2013). Viruses can attach themselves to another program, such as a spreadsheet, in order to replicate. Trojan horses are another type of threat, where an application poses as a secure application and harms the system into which it is downloaded or injected. Key logger software is considered to be the most harmful threat to Nabil Bank (Dadkhah and Jazi 2014). If key logger software is installed on the electronic device from which the customer accesses online banking services, then it tracks all the information entered by the customer. This information can be used by attackers in order to steal money from the bank. The financial database of the bank can be hacked to access sensitive financial data (Martins, Oliveira and Popovič 2014). Deliberate and external threats are extremely harmful to the banking sector, as they cause huge financial loss. After identifying the threats, their exposure must be determined in order to rank them by intensity. This will be extremely helpful for the bank in mitigating risk in an efficient manner.
3.2 Security Models
Security models provide standards for the purpose of comparison and reference. Nabil Bank uses the NIST access control model for identifying the access mechanism used at the different levels that exist in the bank. The management level deals with information that supports the strategic planning process. The level that deals with administrative work is responsible for controlling operational data. The technical layer of the bank deals with the daily operational data that is needed for running the business.
The NIST framework describes the bank’s present cyber security posture and its target state, finds ways to improve risk management and fosters communication between the external and internal stakeholders of the bank. The present risk management procedure is not replaced when the bank uses the NIST framework; rather, the NIST framework complements the present security structure (Chang, Kuo and Ramachandran 2016). The bank can keep its current structure and leverage the NIST framework to identify opportunities for improving its current security risk management. The security models of the NIST framework will be highly beneficial for Nabil Bank, as their documents are available free of cost. They are also updated by the government. Risk assessment guidelines, security plans and privacy control plans are provided by the NIST framework (Malik and Nazir 2012). Strong information security policies can be implemented for protecting the bank’s valuable information.
4. Development of Security Program
Nabil Bank is a large company with 52 points of representation across Nepal. The organizational structure of the bank is hierarchical in nature. The organization has a code of ethics and conduct incorporated into its culture. The main objective of the bank is to provide a single and secure financial solution to its customers. Nabil Bank gives first priority to its customers. The employees follow a code of ethics in the organization (Peltier 2016). They act in an honest manner to protect the interests of their clients (Hu et al. 2012). The bank takes major action against any employee who commits misconduct. Strong information security policies can be implemented for protecting the bank’s valuable information. A well-planned security program can be effective in protecting the bank from security risks and threats. A financial data breach will cause loss to the clients and will also affect the reputation of the bank. The following steps can be taken in order to develop an efficient security program:
Risk assessment: The first step in this process is to identify which department deals with which information. The bank also needs to find out who has access to which sensitive information. The second step is to identify external and internal threats and determine their probability of occurrence. The last step is to determine whether the existing policies are adequate for protecting the information.
Current policy adjustments: A security policy must be designed to protect customer information. This policy must be approved by the board of directors in order to enhance the information security of the bank.
Security control design: The management should focus on developing security control plans for all the business units. Security guidelines must be in place. Access controls need to be designed in which authentication procedures such as passwords, PINs and electronic tokens are used. Biometric identification and firewalls can be implemented for protecting the databases that store sensitive financial data. The networks can be protected by implementing firewalls. Customer details can be encrypted to protect them from unauthorized access.
Response plan: The management team must develop and design a response plan for overcoming a security breach situation. The person in charge of maintaining customer information must design this plan. It must be well written. The plan needs to include the contact details of law enforcement agencies so that appropriate steps can be taken.
Service provider: The contract between the bank and any service provider must contain effective response plans. The bank must ensure that the contract contains appropriate standards for information security.
Testing: The security controls and plans must be tested to make sure that the bank is well protected from any type of security threat and risk (Shackelford et al. 2015). The parties involved in the contract must conduct control testing. They must conduct ethical hacking to find out the effectiveness of the security policies and plans.
5. Roles and Responsibilities
Chief Risk Officer: The main duty of the Chief Risk Officer is to implement risk functions, tools and systems for identifying, assessing, measuring, monitoring and reporting risks. They identify the main risk areas and strengthen the security architecture function. They are also responsible for implementing the security program.
Security Manager: The role of the security manager is to collect and utilize information in
an effective manner to achieve the goal of the organization. They are responsible for proper
communication of information among various layers.
Senior Credit Analyst: They are responsible for reviewing and assessing the financial history of a company or an individual for the purpose of determining whether the candidate is eligible for a loan. They evaluate financial statements such as balance sheets and income statements to understand the level of default risk.
6. Improvement Plan
Information security of Nabil Bank can be improved by adding more designations and
roles so that there is no overlap of responsibilities of the employees (Ahmad, Maynard and Park
2014). Some of the new titles that can play an effective role in improving information security
are: