Class 3 - Classroom Participation Case Study: Banking Scenario
Prof: Arthur R. Friedman
Date: 09/17/2017
Submitted by: Ujwal Rai, Shalikram Bhandari & Rajendra Shrestha
1. Background information and threat:
In the past few days, our IT security team has been investigating a fraudulent act on one of our customers’ bank accounts. The customer noticed the unusual activity on his account because the ATM statement he received at the bank did not match the monthly statement he received at his home. Therefore, he raised questions about the fraudulent transactions that had occurred on his bank account.
Based on our investigation, it was found that one of our clerks was involved in this act. The clerk changed the customer’s address to …
In particular, a bank that handles thousands of monetary transactions and a great deal of personal information must develop and establish a formal, documented access control policy and procedure that addresses the purpose, roles, responsibilities and compliance requirements involved in protecting secured information. The existing access control policy needs to be reviewed, updated if required, and implemented as soon as possible.
Better access enforcement has to be established in order to enforce assigned authorizations for controlling access to confidential information in accordance with the applicable policy. Access control must be applied according to the job and duties of each employee. Employees should not be granted more access than they require to do their job. Only certain people should be granted access to confidential data. This helps to prevent the misuse of data for personal benefit. In our scenario, if the clerk had not been given access to update the customer’s information and obtain the customer’s PIN number, the fraudulent act probably would not have …
The second step is Content of Audit Records. The content of an audit record must include (i) the date and time of the event, (ii) the component of the information system where the event occurred, (iii) the type of event, (iv) the identity of the subject and (v) the outcome of the event.

The third step is audit monitoring, analysis and reporting. Our team recommends regularly reviewing and analyzing audit records in order to identify and investigate inappropriate, suspicious or unusual activities, and reporting the findings to the appropriate officials. Detailed information from past audit records needs to be verified to determine whether incidents like the clerk’s recent fraud occurred before but went unnoticed. In addition, a detailed investigation of how frequently audit and accountability reviews have been conducted in the past, and of what content has been recorded, has to be carried out as soon as possible. This will help to track whether more incidents like this one are happening in the bank that our audit and accountability team has not been able to catch.

The fourth step is Protection of Audit Information. All information collected from audits and audit tools shall be protected by the information management team from unauthorized access, modification and deletion.

Finally, the fifth step is audit retention. Audit information and logs shall be protected and retained by the bank to meet
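As an added example that is not part of the submission, the following Python script applies the two audit recommendations above to constructed sample records: it checks each record for the five required content elements, flags events a subject's role does not permit (the least-privilege point from the access control section), and flags the pattern from this case, where one subject changes an account's mailing address and then reissues its PIN. The role table, field names, component names and the records themselves are assumptions, not the bank's real policy or logs.

```python
from datetime import datetime, timedelta

# The five content elements an audit record must carry (step 2 above).
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")

# Hypothetical role-to-permission map (assumption): a customer_service
# clerk may update addresses but may not reissue PINs.
ROLE_PERMISSIONS = {
    "teller": {"account.view", "transaction.post"},
    "customer_service": {"account.view", "address.update"},
    "security_officer": {"account.view", "pin.reissue"},
}

# Constructed sample audit log (not real data). Record 2 reproduces the
# case: the same clerk changes an address and then reissues the PIN.
SAMPLE_LOG = [
    {"timestamp": "2017-09-01T10:02:11", "component": "crm", "event_type": "address.update",
     "subject": "clerk42", "role": "customer_service", "account": "ACCT-1001", "outcome": "success"},
    {"timestamp": "2017-09-01T10:05:40", "component": "cardsvc", "event_type": "pin.reissue",
     "subject": "clerk42", "role": "customer_service", "account": "ACCT-1001", "outcome": "success"},
    {"timestamp": "2017-09-02T09:00:00", "component": "crm", "event_type": "address.update",
     "subject": "clerk17", "role": "customer_service", "account": "ACCT-2002", "outcome": "success"},
    {"timestamp": "2017-09-02T09:30:00", "component": "cardsvc", "event_type": "pin.reissue",
     "subject": "officer9", "role": "security_officer", "account": "ACCT-2002", "outcome": "success"},
]


def missing_fields(record):
    """Return the required content elements absent from one audit record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def out_of_role_events(log):
    """Return events whose type is not permitted for the subject's role."""
    return [r for r in log if r["event_type"] not in ROLE_PERMISSIONS.get(r["role"], set())]


def address_then_pin(log, window=timedelta(days=30)):
    """Return (subject, account) pairs where one subject successfully changed
    an account's address and then reissued its PIN within the window."""
    last_update = {}  # (subject, account) -> time of last successful address.update
    hits = []
    for r in sorted(log, key=lambda rec: rec["timestamp"]):
        if r["outcome"] != "success":
            continue  # failed attempts are reviewed separately
        key = (r["subject"], r["account"])
        when = datetime.fromisoformat(r["timestamp"])
        if r["event_type"] == "address.update":
            last_update[key] = when
        elif r["event_type"] == "pin.reissue" and key in last_update:
            if when - last_update[key] <= window:
                hits.append(key)
    return hits
```

Record 4 is not flagged by `address_then_pin` because a different subject reissued the PIN, so a reviewer looking for collusion would also want an account-only variant of the check.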