National Bank
Information Security Framework Document V.1.0
Name: Lee Rock
Student Number: 20038860
Department: Department of Graduate Business
Course: MSc in Global Financial Information Systems
Module: Global Financial Information System Security, Continuity and Ethics
Presented To: Mr Joseph Griffin
Assignment 2 of 2
I firmly declare that this assignment was completed of my own accord and to the best of my abilities, in accordance with the plagiarism regulations and in line with the standards of academia set out by Waterford Institute of Technology.
Signature:______________________________ Date:__________________________________
Contents
1.0 Introduction.....................................................................................................................................1
1.1 Information Assurance................................................................................................................1
1.2 Defence in Depth.........................................................................................................................2
1.3 Information Security Systems Engineering Process.....................................................................3
1.4 Network Security.........................................................................................................................4
1.4 Scope...........................................................................................................................................5
1.5 Aim..............................................................................................................................................6
1.6 Framework Breach.......................................................................................................................6
2.0 Information Security Documentation..............................................................................................6
2.1 Information Security Policy Summary..........................................................................................9
2.2 Compliance..................................................................................................................................9
2.3 Policy Review.............................................................................................................................10
3.0 Training..........................................................................................................................................10
4.0 Information Classification and Treatment.....................................................................................11
4.1 Access........................................................................................................................................12
4.2 Storage......................................................................................................................................12
4.3 Discussion..................................................................................................................................12
5.0 Roles and Responsibilities..............................................................................................................13
6.0 Communication.............................................................................................................................17
7.0 Risk Management..........................................................................................................................17
7.1 Risk Assessment and Treatment................................................................................................18
7.1.1 Probability...........................................................................................................................18
7.1.2 Impact.................................................................................................................................19
7.1.3 Risk score............................................................................................................................19
7.1.4 Risk Assessment and Treatment.........................................................................................20
8.0 Physical Access Control..................................................................................................................25
9.0 Physical Security............................................................................................................................26
10.0 Acceptable Information and Device Usage..................................................................................27
10.1 Email........................................................................................................................................28
10.2 Internet Usage.........................................................................................................................29
10.3 Instant Messaging/Phone/Other Communications.................................................................29
10.4 SWIFT.......................................................................................................................................29
10.5 Monitoring...............................................................................................................................30
10.6 Software..................................................................................................................................30
10.7 Wireless Access Points.............................................................................................................30
10.8 Social Media............................................................................................................................31
11.0 Passwords....................................................................................................................................31
12.0 Network Security Layering...........................................................................................................32
12.1 Dual Authentication.................................................................................................................33
12.2 Firewalls...................................................................................................................................33
12.2.1 Packet Filtering Firewalls..................................................................................................33
12.2.2 Application/Proxy Firewalls..............................................................................................34
12.2.3 Packet Inspection Firewalls...............................................................................................34
12.3 Antivirus, Antimalware, Antispyware and Popup Blockers......................................................34
12.4 Intrusion Protection System....................................................................................................34
12.5 Intrusion Detection System.....................................................................................................35
12.6 Patching...................................................................................................................................35
12.7 Network Segmentation............................................................................................................35
12.8 Encryption................................................................................................................................35
12.9 Hardening................................................................................................................................36
12.9.1 Hardening process............................................................................................................37
12.9.2 Hardening Requirements..................................................................................................38
12.9.3 Hardening Checklist..........................................................................................................39
12.10 DNS Restriction......................................................................................................................49
13.0 VPN..............................................................................................................................................51
14.0 Information Security Audits.........................................................................................................51
14.1 Information Security Floor Audits............................................................................................51
14.2 Information Security Documentation Audits...........................................................................52
14.3 System Audits..........................................................................................................................52
14.4 Benchmarking..........................................................................................................................52
15.0 PEN Testing..................................................................................................................................53
16.0 Applicant Screening and Processing............................................................................................53
17.0 Post-Employment........................................................................................................................54
18.0 Electronic Data Transfer..............................................................................................................54
18.1 Printing....................................................................................................................................54
18.2 Physical Documentation..........................................................................................................54
18.3 Paper Disposal.........................................................................................................................55
18.4 Electronic Media Disposal and Reuse......................................................................................55
18.5 Data Retention.........................................................................................................................55
19.0 Security Breach Procedure..........................................................................................................56
19.1 Notification and Reporting.......................................................................................................58
19.2 Physical Breach........................................................................................................................58
19.3 Electronic Breach.....................................................................................................................59
20.0 Vendor Security...........................................................................................................................60
21.0 Contingency Plans........................................................................................................................60
21.1 Data Backup Plan.....................................................................................................................60
21.2 Business Continuity..................................................................................................................61
21.2.1 Incident Classification.......................................................................................................61
21.2.2 Business Continuity Process..............................................................................................62
21.2.3 Testing..............................................................................................................................63
21.2.4 Business Continuity Lifecycle............................................................................................63
21.2.5 Mechanisms to ensure continuity.....................................................................................64
21.3 Disaster Recovery Plan............................................................................................................65
21.3.1 Disaster Recovery Action Plans.........................................................................................65
21.3.2 Disaster Recovery Process................................................................................................68
21.3.3 Testing..............................................................................................................................68
22.0 Quantifying Network disruption..................................................................................................68
23.0 Ethical Behaviour.........................................................................................................................69
24.0 Governance.................................................................................................................................69
25.0 Sign Off........................................................................................................................................69
Equation 1 Risk Score Equation...........................................................................................................19
Figure 1 Aspects of Information Assurance. Source: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf...........2
Figure 2 Defence in Depth Strategy, Oracle. Source: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds...........3
Figure 3 Network Security Concepts......................................................................................................5
Figure 4 National Bank's Risk Management Process (Griffin, 2016a)...................................................18
Figure 5 Layered Security Approach, SANS Institute. Source: https://www.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805...........32
Figure 6 Hardening Process, TechTarget. Source: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security...........38
Figure 7 Business Continuity Lifecycle. Source: http://www.eci.com/products-services/business-availability/business-continuity.html...........64
Table 1 Information Systems Security Engineering Process..................................................................4
Table 2 Information Security Documentation.......................................................................................9
Table 3 Information Security Roles and Responsibilities.....................................................................17
Table 4 Probability Matrix...................................................................................................................19
Table 5 Impact Matrix..........................................................................................................................19
Table 6 Risk Score Matrix.....................................................................................................................20
Table 7 National Bank Risk Assessment and Treatment Plan as of 02/03/2016..................................25
Table 8 National Bank Email Retention...............................................................................................29
Table 9 Encryption Types.....................................................................................................................36
Table 10 National Bank Security Hardening Form, University of Texas at Austin. Source: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist...........49
Table 11 OpenDNS Products and Services of National Bank. Source: https://www.opendns.com/about/innovations/...........51
Table 12 Breach Types.........................................................................................................................57
Table 13 Business Continuity Plan Incident Classification....................................................................62
Table 14 Disaster Recovery Plan Form.................................................................................................68
Table 15 Sign Off..................................................................................................................................69
1.0 Introduction
The purpose of this document is to outline the framework through which National Bank manages information security. This is realised through information assurance, utilising a defence in depth strategy that applies a multi-layered "onion" approach to protect the wider network. This document outlines the security framework of National Bank, taking into consideration the threats and vulnerabilities identified in National Bank's Network Architecture and Potential Vulnerability Report of 2016. Appendix 1 will reiterate the main vulnerabilities
1.1 Information Assurance
"Information Assurance measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities" (Barker et al., 2003, p. 15).
Information assurance incorporates a wide array of policies, standards, services and mechanisms to provide confidentiality, integrity, availability, possession, utility, authenticity, non-repudiation, authorised use and privacy of information (Willett, 2008). The diagram below identifies the aspects of information assurance.
Version: 1.0 Page 1 of 66 Revised By: Lee Rock Last Revised: 13/03/2016 Approved By: Michael Caufield
Figure 1 Aspects of Information Assurance. Source: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf
1.2 Defence in Depth
Defence in depth is a best-practice strategy that utilises a variety of techniques and technologies to strike a balance between capability, cost and operational performance (National Security Agency, 2015). The idea behind defence in depth is that if one protection mechanism fails, another mechanism should prevent the event from occurring (SANS Institute, 2001). The premise of defence in depth is to slow down and obstruct malicious attackers, but there is a trade-off between security and efficiency (Griffin, 2016a). Defence in depth is often misconceived as a purely electronic layered approach; although it incorporates this, it also covers a broader range of aspects such as physical security and forensic recovery (Perrin, 2008). The figure below gives an overview of the concepts that National Bank utilises in order to achieve information assurance through defence in depth.
Figure 2 Defence in Depth Strategy, (Rhubart, 2011) Oracle. Source: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds
National Bank's defence in depth strategy includes:
Security governance.
Security awareness through training and policies.
Security through best-practice processes and procedures, industry and international standards, regulation and requirements.
Security through compliance/policy/procedure/process/requirement enforcement.
Security through a comprehensive hiring policy and process.
A network security layering approach.
Periodic risk assessment and treatment.
Physical controls.
Business continuity, disaster recovery and data backup plans.
1.3 Information Security Systems Engineering Process
National Bank conducts the following systems engineering process in order to secure the network and achieve information assurance (IATF, 2002):
Detail | Description | Action
Discover Information Protection Needs | Identify areas of vulnerability and which systems/data/areas require protection, both physically and electronically. | Risk assessments, PEN testing and vulnerability reports.
Define System Security Requirements | Identify the protection needs of each system. | Compliance with industry standard policies/procedures/processes, ISO 27001 and ISO 20022, PCI DSS, and all relevant legislation and regulations. Perform SWOT and gap analysis.
Design System Security Architecture | Identify the specific components of the system that require security and provide solutions (mechanisms, processes and procedures) to the security requirements. | External consultants and the internal knowledge base analyse and research the system to identify the optimal security solutions.
Develop Detailed Security Design | Assess funding limitations, trade-offs, and the pros and cons of security mechanisms, processes and procedures. | SWOT analysis and cost-benefit analysis of the proposed security solutions.
Implement System Security | Initiate new security functions, processes and procedures. | Testing, end-user testing, fault fixing, implementation of system security, provision and updating of training where applicable, and continuous maintenance and support.
Assess Effectiveness | Assess whether the implementation and the capabilities of the security design and architecture (mechanisms/policies/processes/procedures) meet the intended security objectives, requirements and compliance. If not, make the necessary changes and repeat the previous steps where applicable. | Benchmarking, SWOT analysis, testing, end-user testing, PEN testing and real-life events.
Table 1 Information Systems Security Engineering Process
1.4 Network Security
National Bank aims to achieve an optimal level of network security through the following concepts (Chia, 2012 and Griffin, 2016b):
Confidentiality: Ensuring information is accessed on a need-to-know basis.
Integrity: Ensuring data is not modified or manipulated without acceptance or authorisation.
Availability: Ensuring authorised users have appropriate, timely and uninterrupted access to information.
Identification: Each authorised individual user has a unique identifier (user ID) under which they access the system and under which their activity is recorded.
Authentication: The system validates the credentials (password or other factor) presented against that identifier, and prohibits unauthorised access attempts made through random or guessed credential entry.
Accountability: Authorised users are aware that they are responsible for, and can be held to account for, their actions on the network.
Authorisation: Ensuring individuals with access to the network can only access what they need in order to fulfil their contractual obligations and work duties. The principle of least privilege (cryptome.org) is applied.
Figure 3 Network Security Concepts
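The concepts above map onto a small access-control flow. The following is an added example written for this page, not code from National Bank or from any of the cited sources; the role names, permissions, user IDs and lockout threshold are constructed assumptions. Identification is the user ID the caller claims; authentication compares a salted PBKDF2 hash of the presented password in constant time and locks the account after repeated wrong guesses (the random credential entry case); authorisation is a deny-by-default, least-privilege check against the role's permission set; and every decision is appended to an audit log so that actions are attributable to an identifier (accountability).

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data for illustration: the roles, permissions and
# user IDs are assumptions, not National Bank's real configuration.
# Deny by default: a permission absent from a role's set is refused.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "teller": {"accounts:read", "payments:create"},
    "auditor": {"accounts:read", "logs:read"},
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials cannot be read back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str      # identification: the unique identifier the user claims
    role: str         # authorisation: the role decides what the user may do
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    """Identification, authentication, authorisation and an audit trail."""

    def __init__(self, lockout_threshold: int = 5) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[tuple[str, str, str]] = []  # (user_id, action, outcome)
        self.lockout_threshold = lockout_threshold

    def register(self, user_id: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, role, salt, hash_password(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        """Validate the presented credential against the claimed identifier."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Hash anyway so a timing difference does not reveal which IDs exist.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append((user_id, "login", "unknown-user"))
            return False
        if acct.locked:
            self.audit_log.append((user_id, "login", "locked"))
            return False
        # Constant-time comparison: no early exit on the first differing byte.
        ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if ok:
            acct.failed_attempts = 0
            self.audit_log.append((user_id, "login", "success"))
        else:
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.lockout_threshold:
                acct.locked = True  # blocks random or guessed credential entry
            self.audit_log.append((user_id, "login", "failure"))
        return ok

    def authorise(self, user_id: str, permission: str) -> bool:
        """Least privilege: allow only what the user's role explicitly grants."""
        acct = self.accounts.get(user_id)
        allowed = acct is not None and permission in ROLE_PERMISSIONS.get(acct.role, set())
        # Accountability: every decision is recorded against the identifier.
        self.audit_log.append((user_id, permission, "allow" if allowed else "deny"))
        return allowed


def demo() -> dict[str, object]:
    """Run the flow for a constructed teller account and return the outcomes."""
    ac = AccessControl(lockout_threshold=3)
    ac.register("teller01", "correct horse battery staple", "teller")

    results: dict[str, object] = {}
    results["login_ok"] = ac.authenticate("teller01", "correct horse battery staple")
    results["login_wrong_pw"] = ac.authenticate("teller01", "password1")
    results["login_unknown_user"] = ac.authenticate("nobody", "password1")
    results["read_accounts"] = ac.authorise("teller01", "accounts:read")
    results["admin_servers"] = ac.authorise("teller01", "servers:admin")  # not granted to tellers
    # Repeated wrong guesses trip the lockout; even the right password then fails.
    for _ in range(3):
        ac.authenticate("teller01", "guess")
    results["locked"] = ac.accounts["teller01"].locked
    results["login_after_lockout"] = ac.authenticate("teller01", "correct horse battery staple")
    results["audit_entries"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints one line per outcome: the correct password succeeds, the wrong password and the unknown user both fail, the teller may read accounts but not administer servers, three wrong guesses lock the account so that even the correct password is then refused, and the audit log holds one entry per decision.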
1.4 Scope
This document applies to all employees, contractors, third parties and affiliates of National Bank. The contents of this document are applicable to all information and information assets under the control of National Bank.
1.5 Aim
The aim of this document is to outline the security mechanisms in place to protect the confidentiality, integrity and availability of information and information assets under the control of National Bank, in order to achieve information assurance.
1.6 Framework Breach
A breach of this framework may lead to disciplinary action up to and including dismissal. Civil and/or criminal action may also be taken by the company where applicable.
2.0 Information Security Documentation
The following table provides a synopsis of the information security documentation concerning National Bank and its location on the network (InformationShield.com). If you have any queries regarding information security, please contact your local information security officer. All relevant information security documentation can be found on the company's Intranet, Q Drive and Documentum.
DocNo | Document | Version | Type | Directory
NBP01 | Information Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS02 | Information Classification and Treatment | V.1.0 | SOP | Q:\Compliance\SOPs
NBP03 | Password Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP04 | Acceptable Usage Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP05 | Social Media Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS06 | IT Audit Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBM07 | Roles and Responsibilities | V.1.0 | Manual | Q:\Compliance\Manuals
NBP08 | 3rd Party and Affiliate Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP09 | Electronic, Mobile and Credit Card Payments Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP10 | Physical Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP11 | Procurement Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS12 | Procurement Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP13 | Software Development Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBM14 | Business Continuity Plan | V.1.0 | Manual | Q:\Compliance\Manuals
NBS15 | Information Security Breach Procedure | V.1.0 | Policy | Q:\Compliance\Policies
NBP16 | Information, Software, Hardware and Data Destruction Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP17 | VPN Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP18 | Mobile Device Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP19 | Service Licence Agreements | V.1.0 | Licence | Q:\Compliance\Licences
NBS20 | PEN Test Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP21 | Physical Access Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP22 | IT Access Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP23 | IT Governance | V.1.0 | Policy | Q:\Compliance\Policies
NBP24 | Risk Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP25 | Risk Assessment and Treatment Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP26 | Data Protection Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP27 | Account and Privilege Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP28 | Wireless Network Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP29 | Asset Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP30 | Data Backup and Recovery Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP31 | Firewall Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP32 | Email, Instant Messaging, Phone and Other Communications Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP33 | External Party Information Disclosure Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP34 | Information Exchange Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP35 | Information Ownership Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP36 | Internet Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP37 | Network Security Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP38 | Log Management and Monitoring Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBM39 | Information Security Framework | V.1.0 | Manual | Q:\Compliance\Manuals
NBM40 | Compliance Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP41 | Document Control Procedure | V.1.0 | SOP | Q:\Compliance\Policies
NBP42 | Management Review Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS43 | IT Internal Review Procedure | V.1.0 | Policy | Q:\Compliance\Policies
NBS44 | Software Requirements and Validation Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP45 | Information Security Training Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS46 | Information Security Training Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP47 | Information Security Supplier, Client, 3rd Party and Other Affiliate Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP48 | Group Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP49 | Network Segmentation Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP50 | Information Ethical Usage Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP51 | Disciplinary Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS52 | Network Hardening Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBS53 | Patch Management Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP54 | Endpoint Security Management Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP55 | Removable Media Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBS56 | PEN Testing Procedure | V.1.0 | SOP | Q:\Compliance\SOPs
NBP57 | Vulnerability Scanning and Management Policy | V.1.0 | SOP | Q:\Compliance\SOPs
NBP58 | Removable and Personal Media Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP59 | Senior Management Information Security Commitment Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP60 | Vendor Security Policy | V.1.0 | Policy | Q:\Compliance\Policies
NBP61 | End User Requirements Policy | V.1.0 | Policy | Q:\Compliance\Policies
Table 2 Information Security Documentation
2.1 Information Security Policy Summary
National Bank is committed to securing all relevant information and information assets under its control in order to protect the wider network as well as the clients, parties and associates with which National Bank is affiliated. In order to achieve information assurance, National Bank's information security goals include:
Compliance with all data protection, financial, payments and transaction laws and regulations from an Irish, European and international perspective.
Compliance with PCI DSS, ISO 27001 and ISO 20022.
Provide appropriate confidentiality, availability and integrity of all information and information assets.
Provide up-to-date and periodic information security training to all applicable parties.
Ensure the functioning and continuity of the organisation in the event of a network disruption.
Ensure all applicable parties are compliant with National Bank's information security policies, procedures and protocols.
Appropriate document control, document review and information security training review.
Provide adequate resources and funding to the information assurance process.
Update processes, procedures, training and documentation when applicable.
2.2 Compliance
National Bank is fully compliant with PCI DSS, ISO 27001 and ISO 20022 and is subject to external security audits as part of this compliance. National Bank is committed to remaining fully compliant with all rules, legislation and regulations across every jurisdiction in which it operates.
2.3 Policy Review
The CISO will conduct an annual review of all information security documentation to ensure all policies/processes/procedures are in line with the organisation's strategy and reflect the precautions necessary for network security and information assurance.
Information security documentation maintenance and control is the responsibility of the CISO.
Changes can be made on an ad-hoc basis.
Any changes made must be identified and approved by the board of directors.
Local ISOs can, and are encouraged to, notify the CISO of and recommend any necessary changes to documentation.
Communication of changes must be channelled throughout the organisation.
3.0 Training
Employees will receive information security training upon their induction, followed by annual refresher courses thereafter. Contractors will receive information security training at least two days before the contract initiates; if the contract is for a period longer than 12 months they are subject to an annual refresher. Formal information security training is required to be signed off by the individual and the respective trainer. Trainees are also required to complete an information security assessment at the end of training. Any third party, supplier, client or affiliate is required to be briefed by their National Bank liaison, where applicable, with regard to information security policy and procedures.
National Bank will periodically update and review its information security documentation, procedures and processes. These changes take immediate effect from executive sign-off and can be communicated through one or more of the following channels:
Intranet
Documentum
Meetings
Unexpected roleplay
Version: 1.0 Page 10 of 69 Revised By: Lee RockLast Revised: 13/03/2016 Approved By: Michael Caufield
As part of an employee's/contractor's information security training they are required to read all applicable documentation. Electronic sign-off is required for compliance with PCI DSS and ISO 27001 and 20022.

National Bank employs Documentum (EnterpriseContentManagement.com), which organises the relevant documentation to be read and signed off by each individual. An email will be sent to each applicable individual informing them of new/updated documents which require their comprehension and electronic sign-off through their Documentum account. A lead time to complete sign-off is applied to each document upon notification; emails reminding the individual (and their respective supervisor) to complete the sign-off will be sent periodically during this lead time. If the individual fails to read and sign off the respective document in the allotted time, disciplinary action may be taken.

Suppliers, 3rd parties, clients and other affiliates may also be required to read and sign off applicable information security documentation if they are privy to information classified confidential or greater where they are not the data owner.
4.0 Information Classification and Treatment

National Bank classifies its information assets into three categories. The lists within each category are examples and are not exhaustive.

Unrestricted:
Public information includes marketing, promotion, upcoming events, prospectus, annual reports and press releases. Unrestricted information has no classification label.

Confidential:
Employee personal details, contractor personal details, supplier, 3rd party, client and other affiliate personal details, credit card data, company financial information, client and other affiliate financial information, company research and reports, intellectual property, meetings. Confidential information, where applicable, will be labelled 'Confidential'.

Secret:
Executive meetings, strategic growth plans, surprise events, new products and services, new competitive strategies. Secret information, where applicable, will be labelled 'Secret'.

All documentation classed as confidential or higher must be watermarked with the appropriate label:

- Confidential: Confidential.
- Secret: Secret.
4.1 Access

- Everyone will have access to public information.
- Access to information classified confidential or higher will be granted on a need-to-know basis by the data custodian.
- Intended parties (depending on need to know in order to fulfil duties) will have access to confidential information.
- Intended parties (depending on need to know in order to fulfil duties) will have access to secret information.
4.2 Storage

- Electronic documents labelled confidential or higher must be stored on a device approved by the IT department.
- All physical documentation and records labelled confidential or higher must be stored in a locked, secure area.
- Ensure that any information, electronic/physical documentation and records are not clearly visible when a party not privy to this information is within the visual vicinity of this information.
- Data backups are maintained.
- Information is separated and segregated on the network.
4.3 Discussion

- No steps need be taken for information classified as unrestricted.
- Only discuss information classified confidential or higher with other parties who are also privy to the information.
- For information classified confidential or higher, take all necessary precautions to ensure that no unintended parties are able to comprehend and understand the discussion.

Examples of security measures include:

- Check that your phone is off and/or not connected to anybody else.
- Don't have confidential/secret discussions over the phone.
- Ensure you are in a secluded area where a 3rd party cannot hear or see the conversation.
- Keep your voice low.
- All webcams/recording devices/listening devices turned off.
- Non-disclosure agreements must be signed by those parties who do not own the information classified confidential or higher but will require access in order to fulfil job and contractual duties.
5.0 Roles and Responsibilities

The following outlines the roles and responsibilities of all user types on the network.

Chief Information Security Officer (CISO)
- Accountable for network security and information assurance.
- Ensure compliance with all regulatory and statutory bodies, ISO 27001 and 20022, and PCI DSS.
- Approve new/updated information security documents.
- Responsible for the creation or initiation of new information security and IT documentation.
- Approve procurement of software/hardware of up to $2000.
- Obtain approval for procurement of software/hardware greater than $2000.
- Update the board of directors on new information security policy/process changes, breaches, new network security measures, etc.
- Propose corrective/disciplinary action against internal security breaches.
- Coordinate efforts to ensure information assurance.
- Information security awareness at senior level.
- Coordinate response to malicious attacks where applicable.
- Periodic review of information security documentation and processes.
- Document control in regards to all IT and information security documentation.

Information Security Officer (ISO)
- Responsible for network security and information assurance.
- Perform and report risk assessment results.
- Communication of new documentation, policy/process changes, new risks and breaches to middle and junior levels of the organisation.
- Ensuring information security policies and procedures are adhered to.
- Assist the CISO in coordination of resources before, during and after data breaches.
- Perform and assess information security audits.
- Report applicable malicious attacks, malfunction or disruption to the CISO.
- Ensure conformance with all IT and IT security policies, processes and procedures.

System Owner (SO)
- Define authorisation and access protocols.
- Awareness of the information the position and system(s) are responsible for.
- Report applicable malicious threat or malfunction to the ISO.
- Maintenance, development and security of the system(s) under the position's control.
- Implement system and information security policies, processes and procedures.
- Accountable for information availability, integrity and confidentiality on the system.
- Report malicious attacks, malfunction or disruption to the ISO.

System Administrator (SA)
- System backup and continuity.
- Monitor that all users adhere to system and information security policies, processes and procedures whilst operating the system.
- Access and authentication control to the system.
- Awareness regarding information usage, manipulation, export/import on the system.
- Responsible for information availability, integrity and confidentiality on the system.
- Champion and educate end users on information security regarding the system.
- Report applicable malicious attack, malfunction or disruption to the SO.

Users
- Report any malicious attack, malfunction or disruption to the SA.
- Comply with all system and information security policies, processes and procedures.
- Only access systems and information the individual is authorised or privy to.
- Keep access and authentication details confidential.

Network Engineers
- Network continuity and security.
- Network efficiency.
- Approve hardware and software for usage.
- Test/maintain and request updates of hardware where applicable.
- Monitor traffic on the network; report suspicious activity to the ISO where applicable.
- Ensure all issued hardware/devices possess up to date and relevant security mechanisms.
- Network audit.
- Network patching.
- Internal penetration testing.
- Data/software/hardware destruction and disposal.

Table 3 Information Security Roles and Responsibilities
6.0 Communication

National Bank issues a monthly information security newsletter to all employees via email highlighting new policy changes, information security audit results (both internal and external), malicious attacks, common security mistakes and any other security issue, in order to promote awareness and compliance in regards to information assurance.
7.0 Risk Management

National Bank undergoes a periodic risk assessment, and possible reassessments if a malicious attack or event significantly harms or disrupts the network. The assessment covers a wide scope, such as physical, software, hardware, internal and external factors which could compromise the network and disrupt the integrity, availability and confidentiality of data. Risks are added and updated in the risk register, which records each risk, its likelihood, impact, risk score and treatment action. The purpose of the risk assessment is to identify and pre-empt potential risks and exploits as well as limiting or eliminating vulnerabilities in the network. The figure below describes the risk management process of National Bank.

Figure 4 National Bank's Risk Management Process (Griffin, 2016a)
7.1 Risk Assessment and Treatment

As National Bank handles credit card data it must be PCI DSS compliant. National Bank also conforms to ISO 27001 and ISO 20022 standards. Because the network is an integral part of operations it is in scope for the standards, and thus periodic risk assessments/treatments must be carried out. Threats to the network must be identified and assessed for probability of occurrence and impact if the threat happens, and each threat given a risk score. Generally, if the score is low the risk can be accepted. If the risk score is medium/high, measures are put in place to prevent or mitigate the risk. Identifying possible threats, risks and vulnerabilities allows National Bank to plan for and control these flaws which can disrupt the network.
7.1.1 Probability

The probability is the likelihood of an event occurring. The probability of each threat is given a rating from 1-10, with 1 being very unlikely and 10 being extremely likely (mindtools.com).

| Probability | Score | Description |
|---|---|---|
| High | 10 | High chance of occurrence |
| Medium | 5 | Moderate chance of occurrence |
| Low | 1 | Low chance of occurrence |

Table 4 Probability Matrix
7.1.2 Impact

The impact of an event occurring is the damage it can do to the network. The impact of each threat is given a rating from 1-10, with 1 having minimal damage and 10 being extremely detrimental to the survival and operation of the organisation (mindtools.com).

| Impact | Score | Description |
|---|---|---|
| High | 10 | Mission critical; catastrophic to the network and organisation; the firm cannot function if this occurs |
| Medium | 5 | Significant disruption will be caused if the event occurs, but the organisation can still operate |
| Low | 1 | Minor inconvenience |

Table 5 Impact Matrix
7.1.3 Risk Score

To get the risk score, the probability of that risk is multiplied by the corresponding impact (Dumbravă and Iacob, 2013).

Risk = Probability × Impact
R = P × I

Equation 1 Risk Score Equation

| Likelihood \ Severity | High (10) | Medium (5) | Low (1) |
|---|---|---|---|
| High (10) | 10 × 10 = 100 | 10 × 5 = 50 | 10 × 1 = 10 |
| Medium (5) | 5 × 10 = 50 | 5 × 5 = 25 | 5 × 1 = 5 |
| Low (1) | 1 × 10 = 10 | 1 × 5 = 5 | 1 × 1 = 1 |

Scale: 50 – 100 = High; 11 – 49 = Medium; 1 – 10 = Low

Table 6 Risk Score Matrix
7.1.4 Risk Assessment and Treatment

The following risk assessment was conducted as of the 11th of February 2016 in conjunction with mapping the network architecture of National Bank. The following treatments have been applied to each risk in order to mitigate, avoid or accept the risk.

| Category | Vulnerability | Threat | Risk Owner | Likelihood | Severity | Risk Score | Action |
|---|---|---|---|---|---|---|---|
| Employee | Visible passwords | Unauthorised access, criminal/malicious intent, data breach | ALL | 8 | 7 | 56 | Training; weekly IT audits; passwords reset every 45 days |
| Employee | Susceptible to phishing | Unauthorised access, criminal/malicious intent, data breach | ALL | 5 | 6 | 30 | Spam filter; anti-virus; firewall; training; monitor emails |
| Employee | Unlocked devices | Unauthorised access, criminal/malicious intent, data breach | ALL | 7 | 5 | 35 | Automatic lock after 5 minutes of user inactivity, with the ability to adjust this disabled on all devices; users trained to lock devices when not using them |
| Employee | Internal hacking/fraud/information theft | Unauthorised access, criminal/malicious intent, data breach | IT | 3 | 8 | 24 | Logs; email, instant messaging and security camera monitoring; reporting structure; IT audits; hiring process with background checks; training; network segmentation |
| Employee | Key network employee leaves | System disruption/unavailability | IT | 3 | 5 | 15 | Obligation to give 30 days' notice in order to find a suitable replacement; cross-training of responsibilities |
| Employee | Accidental information destruction/network disruption/breach of data integrity | Unauthorised access, criminal/malicious intent, data breach, system disruption | ALL | 6 | 6 | 36 | Backups and data recovery |
| Employee | Employee devices stolen outside the firm | Unauthorised access, criminal/malicious intent, data breach | ALL | 7 | 8 | 56 | Automatic 5-minute locking; device locks down after 3 failed authentication attempts |
| Organisational | Lack of sufficient training | Unauthorised access, criminal/malicious intent, data breach | IT/Training | 2 | 6 | 12 | Induction training; periodic refreshers; training updated periodically; constant communication, e.g. monthly information security newsletter |
| Organisational | Outdated and insufficient security policies | Unauthorised access, criminal/malicious intent, data breach | IT/Senior Mgt. | 4 | 5 | 20 | Weekly IT audit; contingency reserve; anti-virus and software patching; firewalls; intrusion protection system; penetration testing |
| Organisational | Lack of security funding | Unauthorised access, criminal/malicious intent, data breach | Senior Mgt. | 4 | 9 | 36 | Commitment from senior management in the information security policy to provide adequate funding |
| Organisational | Lack of political will to secure networks | Unauthorised access, criminal/malicious intent, data breach | Senior Mgt. | 4 | 9 | 36 | Commitment from senior management in the information security policy to enable adequate provision of resources to protect the network |
| Organisational | Loss of communication channels | System disruption/unavailability | (not stated) | 3 | 8 | 24 | Backup generator; multiple communication channels; firewalls; intrusion protection system; SWIFT external platform |
| Physical | IP camera failure | Unauthorised access, criminal/malicious intent, data breach | Facilities | 2 | 7 | 14 | Backup generator; spare equipment; segmented network to make traffic more efficient; security guard patrols |
| Physical | Swipe access failure | Unauthorised access, criminal/malicious intent, data breach | Facilities | 2 | 9 | 18 | IP cameras at entry points; training to question unrecognised people; lock-in capability; sensitive areas alarmed |
| Physical | Security guard incompetence/error | Unauthorised access, criminal/malicious intent, data breach | Facilities | 3 | 7 | 21 | Swipe access to open doors; IP cameras; training; other employees |
| Software | Back doors | Unauthorised access, criminal/malicious intent, data breach | IT | 4 | 6 | 24 | Software development policy; supplier vetting process; segmented network; firewalls; antivirus; intrusion protection system |
| Software | Outdated software | Unauthorised access, criminal/malicious intent, data breach | IT | 4 | 5 | 20 | Service licence agreements to update to new versions |
| Software | Poor software vendor support | System disruption/unavailability | IT | 5 | 6 | 30 | Vendor vetting process; use of multiple vendors |
| Software | Unauthorised software on network | Unauthorised access, criminal/malicious intent, data breach | IT | 3 | 8 | 24 | Training; software request forms; antivirus; firewalls; intrusion protection system; admin rights disabled for the end user (installs require approval from IT) |
| Software | Bugs in operating system/software | Unauthorised access, criminal/malicious intent, data breach | IT | 5 | 6 | 30 | Software development and validation policy and procedure; penetration testing; vendor vetting; use of multiple vendors |
| Software | Malicious software attacks from outsiders | Unauthorised access, criminal/malicious intent, data breach | IT | 7 | 9 | 63 | Multiple firewalls from different manufacturers; multiple intrusion protection systems from different manufacturers; anti-virus; spam blocker; pop-up and ad blocker; DNS blocking of certain websites; training; network monitoring and benchmarking; segregated network |
| Hardware | Outdated hardware | Unauthorised access, criminal/malicious intent, data breach, system disruption | IT | 4 | 6 | 24 | Commitment from management to provide adequate resources; IT audit |
| Hardware | Equipment failure | System disruption/unavailability | IT | 4 | 9 | 36 | Contingency fund; backup equipment; backup generator |
| Hardware | Hardware theft | Unauthorised access, criminal/malicious intent, data breach | IT | 2 | 7 | 14 | Swipe access to areas of sensitive hardware; comms rooms not marked; IP cameras; security guards; electronic lock-in; alarm system |
| Hardware | Poor vendor hardware support | System disruption/unavailability | IT | 5 | 6 | 30 | Use of multiple vendors; details of alternative vendors; contractual agreements; vendor vetting process |
| Hardware/software | Remote access to network | Unauthorised access, criminal/malicious intent, data breach | IT | 6 | 8 | 48 | Dual authentication to access the network; firewalls; intrusion protection systems; port security procedures in place |
| Hardware/software | Firewall, intrusion protection/detection device, anti-virus or anti-spyware failure | Unauthorised access, criminal/malicious intent, data breach | IT | 4 | 9 | 36 | Network segmentation; security breach procedure; use of multiple firewalls and intrusion protection systems from different manufacturers; intrusion detection systems |
| Environmental | Natural disasters | System disruption/unavailability | ALL | 2 | 9 | 18 | Business continuity plan; backup generator and data backup |
| Environmental | Terrorism | System disruption/unavailability; unauthorised access, criminal/malicious intent, data breach | ALL | 1 | 9 | 9 | Business continuity plan; backup generator and data backup |
| Environmental | Power failure | System disruption/unavailability | Facilities | 3 | 9 | 27 | Business continuity plan; backup generator and data backup |
| Environmental | Internet outage | System disruption/unavailability | IT | 1 | 9 | 9 | Business continuity plan; backup generator and data backup; multiple connection lines to provider |

Table 7 National Bank Risk Assessment and Treatment Plan as of 02/03/2016
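The scoring rules of Sections 7.1.1 to 7.1.3 and the register in Table 7 can be checked mechanically rather than by eye. The Python below is an added example written for this edit, not part of the National Bank framework: it recomputes R = P × I for a transcribed subset of Table 7, flags any row whose recorded score disagrees with its likelihood and severity, assigns each score to a band, and applies the Section 7.1 rule that a Low score may be accepted while Medium and High must be treated. It assumes the Low band runs 1–10 so that the High-likelihood, Low-severity cell of Table 6 (score 10) has a band; the `Risk` class, the function names and the choice of rows are this example's own.

```python
"""Risk-register checks for the R = P x I scheme of Section 7.1.

Added example, not part of the National Bank framework document.
Band boundaries follow Table 6, with Low assumed to run 1-10 so that the
High x Low cell (score 10) falls in a band. Register rows are transcribed
from Table 7; the class and function names are this example's own.
"""
from dataclasses import dataclass

# Tables 4 and 5: the three ratings used for likelihood and severity.
SCALE = {"High": 10, "Medium": 5, "Low": 1}

# Table 6 bands as (name, lowest score, highest score), Low extended to 10.
BANDS = (("Low", 1, 10), ("Medium", 11, 49), ("High", 50, 100))


def risk_score(probability: int, impact: int) -> int:
    """Equation 1: R = P x I, both factors on the 1-10 scale."""
    if not (1 <= probability <= 10 and 1 <= impact <= 10):
        raise ValueError("probability and impact must be between 1 and 10")
    return probability * impact


def band(score: int) -> str:
    """Map a score to Low/Medium/High; raise if the scale leaves it unbanded."""
    for name, lowest, highest in BANDS:
        if lowest <= score <= highest:
            return name
    raise ValueError(f"score {score} is not covered by any band")


def matrix_coverage() -> dict:
    """Band for every cell of the 3x3 likelihood/severity matrix (Table 6)."""
    return {
        (likelihood, severity): band(risk_score(SCALE[likelihood], SCALE[severity]))
        for likelihood in SCALE
        for severity in SCALE
    }


@dataclass(frozen=True)
class Risk:
    category: str
    vulnerability: str
    owner: str
    probability: int
    impact: int
    recorded_score: int  # the value written in the register's Risk Score column


# Subset of Table 7, transcribed as recorded in the register.
REGISTER = [
    Risk("Employee", "visible passwords", "ALL", 8, 7, 56),
    Risk("Employee", "susceptible to phishing", "ALL", 5, 6, 30),
    Risk("Employee", "key network employee leaves", "IT", 3, 5, 15),
    Risk("Software", "malicious software attacks from outsiders", "IT", 7, 9, 63),
    Risk("Hardware/software", "remote access to network", "IT", 6, 8, 48),
    Risk("Environmental", "terrorism", "ALL", 1, 9, 9),
]


def inconsistent_rows(register) -> list:
    """Rows whose recorded score differs from P x I (transcription or arithmetic slips)."""
    return [r for r in register if risk_score(r.probability, r.impact) != r.recorded_score]


def treatment_plan(register) -> list:
    """(vulnerability, score, band, decision) ordered highest score first.

    Section 7.1: a Low score may be accepted; Medium/High must be treated.
    """
    rows = []
    for r in sorted(register, key=lambda r: risk_score(r.probability, r.impact), reverse=True):
        score = risk_score(r.probability, r.impact)
        decision = "accept" if band(score) == "Low" else "treat"
        rows.append((r.vulnerability, score, band(score), decision))
    return rows


if __name__ == "__main__":
    for cell, b in matrix_coverage().items():
        print(f"{cell[0]:>6} likelihood x {cell[1]:>6} severity -> {b}")
    print("inconsistent rows:", inconsistent_rows(REGISTER))
    for row in treatment_plan(REGISTER):
        print(row)
```

Running the module prints the band of every matrix cell, an empty list of inconsistent rows for the transcribed subset, and the rows in treatment order with the highest score first. Extending `REGISTER` with the remaining rows of Table 7 turns the script into a check that can be re-run at each periodic reassessment.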
8.0 Physical Access Control

- National Bank operates swipe access at all premises for all areas which have an information classification of confidential or higher.
- Additional swipe access points are utilised to further protect areas with sensitive information and equipment, such as the comms room. Access rights to certain areas like the comms room are granted on a "need to enter" basis.
- Employees are given a blue ribbon and identification badge with swipe access.
- Contractors are given a green ribbon and identification badge with swipe access.
- Visitors are given a red ribbon and identification badge.
- Visitors are required to sign in and out when entering and leaving the premises.
- Visitors should always have a National Bank liaison accompanying them through areas classified as confidential or higher.
- IP cameras are located at access points and around areas containing sensitive information and hardware.
- Security guards are placed towards the main entrance of each site and conduct regular patrols.
- Tailgating is strictly forbidden.
- All employees/contractors are required to clock in and out when entering and leaving the premises.
9.0 Physical Security

- Security guards reserve the right to conduct random bag searches of any individual exiting the premises of National Bank.
- Security guards have the right to prevent or remove individuals from company premises.
- Security guards and superiors have the right to confiscate company property on suspicion of malpractice.
- All doors are to remain closed.
- All windows are to remain sealed and obstructed from viewing inward.
- The face of a monitor should not be visible through a window or door.
- No paper, devices or any company property is allowed offsite unless there is a business need, authorised by the asset owner and documented.
- All paper waste is to be disposed of in the secure bins and shredders provided.
- Paper with information classified as confidential or higher must be placed in a locked cabinet and sealed when not in use.
- Rooms with sensitive information or information assets remain locked when unattended.
- Whiteboards are to be cleared, disposable media and paper removed, and systems logged out of after meetings.
- All hardware is to be checked for any relevant data, software removed, wiped, reset to factory default and made unusable before disposal and destruction.
- Physical destruction of hardware is to take place on site before it is handed to an authorised disposal company.
- Reception will not accept personal deliveries for employees/contractors.
- Reception is to be notified of intended business deliveries.
- Reception is to be notified of expected visitors.
- Reception should ring the intended party's liaison, or nearest alternative, to confirm the visitor/delivery before access to restricted areas is granted.
- Visitors may not pass reception without signing in, being granted a visitor badge and being supervised by the liaison.
- Sensitive hardware such as switches and servers is to reside in a strictly access-controlled area free from interference by unauthorised access, fire, water and other natural disasters.
- All physical devices and hardware of National Bank are to be given a unique identification number and labelled accordingly.
- A register of all authorised hardware and designated users, where applicable, is maintained.
- Personal mobile devices/media are prohibited in any area with information classed as confidential or higher. All personal devices must be stored in the employee lockers provided.
- 3rd party mobile devices/media are not permitted to enter any area with information classed confidential or higher unless approved by the local ISO. Unapproved devices must be left in a secure container at reception and labelled to the appropriate party.
- Fire drills are conducted on an annual basis.
- Health and safety audits are conducted on a monthly basis.
10.0 Acceptable Information and Device Usage

- Acceptable usage of information and devices must be in compliance with all relevant laws and regulations in all jurisdictions in which National Bank operates (e.g. dataprotection.ie).
- Information stored on any of National Bank's hardware is classified as National Bank property.
- Some information stored, such as credit card data and client information, is not owned by National Bank; rather, the company is a custodian of this information.
- National Bank's resources are to be used for intended purposes only and in compliance with the policies/procedures set out by National Bank, all relevant legislation and regulations, and ISO 27001/20022 and PCI DSS.
- Confidentiality, integrity and availability of information and information assets must be realised at all times.
- Information may only be accessed in accordance with the policies/procedures set out by National Bank and used for its intended purpose.
- Privacy, ownership and intellectual property rights are to be respected at all times.
- Information may only be destroyed in accordance with National Bank's data destruction policy.
- All information assets are to be well maintained and treated with care.
- Any employee/contractor/supplier/3rd party or other affiliate who requires information they do not own, classified confidential or higher by National Bank, is required to sign a non-disclosure agreement.
- Damaged or stolen information/information assets must be reported to the relevant supervisor immediately.
- An end user agreement is presented after login to inform the user what is and is not acceptable usage on the network; acceptance is recorded when the user clicks "OK".
10.1 Email

- National Bank email accounts are not intended for personal use but may be used for this purpose.
- Emails may be monitored.
- Credit card details must not be sent via email.
- Company login details/passwords must not be sent via email.
- Email accounts require dual authentication for access.
- Do not open suspicious emails; report them to the ISO as soon as possible.
- Email accounts are to be used for business purposes only; misuse (e.g. harassment, bullying, criminal activity, non-compliance) of company email may result in disciplinary action.
- Emails are encrypted.
- Emails should not include confidential or secret information/attachments unless authorised by the data owner.

Email retention is as follows:

| Category | Detail | Retention Period |
|---|---|---|
| Administrative | Company events, policy updates, task requests, reports etc. | 5 years (or longer depending on jurisdiction legislation) |
| Financial | Budgets, metrics, revenue, expenses, accounts. | 7 years (or longer depending on jurisdiction legislation) |
| General | Miscellaneous in nature. | 5 years (or longer depending on jurisdiction legislation) |
| Personal | Relevant only to the individual. | Retain until read |
| Security | Regarding breaches, incidents, cautions, evidence etc. | Retain until relevance has been evaluated and the threat is mitigated/avoided |

Table 8 National Bank Email Retention
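The rule above that credit card details must not be sent by email, together with the statement that emails may be monitored, is normally enforced at the mail gateway rather than left to the sender. The Python below is an added example written for this edit, not part of the National Bank framework: it scans a message for 13–19 digit runs, keeps only those that pass the Luhn check (which removes most order numbers and telephone numbers), masks any hit to the first six and last four digits as PCI DSS permits for display, and returns a block/deliver verdict. The sample messages are constructed; 4111 1111 1111 1111 is a published test card number, and the function names are this example's own.

```python
"""Outbound email check for card numbers (Section 10.1: credit card details
must not be sent by email; emails may be monitored).

Added example, not part of the National Bank framework document. A candidate
is 13-19 digits, optionally separated by single spaces or hyphens, and is
reported only if it passes the Luhn check. Sample messages are constructed;
4111 1111 1111 1111 is a published test card number.
"""
import re

# 13-19 digit runs with optional single space/hyphen separators, not embedded
# in a longer digit run on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like card numbers."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """PCI DSS display masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_message(subject: str, body: str) -> dict:
    """Decide whether an outbound message may leave: block if any PAN is present."""
    pans = find_pans(subject + "\n" + body)
    return {
        "verdict": "block" if pans else "deliver",
        "pans": [mask(p) for p in pans],
    }


# Constructed sample messages.
SAMPLE_VIOLATION = (
    "Re: card replacement",
    "Hi, the customer's new card is 4111 1111 1111 1111, expiry 12/19.",
)
SAMPLE_CLEAN = (
    "Invoice query",
    "Order ref 1234567890123456 is still open; call me on 01 555 1234.",
)

if __name__ == "__main__":
    for subject, body in (SAMPLE_VIOLATION, SAMPLE_CLEAN):
        print(subject, "->", inspect_message(subject, body))
```

The 16-digit order reference in the clean sample is the reason for the Luhn step: a digit-count regex alone would block it. The masked form is what should appear in the monitoring log or the bounce notice, never the full number, since the log itself would otherwise hold cardholder data.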
10.2 Internet Usage

- Use of the internet is deemed acceptable by National Bank to fulfil work duties.
- Communication via the internet may be monitored.
- Employees/contractors/suppliers/3rd parties and other affiliates may only access approved websites using company property.
- Any attempt to bypass security safeguards to access unauthorised sites may lead to disciplinary action.
- If access to an unauthorised website is required for business purposes, contact the local ISO for clearance.

10.3 Instant Messaging/Phone/Other Communications

- Communications sent and received by/to company property may be monitored.
- Information graded confidential or higher should not be sent over these platforms without data owner authorisation.
- Communication platforms should only be used for business purposes.
- Suspicious/unusual activity regarding these platforms must be reported to the local ISO.

10.4 SWIFT

When utilising the SWIFT payment and communication system, all employees/contractors must abide by all IT and information security policies/procedures put in place by National Bank as well as the terms and conditions of SWIFT. Failure to comply may result in disciplinary action.
10.5 Monitoring

National Bank may monitor incoming/outgoing activity on the network for the following reasons:

- Troubleshooting.
- Network security.
- Validating compliance with all relevant legislation, data protection laws, regulations, ISO 27001/20022 and PCI DSS.
- Detecting misuse and non-compliance with National Bank policies, procedures, processes, legislation, data protection laws, regulations, ISO 27001, ISO 20022 and PCI DSS.
- Network performance, efficiency and availability.

10.6 Software

- Internally developed, open source or vendor software may only be used in accordance with the policies/processes and procedures as set out by National Bank as well as the terms and conditions identified by the software owner.
- A register of all authorised software is maintained.
- A register of each device and its approved software is maintained, with the corresponding service licence agreement where applicable.
- All software downloads and installs will be conducted by the local IT department or by an approved third party where applicable.
- All software requests are to be processed by the local ISO via the Software Install, Update or Removal form (NBF001).
- New/updated software, both internal and vendor driven, must be tested on an isolated network and follow the Software Validation Procedure before live implementation.

10.7 Wireless Access Points

- All wireless access points require dual authentication.
- All devices must be scanned, hardened and approved by the local IT department before being granted wireless access rights.
- All National Bank sites are prohibited from offering a public WiFi service.
- The SSID shall be configured so as not to expose information that identifies the organisation, such as the company name, username, division etc.
10.8 Social Media

- Social media sites are prohibited at all times on company devices, with the exception of the marketing and BI departments for business case reasons.
- Social media sites are to be blacklisted for all departments except marketing and BI.
- Each user assumes responsibility for what they post on social media.
- Employees/contractors of National Bank who engage in social media are prohibited from using social media as a platform to exchange and transmit information classified as confidential or higher in any respect.
- Employees/contractors of National Bank who compromise the company, the company's reputation, or the confidentiality, integrity or availability of company data may be subject to disciplinary action up to and including dismissal and/or civil as well as criminal action where applicable.
11.0 Passwords Passwords may not be written down or communicated electronically.
Users will be prompted to change passwords every 45 days.
Users who fail to change their passwords within 45 days will be automatically locked
out from the network requiring a password reset by the local IT department.
Passwords are not to be reused.
Passwords must be a minimum of 15 characters using at least one uppercase,
lowercase, number and special character.
As a means of best practice, one should create passwords as a random phrase or
combination of characters that is not easily guessed or ascertained such as birthdays,
names, hobbies, schools etc.
Each individual should not use the same password as authentication for different
logins.
Passwords must never be prompted to be AutoSaved on any application; this feature
must be disabled where possible.
Passwords are to be encrypted over the network.
History of previous passwords will be maintained to prevent reuse.
Permanent lockout will initiate after 3 unsuccessful login attempts for all devices,
applications and systems; contact the relevant system owner, local IT department,
system administrator or local ISO for a password reset.
Passwords may not be reset without proof of person.
It is imperative that all default passwords on any device, hardware, software or
application be changed with the utmost urgency.
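The following Python module, added here and not part of the original framework document, models the section 11.0 rules (15-character minimum with all four character classes, no reuse against a stored history, permanent lockout after 3 failed attempts, automatic lockout 45 days after the last change, and IT-only reset after proof of person). The salted PBKDF2 hashing scheme, the account record layout and the function names are assumptions made for illustration.

```python
"""Password policy checks modelled on National Bank's section 11.0 rules.
Added example, not part of the original document. The hashing scheme
(salted PBKDF2-SHA256), the account record layout and the function
names are assumptions made for illustration."""
from __future__ import annotations

import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 15            # "minimum of 15 characters"
MAX_AGE_DAYS = 45          # "change passwords every 45 days"
MAX_FAILED_ATTEMPTS = 3    # "permanent lockout after 3 unsuccessful login attempts"
SPECIALS = set(string.punctuation)


def complexity_errors(password: str) -> list[str]:
    """Return the list of section 11.0 complexity rules the password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds cleartext (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current_hash: bytes = b""
    history: list = field(default_factory=list)   # previous hashes, never reused
    changed_at: datetime = field(default_factory=datetime.now)
    failed_attempts: int = 0
    locked: bool = False                          # cleared only by an IT reset


def set_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply the policy; on success rotate the old hash into history and return []."""
    errors = complexity_errors(new_password)
    digest = hash_password(new_password, acct.salt)
    if digest == acct.current_hash or digest in acct.history:
        errors.append("password previously used")
    if errors:
        return errors
    if acct.current_hash:
        acct.history.append(acct.current_hash)
    acct.current_hash = digest
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'locked' (needs an IT reset) or 'denied' (attempt counted)."""
    if acct.locked:
        return "locked"
    # A password older than 45 days triggers the automatic lockout of section 11.0.
    if now - acct.changed_at > timedelta(days=MAX_AGE_DAYS):
        acct.locked = True
        return "locked"
    if hash_password(password, acct.salt) == acct.current_hash:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"


def reset_by_it(acct: Account, new_password: str, now: datetime) -> list[str]:
    """IT-department reset after proof of person: clears the lockout if the policy passes."""
    errors = set_password(acct, new_password, now)
    if not errors:
        acct.locked = False
        acct.failed_attempts = 0
    return errors
```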
12.0 Network Security Layering
In order to optimise network security, National Bank undertakes a layered security approach
under the assumption that no one mechanism can fully protect the network infrastructure. A
multitude of security mechanisms are realised in order to disrupt/hinder/prevent any potential
malicious attack whilst keeping network availability and performance at an optimum level.
The diagram below provides a high level view of National Bank’s layering approach.
Figure 5 Layered Security Approach, SANS Institute, Source: https://www.sans.org/reading-room/whitepapers/analyst/layered-security-works-34805
National Bank’s layered security approach includes:
Dual authentication for network access.
Firewalls (hardware, software and port level) by varying vendors.
Anti-virus, anti-malware, anti-spyware, popup blockers
Patching.
Intrusion protection and detection systems by varying vendors.
Network segmentation through VLANS.
Encryption mechanisms throughout the network.
Hardening of devices.
DNS restriction.
12.1 Dual Authentication
Access to the network requires a username and password from any platform.
Access is only granted if the username and password match.
Permanent lockout occurs after 3 unsuccessful attempts and will require a reset by the
local IT department.
Accounts may not be reset without proof of person.
In accordance with the password policy, accounts will receive an automatic lockout if
the password is not changed within 45 days, requiring a reset by the local IT department.
Separate dual authentication is required to access the network from a wireless access
point.
The local IT department will configure and register approved devices for wireless
access to the network.
12.2 Firewalls
National Bank has deployed a firewall management system in order to control traffic to and
from the network. The firewall management system consists of a mix of hardware and
software mechanisms. National Bank employs multiple firewalls from different vendors.
Firewall configurations differ from vendor to vendor, thus increasing the level of
difficulty to penetrate the network. National Bank utilises the following firewall types (Blair
and Durai, 2009):
12.2.1 Packet Filtering Firewalls
Packet filtering firewalls approve packet entry to the network by analysing protocol,
source, destination, source/destination port numbers, service code point and type of service,
among other fields in the IP header.
12.2.2 Application/Proxy Firewalls
Application/proxy firewalls provide security at layer 7 of the OSI model. They act on behalf of a
client, which adds an extra buffer against malicious attacks such as port scans. Service requests
are sent to the proxy and the proxy opens a web connection on behalf of the client.
12.2.3 Packet Inspection Firewalls
Packet inspection firewalls operate at the session layer of the OSI model. They analyse session
information such as protocols, new/existing connections, source and destination IP addresses,
port numbers, IP checksums, sequence numbers and application-specific information, e.g.
command and response conditions in Simple Mail Transfer Protocol (SMTP). The packet
inspection firewall decides whether a packet is acceptable for the network through a defined
rule set. These firewalls offer deep packet inspection, which is able to analyse the data
portion of an IP packet and identify whether it is legitimate HTTP traffic.
12.3 Antivirus, Antimalware, Antispyware and Popup Blockers
National Bank employs antivirus, antimalware and antispyware throughout the network to
protect against network disruption and stolen/compromised data; daily scans are conducted
across all sites. All end user devices, where applicable, are required to have antivirus
protection. Macro auto-run upon opening an application has been disabled on all applicable
devices, and JavaScript auto-run has also been disabled on all applicable devices as a
prevention mechanism against malicious code. Popup blockers are also enabled on all applicable
devices. Popup blockers are enabled to ensure spam and sites with malicious code are
blocked from appearing unless the user chooses to allow the popup. All anti-malware
products must be purchased from an approved and trusted vendor.
12.4 Intrusion Protection System
National Bank has deployed intrusion protection systems which provide the following
security functions (paloaltonetworks.com):
Alert the CISO and local ISO.
Discard the potentially malicious packets.
Block traffic from the alleged malicious source address.
Reset the connection.
12.5 Intrusion Detection System
Network intrusion detection systems have been placed throughout the network in
order to monitor, gather, log and alert the CISO and local ISO of suspicious/malicious
activity (sans.org).
Network benchmark metrics are set and updated when applicable by each local site in
order to identify potential network irregularities.
Host based intrusion detection systems have also been deployed on devices to alert
the user of a potential malicious attack (sans.org).
12.6 Patching
All system, software, operating system and application patching is to remain up to
date.
The local IT department, or an approved authorised vendor where applicable, is
responsible for maintaining patch updates.
12.7 Network Segmentation
National Bank segments its network logically through the use of VLANs. Network
devices (fat/thin clients, servers, etc.) are grouped logically via a VLAN. Devices on a
particular VLAN can only communicate with other devices connected to that same
VLAN. For example, a client on the finance VLAN cannot access the HR servers; this
increases the security profile of the network, as network segmentation supports the
principle of least privilege.
National Bank also employs Microsoft Active Directory in order to operate the principle
of least privilege. Active Directory facilitates the creation, grouping and access rights of
users or groups of users. Access rights can be assigned to files/folders/drives etc. for a
specific user or group of users. For example, all users have access to the G drive but only
the Finance department can access the finance folder and only the Chief Financial Officer
can access the CFO folder within the finance folder.
12.8 Encryption
National Bank employs a range of encryption methods where applicable in order to further
secure the network and sensitive data. Common encryptions include (blackberry.com;
techtarget.com; products.office.com; Henry, 2015):
Encryption Type | Description
Wi-Fi Encryption (IEEE 802.11) | For data in transit between a device and a wireless access point.
VPN Encryption | For data in transit between a device and a VPN server.
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Encryption | For data in transit between a device and a content server, web server, or mail server.
Secure Socket Shell (SSH) | Secure remote access to a device.
Microsoft Outlook Email Encryption | National Bank emails are encrypted via Microsoft Outlook email encryption.
VeraCrypt | File encryption software utilised by National Bank.
BitLocker Drive Encryption | Hard drive encryption.
Table 9 Encryption Types
Encryption protocols must be used to protect data in transmission.
Servers containing sensitive information such as credit card, trading details, financial
accounts deposits etc. or information assets must have encryption mechanisms.
All emails require encryption.
All end user devices such as smart phones, tablets, fat clients, thin clients, laptops etc.
must utilise hard drive encryption.
SWIFT payment and communication software is encrypted for secure transmission
of data.
12.9 Hardening
Hardening is the practice of securing a system by limiting the number of functions a
system/device can perform. Removing unnecessary functions reduces the vulnerability
surface of a system/device, thus in principle making it more secure. The hardening process is
to be conducted by the local IT department. National Bank hardens all company devices
where applicable; these devices include but are not limited to:
Routers.
Laptops.
Tablets.
Smartphones.
Printers and multifunctional devices.
Modems.
Servers.
Wireless access points.
Switches.
Gateways.
Hubs.
Intrusion protection/detection devices.
Firewall devices.
IP Cameras.
Swipe access points.
Miscellaneous equipment such as ATMs, card terminals, kiosks where applicable.
12.9.1 Hardening process
National Bank engages in the following hardening procedure:
Where applicable reset the device to factory default.
Complete the installation based on vendor direction and requirements.
Remove all unnecessary software, applications and services.
Remove default configurations where applicable such as usernames, passwords, IP
addresses, etc.
Patch the system where applicable.
Conduct vulnerability scans.
Install and configure firewalls, antivirus, antimalware, antispyware and
intrusion detection/protection systems where applicable.
Apply labelling where applicable.
Log and monitor system/device.
Figure 6 Hardening Process, TechTarget, Source: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security
12.9.2 Hardening Requirements
Only authorised and relevant software may be installed.
All devices such as smartphones, tablets, servers, fat clients, thin clients, switches etc.
will have default security configurations removed and replaced by the standards
approved by National Bank.
Administrative access will only be assigned to applicable IT staff.
Antivirus, antimalware, firewalls and intrusion detection/protection systems must be
installed on any device susceptible to malicious code attacks.
Antivirus, antimalware, firewalls and intrusion detection/protection systems must not
be implemented with factory default security configurations.
All security protection software must be configured to automatically download
updates and patches where applicable.
Unnecessary ports must be closed.
Vulnerability scanning will take place upon implementation and on a quarterly basis
thereafter.
Patching internal and vendor software/applications must be kept up to date.
Users are prompted to change passwords every 45 days.
BIOS passwords are applied to all devices.
Principle of least privilege must be applied.
Endpoint security mechanisms must be applied to applicable remote devices, servers
and gateways (webopedia.com).
12.9.3 Hardening Checklist
National Bank utilises the following hardening checklist:
National Bank Security Hardening Form (NBF001)
MAC Address: ________ IP Address: ________ Machine Name: ________ Asset Tag: ________ Administrator Name: ________ Date: ________
Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
Preparation and Installation
1 If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.
2 Consider using the Security Configuration Wizard to assist in hardening the host.
Service Packs and Hotfixes
3 Install the latest service packs and hotfixes from Microsoft.
4 Enable automatic notification of patch availability.
User Account Policies
5 Set minimum password length.
6 Enable password complexity requirements.
7 Do not store passwords using reversible encryption. (Default)
8 Configure account lockout policy.
User Rights Assignment
9 Restrict the ability to access this computer from the network to Administrators and Authenticated Users.
10 Do not grant any users the 'act as part of the operating system' right. (Default)
11 Restrict local logon access to Administrators.
12 Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.
Security Settings
13 Place the University warning banner in the Message Text for users attempting to log on.
14 Disallow users from creating and logging in with Microsoft accounts.
15 Disable the guest account. (Default)
16 Require Ctrl+Alt+Del for interactive logins. (Default)
17 Configure machine inactivity limit to protect idle interactive sessions.
18 Configure Microsoft Network Client to always digitally sign communications.
19 Configure Microsoft Network Client to digitally sign communications if server agrees. (Default)
20 Disable the sending of unencrypted passwords to third party SMB servers.
21 Configure Microsoft Network Server to always digitally sign communications.
22 Configure Microsoft Network Server to digitally sign communications if client agrees.
Network Access Controls
23 Disable anonymous SID/Name translation. (Default)
24 Do not allow anonymous enumeration of SAM accounts. (Default)
25 Do not allow anonymous enumeration of SAM accounts and shares.
26 Do not allow Everyone permissions to apply to anonymous users. (Default)
27 Do not allow any named pipes to be accessed anonymously.
28 Restrict anonymous access to named pipes and shares. (Default)
29 Do not allow any shares to be accessed anonymously.
30 Require the "Classic" sharing and security model for local accounts. (Default)
Network Security Settings
31 Allow Local System to use computer identity for NTLM.
32 Disable Local System NULL session fallback.
33 Configure allowable encryption types for Kerberos.
34 Do not store LAN Manager hash values.
35 Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM.
36 Enable the Windows Firewall in all profiles (domain, private, public). (Default)
37 Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default)
Active Directory Domain Member Security Settings
38 Digitally encrypt or sign secure channel data (always). (Default)
39 Digitally encrypt secure channel data (when possible). (Default)
40 Digitally sign secure channel data (when possible). (Default)
41 Require strong (Windows 2000 or later) session keys.
42 Configure the number of previous logons to cache.
Audit Policy Settings
43 Configure Account Logon audit policy.
44 Configure Account Management audit policy.
45 Configure Logon/Logoff audit policy.
46 Configure Policy Change audit policy.
47 Configure Privilege Use audit policy.
Event Log Settings
48 Configure Event Log retention method and size.
49 Configure log shipping (e.g. to Splunk).
Additional Security Protection
50 Disable or uninstall unused services.
51 Disable or delete unused users.
52 Configure User Rights to be as secure as possible.
53 Ensure all volumes are using the NTFS file system.
54 Configure file system permissions.
55 Configure registry permissions.
56 Disallow remote registry access if not required.
Additional Steps
57 Set the system date/time and configure it to synchronize against campus time servers.
58 Install and enable anti-virus software.
59 Install and enable anti-spyware software.
60 Configure anti-virus software to update daily.
61 Configure anti-spyware software to update daily.
62 Provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.
63 Install software to check the integrity of critical operating system files.
64 If RDP is utilized, set RDP connection encryption level to high.
Physical Security
65 Set a BIOS/firmware password to prevent alterations in system start up settings.
66 Disable automatic administrative logon to recovery console.
67 Do not allow the system to be shut down without having to log on. (Default)
68 Configure the device boot order to prevent unauthorized booting from alternate media.
69 Configure a screen-saver to lock the console's screen automatically if the host is left unattended.
Table 10 National Bank Security Hardening Form, University of Texas in Austin, Source: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist
12.10 DNS Restriction
The Domain Name System (DNS) converts a website name into an IP address so the correct
webpage can be retrieved. When a query for a website is entered, the local hosts file is
checked first to retrieve the IP address of that website. If the address cannot be found in the
local hosts file, the public DNS server is queried. DNS hacking occurs when the IP address of
a website is changed in the DNS, so that an unsuspecting user is unknowingly directed to a
potentially malicious site (Eli the Computer Guy, 2010). In order to combat this, National Bank
employs a number of mechanisms:
National Bank configures its domain naming system to block sites that are deemed
unsafe or unnecessary (e.g. social media, adult sites, gambling sites, gaming sites
etc.).
Access to the local host by end users is restricted.
All blacklisted sites have their IP address changed to the IP address of National Bank’s
“Website Blocked, Contact IT” website.
National Bank does not use the public DNS of the internet service provider. National
Bank employs a private DNS service (e.g. openDNS) that prevents the user from
accessing malicious sites.
Local DNS is configured to allow both marketing and BI departments to access social
media sites.
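The Python resolver below is an added example, not part of the original framework document or of any OpenDNS product; it models the section 12.10 mechanisms: an IT-managed hosts file consulted first, blacklisted categories answered with the "Website Blocked, Contact IT" address, the marketing and BI exception for social media, and everything else forwarded to the private upstream resolver. The domain names, category tags, the sinkhole address 192.0.2.10 (RFC 5737 documentation range) and the stub upstream answers are constructed.

```python
"""Local DNS restriction policy modelled on section 12.10. Added example, not
part of the original document; domains, categories, the sinkhole address and
the stub upstream resolver are constructed for illustration."""
from dataclasses import dataclass

BLOCK_PAGE_IP = "192.0.2.10"   # IP of the "Website Blocked, Contact IT" site (constructed)

# Centrally managed hosts entries; end users cannot edit the local hosts file.
MANAGED_HOSTS = {"blocked.nationalbank.example": BLOCK_PAGE_IP}

# Domains tagged with a category, in the style of OpenDNS domain tagging (constructed).
CATEGORY_OF = {
    "socialsite.example": "social media",
    "bets.example": "gambling",
    "games.example": "gaming",
    "adult.example": "adult",
}

# Categories blocked for everyone unless a department exception applies.
BLOCKED_CATEGORIES = {"social media", "gambling", "gaming", "adult"}
DEPARTMENT_EXCEPTIONS = {
    "marketing": {"social media"},
    "bi": {"social media"},
}

# Stand-in for the private upstream resolver (e.g. OpenDNS); constructed answers.
UPSTREAM = {
    "intranet.example": "10.0.0.5",
    "socialsite.example": "203.0.113.7",
    "bets.example": "203.0.113.8",
    "supplier.example": "203.0.113.9",
}


@dataclass(frozen=True)
class Answer:
    name: str
    ip: str          # empty string when nothing resolves
    blocked: bool
    reason: str


def registrable_domain(name: str) -> str:
    """Match tags on the registrable domain so subdomains inherit the category."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def resolve(name: str, department: str) -> Answer:
    """Apply the section 12.10 policy for one query from a given department."""
    host = name.lower().rstrip(".")
    # 1. The IT-managed hosts file wins, exactly as a local hosts lookup does.
    if host in MANAGED_HOSTS:
        return Answer(name, MANAGED_HOSTS[host], False, "managed hosts file")
    # 2. Blacklisted categories are sinkholed to the block page, bar exemptions.
    domain = registrable_domain(host)
    category = CATEGORY_OF.get(domain)
    allowed = DEPARTMENT_EXCEPTIONS.get(department.lower(), set())
    if category in BLOCKED_CATEGORIES and category not in allowed:
        return Answer(name, BLOCK_PAGE_IP, True, f"category '{category}' blocked")
    # 3. Everything else is forwarded to the private (non-ISP) resolver.
    ip = UPSTREAM.get(domain)
    if ip is None:
        return Answer(name, "", False, "not found upstream")
    return Answer(name, ip, False, "forwarded to private DNS")
```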
National Bank employs the following OpenDNS products/services to secure its DNS:
Product | Description
OpenDNS Security Graph | Automates protection from known and emerging threats using cross sectional and predictive analysis of global internet activity.
OpenDNS Global Network | Proven 100% uptime, enforces security policies with no added latency and covers any device.
OpenGraphiti | An interactive open source data visualisation engine. Used to analyse malware threats such as ransomware, cryptolocker, cryptodefense, botnets etc.
DNSCrypt | Mechanism that protects the “last mile” of the connection between a device and the internet service provider, preventing man in the middle and data snooping attacks.
CacheCheck | Allows a manual refresh of DNS caches and insight into DNS trends.
SmartCache | Allows access to downed websites, in particular when DNS nameserver outages occur.
IPv6 Sandbox | Allows the support of IPv6 addresses.
PhishTank | Suspected phishing attacks are entered and assessed/voted upon by other groups and individuals as to whether it is a phishing attack. When a phishing attack has been verified it’s added to a feed that allows individuals to quickly find an attack and cross analyse it with their suspicions.
OpenDNS Domain Tagging | A people-powered Internet security system. Using the intelligence of the OpenDNS community (security researchers, academics, IT professionals), domains are submitted and tagged with a corresponding category such as gambling, social media, hate etc.; the domain is verified and voted on for accuracy, then users can use the system to block these sites and/or categories from the network.
Table 11 OpenDNS Products and Services of National Bank. Source: https://www.opendns.com/about/innovations/
13.0 VPN
Employees/Contractors must be approved to utilise VPN by the local ISO.
A record of each employee with the corresponding device(s) used for VPN must be
maintained.
Approved VPN devices must receive appropriate hardening, encryption, and
antivirus/malware software.
VPN application may not be used on any unauthorised device such as a home
computer.
Files stored on VPN devices with a classification of confidential or higher should be
encrypted using VeraCrypt encryption software.
14.0 Information Security Audits
IT audits will be conducted by members of the local IT department. The local ISO will
review and sign off each individual site audit.
14.1 Information Security Floor Audits
Information security floor audits are conducted on a weekly basis to ensure physical controls
are adhered to, as well as to highlight any possible vulnerabilities. Minor non-conformances will
be dealt with by the ISO. Major non-conformances must be reported to the CISO. Examples
of conformances for floor audits include:
Monitors are locked when unattended.
Paper with information classed confidential or higher is not in plain sight.
Credit card details are not written down.
Paper with information classed confidential or higher are disposed of in the secure
bins not ordinary rubbish bins.
IP cameras are functioning.
Swipe access is functioning.
Tailgating is not observed.
Employee/contractor/visitor identification cards are clearly visible on their person.
The face of monitors cannot be seen through doors or windows.
Areas with sensitive information or information assets remain closed.
Rooms with sensitive information or information assets remain locked when
unattended.
Cabinets and other storage components with information classified confidential or
higher remain locked.
Employees/contractors and applicable 3rd parties have an awareness of information
security policies/processes and procedures and where these documents are located.
Food and drink is not located near sensitive equipment.
Unauthorised devices are not found.
All authorised devices are appropriately labelled.
Information and information assets are appropriately labelled.
Random password entry should not grant access.
14.2 Information Security Documentation Audits
Processes and procedures are audited on a quarterly basis by the local ISO to ensure that
these processes and procedures comply with applicable information security protocols, policies
and procedures.
CISO will review all information security related documentation annually to ensure
documentation is updated in adherence with industry, compliance, regulation and legal
requirements.
14.3 System Audits
System audits are to be conducted by the system owner on a quarterly basis to ensure all
systems maintain compliance with the information security policies, procedures and
processes.
14.4 Benchmarking
Each local IT department is responsible for analysing network and system metrics to identify
daily usage of systems, network applications, servers, outgoing and incoming traffic etc. on a
periodic basis. Abnormal traffic levels may be a sign of a malicious attack. Any levels
significantly above or below the benchmark must be investigated.
15.0 PEN Testing
Both internal and external penetration testing is conducted on an annual basis to find potential
vulnerabilities in the network. Results of PEN testing will be reviewed by the local ISO.
Major issues are to be reported to the CISO. PEN testing includes but is not limited to:
Attempted unauthorised access through wireless access points.
Physical access through social engineering techniques, opportunism and mock
intrusions.
Simulated malicious code attack.
Simulated emails sent to employees/contractors with spam and click bait.
Internal hacking attempts.
Password cracking.
Social engineering to manipulate individuals to provide access to sensitive
information.
16.0 Applicant Screening and Processing
All applicants are required to undergo a background check.
The interviewer is required to ask competency based and scenario based questions
regarding information security.
Qualifications and certifications are to be verified for reputability and authenticity.
Successful candidates are required to sign a non-disclosure agreement whose
requirements extend post-employment/contract.
Successful candidates are required to read the applicable information security policies
and sign off on these policies as proof of comprehension.
Successful candidates are required to undergo information security training during
induction.
17.0 Post-Employment
An exit interview is to be conducted by the individual’s applicable supervisor,
superior or HR, to inform the individual of their information security responsibilities
post-employment.
All company devices and property are to be returned before or during the exit
interview.
Returned devices are to be scanned for relevant information and wiped where
applicable.
Devices may be reused or disposed of where applicable.
The individual’s logins, passwords and access credentials are to be
decommissioned within one hour of exit.
18.0 Electronic Data Transfer
Transfer, download, upload or any other communication of information classified as
confidential or higher must be treated with great caution and strictly controlled.
18.1 Printing
Printed information classified as confidential or higher must be watermarked
appropriately.
Printed information classified as confidential or higher must be sent to the
individual’s print box, where login credentials are required at the printer to release the print job.
Any unattended paper in the vicinity of a printer marked confidential or higher must
be disposed of in the secure paper bins.
18.2 Physical Documentation
When not in use, physical documentation should be laid face down.
Any physical documentation with information classed as confidential or higher must
have the appropriate watermark.
When unattended, physical documentation with information classified as confidential
or higher must be stored in a locked cabinet or a similar storage area.
Any unattended visible physical documentation labelled confidential or higher must
be disposed of in the secure bins provided.
18.3 Paper Disposal
Secure bins are provided throughout the premises of National Bank sites.
Shredders are also provided throughout the premises of National Bank sites.
Paper containing information classified as confidential or higher should be shredded
and then disposed of in the secure bins provided.
A trusted and vetted 3rd party removes the contents from the secure bins on a periodic
basis for further disposal.
18.4 Electronic Media Disposal and Reuse
Any device returned to the IT department for disposal or reuse must be treated as
if it contains information classified confidential or higher.
Any device applicable for reuse or disposal must be signed off by the asset owner.
Devices will be searched for any relevant information that is still required by the
company where applicable.
Devices will be wiped.
The device hard drive will be destroyed on site.
If the device is being reused, the hard drive will be replaced and the device re-hardened where
applicable.
If the device is being disposed of, it will be removed by a vetted and trusted third party
vendor.
A certificate of destruction must be issued from the vendor.
All devices awaiting use, reuse or disposal must be kept in a secure locked
environment with restricted access rights.
18.5 Data Retention
All company financial information is required to be kept for a period of 6 years in
accordance with Irish legislation (Revenue.ie). National Bank will hold all financial
information for a period of 7 years or longer depending on local jurisdictional
legislation in which sites operate.
Customer and client data is kept indefinitely and stored in the company data
warehouse but changes such as name, addresses, errors etc. may occur with the
permission of the data owner.
All other business information is to be kept as long as necessary in compliance with
the Irish Data Protection Act 2003 (dataprotection.ie) or longer depending on
jurisdictional legislation.
19.0 Security Breach Procedure
Security breaches can have a significant impact on the business and its daily operations, thus
all breaches must be treated with caution irrespective of intent. Some breaches may not be
malicious in nature (e.g. human error) but can still compromise the
availability/confidentiality/integrity of the network and the information stored on the
network. The main types of breaches include (omnisecu.com):
Type | Description | Example | Prevention
Passive | May or may not be malicious in nature, depending on the intent of the attacker, i.e. the attacker could be monitoring the wrong company. Difficult to detect as the attacker is not actively trying to breach and penetrate the network. | Packet sniffing, eavesdropping, data snooping, man in the middle, reconnaissance. | Network and communication encryption, antispyware.
Active | The attacker is actively trying to penetrate and target the network. More easily detected as the malicious user is sending traffic. | Malicious code (virus, Trojan, worm). | Firewalls, IDS, IPS from different vendors, anti-virus, antimalware from different vendors with default configurations removed.
Close in | A physical attack on the network. | Breaking and entering to steal/destroy data and/or equipment. | National Bank has applied physical controls (sections 8 and 9 of this document).
Insider | An attack conducted by an employee/contractor within the organisation. | Stealing/deleting information, malicious code. | Recruitment procedure, training, principle of least privilege applied, restricted physical and electronic access rights, physical controls (sections 8 and 9 of this document).
Distribution | Network penetration and attacks using backdoors from hardware and/or software. | Using a back door or bug from hardware, internal/vendor driven software to gain access to the network. | Vendor information security audits, patching, PEN testing, software testing and validation requirements.
Table 12 Breach Types
An incident that penetrates network defences (firewalls/IPS/antivirus) and gains access to
the internal network where sensitive information is stored is classified as a breach. In the
event of a breach the following actions should be taken:
19.1 Notification and Reporting
Any suspected information security breach, physical, electronic, internal or
external must be reported to the local ISO; once dealt with, the CISO is to be
notified.
In severe or escalating cases the CISO is to be notified by the local ISO with
immediate effect.
19.2 Physical Breach
In the event of a physical breach all employees/contractors are to evacuate the area of
attack and move to a secure protected area.
Site security guards will initiate lockdown procedure and quarantine the area of
attack.
Appropriate authorities will be contacted.
Entry and egress from the site is not permitted until the attack is neutralised.
Where there is a threat to life, the evacuation procedure should be
executed where plausible.
All employees, contractors, third parties, affiliates etc. who witnessed the event are
obliged to comply with the requests of the authorities.
All evidence applicable to the incident is to be handed over to the relevant authorities.
The local ISO is responsible for ensuring no unnecessary information classified
confidential or higher is handed over to the authorities unless it is applicable to the
incident.
Where data with a classification of confidential or higher is compromised due to the
event, the data owner(s) must be notified.
An internal investigation led by the local ISO will be conducted to review possible
breakdowns in policy/procedures/processes that led to the event and provide
recommendations to the CISO for possible areas of improvement. Performance on
how the event was handled will also be reviewed as part of a continuous learning
process. External consultants approved by the CISO may also be utilised where
applicable.
19.3 Electronic Breach
In the event of a malicious electronic attack the local ISO is to be notified with immediate
effect.
If applicable a screenshot of the event should be saved and stored as evidence.
Infected devices are to be removed from the network and isolated in a separate
quarantined network environment.
Identify the type of attack.
Scan the local network and ensure all infected devices are removed.
Alert the CISO of the attack.
CISO will alert other sites to be wary of this attack and ensure network defences are
appropriately updated.
If plausible, try to remove the attack without wiping the device.
If plausible, try to remove sensitive information/data/applications from the device that
are not infected.
Once/If sensitive and business critical information/applications are recovered, wipe
the device, re-install applications, perform data recovery and back up process.
Re-harden and update the device.
Scan the network to ensure the threat is removed.
Where data with a classification of confidential or higher is compromised due to the
event, the data owner(s) must be notified.
An internal investigation led by the local ISO will be conducted to review possible
breakdowns in policy/procedures/processes that led to the event and provide
recommendations to the CISO for possible areas of improvement. Performance on
how the event was handled will also be reviewed as part of a continuous learning
process. External consultants approved by the CISO may also be utilised where
applicable.
Where applicable evidence collected that may lead to the apprehension of the
malicious attackers may be handed over to the relevant authorities upon prior
approval of the CISO.
20.0 Vendor Security
All vendors are required to sign a non-disclosure agreement.
Vendors are required to complete a vendor information security form detailing any
compliance certification as well as a synopsis of their information security protocols.
Vendors must comply with all security documentation/policies/processes/procedures
set out by National Bank and sign an agreement of compliance.
Vendors are subject to an information security audit.
A local site register of all IT equipment is maintained along with the location and label
identification tag of each piece of equipment. Vendor details such as company, price,
date of purchase, sales person and vendor contact details are also maintained.
21.0 Contingency Plans
National Bank utilises contingency plans in order to ensure the organisation can maintain
operations and recover from a negative event to operational capacity.
21.1 Data Backup Plan
The local ISO is responsible for liaising with site departments to identify the appropriate
files, systems and applications that are mission critical and thus are required to be
backed up.
The local ISO is responsible for ensuring all site data is backed up in accordance with all
data protection laws and regulations within their respective jurisdiction.
It is the responsibility of the local department head to inform the local ISO when a
new file/system/application is applicable for backup.
A site registry of all files/systems/applications applicable for backup is maintained.
National Bank performs daily backups of the information it holds to ensure continuity
and redundancy of the data.
All sites have local backup servers.
All site servers are also backed up to an alternative site within the organisation,
ensuring the necessary redundancy in times of crisis.
Each site maintains tape backups which are stored in a secured environment until
pickup.
Each site stores its tapes in an offsite undisclosed location which is updated on a weekly
basis.
Ghost images are performed on all devices by the local IT department and updated on
a periodic basis.
Systems undergo periodic backups.
The following are applicable for backup:
o Databases
o Data warehouses
o Hardware configurations
o Software configurations
o Files
o Operating systems
o Software (where applicable)
o User configurations
o Systems and system configurations
o All information
Server and tape backups are tested on a periodic basis to ensure all relevant items
have been backed up.
All systems are to undergo restoration testing in a simulated network environment
isolated from the live network on an annual basis.
All server backups are retained for a period of 30 days. Some may be kept longer with
approval of the local ISO.
All tapes are retained for a period of 7 years. Some may be kept longer with approval
of the local ISO.
21.2 Business Continuity
National Bank employs a business continuity plan to ensure the continuation of business operations in the event of a
mission critical scenario taking place. The objective of the business continuity plan is to
minimise downtime and optimise operations when a disruption to the organisation occurs.
The table below will classify incidents and the appropriate action an employee/contractor
should take in the event of an incident type occurring.
21.2.1 Incident Classification

Level: Minor
Example: Device malfunction, small leakage.
Description: A small inconvenience to the organisation, has no impact on day to day operations.
Response: Report to local ISO/IT Department.

Level: Medium
Example: Physical/electronic breach of the network but no information compromised, system malfunction.
Description: An incident that will have a small impact on day to day operations but the business is still able to function at relatively strong capacity.
Response: Report to local ISO/IT Department.

Level: Major
Example: Serious information security breach, fire, flood, short term power outage, lack of internet access for a short period of time.
Description: A significant event in which a major disruption to the network and day to day operations is caused.
Response: Contact local ISO/CISO, emergency services and relevant 3rd parties where applicable.

Level: Critical
Example: Collapse of the network, long term power/internet outage, security breach where large volumes of highly sensitive information are compromised.
Description: Mission critical event that severely impacts day to day operations and causes a huge disruption to the network. Operations are very limited.
Response: Contact local ISO/CISO, emergency services and relevant 3rd parties where applicable.
Table 13 Business Continuity Plan Incident Classification
21.2.2 Business Continuity Process
Notification and description of the incident.
Classify the severity of the Incident.
Identify the risk owner.
Assemble the Business Continuity Management Team.
Enact the business continuity plan.
Prepare data recovery and network restoration procedures.
Communicate situation across the organisation.
Inform data owners if information has been compromised.
Provide funding, resources and support to enable recovery.
Monitor progress and make changes if necessary.
Internal review of the event regarding the plan and performance of execution. Identify
the weaknesses and strengths of each as part of continuous improvement and update the
plan to respond more efficiently to a similar event if applicable.
21.2.3 Testing
The business continuity plan will be tested annually by the Business Continuity Management
Team. Critical applications of the plan will be tested on a quarterly basis. All testing will
involve scenario cases in order to fully monitor the effectiveness of the plan. Case scenario
testing can be live testing or script readings where applicable.
21.2.4 Business Continuity Lifecycle
National Bank undergoes the following business continuity lifecycle:
Regular risk assessments.
Regular business impact analysis.
Strategy (risk treatment) and develop/update business continuity plan.
Train and maintain.
Monitor and measure.
Repeat.
Figure 7 Business Continuity Lifecycle. Source: http://www.eci.com/products-services/business-availability/business-continuity.html
21.2.5 Mechanisms to ensure continuity
National Bank has employed the following mechanisms to ensure continuity of the
organisation:
Uninterrupted power supplies and backup generators are deployed at all sites.
Sprinkler system is in operation at all sites.
Fire gas suppression is in operation in areas with mission sensitive equipment such as
the comms rooms at all sites. Fire water suppression systems are deployed in areas
that do not contain mission sensitive equipment.
Portable carbon dioxide, foam and water fire extinguishers are deployed across all
sites in areas where potential fire hazards may occur.
Multiple cable connections to the authorised electricity provider, telecommunications
provider and internet service provider are in place across all sites.
Air cleaning and ventilation system is in place at all sites.
A register of all relevant authorities and emergency services for each site is
maintained.
Fire doors are in place at all sites.
Cross duty training is encouraged by National Bank to ensure departments are able to
sustain operations despite the loss of key personnel.
Contingency reserves are in place and reviewed annually by the board of directors.
Inventory of spare hardware is maintained across all sites.
National Bank employs backup hardware such as super computers, servers etc.,
creating the necessary redundancy to automatically take over from the failing/failed
equipment.
Data is backed up on local servers, on backup servers in an alternative site and
through physical tapes stored in an undisclosed location ensuring the necessary
redundancy in the event of a crisis.
All sites are configured to have the capacity to take over, or at least partially take over,
operations of another site in the event of a site network disruption/failure/loss in order
to minimise damage.
21.3 Disaster Recovery Plan
National Bank’s disaster recovery plan will operate parallel to its business continuity plan.
National Bank’s disaster recovery plan incorporates the same goals and objectives as the
business continuity plan. The main aim of the plan is to restore the organisation to full
operational capacity in the most efficient time and method possible. Examples of disasters
include but are not limited to:
Extreme weather.
Severe fire/flooding.
Terrorism.
Prolonged power outage.
System failure.
Data loss.
21.3.1 Disaster Recovery Action Plans
Each local ISO is responsible for the creation of site-specific disaster recovery plans.
Each local ISO is responsible for ensuring that disaster recovery plans are tested and
updated on an annual basis or as part of a continuous learning process post event.
A directory of case scenarios is maintained for disaster recovery on Documentum
consisting of theoretical and past events as well as relevant current news events.
Local ISOs must identify which events are applicable to their respective site and
provide rationale for inapplicable events.
The CISO is responsible for ensuring that each site has completed satisfactory planning for
disaster recovery.
Local ISOs can update the directory but submissions must be approved by the CISO.
All disaster recovery plans must be completed on form NBF002 and approved by the
CISO.
Both a hard and a soft copy of the plan are to be maintained.
Disaster Recovery Action Plan 1
Previous Revision:
Previously Revised By:
Last Revised:
Revised by:
Site:
Plan Owner:
System:
System Owner:
System Administrators:
Equipment (fields recorded per item): Equipment, Location, Tag, IP Address, DNS Entry, Memory, CPU, Vendor Details, Model, Power Wattage, Applications, Cable Tag, VLAN, Description, Other
Colocation Site:
System Backup Procedure:
Data Backup Procedure:
Information Classification:
Critical Hardware List to Restore System to Operational Capacity:
Critical Software List to Restore System to Operational Capacity:
Critical Files that Require Recovery:
Other Files that Require Recovery:
Directories that Require Recovery:
Critical Business Functions the System Supports:
Scenario 1
Scenario 1 Description
Recovery Action Plan for Scenario 1
Recovery Plan Contact List (fields recorded per contact): Name, Position, Location, Office Location, Mobile, Office Phone, Email, Instant Messaging, Name
Table 14 Disaster Recovery Plan Form (Kirvan, 2009)
21.3.2 Disaster Recovery Process
National Bank’s disaster recovery process is as follows:
Event is reported.
Business continuity management team assemble.
Severity of event is analysed.
Continuity procedure is initiated.
Continuity procedure is monitored.
Identify accurate or nearest accurate disaster recovery plan.
Initiate disaster recovery plan.
Initiate system restoration and data backup procedures.
Business continuity management team must ensure proper and efficient allocation of
resources during the recovery process.
Recovery process is monitored and changes made accordingly.
Systems and data undergo verification and validation testing.
Systems are monitored for a period of applicable time until there is certainty the
situation is stabilised.
21.3.3 Testing
In conjunction with the business continuity plan, the disaster recovery plan is tested on an
annual basis in a case scenario format to ensure its effectiveness. Case scenario testing can be
live testing or script readings where applicable.
22.0 Quantifying Network Disruption
National Bank is a largely global financial entity which runs on information and data. Any
event that disrupts the flow of information can have serious consequences for the
organisation as 95% of our operations are conducted in an online environment. The
organisation can sustain partial network disruption. A full network outage would be
detrimental to the organisation. For every minute the network is down or even partially down,
costs to the company increase on an exponential basis with each passing minute.
23.0 Ethical Behaviour
National Bank regards itself as a socially responsible company; its policies/processes and
procedures are drafted around acting responsibly and in the best interest of all of the
organisation’s stakeholders. National Bank expects all employees/contractors to act in an
ethical manner, fulfilling their duties and not compromising the integrity of the organisation by
conducting or engaging in malpractice. National Bank expects its employees/contractors to
report any dubious, negligent or malicious behaviour to the appropriate employee and for all
reports to be conducted with respect and urgency to ensure the
confidentiality/availability/integrity of the information the organisation holds as well as its
information assets are not compromised. National Bank aims to achieve information
assurance through a strong information security aware culture, up to date documentation,
processes and equipment.
24.0 Governance
National Bank’s board of directors is deeply committed to achieving information assurance
and to protecting the confidentiality/availability/integrity of the information and information
assets held by National Bank. The board will conduct an annual review of all information
security documentation and seek counsel from the CISO on all information security related
matters. The board is committed to ensuring adequate resources and funding are allocated to
information and network security. The board urges all employees/contractors and affiliates to
ensure that all policies/processes/procedures are carried out bearing the security of the
organisation and data owner in mind.
25.0 Sign Off
Name               Title   Version   Date         Signature
Lee Rock           CISO    V1.0      13/03/2016
Michael Caufield   CEO     V1.0      13/03/2016
Table 15 Sign Off
References
Barker, W., C., Evans, D., L., Bond, J., P. and Bement, A., L. (2003), ‘Guideline for Identifying an Information System as a National Security System’, National Institute of Standards and Technology, Special Publication 800-59, [Accessed Online: 29th of February 2016], Available From: http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf
Blair, R. and Durai, A. (2009), ‘Chapter 1: Types of Firewalls’, Cisco Press, Network World, [Accessed Online: 06th of March 2016], Available From: http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html
blackberry.com, ‘Types of encryption used for communication between devices and your resources’, [Accessed Online: 06th of March 2016], Available From: https://help.blackberry.com/en/bes12/12.1/security/ake1381945720424B.html
Chia, T. (2012), ‘Confidentiality, Integrity, Availability: The three components of the CIA Triad’, IT Security Information Blog, [Accessed Online: 06th of March 2016], Available From: http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/
cryptome.org, ‘Fundamental Security Concepts’, [Accessed Online: 15th of March 2016], Available From: https://cryptome.org/2013/09/infosecurity-cert.pdf
Dataprotection.ie, ‘Law On Data Protection’, [Accessed Online: 15th of March 2016], Available From: https://www.dataprotection.ie/docs/Law-On-Data-Protection/m/795.htm
Dumbravă, V., and Iacob, V., S. (2013), ‘Using Probability – Impact Matrix in Analysis and Risk Assessment Projects’, Journal of Knowledge Management, Economics and Information Technology, [Accessed Online: 09th of February 2016], Available From: http://www.scientificpapers.org/wp-content/files/07_Dumbrava_Iacob-USING_PROBABILITY__IMPACT_MATRIX_IN__ANALYSIS_AND_RISK_ASSESSMENT_PROJECTS.pdf
Eli the Computer Guy, (2010), ‘DNS hacking’, youtube.com, [Accessed Online: 16th of March 2016], Available From: https://www.youtube.com/watch?v=zRysni9ND2w
Enterprise Content Management, ‘Documentum’, [Accessed Online: 2nd of March 2016], Available From: http://www.emc.com/enterprise-content-management/documentum/index.htm
Ezi.com, ‘Eze Business Continuity Planning’, [Accessed Online: 13th of March 2016], Available From: http://www.eci.com/products-services/business-availability/business-continuity.html
Griffin, J., D. (2016a), ‘Lecture05 – OS Security’, Class Notes
Griffin, J., D. (2016b), ‘Lecture06 – IS Security Design Principles’, Class Notes
Henry, A. (2015), ‘Five Best File Encryption Tools’, Lifehacker.com, [Accessed Online: 06th of March 2016], Available From: http://lifehacker.com/five-best-file-encryption-tools-5677725
Hibbard, E., A. (2009), ‘Introduction to Information Assurance’, Storage Networking Industry Association, [Accessed Online: 06th of March 2016], Available From: http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf
Kirvan, P. (2009), ‘IT Disaster Recovery Plan Template’, SearchDisasterRecovery.com, TechTarget, [Accessed Online: 06th of April 2016], Available From: http://searchdisasterrecovery.techtarget.com/feature/IT-disaster-recovery-DR-plan-template-A-free-download-and-guide
IATF, (2002), ‘The Information Systems Security Engineering Process’, IATF Release 3.1—September 2002, [Accessed Online: 06th of March 2016], Available From: http://webcache.googleusercontent.com/search?q=cache:SqBjZ3OcN7IJ:trygstad.rice.iit.edu:8000/Policies%2520%26%2520Tools/InformationAssuranceTechnicalFramework3.1/ch03TheInformationSystemsSecurityEngineeringProcess.doc+&cd=2&hl=en&ct=clnk&gl=ie
Information Shield, ‘Information Security Policy’, [Accessed Online: 01st of March 2016], Available From: http://www.informationshield.com/ispme_contents.html
mindtools.com, ‘Risk Impact/Probability Chart, Learning to Prioritize Risks’, [Accessed Online: 09th of February 2016], Available From: https://www.mindtools.com/pages/article/newPPM_78.htm
National Security Agency, (2015), ‘Defense in Depth, A practical strategy for achieving Information Assurance in today’s highly networked environments’, [Accessed Online: 29th of February 2016], Available From: https://www.nsa.gov/ia/_files/support/defenseindepth.pdf
omnisecu.com, ‘Different Classes of Network attacks and how to defend them’, [Accessed Online: 06th of March 2016], Available From: http://www.omnisecu.com/ccna-security/different-classes-of-network-attacks-and-how-to-defend-them.php
OpenDNS.com, ‘OpenDNS Innovations’, [Accessed Online: 16th of March 2016], Available From: https://www.opendns.com/about/innovations/
paloaltonetworks.com, ‘What is an intrusion prevention system?’, [Accessed Online: 29th of February 2016], Available From: https://www.paloaltonetworks.com/documentation/glossary/what-is-an-intrusion-prevention-system-ips
Perrin, C. (2008), ‘Understanding Layered Security and Defense in Depth’, Tech Republic, [Accessed Online: 01st of March 2016], Available From: http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
products.office.com, ‘Office 365 Message Encryption’, [Accessed Online: 06th of March 2016], Available From: https://products.office.com/en-us/exchange/office-365-message-encryption
Revenue.ie, ‘Keeping Records and Revenue Audit’, [Accessed Online: 15th of March 2016], Available From: http://www.revenue.ie/en/business/running/keeping-records-revenue-audit.html
Rhubart, B. (2011), ‘Rationalization and Defense in Depth - Two Steps Closer to the Clouds’, Slide 5, [Accessed Online: 29th of February 2016], Available From: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds
SANS Institute, (2001), ‘Defense In Depth’, [Accessed Online: 29th of February 2016], Available From: https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525
SANS.org, ‘Intrusion Detection FAQ: What is Intrusion Detection?’, [Accessed Online: 06th of March 2016], Available From: https://www.sans.org/security-resources/idfaq/what_is_id.php
techtarget.com, ‘Secure Shell (SSH)’, [Accessed Online: 06th of March 2016], Available From: http://searchsecurity.techtarget.com/definition/Secure-Shell
techtarget.com, ‘The Basics of Information Security’, [Accessed Online: 07th of March 2016], Available From: http://searchsecurity.techtarget.com/feature/The-Basics-of-Information-Security
University of Texas in Austin, ‘Information Security Office’, [Accessed Online: 07th of March 2016], Available From: https://wikis.utexas.edu/display/ISO/Windows+Server+2012+R2+Hardening+Checklist
Webopedia.com, ‘endpoint security’, [Accessed Online: 07th of March 2016], Available From: http://www.webopedia.com/TERM/E/endpoint_security.html
Willett, K., D. (2008), ‘Information Assurance Architecture’, CRC Press, ISBN 978-0-8493-8067-9
Appendix 1
The following table will synopsise the security mechanisms implemented in order to prevent
and mitigate the potential threats and vulnerabilities discovered in National Bank’s Network
Architecture and Potential Vulnerability Report of 2016.

Threat/Vulnerability: Prevention/Mitigation
Malicious Code: Antivirus, antimalware, multiple firewalls from different vendors, intrusion detection and prevention systems, pop up blockers, blacklisted sites/DNS restriction, devices hardened, internet usage policies, policies and procedures relating to software installation, network patching, network segmentation, security breach procedure, business continuity and disaster recovery plans, PEN testing.
Transmission Interception: Transmission encryption, communication procedures.
Denial of Service: Multiple lines to internet service provider, business continuity and disaster recovery plans, ability to lease extra bandwidth from internet service provider.
Phishing: Induction and annual information security training, pop up blocker, spam and junk mail algorithms, firewalls, antivirus, antispyware, communication encryption.
Physical Access Intrusion: Security guards, security breach procedure, IP cameras, restricted physical and electronic access (principle of least privilege), induction and annual information security training, employee/contractor processes and precautions.
Process and Policy Vulnerabilities: Continuous learning, external/internal reports after significant events and update policies/processes/procedures where applicable, annual review of all documentation to ensure policies/processes/procedures are updated accordingly, internal audits.
Social Engineering: Induction and annual information security training, information handling procedures.
Human Incompetence and Negligence: Induction and annual information security training, information handling procedures, restricted electronic and physical access, non-disclosure agreements, acceptable usage policy, social media policy, defined roles and responsibilities, HR background and qualification checks, dual authentication on systems, internal audits.
Acts of God: Backup servers and tapes, business continuity and disaster recovery plan.
Poor Vendor Security, Service and Quality: Vendor vetting, vendor audits, non-disclosure and information security acceptance agreement, equipment and software testing before live implementation.