Page 1: Lee_Rock_20038860_GFIS_2016_CA2

National Bank

Information Security Framework Document V.1.0

Name: Lee Rock

Student Number: 20038860

Department: Department of Graduate Business

Course: MSc in Global Financial Information Systems

Module: Global Financial Information System Security, Continuity and Ethics

Presented To: Mr Joseph Griffin

Assignment 2 of 2

I firmly declare that this assignment was completed of my own accord and to the best of my abilities, in accordance with the plagiarism regulations and in line with the standards of academia set out by Waterford Institute of Technology.

Signature:______________________________ Date:__________________________________


Contents

1.0 Introduction.....................................................................................................................................1

1.1 Information Assurance................................................................................................................1

1.2 Defence in Depth.........................................................................................................................2

1.3 Information Security Systems Engineering Process.....................................................................3

1.4 Network Security.........................................................................................................................4

1.4 Scope...........................................................................................................................................5

1.5 Aim..............................................................................................................................................6

1.6 Framework Breach.......................................................................................................................6

2.0 Information Security Documentation..............................................................................................6

2.1 Information Security Policy Summary..........................................................................................9

2.2 Compliance..................................................................................................................................9

2.3 Policy Review.............................................................................................................................10

3.0 Training..........................................................................................................................................10

4.0 Information Classification and Treatment.....................................................................................11

4.1 Access........................................................................................................................................12

4.2 Storage......................................................................................................................................12

4.3 Discussion..................................................................................................................................12

5.0 Roles and Responsibilities..............................................................................................................13

6.0 Communication.............................................................................................................................17

7.0 Risk Management..........................................................................................................................17

7.1 Risk Assessment and Treatment................................................................................................18

7.1.1 Probability...........................................................................................................................18

7.1.2 Impact.................................................................................................................................19

7.1.3 Risk score............................................................................................................................19

7.1.4 Risk Assessment and Treatment.........................................................................................20

8.0 Physical Access Control..................................................................................................................25

9.0 Physical Security............................................................................................................................26

10.0 Acceptable Information and Device Usage..................................................................................27

10.1 Email........................................................................................................................................28

10.2 Internet Usage.........................................................................................................................29

10.3 Instant Messaging/Phone/Other Communications.................................................................29

10.4 SWIFT.......................................................................................................................................29


10.5 Monitoring...............................................................................................................................30

10.6 Software..................................................................................................................................30

10.7 Wireless Access Points.............................................................................................................30

10.8 Social Media............................................................................................................................31

11.0 Passwords....................................................................................................................................31

12.0 Network Security Layering...........................................................................................................32

12.1 Dual Authentication.................................................................................................................33

12.2 Firewalls...................................................................................................................................33

12.2.1 Packet Filtering Firewalls..................................................................................................33

12.2.2 Application/Proxy Firewalls..............................................................................................34

12.2.3 Packet Inspection Firewalls...............................................................................................34

12.3 Antivirus, Antimalware, Antispyware and Popup Blockers......................................................34

12.4 Intrusion Protection System....................................................................................................34

12.5 Intrusion Detection System.....................................................................................................35

12.6 Patching...................................................................................................................................35

12.7 Network Segmentation............................................................................................................35

12.8 Encryption................................................................................................................................35

12.9 Hardening................................................................................................................................36

12.9.1 Hardening process............................................................................................................37

12.9.2 Hardening Requirements..................................................................................................38

12.9.3 Hardening Checklist..........................................................................................................39

12.10 DNS Restriction......................................................................................................................49

13.0 VPN..............................................................................................................................................51

14.0 Information Security Audits.........................................................................................................51

14.1 Information Security Floor Audits............................................................................................51

14.2 Information Security Documentation Audits...........................................................................52

14.3 System Audits..........................................................................................................................52

14.4 Benchmarking..........................................................................................................................52

15.0 PEN Testing..................................................................................................................................53

16.0 Applicant Screening and Processing............................................................................................53

17.0 Post-Employment........................................................................................................................54

18.0 Electronic Data Transfer..............................................................................................................54

18.1 Printing....................................................................................................................................54

18.2 Physical Documentation..........................................................................................................54


18.3 Paper Disposal.........................................................................................................................55

18.4 Electronic Media Disposal and Reuse......................................................................................55

18.5 Data Retention.........................................................................................................................55

19.0 Security Breach Procedure..........................................................................................................56

19.1 Notification and Reporting.......................................................................................................58

19.2 Physical Breach........................................................................................................................58

19.3 Electronic Breach.....................................................................................................................59

20.0 Vendor Security...........................................................................................................................60

21.0 Contingency Plans........................................................................................................................60

21.1 Data Backup Plan.....................................................................................................................60

21.2 Business Continuity..................................................................................................................61

21.2.1 Incident Classification.......................................................................................................61

21.2.2 Business Continuity Process..............................................................................................62

21.2.3 Testing..............................................................................................................................63

21.2.4 Business Continuity Lifecycle............................................................................................63

21.2.5 Mechanisms to ensure continuity.....................................................................................64

21.3 Disaster Recovery Plan............................................................................................................65

21.3.1 Disaster Recovery Action Plans.........................................................................................65

21.3.2 Disaster Recovery Process................................................................................................68

21.3.3 Testing..............................................................................................................................68

22.0 Quantifying Network disruption..................................................................................................68

23.0 Ethical Behaviour.........................................................................................................................69

24.0 Governance.................................................................................................................................69

25.0 Sign Off........................................................................................................................................69

Equation 1 Risk Score Equation...........................................................................................................19

Figure 1 Aspects of Information Assurance. Source: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf ..........2

Figure 2 Defence in Depth Strategy, Oracle. Source: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds ..........3


Figure 3 Network Security Concepts ..........5

Figure 4 National Bank's Risk Management Process (Griffin, 2016a) ..........18

Figure 5 Layered Security Approach, SANS Institute. Source: https://www.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805 ..........32

Figure 6 Hardening Process, TechTarget. Source: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security ..........38

Figure 7 Business Continuity Lifecycle. Source: http://www.eci.com/products-services/business-availability/business-continuity.html ..........64

Table 1 Information Systems Security Engineering Process ..........4

Table 2 Information Security Documentation ..........9

Table 3 Information Security Roles and Responsibilities ..........17

Table 4 Probability Matrix ..........19

Table 5 Impact Matrix ..........19

Table 6 Risk Score Matrix ..........20

Table 7 National Bank Risk Assessment and Treatment Plan as of 02/03/2016 ..........25

Table 8 National Bank Email Retention ..........29

Table 9 Encryption Types ..........36

Table 10 National Bank Security Hardening Form, University of Texas in Austin. Source: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist ..........49

Table 11 OpenDNS Products and Services of National Bank. Source: https://www.opendns.com/about/innovations/ ..........51

Table 12 Breach Types ..........57

Table 13 Business Continuity Plan Incident Classification ..........62

Table 14 Disaster Recovery Plan Form ..........68

Table 15 Sign Off ..........69


1.0 Introduction

The purpose of this document is to outline the framework by which National Bank manages information security. This is realised through information assurance, using a defence in depth strategy that applies a multi-layered onion approach to protect the wider network. This document outlines the security framework of National Bank, taking into consideration the threats and vulnerabilities identified in National Bank's Network Architecture and Potential Vulnerability Report of 2016. Appendix 1 will reiterate the main vulnerabilities.

1.1 Information Assurance

“Information Assurance measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (Barker et al., p. 15, 2003).

Information assurance incorporates a wide array of policies, standards, services and mechanisms to provide confidentiality, integrity, availability, possession, utility, authenticity, non-repudiation, authorised use and privacy of information (Willett, 2008). The diagram below identifies the aspects of information assurance.

Version: 1.0 Page 1 of 66 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield


Figure 1 Aspects of Information Assurance. Source: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

1.2 Defence in Depth

Defence in depth is a best practice strategy that utilises a variety of techniques and technologies to form a balance between capability, cost and operational performance (National Security Agency, 2015). The idea behind defence in depth is that if one protection mechanism fails, another mechanism should prevent the event from occurring (SANS Institute, 2001). The premise of defence in depth is to slow down and obstruct malicious attackers, but there is a trade-off between security and efficiency (Griffin, 2016a). People often mistake defence in depth for a purely electronic layered approach; although defence in depth incorporates this, it also encompasses a broader range of aspects such as physical security and forensic recovery (Perrin, 2008). The figure below gives an overview of the concepts that National Bank utilises in order to achieve information assurance through defence in depth.



Figure 2 Defence in Depth Strategy, (Rhubart, 2011) Oracle. Source: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds

National Bank's defence in depth strategy includes:

- Security governance.
- Security awareness through training and policies.
- Security through best practice processes and procedures, industry and international standards, regulation and requirements.
- Security through compliance/policy/procedure/process/requirement enforcement.
- Security through a comprehensive hiring policy and process.
- Network layering security approach.
- Periodic risk assessment and treatment.
- Physical controls.
- Business continuity, disaster recovery and data backup plans.

1.3 Information Security Systems Engineering Process

National Bank conducts the following systems engineering process in order to secure the network and achieve information assurance (IATF, 2002):

| Detail | Description | Action |
| --- | --- | --- |
| Discover Information Protection Needs | Identify areas of vulnerability and what systems/data/areas require protection, both physically and electronically. | Risk assessments, PEN testing and vulnerability reports. |
| Define System Security Requirements | Identify the protection needs of each system. | Compliance with industry standard policies/procedures/processes, ISO 27001 and 20022, PCI DSS, all relevant legislation and regulations, Security. Perform SWOT and gap analysis. |
| Design System Security Architecture | Identify the specific components of the system that require security and provide solutions (mechanisms, processes and procedures) to security requirements. | External consultants/internal knowledge base analyse and research the system to identify the optimal security solutions. |
| Develop Detailed Security Design | Assess funding limitations, trade-offs, pros and cons of security mechanisms, processes and procedures. | SWOT analysis, cost-benefit analysis of proposed security solutions. |
| Implement System Security | Initiate new security functions, processes and procedures. | Test, end-user testing, fix faults, implement system security, provide training and update training where applicable, provide continuous maintenance and support. |
| Assess Effectiveness | Assess that the implementation and the capabilities of the security design and architecture (mechanisms/policies/processes/procedures) meet the intended security objectives, requirements and compliance. If not, make the necessary changes and repeat the previous steps where applicable. | Benchmarking, SWOT analysis, testing, end user testing, PEN testing, real life events. |

Table 1 Information Systems Security Engineering Process

1.4 Network Security

National Bank aims to achieve an optimal level of network security through the following concepts (Chia, 2012; Griffin, 2016b):

- Confidentiality: ensuring information is accessed on a need-to-know basis.
- Integrity: ensuring data is not modified or manipulated without acceptance or authorisation.
- Availability: ensuring authorised users have appropriate, timely and uninterrupted access to information.
- Authentication: each authorised individual user has a unique identifier and password to access the system.
- Identification: the system can validate the credentials of the authorised user correctly and prohibit unauthorised access through random credential entry.
- Accountability: authorised users are aware that they are responsible for their actions on the network.
- Authorisation: ensuring individuals privy to the network can only access what they need in order to fulfil their contractual obligations and work duties. The principle of least privilege (cryptome.org) is applied.

Figure 3 Network Security Concepts
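The concepts above are easiest to see when they act together in one access-control routine: a unique user id and salted password hash (authentication), a lockout after repeated failures so that random credential entry is refused (identification), role permissions limited to what the duty needs (authorisation, least privilege) and an audit trail of every decision (accountability). The Python below is an added illustration, not code from this framework document or from National Bank; the user ids, roles, permission names and the three-attempt lockout threshold are assumptions constructed for the example.

```python
# Added illustration (not National Bank's code): one small access-control
# service showing the section 1.4 concepts working together.
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumption: lock the account after this many failures

# Least privilege: each role is granted only the permissions its duties need.
# The roles and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:create"},
    "auditor": {"account:read", "audit_log:read"},
    "admin": {"account:read", "user:manage"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str          # unique identifier (authentication)
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.authenticated: set[str] = set()
        self.audit_log: list[dict] = []  # accountability: every decision is recorded

    def add_user(self, user_id: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, role, salt, hash_password(password, salt))

    def _log(self, user_id: str, action: str, detail: str, allowed: bool) -> None:
        self.audit_log.append(
            {"user": user_id, "action": action, "detail": detail, "allowed": allowed}
        )

    def authenticate(self, user_id: str, password: str) -> bool:
        """Identification: validate the credentials and refuse random credential
        entry by locking the account after MAX_FAILED_ATTEMPTS failures."""
        user = self.users.get(user_id)
        if user is None or user.locked:
            # Same response for unknown and locked accounts, so a caller
            # cannot tell the two apart from the result.
            self._log(user_id, "authenticate", "unknown or locked account", False)
            return False
        ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        if ok:
            user.failed_attempts = 0
            self.authenticated.add(user_id)
        else:
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True
                self.authenticated.discard(user_id)
        self._log(user_id, "authenticate", "password check", ok)
        return ok

    def authorise(self, user_id: str, permission: str) -> bool:
        """Authorisation: an authenticated, unlocked user may do only what the
        permissions of their role allow (need-to-know / least privilege)."""
        user = self.users.get(user_id)
        allowed = (
            user is not None
            and not user.locked
            and user_id in self.authenticated
            and permission in ROLE_PERMISSIONS.get(user.role, set())
        )
        self._log(user_id, "authorise", permission, allowed)
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("u1001", "teller", "correct horse")  # constructed sample user
    print(ac.authenticate("u1001", "correct horse"))  # True
    print(ac.authorise("u1001", "account:read"))      # True: within the teller's duties
    print(ac.authorise("u1001", "user:manage"))       # False: outside least privilege
```

The audit log is what makes accountability testable: each authentication and authorisation decision, allowed or refused, is recorded against the unique user id, which is also the record a floor or system audit (section 14.0) would review.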

1.4 Scope

This document applies to all employees, contractors, third parties and affiliates of National Bank. The contents of this document are applicable to all information and information assets under the control of National Bank.


[Figure 3 diagram: Network Security, built on Confidentiality, Availability and Integrity, supported by Authentication, Authorisation and Accountability]


1.5 Aim

The aim of this document is to outline the security mechanisms in place to protect the confidentiality, integrity and availability of information and information assets under the control of National Bank, in order to achieve information assurance.

1.6 Framework Breach

A breach of this framework may lead to disciplinary action up to and including dismissal. Civil and/or criminal action may also be taken by the company where applicable.

2.0 Information Security Documentation

The following table provides a synopsis of the information security documentation concerning National Bank and its location on the network (InformationShield.com). If you have any queries regarding information security, please contact your local information security officer. All relevant information security documentation can be found on the company's Intranet, Q Drive and Documentum.

| DocNo | Document | Version | Type | Directory |
| --- | --- | --- | --- | --- |
| NBP01 | Information Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS02 | Information Classification and Treatment | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP03 | Password Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP04 | Acceptable Usage Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP05 | Social Media Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS06 | IT Audit Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBM07 | Roles and Responsibilities | V.1.0 | Manual | Q:\Compliance\Manuals |
| NBP08 | 3rd Party and Affiliate Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP09 | Electronic, Mobile and Credit Card Payments Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP10 | Physical Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP11 | Procurement Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS12 | Procurement Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP13 | Software Development Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBM14 | Business Continuity Plan | V.1.0 | Manual | Q:\Compliance\Manuals |
| NBS15 | Information Security Breach Procedure | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP16 | Information, Software, Hardware and Data Destruction Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP17 | VPN Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP18 | Mobile Device Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP19 | Service Licence Agreements | V.1.0 | Licence | Q:\Compliance\Lisences |
| NBS20 | PEN Test Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP21 | Physical Access Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP22 | IT Access Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP23 | IT Governance | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP24 | Risk Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP25 | Risk Assessment and Treatment Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP26 | Data Protection Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP27 | Account and Privilege Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP28 | Wireless Network Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP29 | Asset Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP30 | Data Backup and Recovery Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP31 | Firewall Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP32 | Email, Instant Messaging, Phone and Other Communications Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP33 | External Party Information Disclosure Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP34 | Information Exchange Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP35 | Information Ownership Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP36 | Internet Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP37 | Network Security Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP38 | Log Management and Monitoring Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBM39 | Information Security Framework | V.1.0 | Manual | Q:\Compliance\Manuals |
| NBM40 | Compliance Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP41 | Document Control Procedure | V.1.0 | SOP | Q:\Compliance\Policies |
| NBP42 | Management Review Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS43 | IT Internal Review Procedure | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS44 | Software Requirements and Validation Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP45 | Information Security Training Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS46 | Information Security Training Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP47 | Information Security Supplier, Client, 3rd Party and Other Affiliate Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP48 | Group Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP49 | Network Segmentation Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP50 | Information Ethical Usage Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP51 | Disciplinary Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS52 | Network Hardening Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBS53 | Patch Management Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP54 | Endpoint Security Management Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP55 | Removable Media Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBS56 | PEN Testing Procedure | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP57 | Vulnerability Scanning and Management Policy | V.1.0 | SOP | Q:\Compliance\SOPs |
| NBP58 | Removable and Personal Media Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP59 | Senior Management Information Security Commitment Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP60 | Vendor Security Policy | V.1.0 | Policy | Q:\Compliance\Policies |
| NBP61 | End User Requirements Policy | V.1.0 | Policy | Q:\Compliance\Policies |

Table 2 Information Security Documentation

2.1 Information Security Policy Summary

National Bank is committed to securing all relevant information and information assets under its control, to protect the wider network as well as the clients, parties and associates with which National Bank is affiliated. In order to achieve information assurance, National Bank's information security goals include:

- Compliance with all data protection, financial, payments and transaction laws and regulations from an Irish, European and international perspective.
- Compliance with PCI DSS, ISO 27001 and ISO 20022.
- Provide appropriate confidentiality, availability and integrity of all information and information assets.
- Provide up-to-date and periodic information security training to all applicable parties.
- Ensure the functioning and continuity of the organisation in the event of a network disruption.
- Ensure all applicable parties are compliant with National Bank's information security policies, procedures and protocols.
- Appropriate document control, document review and information security training review.
- Provide adequate resources and funding to the information assurance process.
- Update processes, procedures, training and documentation when applicable.

2.2 Compliance

National Bank is fully compliant with PCI DSS and ISO 27001/20022 and is subject to external security audits as part of this compliance. National Bank is committed to remaining fully compliant with all rules, legislation and regulations across any jurisdiction in which it operates.


2.3 Policy Review

The CISO will conduct an annual review of all information security documentation to ensure all policies/processes/procedures are in line with the organisation's strategy and reflect the necessary precautions to be taken for network security and information assurance.

- Information security documentation maintenance and control is the responsibility of the CISO.
- Changes can be made on an ad-hoc basis.
- Any changes made need to be identified and approved by the board of directors.
- Local ISOs can, and are encouraged to, notify the CISO of and recommend any necessary changes in documentation.
- Communication of changes must be channelled throughout the organisation.

3.0 Training

Employees will receive information security training upon their induction, followed by annual refresher courses thereafter. Contractors will receive information security training at least two days before the contract initiates; if the contract is for a period of longer than 12 months they are subject to an annual refresher. Formal information security training is required to be signed off by the individual and the respective trainer. Trainees are also required to complete an information security assessment at the end of training. Any third party, supplier, client or affiliate is required to be briefed by their National Bank liaison, where applicable, in regards to information security policy and procedures.

National Bank will periodically update and review its information security documentation, procedures and processes. These changes take immediate effect from executive sign-off and can be communicated through one or more of the following channels:

- Intranet
- Email
- Documentum
- Meetings
- Unexpected roleplay

As part of an employee's/contractor's information security training they are required to read all applicable documentation. Electronic sign-off is required for compliance with PCI DSS and ISO 27001 and 20022.

National Bank employs Documentum (EnterpriseContentManagement.com), which organises the relevant documentation to be read and signed off by each individual. An email will be sent to each applicable individual informing them of new/updated documents which require their comprehension and electronic sign-off through their Documentum account. A lead time to complete sign-off is applied to each document upon notification; emails reminding the individual (and their respective supervisor) to complete the sign-off will be sent periodically during this lead time. If the individual fails to read and sign off the respective document in the allotted time, disciplinary action may be taken.

Suppliers, 3rd parties, clients and other affiliates may also be required to read and sign off applicable information security documentation if they are privy to information classified confidential or greater where they are not the data owner.

4.0 Information Classification and Treatment

National Bank classifies its information assets into three categories. The lists within the categories are examples and are not exhaustive:

Unrestricted:
Public information includes marketing, promotion, upcoming events, prospectus, annual reports and press releases. Unrestricted information has no classification label.

Confidential:
Employee personal details, contractor personal details, supplier, 3rd party, client and other affiliate personal details, credit card data, company financial information, client and other affiliates' financial information, company research and reports, intellectual property, meetings. Confidential information, where applicable, will be labelled as 'Confidential'.

Secret:
Executive meetings, strategic growth plans, surprise events, new products and services, new competitive strategies. Secret information, where applicable, will be labelled as 'Secret'.

All documentation classed as restricted or higher must be watermarked with the appropriate label:

- Confidential: 'Confidential'
- Secret: 'Secret'

4.1 Access

- Everyone will have access to public information.
- Access to information classified confidential or higher will be granted on a need-to-know basis by the data custodian.
- Intended parties (depending on the need to know in order to fulfil duties) will have access to confidential information.
- Intended parties (depending on the need to know in order to fulfil duties) will have access to secret information.

4.2 Storage

- Electronic documents labelled confidential or higher must be stored on a device approved by the IT department.
- All physical documentation and records labelled confidential or higher must be stored in a locked, secure area.
- Please ensure that any information, electronic/physical documentation and records are not clearly visible when a party not privy to this information is within visual range of it.
- Data backups are maintained.
- Information is separated and segregated on the network.

4.3 Discussion

- No steps need be taken for information classified as unrestricted.
- Only discuss restricted information with other parties who are also privy to the information.
- For information classified confidential or higher, please take all necessary precautions to ensure that no unintended parties are able to comprehend and understand the discussion. Examples of security measures include:
  - Check that your phone is off and/or not connected to anybody else.
  - Don't have confidential/secret discussions over the phone.
  - Ensure you are in a secluded area where a 3rd party's hearing and sight will be impaired from the conversation.
  - Keep the level of your voice in mind when speaking.
  - All webcams/recording devices/listening devices turned off.
- Non-disclosure agreements must be signed by those parties who do not own the information classified confidential or higher but will require access in order to fulfil job and contractual duties.

5.0 Roles and Responsibilities

The following outlines the roles and responsibilities of all user types on the network.

Chief Information Security Officer (CISO):
- Accountable for network security and information assurance.
- Ensure compliance with all regulatory and statutory bodies, ISO 27001 and 20022, and PCI DSS.
- Approve new information security documents and updates to them.
- Responsible for the creation or initiation of new information security and IT documentation.
- Approve procurement of software/hardware of up to $2000.
- Obtain approval for procurement of software/hardware greater than $2000.
- Update the board of directors on new information security policy/process changes, breaches, new methods of network securitisation etc.
- Propose corrective/disciplinary action against internal security breaches.
- Coordinate efforts to ensure information assurance.
- Information security awareness at senior level.
- Coordinate response to malicious attacks where applicable.
- Periodic review of information security documentation and processes.
- Document control in regards to all IT and information security documentation.

Information Security Officer (ISO):
- Responsible for network security and information assurance.
- Perform and report risk assessment results.
- Communication of new documentation, policy/process changes, new risks and breaches to mezzanine and junior levels of the organisation.
- Ensuring information security policies and procedures are adhered to.
- Assist the CISO in coordination of resources before, during and after data breaches.
- Perform and assess information security audits.
- Report applicable malicious attacks, malfunction or disruption to the system owner (CISO).
- Ensure conformance with all IT and IT security policies, processes and procedures.

System Owner (SO):
- Define authorisation and access protocols.
- Awareness of the information the position and system(s) are responsible for.
- Report applicable malicious threats or malfunctions to the ISO.
- Maintenance, development and security of the system(s) under the position's control.
- Implement system and information security policies, processes and procedures.
- Accountable for information availability, integrity and confidentiality on the system.
- Report malicious attacks, malfunction or disruption to the ISO.

System Administrator (SA):
- System backup and continuity.
- Monitor that all users adhere to system and information security policies, processes and procedures whilst operating the system.
- Access and authentication control to the system.
- Awareness regarding information usage, manipulation and export/import on the system.
- Responsible for information availability, integrity and confidentiality on the system.
- Champion and educate end users on information security regarding the system.
- Report applicable malicious attacks, malfunction or disruption to the SO.

Users:
- Report any malicious attack, malfunction or disruption to the SA.
- Comply with all system and information security policies, processes and procedures.
- Only access systems and information the individual is authorised or privy to.
- Keep access and authentication details confidential.

Network Engineers:
- Network continuity and security.
- Network efficiency.
- Approve hardware and software for usage.
- Test/maintain and request updates of hardware where applicable.
- Monitor traffic on the network and report suspicious activity to the ISO where applicable.
- Ensure all issued hardware/devices possess up-to-date and relevant security mechanisms.
- Network audit.
- Network patching.
- Internal PEN testing.
- Data/software/hardware destruction and disposal.

Table 3 Information Security Roles and Responsibilities

6.0 Communication

National Bank issues a monthly information security newsletter to all employees via email, highlighting new policy changes, information security audit results (both internal and external), malicious attacks, common security mistakes and any other security issue, in order to promote awareness of and compliance with information assurance.

7.0 Risk Management

National Bank undergoes a periodic risk assessment, with possible reassessments if a malicious attack or event significantly harms or disrupts the network. The assessment covers a wide scope, such as physical, software, hardware, internal and external factors which could compromise the network and disrupt the integrity, availability and confidentiality of data. Risks are added to and updated in the risk register, which records each risk, its likelihood, occurrence and treatment action. The purpose of the risk assessment is to identify and pre-empt potential risks and exploits, as well as limiting or eliminating vulnerabilities and exploits in the network. The figure below describes the risk management process of National Bank.

Figure 4 National Bank's Risk Management Process (Griffin, 2016a)

7.1 Risk Assessment and Treatment

As National Bank handles credit card data it must be PCI DSS compliant. National Bank also conforms to the ISO 27001 and ISO 20022 standards. Because the network is an integral part of operations it is in scope for the standards, and thus periodic risk assessments/treatments must be carried out. Threats to the network must be identified and assessed for probability of occurrence and impact if the threat happens, and each threat is given a risk score. Generally, if the score is low the risk can be accepted. If the risk score is medium/high, measures are put in place to prevent or mitigate the risk. Identifying possible threats, risks and vulnerabilities allows National Bank to plan for and control these flaws which can disrupt the network.

7.1.1 Probability

The probability is the likelihood of an event occurring. The probability of each threat is given a rating from 1-10, with 1 being very unlikely and 10 being extremely likely (mindtools.com).

Probability | Score | Description
High | 10 | High chance of occurrence
Medium | 5 | Moderate chance of occurrence
Low | 1 | Low chance of occurrence

Table 4 Probability Matrix

7.1.2 Impact

The impact of an event occurring is the damage it can do to the network. The impact of each threat is given a rating from 1-10, with 1 having minimal damage and 10 being extremely detrimental to the survival and operation of the organisation (mindtools.com).

Impact | Score | Description
High | 10 | Mission critical, catastrophic to network and organisation; the firm cannot function if this occurs
Medium | 5 | Significant disruption will be caused if the event occurs, but the organisation can still operate
Low | 1 | Minor inconvenience

Table 5 Impact Matrix

7.1.3 Risk score

To get the risk score, the probability of that risk is multiplied by the corresponding impact (Dumbravă and Iacob, 2013).

Risk = Probability × Impact

R = P × I

Equation 1 Risk Score Equation

Likelihood \ Severity | High | Medium | Low
High | 10 x 10 = 100 | 10 x 5 = 50 | 10 x 1 = 10
Medium | 5 x 10 = 50 | 5 x 5 = 25 | 5 x 1 = 5
Low | 1 x 10 = 10 | 1 x 5 = 5 | 1 x 1 = 1
Scale | 50 – 100 = High | 11 – 49 = Medium | 1 – 9 = Low

Table 6 Risk Score Matrix
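The scoring rules of 7.1.1 to 7.1.3, as an added worked example that is not part of the original document: it applies Equation 1 to the document's 1-10 ratings, bands the result with the Table 6 scale, rebuilds the Table 6 matrix, and recomputes a sample of Table 7 rows so that a recorded score which disagrees with P × I, or a score the scale does not cover (the scale as written assigns no band to exactly 10), is reported. The RiskEntry type, check_register and the other function names are my own; the ratings and scores are the page's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Probability (Table 4) and impact (Table 5) are rated on the document's 1-10 scale.
RATING_MIN, RATING_MAX = 1, 10

# The three named levels used in the Table 6 matrix and their ratings.
LEVELS = {"High": 10, "Medium": 5, "Low": 1}

# Risk score bands from Table 6: 50-100 High, 11-49 Medium, 1-9 Low. The scale as
# written assigns no band to a score of exactly 10, so band() returns None for it
# rather than silently choosing a side; check_register() reports such scores.
BANDS = (("High", 50, 100), ("Medium", 11, 49), ("Low", 1, 9))


def risk_score(probability: int, impact: int) -> int:
    """Equation 1: R = P x I, with both ratings validated against the 1-10 scale."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name} rating {value} is outside {RATING_MIN}-{RATING_MAX}")
    return probability * impact


def band(score: int) -> Optional[str]:
    """Map a risk score to its Table 6 band, or None if the scale does not cover it."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    return None


def treatment_required(score: int) -> bool:
    """Section 7.1: a low score can be accepted; medium or high needs a treatment."""
    return band(score) in ("Medium", "High")


def score_matrix() -> Dict[Tuple[str, str], int]:
    """Rebuild the Table 6 likelihood x severity matrix from the level ratings."""
    return {(lik, sev): risk_score(LEVELS[lik], LEVELS[sev])
            for lik in LEVELS for sev in LEVELS}


@dataclass(frozen=True)
class RiskEntry:  # hypothetical register row type, not from the document
    category: str
    vulnerability: str
    owner: str
    likelihood: int
    severity: int
    recorded_score: int  # the score as written in the register


# A sample of rows from Table 7, using the page's own ratings and scores.
REGISTER: List[RiskEntry] = [
    RiskEntry("Employee", "visible passwords", "ALL", 8, 7, 56),
    RiskEntry("Employee", "susceptible to phishing", "ALL", 5, 6, 30),
    RiskEntry("Employee", "key network employee leaves", "IT", 3, 5, 15),
    RiskEntry("Software", "malicious software attacks from outsiders", "IT", 7, 9, 63),
    RiskEntry("Hardware/software", "remote access to network", "IT", 6, 8, 48),
    RiskEntry("Environmental", "terrorism", "ALL", 1, 9, 9),
]


def check_register(entries: List[RiskEntry]):
    """Recompute every score, band it and list discrepancies.

    Returns (rows sorted by score, highest first; list of problem strings).
    A row is (category, vulnerability, computed score, band, treatment required).
    """
    rows, problems = [], []
    for e in entries:
        score = risk_score(e.likelihood, e.severity)
        b = band(score)
        if score != e.recorded_score:
            problems.append(f"{e.vulnerability}: recorded {e.recorded_score}, computed {score}")
        if b is None:
            problems.append(f"{e.vulnerability}: score {score} is not covered by the scale")
        rows.append((e.category, e.vulnerability, score, b, treatment_required(score)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows, problems


if __name__ == "__main__":
    for (lik, sev), score in sorted(score_matrix().items()):
        print(f"likelihood {lik:6} x severity {sev:6} = {score:3}  band={band(score)}")
    rows, problems = check_register(REGISTER)
    for row in rows:
        print(row)
    print("problems:", problems or "none")
```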


7.1.4 Risk Assessment and Treatment

The following risk assessment was conducted as of the 11th of February 2016, in conjunction with mapping the network architecture of National Bank. The following treatments have been applied to each risk in order to mitigate, avoid or accept the risk.

Category | Vulnerability | Threat | Risk Owner | Likelihood | Severity | Risk Score | Action
Employee | visible passwords | unauthorised access, criminal/malicious intent/data breach | ALL | 8 | 7 | 56 | Training/weekly IT audits/passwords reset every 45 days
Employee | susceptible to phishing | unauthorised access, criminal/malicious intent/data breach | ALL | 5 | 6 | 30 | Spam filter/anti-virus/firewall/training/monitor emails
Employee | unlocked devices | unauthorised access, criminal/malicious intent/data breach | ALL | 7 | 5 | 35 | Automatic lock set for 5 minutes of user inactivity, feature to adjust this disabled on all devices/trained to lock device when not using it
Employee | internal hacking/fraud/information theft | unauthorised access, criminal/malicious intent/data breach | IT | 3 | 8 | 24 | Logs/email/instant messaging/security camera monitoring, reporting structure/IT audits/hiring process background checks/training/network segmentation
Employee | key network employee leaves | System disruption/unavailability | IT | 3 | 5 | 15 | Obligated to give 30 days' notice in order to find a suitable replacement, cross-training of responsibilities
Employee | accidental information destruction/network disruption/breach of data integrity | unauthorised access, criminal/malicious intent/data breach/system disruption | ALL | 6 | 6 | 36 | Backups and data recovery
Employee | employee devices stolen outside the firm | unauthorised access, criminal/malicious intent/data breach | ALL | 7 | 8 | 56 | Automatic 5-minute locking, device locks down after 3 authentication attempts
Organisational | lack of sufficient training | unauthorised access, criminal/malicious intent/data breach | IT/Training | 2 | 6 | 12 | Induction training/periodic refreshers/training updated periodically/constant communications, i.e. monthly information security newsletter
Organisational | outdated and insufficient security policies | unauthorised access, criminal/malicious intent/data breach | IT/Senior Mgt. | 4 | 5 | 20 | IT weekly audit/contingency reserve/anti-virus and software patching/firewalls/intrusion protection system/PEN testing
Organisational | lack of security funding | unauthorised access, criminal/malicious intent/data breach | Senior Mgt. | 4 | 9 | 36 | Commitment from senior management in the information security policy to provide adequate funding
Organisational | lack of political will to secure networks | unauthorised access, criminal/malicious intent/data breach | Senior Mgt. | 4 | 9 | 36 | Commitment from senior management in the information security policy to enable adequate provision of resources to protect the network
Organisational | loss of communication channels | System disruption/unavailability | | 3 | 8 | 24 | Backup generator/multiple communication channels/firewalls/intrusion protection system/SWIFT external platform
Physical | IP camera failure | unauthorised access, criminal/malicious intent/data breach | Facilities | 2 | 7 | 14 | Backup generator/spare equipment/segmented network to make traffic more efficient/security guard patrols
Physical | swipe access failure | unauthorised access, criminal/malicious intent/data breach | Facilities | 2 | 9 | 18 | IP camera at entry points/training to question unrecognised people/lock-in capability/sensitive areas alarmed
Physical | security guard incompetence/error | unauthorised access, criminal/malicious intent/data breach | Facilities | 3 | 7 | 21 | Swipe access to open doors, IP cameras/training/other employees
Software | back doors | unauthorised access, criminal/malicious intent/data breach | IT | 4 | 6 | 24 | Software development policy/supplier vetting process/segmented network/firewalls/antivirus/intrusion protection system
Software | outdated software | unauthorised access, criminal/malicious intent/data breach | IT | 4 | 5 | 20 | Service licence agreements to update to new version
Software | poor software vendor support | System disruption/unavailability | IT | 5 | 6 | 30 | Vendor vetting process/use of multiple vendors
Software | unauthorised software on network | unauthorised access, criminal/malicious intent/data breach | IT | 3 | 8 | 24 | Training/software request forms/antivirus/firewalls/intrusion protection system/admin rights disabled for the end user (requires approval from IT)
Software | bugs in operating system/software | unauthorised access, criminal/malicious intent/data breach | IT | 5 | 6 | 30 | Software development and validation policy and procedure/PEN testing/vendor vetting/use of multiple vendors
Software | malicious software attacks from outsiders | unauthorised access, criminal/malicious intent/data breach | IT | 7 | 9 | 63 | Multiple firewalls from different manufacturers, multiple intrusion protection systems from different manufacturers/anti-virus/spam blocker/pop-up and ad blocker/removed certain websites from DNS/training/network monitoring and benchmarking/segregated network
Hardware | outdated hardware | unauthorised access, criminal/malicious intent/data breach/system disruption | IT | 4 | 6 | 24 | Commitment from management to provide adequate resources/IT audit
Hardware | equipment failure | System disruption/unavailability | IT | 4 | 9 | 36 | Contingency fund/backup equipment/backup generator
Hardware | hardware theft | unauthorised access, criminal/malicious intent/data breach | IT | 2 | 7 | 14 | Swipe access to areas of sensitive hardware/comms rooms not marked/IP cameras/security guards/electronic lock-in/alarm system
Hardware | poor vendor hardware support | System disruption/unavailability | IT | 5 | 6 | 30 | Use of multiple vendors/details of alternative vendors/contractual agreements/vendor vetting process
Hardware/software | remote access to network | unauthorised access, criminal/malicious intent/data breach | IT | 6 | 8 | 48 | Dual authentication to access network/firewalls/intrusion protection systems/port security procedures in place
Hardware/software | firewall/identification protection/detection device, anti-virus, spyware failure | unauthorised access, criminal/malicious intent/data breach | IT | 4 | 9 | 36 | Network segmentation/security breach procedure/use of multiple firewalls/intrusion protection systems from different manufacturers/intrusion detection systems/network segmentation
Environmental | natural disasters | System disruption/unavailability | ALL | 2 | 9 | 18 | Business continuity plan/backup generator and data backup
Environmental | terrorism | System disruption/unavailability/unauthorised access, criminal/malicious intent/data breach | ALL | 1 | 9 | 9 | Business continuity plan/backup generator and data backup
Environmental | power failure | System disruption/unavailability | Facilities | 3 | 9 | 27 | Business continuity plan/backup generator and data backup
Environmental | internet outage | System disruption/unavailability | IT | 1 | 9 | 9 | Business continuity plan/backup generator and data backup/multiple connection lines to provider

Table 7 National Bank Risk Assessment and Treatment Plan as of 02/03/2016

8.0 Physical Access Control

- National Bank operates swipe access at all premises for all areas which have an information classification of confidential or higher.
- Additional swipe access points are utilised to further protect areas with sensitive information and equipment, such as the comms room. Access rights to certain areas like the comms room are granted on a "need to enter" basis.
- Employees are given a blue ribbon and identification badge with swipe access.
- Contractors are given a green ribbon and identification badge with swipe access.
- Visitors are given a red ribbon and identification badge.
- Visitors are required to sign in and out when entering and leaving the premises.
- Visitors should always have a National Bank liaison accompanying them through areas classified as confidential or higher.
- IP cameras are located at access points and around areas containing sensitive information and hardware.
- Security guards are placed towards the main entrance of each site and conduct regular patrols.
- Tailgating is strictly forbidden.
- All employees/contractors are required to clock in and out when entering and leaving the premises.

9.0 Physical Security

- Security guards reserve the right to conduct random bag searches of any individual exiting the premises of National Bank.
- Security guards have the right to prevent or remove individuals from company premises.
- Security guards and superiors have the right to confiscate company property on suspicion of malpractice.
- All doors are to remain closed.
- All windows are to remain sealed and obstructed from viewing inward.
- The face of a monitor should not be visible through a window or door.
- No paper, devices or any company property is allowed offsite unless there is a business need, authorised by the asset owner and documented.
- All paper waste is to be disposed of in the secure bins and shredders provided.
- Paper with information classified as confidential or higher must be placed in a locked cabinet and sealed when unused.
- Rooms with sensitive information or information assets remain locked when unattended.
- Whiteboards are to be cleared, disposable media and paper removed, and systems logged out of after meetings.
- All hardware is to be checked for any relevant data, software removed, wiped, reset to factory default and made unusable before disposal and destruction.
- Physical destruction of hardware is to take place on site, after which it is handed to an authorised disposal company.
- Reception will not accept personal deliveries for employees/contractors.
- Reception is to be notified of intended business deliveries.
- Reception is to be notified of expected visitors.
- Reception should ring the intended party's liaison or nearest alternative to confirm the visitor/delivery before access to restricted areas is granted.
- Visitors may not pass reception without signing in, being granted a visitor badge and being supervised by the liaison.
- Sensitive hardware such as switches and servers is to reside in a strictly access-controlled area free from interference by unauthorised access, fire, water and other natural disasters.
- All physical devices and hardware of National Bank are to be given a unique identification number and labelled accordingly.
- A register of all authorised hardware and designated users, where applicable, is maintained.
- Personal mobile devices/media are prohibited in any area with information classed as confidential or higher. All personal devices must be stored in the employee lockers provided.
- 3rd party mobile devices/media are not permitted to enter any area with information classed confidential or higher unless approved by the local ISO. Unapproved devices must be left in a secure container at reception and labelled to the appropriate party.
- Fire drills are conducted on an annual basis.
- Health and safety audits are conducted on a monthly basis.

10.0 Acceptable Information and Device Usage

- Acceptable usage of information and devices must be in compliance with all relevant laws and regulations in all jurisdictions in which National Bank operates (e.g. Dataprotection.ie).
- Information stored on any of National Bank's hardware is classified as National Bank property.
- Some information stored, such as credit card data and client information, is not owned by National Bank; rather, the company is a custodian of this information.
- National Bank's resources are to be used for their intended purposes only and in compliance with policies/procedures set out by National Bank, all relevant legislation and regulations, and in compliance with ISO 27001/20022 and PCI DSS.
- Confidentiality, integrity and availability of information and information assets must be realised at all times.
- Information may only be accessed in accordance with the policies/procedures set out by National Bank and used for its intended purpose.
- Privacy, ownership and intellectual property rights are to be respected at all times.
- Information may only be destroyed in accordance with National Bank's data destruction policy.
- All information assets are to be well maintained and treated with care.
- Any employee/contractor/supplier/3rd party or other affiliate who requires information they do not own that is classified confidential or higher by National Bank is required to sign a non-disclosure agreement.
- Damaged or stolen information/information assets must be reported to the relevant supervisor immediately.
- An end user agreement is prompted after login to inform the user what is and is not acceptable usage on the network; the user accepts the agreement by clicking "OK".

10.1 Email

- National Bank email accounts are not intended for personal use but may be used for this purpose.
- Emails may be monitored.
- Credit card details cannot be sent via email.
- Company login details/passwords cannot be sent via email.
- Email accounts require dual authentication for access.
- Do not open suspicious emails; report them to the ISO as soon as possible.
- Email accounts are to be used for business purposes only; misuse (e.g. harassment, bullying, criminal activity, non-compliance) of company email may result in disciplinary action.
- Emails are encrypted.
- Emails should not include confidential or secret information/attachments unless authorised by the data owner.

Email retention is as follows:

Category | Detail | Retention Period
Administrative | Company events, policy updates, task requests, reports etc. | 5 years (or longer depending on jurisdiction legislation)
Financial | Budgets, metrics, revenue, expenses, accounts. | 7 years (or longer depending on jurisdiction legislation)
General | Miscellaneous in nature. | 5 years (or longer depending on jurisdiction legislation)
Personal | Relevant only to the individual. | Retain until read
Security | Regarding breaches, incidents, cautions, evidence etc. | Retain until relevance is evaluated and the threat is mitigated/avoided.

Table 8 National Bank Email Retention

10.2 Internet Usage

- Use of the internet is deemed acceptable by National Bank to fulfil work duties.
- Communication via the internet may be monitored.
- Employees/contractors/suppliers/3rd parties and other affiliates may only access approved websites using company property.
- Any attempt to bypass security safeguards to access unauthorised sites may lead to disciplinary action.
- If access to an unauthorised website is required for business purposes, contact the local ISO for clearance.

10.3 Instant Messaging/Phone/Other Communications

- Communications sent and received by/to company property may be monitored.
- Information graded confidential or higher should not be sent over these platforms without data owner authorisation.
- Communication platforms should only be used for business purposes.
- Suspicious/unusual activity regarding these platforms must be reported to the local ISO.

10.4 SWIFT

When utilising the SWIFT payment and communication system, all employees/contractors must abide by all IT and information security policies/procedures put in place by National Bank as well as the terms and conditions of SWIFT. Failure to comply may result in disciplinary action.

10.5 Monitoring

National Bank may monitor incoming/outgoing activity on the network for the following reasons:

- Troubleshooting.
- Network security.
- Validate compliance with all relevant legislation/data protection laws/regulations/ISO 27001/20022/PCI DSS.
- Detect misuse of and non-compliance with National Bank policies, procedures, processes, legislation, data protection laws, regulations, ISO 27001, ISO 20022 and PCI DSS.
- Network performance, efficiency and availability.

10.6 Software

- Internally developed, open source or vendor software may only be used in accordance with the policies/processes and procedures as set out by National Bank, as well as the terms and conditions identified by the software owner.
- A register of all authorised software is maintained.
- A register of each device and its approved software is maintained, with its corresponding service licence agreement where applicable.
- All software downloads and installs will be conducted by the local IT department or by an approved third party where applicable.
- All software requests are to be processed by the local ISO via the Software Install, Update or Removal form (NBF001).
- New/updated software, both internal and vendor driven, must be tested on an isolated network and follow the Software Validation Procedure before live implementation.

10.7 Wireless Access Points All wireless access points require dual authentication.

All devices must be scanned, hardened and approved by the local IT department

before being granted wireless access rights.

All national Bank sites are prohibited from offering a public WIFI service.

The SSID shall be configured as to prohibit the exposure of information that will

identify the organisation such as the company name, username, division etc.

Version: 1.0 Page 30 of 69 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield

Page 36: Lee_Rock_20038860_GFIS_2016_CA2

10.8 Social Media Social media sites are prohibited at all times on company devices with the exception

of the marketing and BI departments for business case reasons.

Social media sites are to be blacklisted for all departments except marketing and BI.

Each user assumes responsibility for what they post on social media.

Employees/contractors of National Bank who engage in social media are prohibited

from using social media as a platform to exchange and transmit information classified

as confidential or higher in any respects.

Employees/contractors of National Bank who compromise the company, company’s

reputation, confidentiality, integrity, availability of company data may be subject to

disciplinary action lead up to dismissal and/or civil as well as criminal action where

applicable.

11.0 Passwords Passwords may not be written down or communicated electronically.

Users will be prompted to change passwords every 45 days.

Users who fail to change their passwords within 45 days will be automatically locked

out from the network requiring a password reset by the local IT department.

Passwords are not to be reused.

Passwords must be a minimum of 15 characters using at least one uppercase,

lowercase, number and special character.

As a means of best practice, one should create passwords as a random phrase or

combination of characters that is not easily guessed or ascertained such as birthdays,

names, hobbies, schools etc.

Each individual should not use the same password as authentication for different

logins.

Passwords must never be prompted to be AutoSaved on any application; this feature

must be disabled where possible.

Passwords are to be encrypted over the network.

History of previous passwords will be maintained to prevent reuse.

Version: 1.0 Page 31 of 69 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield

Page 37: Lee_Rock_20038860_GFIS_2016_CA2

Permanent lockout will initiate after 3 unsuccessful login attempts for all devices,

applications and systems, contact the relevant system owner, local IT department,

system administrator or local ISO for password reset.

Passwords may not by reset without proof of person.

It is imperative that all default passwords on any device, hardware, software or

application much be changed with the utmost urgency.
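The password rules above (15-character minimum with all four character classes, no personal details, no reuse, 45-day expiry, permanent lockout after 3 failures, reset only with proof of person) can be checked mechanically. The following Python is an added illustration and is not code from the National Bank framework: the history depth of 10 and the use of salted PBKDF2 digests for the stored history are assumptions of the example, and the account name and personal details are constructed.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

# Rules taken from the password policy (section 11.0).
MIN_LENGTH = 15
MAX_AGE = timedelta(days=45)
MAX_FAILED_ATTEMPTS = 3
# The policy keeps a password history but states no depth; 10 is an assumption.
HISTORY_DEPTH = 10
PBKDF2_ROUNDS = 100_000


def check_complexity(password, personal_info=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_info holds details such as names, birthdays or schools that the policy
    says a password must not be built from."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for hint in personal_info:
        if len(hint) >= 4 and hint.lower() in lowered:
            problems.append("contains personal information: " + hint)
    return problems


def _digest(password, salt):
    # The history stores salted PBKDF2 digests, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, personal_info=()):
        self.username = username
        self.personal_info = tuple(personal_info)
        self.history = []        # (salt, digest) pairs, most recent last
        self.changed_at = None   # datetime of the last password change
        self.failed_attempts = 0
        self.locked = False

    def _seen_before(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password, now):
        """Apply complexity and reuse rules; returns the violations (empty on success)."""
        problems = check_complexity(password, self.personal_info)
        if self._seen_before(password):
            problems.append("password was used before")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def authenticate(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad_password'."""
        if self.locked:
            return "locked"
        if self.changed_at is None or now - self.changed_at > MAX_AGE:
            # Not changed within 45 days: automatic lockout, reset by the IT department.
            self.locked = True
            return "expired"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True   # permanent lockout after 3 failures
        return "bad_password"

    def it_reset(self, new_password, now, proof_of_person):
        """Reset performed by the IT department; the policy requires proof of person."""
        if not proof_of_person:
            return ["proof of person required"]
        problems = self.set_password(new_password, now)
        if not problems:
            self.locked = False
            self.failed_attempts = 0
        return problems
```

The reuse check compares the candidate against every stored digest, so a reset by the IT department is held to the same history rule as a user-initiated change, and an expired password locks the account on the next login attempt rather than silently continuing to work.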

12.0 Network Security Layering
In order to optimise network security, National Bank undertakes a layered security approach under the assumption that no one mechanism can fully protect the network infrastructure. A multitude of security mechanisms are realised in order to disrupt/hinder/prevent any potential malicious attack whilst keeping network availability and performance at an optimum level. The diagram below provides a high level view of National Bank's layering approach.

Figure 5 Layered Security Approach, SANS Institute, Source: https://www.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805

National Bank's layered security approach includes:
Dual authentication for network access.
Firewalls (hardware, software and port level) by varying vendors.
Anti-virus, anti-malware, anti-spyware, popup blockers.
Patching.
Intrusion protection and detection systems by varying vendors.
Network segmentation through VLANs.
Encryption mechanisms throughout the network.
Hardening of devices.
DNS restriction.

12.1 Dual Authentication
Access to the network requires a username and password from any platform.
Access is only granted if the username and password match.
Permanent lockout occurs after 3 unsuccessful attempts and will require a reset by the local IT department.
Accounts may not be reset without proof of person.
In accordance with the password policy, accounts will receive an automatic lockout if the password is not changed within 45 days, requiring a reset by the local IT department.
Separate dual authentication is required to access the network from a wireless access point.
The local IT department will configure and register approved devices for wireless access to the network.

12.2 Firewalls
National Bank has deployed a firewall management system in order to control traffic to and from the network. The firewall management system consists of a mix of hardware and software mechanisms. National Bank employs multiple firewalls from different vendors. Firewall configurations differ from vendor to vendor, thus increasing the level of difficulty of penetrating the network. National Bank utilises the following firewall types (Blair and Durai, 2009):

12.2.1 Packet Filtering Firewalls
Packet filtering firewalls approve packet entry to the network by analysing the protocol, source and destination addresses, source/destination port numbers, differentiated services code point, type of service and other fields of the IP and transport headers.

12.2.2 Application/Proxy Firewalls
Application/proxy firewalls provide security at layer 7 of the OSI model. They act on behalf of a client, which adds an extra buffer against malicious attacks such as port scans. Service requests are sent to the proxy and the proxy opens a web connection on behalf of the client.

12.2.3 Packet Inspection Firewalls
Packet inspection firewalls operate at the session layer of the OSI model. They analyse session information such as protocols, new/existing connections, source and destination IP addresses, port numbers, IP checksums, sequence numbers and application-specific information, e.g. command and response conditions in Simple Mail Transfer Protocol (SMTP). The packet inspection firewall decides whether a packet is admissible to the network through a defined rule set. These firewalls have deep packet inspection, which has the ability to analyse the data portion of an IP packet and identify whether it is legitimate HTTP traffic.
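The packet filtering behaviour described in 12.2.1 (header fields matched against an ordered rule set, first match wins, anything unmatched dropped) is shown below in Python. This is an added example, not code from the framework or from any firewall vendor; the addresses (10.10.0.0/24 as the finance VLAN, 10.20.0.25 as the SMTP server, 10.20.0.80 as the web server), the rules and the sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                   # "tcp", "udp" or "icmp"
    src: str                        # source IP address
    dst: str                        # destination IP address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: int = 0                   # differentiated services code point (IP header)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    protocol: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None       # CIDR network; None matches any source
    dst: Optional[str] = None       # CIDR network; None matches any destination
    dst_port: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt):
        """A rule matches only if every field it specifies agrees with the packet header."""
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


class PacketFilter:
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.comment
        return "deny", "implicit default deny"


# Constructed rule set (addresses are assumptions, see the lead-in).
RULES = [
    Rule("allow", protocol="tcp", src="10.10.0.0/24", dst="10.20.0.25/32", dst_port=25,
         comment="finance VLAN to internal SMTP"),
    Rule("deny", protocol="tcp", dst="10.20.0.80/32", dst_port=80,
         comment="plain HTTP to the web server is not permitted"),
    Rule("allow", protocol="tcp", dst="10.20.0.80/32", dst_port=443,
         comment="HTTPS to the web server from anywhere"),
    Rule("allow", protocol="icmp", src="10.0.0.0/8", dst="10.0.0.0/8",
         comment="internal ICMP for troubleshooting"),
]
FIREWALL = PacketFilter(RULES)


def filter_packets(packets, firewall=FIREWALL):
    """Return the decision for each packet in order, as (action, comment) tuples."""
    return [firewall.decide(p) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "10.10.0.5", "10.20.0.25", 51000, 25),    # finance client to SMTP
    Packet("tcp", "10.10.0.5", "10.20.0.80", 51001, 443),   # finance client to HTTPS
    Packet("tcp", "203.0.113.9", "10.20.0.80", 40000, 80),  # external to plain HTTP
    Packet("tcp", "203.0.113.9", "10.20.0.25", 40001, 25),  # external to SMTP
    Packet("udp", "10.10.0.5", "10.20.0.25", 51002, 25),    # wrong protocol to SMTP
    Packet("icmp", "10.10.0.5", "10.20.0.25"),              # internal ping
]

if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(pkt.protocol, pkt.src, "->", pkt.dst, pkt.dst_port, action, "(%s)" % why)
```

Note that the external SMTP attempt and the UDP packet are dropped without any rule naming them: the implicit default deny is what makes the ordered list safe to extend, and the explicit deny for port 80 is placed before the broader allow so that the more specific decision is taken first.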

12.3 Antivirus, Antimalware, Antispyware and Popup Blockers
National Bank employs antivirus, antimalware and antispyware throughout the network to ensure protection from network disruption and stolen/compromised data, and daily scans are conducted across all sites. All end user devices, where applicable, are required to have antivirus protection. Macro auto-run upon opening an application has been disabled on all applicable devices, and JavaScript auto-run has also been disabled on all applicable devices, as a prevention mechanism against malicious code. Popup blockers are also enabled on all applicable devices. Popup blockers are enabled to ensure spam and sites with malicious code are blocked from appearing unless the user chooses to allow the popup. All anti-malware products must be purchased from an approved and trusted vendor.

12.4 Intrusion Protection System
National Bank has deployed intrusion protection systems which provide the following security functions (paloaltonetworks.com):
Alert the CISO and local ISO.
Discard the potentially malicious packets.
Block traffic from the alleged malicious source address.
Reset the connection.

12.5 Intrusion Detection System
Network intrusion detection systems have been placed throughout the network in order to monitor, gather, log and alert the CISO and local ISO of suspicious/malicious activity (sans.org).
Network benchmark metrics are set and updated when applicable by each local site in order to identify potential network irregularities.
Host based intrusion detection systems have also been deployed on devices to alert the user of a potential malicious attack (sans.org).

12.6 Patching
All system, software, operating system and application patching is to remain up to date.
The local IT department, or an approved authorised vendor where applicable, has the responsibility to maintain patch updates.

12.7 Network Segmentation
National Bank segments its network logically through the use of VLANs. Network devices (fat/thin clients, servers, etc.) are grouped logically via a VLAN. Devices on a particular VLAN can only communicate with other devices connected to that same VLAN. For example, a client on the finance VLAN cannot access the HR servers; this increases the security profile of the network as network segmentation aids the least privilege principle.

National Bank also employs Microsoft Active Directory in order to operate the principle of least privilege. Active Directory facilitates the creation, grouping and access rights of users or groups of users. Access rights can be assigned to files/folders/drives etc. for a specific user or group of users. For example, all users have access to the G drive, but only the Finance department can access the finance folder and only the Chief Financial Officer can access the CFO folder within the finance folder.
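Both halves of section 12.7 are deny-by-default decisions: a VLAN boundary that only an explicit exception crosses, and a folder tree whose access narrows as the path gets more specific. The Python below is an added example (not the framework's or Microsoft's code) that evaluates both against constructed data; the host names, group names and the ACL entries are assumptions, and the choice that a sub-folder's ACL narrows its parent's rather than replacing it is a design decision of this example.

```python
# Constructed host-to-VLAN table (names are assumptions).
VLAN_OF_HOST = {
    "fin-pc-01": "finance",
    "fin-srv-01": "finance",
    "hr-srv-01": "hr",
}

# Inter-VLAN exceptions a router/firewall would be configured to permit, as
# (source VLAN, destination VLAN) pairs. Empty by default: the page states that
# a device may only talk to devices on its own VLAN.
INTER_VLAN_ALLOW = set()


def vlan_can_communicate(src_host, dst_host, exceptions=INTER_VLAN_ALLOW):
    """Hosts communicate only within their VLAN unless an explicit exception
    exists; unknown hosts are denied."""
    src, dst = VLAN_OF_HOST.get(src_host), VLAN_OF_HOST.get(dst_host)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst) in exceptions


# Constructed stand-in for Active Directory group membership.
GROUPS_OF_USER = {
    "alice": {"Domain Users", "Finance", "CFO"},   # the CFO
    "bob": {"Domain Users", "Finance"},            # finance staff
    "carol": {"Domain Users", "HR"},               # HR staff
}

# Constructed folder ACL: path prefix -> groups allowed to read it. Mirrors the
# G drive example in section 12.7.
ACL = {
    "G:": {"Domain Users"},
    "G:/finance": {"Finance"},
    "G:/finance/cfo": {"CFO"},
}


def can_access(user, path, acl=ACL, groups_of_user=GROUPS_OF_USER):
    """Grant access only if the user holds a permitted group at every ACL'd level
    of the path (deny by default). Example design choice: a folder's ACL narrows
    its parent's rather than replacing it, so the CFO folder needs Domain Users,
    Finance and CFO all to agree."""
    groups = groups_of_user.get(user, set())
    parts = path.strip("/").split("/")
    checked_any = False
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        required = acl.get(prefix)
        if required is None:
            continue
        checked_any = True
        if not groups & required:
            return False
    return checked_any   # a path with no ACL entry at all is denied
```

Membership is checked per level rather than only at the deepest entry, so a user who is somehow in the CFO group but not in Finance would still be refused; that is the least-privilege reading of the example, and it is worth confirming that the real directory permissions behave the same way before relying on it.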

12.8 Encryption
National Bank employs a range of encryption methods where applicable in order to further secure the network and sensitive data. Common encryptions include (blackberry.com; techtarget.com; products.office.com; Henry, 2015):

Encryption Type | Description
Wi-Fi Encryption (IEEE 802.11) | For data in transit between a device and a wireless access point.
VPN Encryption | For data in transit between a device and a VPN server.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Encryption | For data in transit between a device and a content server, web server, or mail server.
Secure Shell (SSH) | Secure remote access to a device.
Microsoft Outlook Email Encryption | National Bank emails are encrypted via Microsoft Outlook email encryption.
VeraCrypt | File encryption software utilised by National Bank.
BitLocker Drive Encryption | Hard drive encryption.
Table 9 Encryption Types

Encryption protocols must be used to protect data in transmission.
Servers containing sensitive information such as credit card details, trading details, financial accounts, deposits etc. or information assets must have encryption mechanisms.
All emails require encryption.
All end user devices such as smart phones, tablets, fat clients, thin clients, laptops etc. must utilise hard drive encryption.
SWIFT payment and communication software is encrypted for secure transmission of data.

12.9 Hardening
Hardening is a concept of system security that limits the number of functions a system/device can perform. Removing unnecessary functions reduces the vulnerability surface of a system/device, thus in principle making it more secure. The hardening process is to be conducted by the local IT department. National Bank hardens all company devices where applicable; these devices include but are not limited to:
Routers.
Laptops.
Tablets.
Smartphones.
Printers and multifunctional devices.
Modems.
Servers.
Wireless access points.
Switches.
Gateways.
Hubs.
Intrusion protection/detection devices.
Firewall devices.
IP cameras.
Swipe access points.
Miscellaneous equipment such as ATMs, card terminals, kiosks where applicable.

12.9.1 Hardening Process
National Bank engages in the following hardening procedure:
Where applicable, reset the device to factory default.
Complete the installation based on vendor direction and requirements.
Remove all unnecessary software, applications and services.
Remove default configurations where applicable, such as usernames, passwords, IP addresses, etc.
Patch the system where applicable.
Conduct vulnerability scans.
Install and configure firewalls, antivirus, antimalware, antispyware and intrusion detection/protection systems where applicable.
Apply labelling where applicable.
Log and monitor the system/device.

Figure 6 Hardening Process, TechTarget, Source: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security

12.9.2 Hardening Requirements
Only authorised and relevant software may be installed.
All devices such as smartphones, tablets, servers, fat clients, thin clients, switches etc. will have default security configurations removed and replaced by the standards approved by National Bank.
Administrative access will only be assigned to applicable IT staff.
Antivirus, antimalware, firewalls and intrusion detection/protection systems must be installed on any device susceptible to malicious code attacks.
Antivirus, antimalware, firewalls and intrusion detection/protection systems must not be implemented with factory default security configurations.
All security protection software must be configured to automatically download updates and patches where applicable.
Unnecessary ports must be closed.
Vulnerability scanning will take place upon implementation and on a quarterly basis thereafter.
Patching of internal and vendor software/applications must be kept up to date.
Users are prompted to change passwords every 45 days.
BIOS passwords are applied to all devices.
The principle of least privilege must be applied.
Endpoint security mechanisms must be applied to applicable remote devices, servers and gateways (webopedia.com).

12.9.3 Hardening Checklist
National Bank utilises the following hardening checklist:

National Bank Security Hardening Form (NBF001)
Form fields: MAC Address | IP Address | Machine Name | Asset Tag | Administrator Name | Date
Checklist columns: Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std

Preparation and Installation
1 If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.
2 Consider using the Security Configuration Wizard to assist in hardening the host.

Service Packs and Hotfixes
3 Install the latest service packs and hotfixes from Microsoft.
4 Enable automatic notification of patch availability.

User Account Policies
5 Set minimum password length.
6 Enable password complexity requirements.
7 Do not store passwords using reversible encryption. (Default)
8 Configure account lockout policy.

User Rights Assignment
9 Restrict the ability to access this computer from the network to Administrators and Authenticated Users.
10 Do not grant any users the 'act as part of the operating system' right. (Default)
11 Restrict local logon access to Administrators.
12 Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.

Security Settings
13 Place the University warning banner in the Message Text for users attempting to log on.
14 Disallow users from creating and logging in with Microsoft accounts.
15 Disable the guest account. (Default)
16 Require Ctrl+Alt+Del for interactive logins. (Default)
17 Configure machine inactivity limit to protect idle interactive sessions.
18 Configure Microsoft Network Client to always digitally sign communications.
19 Configure Microsoft Network Client to digitally sign communications if server agrees. (Default)
20 Disable the sending of unencrypted passwords to third party SMB servers.
21 Configure Microsoft Network Server to always digitally sign communications.
22 Configure Microsoft Network Server to digitally sign communications if client agrees.

Network Access Controls
23 Disable anonymous SID/Name translation. (Default)
24 Do not allow anonymous enumeration of SAM accounts. (Default)
25 Do not allow anonymous enumeration of SAM accounts and shares.
26 Do not allow Everyone permissions to apply to anonymous users. (Default)
27 Do not allow any named pipes to be accessed anonymously.
28 Restrict anonymous access to named pipes and shares. (Default)
29 Do not allow any shares to be accessed anonymously.
30 Require the "Classic" sharing and security model for local accounts. (Default)

Network Security Settings
31 Allow Local System to use computer identity for NTLM.
32 Disable Local System NULL session fallback.
33 Configure allowable encryption types for Kerberos.
34 Do not store LAN Manager hash values.
35 Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM.
36 Enable the Windows Firewall in all profiles (domain, private, public). (Default)
37 Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default)

Active Directory Domain Member Security Settings
38 Digitally encrypt or sign secure channel data (always). (Default)
39 Digitally encrypt secure channel data (when possible). (Default)
40 Digitally sign secure channel data (when possible). (Default)
41 Require strong (Windows 2000 or later) session keys.
42 Configure the number of previous logons to cache.

Audit Policy Settings
43 Configure Account Logon audit policy.
44 Configure Account Management audit policy.
45 Configure Logon/Logoff audit policy.
46 Configure Policy Change audit policy.
47 Configure Privilege Use audit policy.

Event Log Settings
48 Configure Event Log retention method and size.
49 Configure log shipping (e.g. to Splunk).

Additional Security Protection
50 Disable or uninstall unused services.
51 Disable or delete unused users.
52 Configure User Rights to be as secure as possible.
53 Ensure all volumes are using the NTFS file system.
54 Configure file system permissions.
55 Configure registry permissions.
56 Disallow remote registry access if not required.

Additional Steps
57 Set the system date/time and configure it to synchronize against campus time servers.
58 Install and enable anti-virus software.
59 Install and enable anti-spyware software.
60 Configure anti-virus software to update daily.
61 Configure anti-spyware software to update daily.
62 Provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.
63 Install software to check the integrity of critical operating system files.
64 If RDP is utilized, set RDP connection encryption level to high.

Physical Security
65 Set a BIOS/firmware password to prevent alterations in system start up settings.
66 Disable automatic administrative logon to recovery console.
67 Do not allow the system to be shut down without having to log on. (Default)
68 Configure the device boot order to prevent unauthorized booting from alternate media.
69 Configure a screen-saver to lock the console's screen automatically if the host is left unattended.
Table 10 National Bank Security Hardening Form, University of Texas in Austin, Source: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist

12.10 DNS Restriction
The domain name system (DNS) resolves a website's domain name into an IP address so the correct webpage can be retrieved. When a website address is entered, the local hosts file is checked first to retrieve the IP address of that website. If the address can't be found in the local hosts file, a DNS server is queried. DNS hacking occurs when the IP address recorded for a website is changed in the DNS, so that the unsuspecting user is unknowingly directed to a potentially malicious site (Eli the Computer Guy, 2010). In order to combat this, National Bank employs a number of mechanisms:
National Bank configures its domain name system to block sites that are deemed unsafe or unnecessary (e.g. social media, adult sites, gambling sites, gaming sites etc.).
Access to the local hosts file by end users is restricted.
All blacklisted sites have their IP address changed to the IP address of National Bank's "Website Blocked, Contact IT" website.
National Bank does not use the public DNS of the internet service provider. National Bank employs a private DNS service (e.g. OpenDNS) that prevents the user from accessing malicious sites.
Local DNS is configured to allow both the marketing and BI departments to access social media sites.
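The resolution order and the controls listed in 12.10 (hosts file first, category blacklist answered with the "Website Blocked" address, department exceptions, then the private DNS service) are modelled in the Python below, together with a check of the hosts file against its approved contents, since an altered hosts entry is exactly the redirection the section warns about. This is an added example and not the framework's or OpenDNS's code: the sinkhole address 10.99.0.1, the domains, the category feed and the upstream answers are all constructed stand-ins.

```python
# Assumed address of National Bank's "Website Blocked, Contact IT" page.
SINKHOLE_IP = "10.99.0.1"

# Constructed hosts file content, as the resolver would read it from disk.
HOSTS_TEXT = """
# constructed sample
127.0.0.1     localhost
10.20.0.10    intranet.nationalbank.example
"""

# Constructed stand-in for the category feed of the private DNS service.
CATEGORY_OF_DOMAIN = {
    "social.example": "social_media",
    "casino.example": "gambling",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"social_media", "adult", "gambling", "gaming"}
# Section 12.10: marketing and BI may reach social media sites.
DEPARTMENT_EXCEPTIONS = {"marketing": {"social_media"}, "bi": {"social_media"}}

# Constructed stand-in for answers from the private (non-ISP) DNS service.
UPSTREAM_ANSWERS = {
    "social.example": "198.51.100.10",
    "casino.example": "198.51.100.20",
    "news.example": "198.51.100.30",
}


def parse_hosts(text):
    """Parse hosts-file syntax: an IP followed by one or more names, '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip   # a later duplicate overrides an earlier one
    return entries


def resolve(domain, department=None, hosts=None):
    """Resolve in the order the page describes: hosts file first, then category
    blocking (sinkhole), then the private DNS service. Returns (ip, reason)."""
    domain = domain.lower().rstrip(".")
    hosts = parse_hosts(HOSTS_TEXT) if hosts is None else hosts
    if domain in hosts:
        return hosts[domain], "hosts file"
    category = CATEGORY_OF_DOMAIN.get(domain)
    exempt = DEPARTMENT_EXCEPTIONS.get((department or "").lower(), set())
    if category in BLOCKED_CATEGORIES and category not in exempt:
        return SINKHOLE_IP, "blocked category: " + category
    ip = UPSTREAM_ANSWERS.get(domain)
    if ip is None:
        return None, "NXDOMAIN"
    return ip, "private DNS service"


def hosts_file_changes(hosts, expected):
    """Hosts entries are trusted before DNS, so an altered hosts file redirects users
    silently. Compare the file against the approved entries and return the names whose
    address differs or that should not be present at all."""
    return sorted(name for name, ip in hosts.items() if expected.get(name) != ip)
```

The department exception is applied per category, so marketing is still sent to the sinkhole for a gambling domain; and because the hosts file wins over every other step, the integrity comparison belongs in the same floor-audit or endpoint-monitoring routine that enforces the "access to the local hosts file is restricted" control.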

National Bank employs the following OpenDNS products/services to secure its DNS:

Product | Description
OpenDNS Security Graph | Automates protection from known and emerging threats using cross sectional and predictive analysis of global internet activity.
OpenDNS Global Network | Proven 100% uptime, enforces security policies with no added latency and covers any device.
OpenGraphiti | An interactive open source data visualisation engine. Used to analyse malware threats such as ransomware, CryptoLocker, CryptoDefense, botnets etc.
DNSCrypt | Mechanism that protects the "last mile" of the connection between a device and the internet service provider, preventing man in the middle and data snooping attacks.
CacheCheck | Allows a manual refresh of DNS caches and insight into DNS trends.
SmartCache | Allows access to downed websites, in particular when DNS nameserver outages occur.
IPv6 Sandbox | Allows the support of IPv6 addresses.
PhishTank | Suspected phishing attacks are entered and assessed/voted upon by other groups and individuals as to whether they are phishing attacks. When a phishing attack has been verified it is added to a feed that allows individuals to quickly find an attack and cross analyse it with their suspicions.
OpenDNS Domain Tagging | A people-powered Internet security system. Using the intelligence of the OpenDNS community (security researchers, academics, IT professionals), domains are submitted and tagged with a corresponding category such as gambling, social media, hate etc. The domain is verified and voted on for accuracy, then users can use the system to block these sites and/or categories from the network.
Table 11 OpenDNS Products and Services of National Bank. Source: https://www.opendns.com/about/innovations/

13.0 VPN
Employees/contractors must be approved to utilise VPN by the local ISO.
A record of each employee with the corresponding device(s) used for VPN must be maintained.
Approved VPN devices must receive appropriate hardening, encryption, and antivirus/antimalware software.
The VPN application may not be used on any unauthorised device such as a home computer.
Files stored on VPN devices with a classification of confidential or higher should be encrypted using VeraCrypt encryption software.

14.0 Information Security Audits
IT audits will be conducted by members of the local IT department. The local ISO will review and sign off each individual site audit.

14.1 Information Security Floor Audits
Information security floor audits are conducted on a weekly basis to ensure physical controls are adhered to, as well as highlighting any possible vulnerabilities. Minor non-conformances will be dealt with by the ISO. Major non-conformances must be reported to the CISO. Examples of conformances checked in floor audits include:
Monitors are locked when unattended.
Paper with information classed confidential or higher is not in plain sight.
Credit card details are not written down.
Paper with information classed confidential or higher is disposed of in the secure bins, not ordinary rubbish bins.
IP cameras are functioning.
Swipe access is functioning.
Tailgating is not observed.
Employee/contractor/visitor identification cards are clearly visible on their person.
The face of monitors cannot be seen through doors or windows.
Areas with sensitive information or information assets remain closed.
Rooms with sensitive information or information assets remain locked when unattended.
Cabinets and other storage components with information classified confidential or higher remain locked.
Employees/contractors and applicable 3rd parties have an awareness of information security policies/processes and procedures and where these documents are located.
Food and drink are not located near sensitive equipment.
Unauthorised devices are not found.
All authorised devices are appropriately labelled.
Information and information assets are appropriately labelled.
Random password entry does not grant access.

14.2 Information Security Documentation Audits
Processes and procedures are audited on a quarterly basis by the local ISO to ensure that these processes and procedures comply with applicable information security protocols, policies and procedures.
The CISO will review all information security related documentation annually to ensure documentation is updated in adherence with industry, compliance, regulation and legal requirements.

14.3 System Audits
System audits are to be conducted by the system owner on a quarterly basis to ensure all systems maintain compliance with the information security policies, procedures and processes.

14.4 Benchmarking
Each local IT department is responsible for analysing network and system metrics to identify daily usage of systems, network applications, servers, outgoing and incoming traffic etc. on a periodic basis. Abnormal traffic levels may be a sign of a malicious attack. Any levels significantly above or below the benchmark must be investigated.
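Section 14.4 (and the benchmark metrics mentioned under 12.5) leaves "significantly above or below the benchmark" undefined. The Python below is an added example, not part of the framework, of one way a local IT department could make that concrete: a baseline mean and standard deviation from recent daily readings, with a reading flagged when it lies more than three standard deviations away. The three-sigma limit, the 5% minimum band that stops a perfectly flat history from flagging trivial changes, and the two-week history figures are all assumptions constructed for the example.

```python
import statistics

# Assumptions of this example: a reading is abnormal when it lies more than
# SIGMA_LIMIT standard deviations from the baseline mean, and the band is never
# narrower than MIN_BAND of the mean so a perfectly flat history does not flag noise.
SIGMA_LIMIT = 3.0
MIN_BAND = 0.05


def baseline(samples):
    """Mean and standard deviation of the historical readings (at least two required)."""
    if len(samples) < 2:
        raise ValueError("need at least two historical readings")
    return statistics.mean(samples), statistics.stdev(samples)


def classify(value, mean, stdev):
    """Return 'normal', 'above' or 'below' relative to the benchmark band."""
    sigma = max(stdev, MIN_BAND * abs(mean))
    if value > mean + SIGMA_LIMIT * sigma:
        return "above"
    if value < mean - SIGMA_LIMIT * sigma:
        return "below"
    return "normal"


def find_anomalies(history, today):
    """history: metric -> list of past daily readings; today: metric -> latest reading.
    Returns the metrics that must be investigated, with their status."""
    findings = {}
    for metric, value in today.items():
        mean, stdev = baseline(history[metric])
        status = classify(value, mean, stdev)
        if status != "normal":
            findings[metric] = status
    return findings


# Constructed two-week history (daily totals) and one constructed day of readings.
HISTORY = {
    "outbound_gb": [120, 118, 125, 122, 119, 121, 123, 117, 124, 120, 122, 119, 121, 123],
    "failed_logins": [12, 15, 9, 14, 11, 13, 10, 12, 14, 11, 13, 12, 10, 14],
    "vpn_sessions": [40] * 14,
}
TODAY = {"outbound_gb": 180, "failed_logins": 13, "vpn_sessions": 20}

if __name__ == "__main__":
    print(find_anomalies(HISTORY, TODAY))
```

A drop is reported as well as a rise, because the section asks for levels significantly below the benchmark to be investigated too (a VPN concentrator or logging pipeline that has silently stopped is a finding, not good news). The history should be refreshed only with readings that were themselves judged normal, otherwise an ongoing incident gradually becomes the baseline.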

Version: 1.0 Page 52 of 69 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield

Page 58: Lee_Rock_20038860_GFIS_2016_CA2

15.0 PEN Testing Both internal and external penetration testing is conducted on an annual basis to find potential

vulnerabilities in the network. Results of PEN testing will be reviewed by the local ISO.

Major issues are to be reported to the CISO from PEN testing includes but is not limited to:

Attempted unauthorised access through wireless access points.

Physical access through social engineering techniques, opportunism and mock

intrusions.

Simulated malicious code attack.

Simulated emails sent to employees/contractors with spam and click bait.

Internal hacking attempts.

Password cracking.

Social engineering to manipulate individuals to provide access to sensitive

information.

16.0 Applicant Screening and Processing All applicants are required to undergo a background check.

The interviewer is required to ask competency based and scenario based questions

regarding information security.

Qualifications and certifications are to be verified for reputable prestige and sincerity.

Successful candidates are required to sign a non-disclosure agreement in which its

requirements extend post-employment/contract.

Successful candidates are required to read the applicable information security policies

and sign off on these policies as proof of comprehension.

Successful candidates are required to undergo information security training during

induction.

17.0 Post-Employment An exit interview is to be conducted by the individual’s applicable supervisor,

superior or HR, to inform the individual of their information security responsibilities

post-employment.

All company devices and property are to be returned before or during the exit

interview.

Version: 1.0 Page 53 of 69 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield

Page 59: Lee_Rock_20038860_GFIS_2016_CA2

Returned devices are to be scanned for relevant information and wiped where

applicable.

Devices may be reused or disposed of where applicable.

The individual’s logins, passwords in and access credentials are to be

decommissioned within one hour of exit.

18.0 Electronic Data TransferTransfer, download, upload or any other communication of information classified as

confidential or higher must be treated with great caution and strictly controlled.

18.1 Printing Information printed classified as confidential or higher must be watermarked

appropriately.

Information printed classified as confidential or higher must be sent to the

individual’s print box where login credentials are required at the printer to print.

Any unattended paper in the vicinity of a printer marked confidential or higher must

be disposed of in the secure paper bins.

18.2 Physical Documentation

- When unused, physical documentation should be laid face down.
- Any physical documentation with information classed as confidential or higher must have the appropriate watermark.
- When unattended, physical documentation with information classified as confidential or higher must be stored in a locked cabinet or similar secure storage area.
- Any unattended visible physical documentation labelled confidential or higher must be disposed of in the secure bins provided.

18.3 Paper Disposal

- Secure bins are provided throughout the premises of National Bank sites.
- Shredders are also provided throughout the premises of National Bank sites.
- Paper containing information classified as confidential or higher should be shredded and then disposed of in the secure bins provided.
- A trusted and vetted 3rd party removes the contents of the secure bins on a periodic basis for further disposal.


18.4 Electronic Media Disposal and Reuse

- Any device returned to the IT department for disposal or reuse must be treated as if it contains information classified confidential or higher.
- Any device applicable for reuse or disposal must be signed off by the asset owner.
- Devices will be searched for any relevant information that is still required by the company where applicable.
- Devices will be wiped.
- The device hard drive will be destroyed on site.
- If the device is being reused, the hard drive will be replaced and the device re-hardened where applicable.
- If the device is being disposed of, it will be removed by a vetted and trusted third party vendor.
- A certificate of destruction must be issued by the vendor.
- All devices awaiting use, reuse or disposal must be kept in a secure locked environment with restricted access rights.

18.5 Data Retention

- All company financial information is required to be kept for a period of 6 years in accordance with Irish legislation (Revenue.ie). National Bank will hold all financial information for a period of 7 years or longer depending on the local jurisdictional legislation in which sites operate.
- Customer and client data is kept indefinitely and stored in the company data warehouse, but changes such as name, addresses, errors etc. may be made with the permission of the data owner.
- All other business information is to be kept as long as necessary in compliance with the Irish Data Protection Act 2003 (dataprotection.ie) or longer depending on jurisdictional legislation.

19.0 Security Breach Procedure

Security breaches can have a significant impact on the business and its daily operations, thus all breaches must be treated with caution irrespective of intent. Some breaches may not be malicious in nature (e.g. human error) but can still compromise the availability/confidentiality/integrity of the network and the information stored on the network. The main types of breaches include (omnisecu.com):

Passive
  Description: May or may not be malicious in nature, depending on the intent of the attacker (i.e. the attacker could be monitoring the wrong company). Difficult to detect as the attacker is not actively trying to breach and penetrate the network.
  Example: Packet sniffing, eavesdropping, data snooping, man in the middle, reconnaissance.
  Prevention: Network and communication encryption, antispyware.

Active
  Description: The attacker is actively trying to penetrate and target the network. More easily detected as the malicious user is sending traffic.
  Example: Malicious code (virus, Trojan, worm).
  Prevention: Firewalls, IDS, IPS from different vendors, antivirus, antimalware from different vendors with default configurations removed.

Close in
  Description: A physical attack on the network.
  Example: Breaking and entering to steal/destroy data and/or equipment.
  Prevention: National Bank has applied physical controls (sections 8 and 9 of this document).

Insider
  Description: An attack conducted by an employee/contractor within the organisation.
  Example: Stealing/deleting information, malicious code.
  Prevention: Recruitment procedure, training, principle of least privilege applied, restricted physical and electronic access rights, physical controls (sections 8 and 9 of this document).

Distribution
  Description: Network penetration and attacks using backdoors from hardware and/or software.
  Example: Using a back door or bug in hardware or internal/vendor driven software to gain access to the network.
  Prevention: Vendor information security audits, patching, PEN testing, software testing and validation requirements.

Table 12 Breach Types

An incident that penetrates network defences (firewalls/IPS/antivirus) and gains access to the internal network where sensitive information is stored is classified as a breach. In the event of a breach the following actions should be taken:

19.1 Notification and Reporting

- Any suspected information security breach, physical, electronic, internal or external, must be reported to the local ISO; once dealt with, the CISO is to be notified.
- In severe or escalating cases the CISO is to be notified by the local ISO with immediate effect.


19.2 Physical Breach

- In the event of a physical breach all employees/contractors are to evacuate the area of attack and move to a secure protected area.
- Site security guards will initiate the lockdown procedure and quarantine the area of attack.
- Appropriate authorities will be contacted.
- Entry to and egress from the site is not permitted until the attack is neutralised.
- Where a threat to life becomes a reality, the evacuation procedure should be executed where plausible.
- All employees, contractors, third parties, affiliates etc. who witnessed the event are obliged to comply with the requests of the authorities.
- All evidence applicable to the incident is to be handed over to the relevant authorities.
- The local ISO is responsible for ensuring no unnecessary information classified confidential or higher is handed over to the authorities unless it is applicable to the incident.
- Where data with a classification of confidential or higher is compromised due to the event, the data owner(s) must be notified.
- An internal investigation led by the local ISO will be conducted to review possible breakdowns in policy/procedures/processes that led to the event and provide recommendations to the CISO for possible areas of improvement. Performance on how the event was handled will also be reviewed as part of a continuous learning process. External consultants approved by the CISO may also be utilised where applicable.

19.3 Electronic Breach

- In the event of a malicious electronic attack the local ISO is to be notified with immediate effect.
- If applicable, a screenshot of the event should be saved and stored as evidence.
- Infected devices are to be removed from the network and isolated in a separate quarantined network environment.
- Identify the type of attack.
- Scan the local network and ensure all infected devices are removed.
- Alert the CISO of the attack.


- The CISO will alert other sites to be wary of this attack and ensure network defences are appropriately updated.
- If plausible, try to remove the attack without wiping the device.
- If plausible, try to remove sensitive information/data/applications that are not infected from the device.
- Once/if sensitive and business critical information/applications are recovered, wipe the device, re-install applications, and perform the data recovery and backup process.
- Re-harden and update the device.
- Scan the network to ensure the threat is removed.
- Where data with a classification of confidential or higher is compromised due to the event, the data owner(s) must be notified.
- An internal investigation led by the local ISO will be conducted to review possible breakdowns in policy/procedures/processes that led to the event and provide recommendations to the CISO for possible areas of improvement. Performance on how the event was handled will also be reviewed as part of a continuous learning process. External consultants approved by the CISO may also be utilised where applicable.
- Where applicable, evidence collected that may lead to the apprehension of the malicious attackers may be handed over to the relevant authorities upon prior approval of the CISO.

20.0 Vendor Security

- All vendors are required to sign a non-disclosure agreement.
- Vendors are required to complete a vendor information security form detailing any compliance certification as well as a synopsis of their information security protocols.
- Vendors must comply with all security documentation/policies/processes/procedures set out by National Bank and sign an agreement of compliance.
- Vendors are subject to an information security audit.
- A local site register of all IT equipment is maintained along with the location and label identification tag of each equipment piece. Vendor details such as company, price, date of purchase, sales person and vendor contact details are also maintained.


21.0 Contingency Plans

National Bank utilises contingency plans in order to ensure the organisation can maintain operations and recover from a negative event to operational capacity.

21.1 Data Backup Plan

- The local ISO is responsible for liaising with site departments to identify the appropriate files, systems and applications that are mission critical and thus are required to be backed up.
- The local ISO is responsible for ensuring all site data is backed up in accordance with all data protection laws and regulations within their respective jurisdiction.
- It is the responsibility of the local department head to inform the local ISO when a new file/system/application is applicable for backup.
- A site registry of all files/systems/applications applicable for backup is maintained.
- National Bank performs daily backups of the information it holds to ensure continuity and redundancy of the data.
- All sites have local backup servers.
- All site servers are also backed up to an alternative site within the organisation, ensuring the necessary redundancy in times of crisis.
- Each site maintains tape backups which are stored in a secured environment until pickup.
- Each site stores its tapes in an offsite undisclosed location which is updated on a weekly basis.
- Ghost images are taken of all devices by the local IT department and updated on a periodic basis.
- Systems undergo periodic backups.
- The following are applicable for backup:
  o Databases
  o Data warehouses
  o Hardware configurations
  o Software configurations
  o Files
  o Operating systems


  o Software (where applicable)
  o User configurations
  o Systems and system configurations
  o All information
- Server and tape backups are tested on a periodic basis to ensure all relevant items have been backed up.
- All systems are to undergo restoration testing in a simulated network environment isolated from the live network on an annual basis.
- All server backups are retained for a period of 30 days. Some may be kept longer with the approval of the local ISO.
- All tapes are retained for a period of 7 years. Some may be kept longer with the approval of the local ISO.

21.2 Business Continuity

National Bank employs a business continuity plan to ensure the continuation of business operations in the event of a mission critical scenario taking place. The objective of the business continuity plan is to minimise downtime and optimise operations when a disruption to the organisation occurs. The table below classifies incidents and the appropriate action an employee/contractor should take in the event of an incident type occurring.

21.2.1 Incident Classification

Minor
  Example: Device malfunction, small leakage.
  Description: A small inconvenience to the organisation; has no impact on day to day operations.
  Response: Report to local ISO/IT Department.

Medium
  Example: Physical/electronic breach of the network but no information compromised, system malfunction.
  Description: An incident that will have a small impact on day to day operations but the business is still able to function at relatively strong capacity.
  Response: Report to local ISO/IT Department.

Major
  Example: Serious information security breach, fire, flood, short term power outage, lack of internet access for a short period of time.
  Description: A significant event in which a major disruption to the network and day to day operations is caused.
  Response: Contact local ISO/CISO, emergency services and relevant 3rd parties where applicable.

Critical
  Example: Collapse of the network, long term power/internet outage, security breach where large volumes of highly sensitive information are compromised.
  Description: Mission critical event that severely impacts day to day operations and causes a huge disruption to the network. Operations are very limited.
  Response: Contact local ISO/CISO, emergency services and relevant 3rd parties where applicable.

Table 13 Business Continuity Plan Incident Classification

21.2.2 Business Continuity Process

- Notification and description of the incident.
- Classify the severity of the incident.
- Identify the risk owner.
- Assemble the Business Continuity Management Team.
- Enact the business continuity plan.
- Prepare data recovery and network restoration procedures.
- Communicate the situation across the organisation.
- Inform data owners if information has been compromised.
- Provide funding, resources and support to enable recovery.
- Monitor progress and make changes if necessary.
- Internal review of the event regarding the plan and the performance of its execution. Identify the weaknesses and strengths of each as part of continuous learning and update the plan to respond more efficiently to a similar event if applicable.


21.2.3 Testing

The business continuity plan will be tested annually by the Business Continuity Management Team. Critical applications of the plan will be tested on a quarterly basis. All testing will involve scenario cases in order to fully monitor the effectiveness of the plan. Case scenario testing can be live testing or script readings where applicable.

21.2.4 Business Continuity Lifecycle

National Bank undergoes the following business continuity lifecycle:

- Regular risk assessments.
- Regular business impact analysis.
- Strategy (risk treatment) and develop/update business continuity plan.
- Train and maintain.
- Monitor and measure.
- Repeat.

Figure 7 Business Continuity Lifecycle. Source: http://www.eci.com/products-services/business-availability/business-continuity.html

21.2.5 Mechanisms to ensure continuity

National Bank has employed the following mechanisms to ensure continuity of the organisation:


- Uninterruptible power supplies and backup generators are deployed at all sites.
- A sprinkler system is in operation at all sites.
- Fire gas suppression is in operation in areas with mission sensitive equipment such as the comms rooms at all sites. Fire water suppression systems are deployed in areas that do not contain mission sensitive equipment.
- Portable carbon dioxide, foam and water fire extinguishers are deployed across all sites in areas where potential fire hazards may occur.
- Multiple cable connections to the authorised electricity provider, telecommunications provider and internet service provider are in place across all sites.
- An air cleaning and ventilation system is in place at all sites.
- A register of all relevant authorities and emergency services for each site is maintained.
- Fire doors are in place at all sites.
- Cross duty training is encouraged by National Bank to ensure departments are able to sustain operations in the event of the loss of key personnel.
- Contingency reserves are in place and reviewed annually by the board of directors.
- An inventory of spare hardware is maintained across all sites.
- National Bank employs backup hardware such as super computers, servers etc., creating the necessary redundancy to automatically take over from the failing/failed equipment.
- Data is backed up on local servers, on backup servers in an alternative site and through physical tapes stored in an undisclosed location, ensuring the necessary redundancy in the event of a crisis.
- All sites are configured to have the capacity to take over, or at least partially take over, operations of another site in the event of a site network disruption/failure/loss in order to minimise damage.

21.3 Disaster Recovery Plan

National Bank's disaster recovery plan will operate parallel to its business continuity plan. National Bank's disaster recovery plan incorporates the same goals and objectives as the business continuity plan. The main aim of the plan is to restore the organisation to full operational capacity in the most efficient time and method possible. Examples of disasters include but are not limited to:


- Extreme weather.
- Severe fire/flooding.
- Terrorism.
- Prolonged power outage.
- System failure.
- Data loss.

21.3.1 Disaster Recovery Action Plans

- Each local ISO is responsible for the creation of site specific disaster recovery plans.
- Each local ISO is responsible for ensuring that disaster recovery plans are tested and updated on an annual basis or as part of a continuous learning process post event.
- A directory of case scenarios for disaster recovery is maintained on Documentum, consisting of theoretical and past events as well as relevant current news events.
- Local ISOs must identify which events are applicable to their respective site and provide a rationale for inapplicable events.
- The CISO is responsible for ensuring that each site has completed satisfactory planning for disaster recovery.
- Local ISOs can update the directory but submissions must be approved by the CISO.
- All disaster recovery plans must be completed on form NBF002 and approved by the CISO.
- Both a hard and a soft copy of the plan are to be maintained.

Disaster Recovery Action Plan 1

Previous Revision:
Previously Revised By:
Last Revised:
Revised by:
Site:
Plan Owner:
System:
System Owner:
System Administrators:

Equipment inventory (one row per item): Equipment, Location, Tag, IP Address, DNS Entry, Memory, CPU, Vendor Details, Model, Power Wattage, Applications, Cable Tag, VLAN, Description, Other

Colocation Site:
System Backup Procedure:
Data Backup Procedure:
Information Classification:
Critical Hardware List to Restore System to Operational Capacity:
Critical Software List to Restore System to Operational Capacity:
Critical Files that Require Recovery:
Other Files that Require Recovery:
Directories that Require Recovery:
Critical Business Functions the System Supports:

Scenario 1
Scenario 1 Description
Recovery Action Plan for Scenario 1

Recovery Plan Contact List (one row per contact): Name, Position, Location, Office Location, Mobile, Office Phone, Email, Instant Messaging Name

Table 14 Disaster Recovery Plan Form (Kirvan, 2009)

21.3.2 Disaster Recovery Process

National Bank's disaster recovery process is as follows:

- Event is reported.
- Business continuity management team assembles.
- Severity of event is analysed.
- Continuity procedure is initiated.
- Continuity procedure is monitored.
- Identify the accurate or nearest accurate disaster recovery plan.
- Initiate the disaster recovery plan.
- Initiate system restoration and data backup procedures.
- The business continuity management team must ensure proper and efficient allocation of resources during the recovery process.
- Recovery process is monitored and changes made accordingly.
- Systems and data undergo verification and validation testing.
- Systems are monitored for an applicable period of time until there is certainty the situation is stabilised.


21.3.3 Testing

In conjunction with the business continuity plan, the disaster recovery plan is tested on an annual basis in a case scenario format to ensure its effectiveness. Case scenario testing can be live testing or script readings where applicable.

22.0 Quantifying Network Disruption

National Bank is a large global financial entity which runs on information and data. Any event that disrupts the flow of information can have serious consequences for the organisation, as 95% of our operations are conducted in an online environment. The organisation can sustain partial network disruption. A full network outage would be detrimental to the organisation. For every minute the network is down, or even partially down, costs to the company increase on an exponential basis with each passing minute.

23.0 Ethical Behaviour

National Bank regards itself as a socially responsible company; its policies, processes and procedures are drafted around acting responsibly and in the best interest of all of the organisation's stakeholders. National Bank expects all employees/contractors to act in an ethical manner, fulfilling their duties and not compromising the integrity of the organisation by conducting or engaging in malpractice. National Bank expects its employees/contractors to report any dubious, negligent or malicious behaviour to the appropriate employee, and for all reports to be handled with respect and urgency to ensure the confidentiality/availability/integrity of the information the organisation holds, as well as its information assets, are not compromised. National Bank aims to achieve information assurance through a strong information security aware culture, up to date documentation, processes and equipment.

24.0 Governance

The National Bank board of directors is deeply committed to achieving information assurance and to protecting the confidentiality/availability/integrity of the information and information assets held by National Bank. The board will conduct an annual review of all information security documentation and seek counsel from the CISO on all information security related matters. The board is committed to ensuring adequate resources and funding are allocated to information and network security. The board urges all employees, contractors and affiliates to ensure that all policies/processes/procedures are carried out bearing the security of the organisation and data owner in mind.

25.0 Sign Off

Name: Lee Rock; Title: CISO; Version: V1.0; Date: 13/03/2016; Signature:
Name: Michael Caufield; Title: CEO; Version: V1.0; Date: 13/03/2016; Signature:

Table 15 Sign Off


References

Barker, W. C., Evans, D. L., Bond, J. P. and Bement, A. L. (2003), ‘Guideline for Identifying an Information System as a National Security System’, National Institute of Standards and Technology, Special Publication 800-59, [Accessed Online: 29th of February 2016], Available From: http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf

Blair, R. and Durai, A. (2009), ‘Chapter 1: Types of Firewalls’, Cisco Press, Network World, [Accessed Online: 06th of March 2016], Available From: http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

blackberry.com, ‘Types of encryption used for communication between devices and your resources’, [Accessed Online: 06th of March 2016], Available From: https://help.blackberry.com/en/bes12/12.1/security/ake1381945720424B.html

Chia, T. (2012), ‘Confidentiality, Integrity, Availability: The three components of the CIA Triad’, IT Security Information Blog, [Accessed Online: 06th of March 2016], Available From: http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/

cryptome.org, ‘Fundamental Security Concepts’, [Accessed Online: 15th of March 2016], Available From: https://cryptome.org/2013/09/infosecurity-cert.pdf

Dataprotection.ie, ‘Law On Data Protection’, [Accessed Online: 15th of March 2016], Available From: https://www.dataprotection.ie/docs/Law-On-Data-Protection/m/795.htm

Dumbravă, V. and Iacob, V. S. (2013), ‘Using Probability – Impact Matrix in Analysis and Risk Assessment Projects’, Journal of Knowledge Management, Economics and Information Technology, [Accessed Online: 09th of February 2016], Available From: http://www.scientificpapers.org/wp-content/files/07_Dumbrava_Iacob-USING_PROBABILITY__IMPACT_MATRIX_IN__ANALYSIS_AND_RISK_ASSESSMENT_PROJECTS.pdf

Eli the Computer Guy (2010), ‘DNS hacking’, youtube.com, [Accessed Online: 16th of March 2016], Available From: https://www.youtube.com/watch?v=zRysni9ND2w

Enterprise Content Management, ‘Documentum’, [Accessed Online: 2nd of March 2016], Available From: http://www.emc.com/enterprise-content-management/documentum/index.htm

Eci.com, ‘Eze Business Continuity Planning’, [Accessed Online: 13th of March 2016], Available From: http://www.eci.com/products-services/business-availability/business-continuity.html

Griffin, J. D. (2016a), ‘Lecture05 – OS Security’, Class Notes

Griffin, J. D. (2016b), ‘Lecture06 – IS Security Design Principles’, Class Notes

Henry, A. (2015), ‘Five Best File Encryption Tools’, Lifehacker.com, [Accessed Online: 06th of March 2016], Available From: http://lifehacker.com/five-best-file-encryption-tools-5677725

Hibbard, E. A. (2009), ‘Introduction to Information Assurance’, Storage Networking Industry Association, [Accessed Online: 06th of March 2016], Available From: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

IATF (2002), ‘The Information Systems Security Engineering Process’, IATF Release 3.1, September 2002, [Accessed Online: 06th of March 2016], Available From: http://webcache.googleusercontent.com/search?q=cache:SqBjZ3OcN7IJ:trygstad.rice.iit.edu:8000/Policies%2520%26%2520Tools/InformationAssuranceTechnicalFramework3.1/ch03TheInformationSystemsSecurityEngineeringProcess.doc+&cd=2&hl=en&ct=clnk&gl=ie

Information Shield, ‘Information Security Policy’, [Accessed Online: 01st of March 2016], Available From: http://www.informationshield.com/ispme_contents.html

Kirvan, P. (2009), ‘IT Disaster Recovery Plan Template’, SearchDisasterRecovery.com, TechTarget, [Accessed Online: 06th of April 2016], Available From: http://searchdisasterrecovery.techtarget.com/feature/IT-disaster-recovery-DR-plan-template-A-free-download-and-guide

mindtools.com, ‘Risk Impact/Probability Chart, Learning to Prioritize Risks’, [Accessed Online: 09th of February 2016], Available From: https://www.mindtools.com/pages/article/newPPM_78.htm

National Security Agency (2015), ‘Defense in Depth, A practical strategy for achieving Information Assurance in today’s highly networked environments’, [Accessed Online: 29th of February 2016], Available From: https://www.nsa.gov/ia/_files/support/defenseindepth.pdf

omnisecu.com, ‘Different Classes of Network attacks and how to defend them’, [Accessed Online: 06th of March 2016], Available From: http://www.omnisecu.com/ccna-security/different-classes-of-network-attacks-and-how-to-defend-them.php

OpenDNS.com, ‘OpenDNS Innovations’, [Accessed Online: 16th of March 2016], Available From: https://www.opendns.com/about/innovations/

paloaltonetworks.com, ‘What is an intrusion prevention system?’, [Accessed Online: 29th of February 2016], Available From: https://www.paloaltonetworks.com/documentation/glossary/what-is-an-intrusion-prevention-system-ips

Perrin, C. (2008), ‘Understanding Layered Security and Defense in Depth’, Tech Republic, [Accessed Online: 01st of March 2016], Available From: http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/

products.office.com, ‘Office 365 Message Encryption’, [Accessed Online: 06th of March 2016], Available From: https://products.office.com/en-us/exchange/office-365-message-encryption

Revenue.ie, ‘Keeping Records and Revenue Audit’, [Accessed Online: 15th of March 2016], Available From: http://www.revenue.ie/en/business/running/keeping-records-revenue-audit.html

Rhubart, B. (2011), ‘Rationalization and Defense in Depth - Two Steps Closer to the Clouds’, Slide 5, [Accessed Online: 29th of February 2016], Available From: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds

SANS Institute (2001), ‘Defense In Depth’, [Accessed Online: 29th of February 2016], Available From: https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525

SANS.org, ‘Intrusion Detection FAQ: What is Intrusion Detection?’, [Accessed Online: 06th of March 2016], Available From: https://www.sans.org/security-resources/idfaq/what_is_id.php

techtarget.com, ‘Secure Shell (SSH)’, [Accessed Online: 06th of March 2016], Available From: http://searchsecurity.techtarget.com/definition/Secure-Shell

techtarget.com, ‘The Basics of Information Security’, [Accessed Online: 07th of March 2016], Available From: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security

University of Texas in Austin, ‘Information Security Office’, [Accessed Online: 07th of March 2016], Available From: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist

Webopedia.com, ‘endpoint security’, [Accessed Online: 07th of March 2016], Available From: http://www.webopedia.com/TERM/E/endpoint_security.html

Willett, K. D. (2008), ‘Information Assurance Architecture’, CRC Press, ISBN 978-0-8493-8067-9


Appendix 1

The following table synopsises the security mechanisms implemented in order to prevent and mitigate the potential threats and vulnerabilities discovered in National Bank's Network Architecture and Potential Vulnerability Report of 2016. Each entry lists the threat/vulnerability followed by its prevention/mitigation.

Malicious Code: Antivirus, antimalware, multiple firewalls from different vendors, intrusion detection and protection systems, pop up blockers, blacklisted sites/DNS restriction, devices hardened, internet usage policies, policies and procedures relating to software installation, network patching, network segmentation, security breach procedure, business continuity and disaster recovery plans, PEN testing.

Transmission Interception: Transmission encryption, communication procedures.

Denial of Service: Multiple lines to internet service provider, business continuity and disaster recovery plans, ability to lease extra bandwidth from internet service provider.

Phishing: Induction and annual information security training, pop up blocker, spam and junk mail algorithms, firewalls, antivirus, antispyware, communication encryption.

Physical Access Intrusion: Security guards, security breach procedure, IP cameras, restricted physical and electronic access (principle of least privilege), induction and annual information security training, employee/contractor processes and precautions.

Process and Policy Vulnerabilities: Continuous learning, external/internal reports after significant events and update of policies/processes/procedures where applicable, annual review of all documentation to ensure policies/processes/procedures are updated accordingly, internal audits.

Social Engineering: Induction and annual information security training, information handling procedures.

Human Incompetence and Negligence: Induction and annual information security training, information handling procedures, restricted electronic and physical access, non-disclosure agreements, acceptable usage policy, social media policy, defined roles and responsibilities, HR background and qualification checks, dual authentication on systems, internal audits.

Acts of God: Backup servers and tapes, business continuity and disaster recovery plan.

Poor Vendor Security, Service and Quality: Vendor vetting, vendor audits, non-disclosure and information security acceptance agreement, equipment and software testing before live implementation.