Assume that you are hired as the IT consultant for a modern commercial bank that also offers commercial transactions over an online portal. You are assigned the task of conducting a thorough audit of the security of the information systems used in that bank and recommending solutions to enhance security.
a) What are the main areas you should examine to evaluate the security posture of the information systems?
b) Prepare a sample questionnaire for the employees to assess their level of awareness regarding information security.
c) What security measures would you recommend to make the bank's electronic payment transactions more secure?
a) The major areas recommended for review are:
The system architecture and the areas of security concern within it.
The system deployment modality.
Logistic arrangements such as power, network connectivity, etc. Power backup and network redundancy are critical for system reliability and robustness.
The security arrangements at the network boundaries, such as Internet access points and customer access points. It is necessary to make sure that the system is not exposed unnecessarily.
The system configuration and user profiles. Proper distribution of controlled privileges and access to the system, both physically and over the network, is important to ensure optimum security.
Data backup and system backup and restoration facilities, which are critical for recovering the system and its data in case of a crisis.
Robustness of the user interfaces and online applications, to make sure that user credentials are properly checked and enforced and that the system is protected from unlawful access.
Security checking of banking software and outlets such as ATMs, office counters and online portals.
Use of secure applications and protocols for business and monetary transaction interfaces.
b) The sample questionnaire is as follows:
Do you use a computer on a regular basis? (Yes/No)
For what purpose do you use a computer? (Internet/Office Work/Entertainment)
Do you have a username/password to open your computer? (Yes/No)
If you have a username/password, do you share it with your colleagues? (Yes/No)
Do you share your username/password for official database or ERP access with colleagues who have similar privileges? (Yes/No)
Do you know about computer viruses? (Yes/No)
Do you know about hacking and intrusion? (Yes/No)
Does your computer have antivirus software? (Yes/No). If yes, is the software regularly updated? (Yes/No)
Do you know that your computer activity can be tracked by hidden programs and your data stolen? (Yes/No)
c) The following techniques are recommended:
Use of secure web interfaces (SSL-based, with authentic digital certificates) for online transactions.
Use of links from registered and proven service providers to connect outlets such as ATMs and payment kiosks.
Use of secure VPN and data encryption technology for monetary transaction outlets such as the online portal, department store counters and even ATM terminals.
Use of robust firewall and antivirus systems at the major boundaries of the system, such as the server network, the bank-wide intranet, Internet access gateways, and connections to other banks and partners.
Use of redundant network links, power backup at data centers and data backup arrangements to prevent system outages and data loss in case of disaster.
Deployment of major data servers at more than one geographical location.
Hosting of the online portals with a proven web hosting organization if hosting is not possible within the bank's own network.
Regularly audit, update, patch and upgrade the system to stay ahead of the latest threats and vulnerabilities.
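The first recommendation above (secure web interfaces with authentic digital certificates) is only effective if the bank's own client software, for example the service that calls a payment gateway or a partner bank's API, actually verifies the certificate it is shown. The following is an added example, not part of the original answer, showing a hardened TLS client context beside the weak pattern an audit should flag, plus a small check that grades any ssl.SSLContext against that baseline. The baseline itself (certificate required, hostname checked, TLS 1.2 or newer) is an assumed bank policy; the CA bundle path is a placeholder.

```python
"""Added example: audit a Python TLS client configuration against a
certificate-verification baseline.  Not code from the original answer."""
import ssl
from typing import List, Optional

# Assumed policy baseline (not from the page): TLS 1.2 is the oldest
# protocol version the bank accepts for transaction links.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context that requires an authentic certificate chain and a matching
    hostname.  ca_bundle is a placeholder path to the bank's trusted CA file;
    None falls back to the operating system's trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True                  # name on cert must match the peer
    ctx.verify_mode = ssl.CERT_REQUIRED        # reject unverifiable chains
    ctx.minimum_version = MIN_TLS_VERSION      # refuse legacy protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The pattern an audit should flag: verification switched off (often
    'to make it work' against a self-signed test certificate) and any
    protocol version accepted.  Built here only so the audit has something
    to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets
    the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(
            f"minimum TLS version {ctx.minimum_version.name} "
            f"is below {MIN_TLS_VERSION.name}"
        )
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The same three properties are what to look for when reviewing application code during the audit: any place that sets verify_mode to CERT_NONE, disables check_hostname, or leaves the minimum protocol version unset is a finding, regardless of how strong the certificate on the server side is.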