Information Security Policies in the Banking Industry
This article is a research study that summarises the concept of online transactions in the banking industry. It assesses and evaluates the threats and vulnerabilities that put personal and financial information in the banking sector at risk. It then analyzes the information technology risks and vulnerabilities facing AMP Bank Ltd, an Australian financial institution known for its leading retail and corporate superannuation services, and provides policy recommendations aimed at controlling, preventing, and mitigating the threats and vulnerabilities to the institution's own personal and financial information and to that of its customers, as a way of promoting a safe banking system within the institution.
The banking sector is a vital industry in the management of monetary processes at the local, national, and international scale, a role that has been extended by internet-enabled transactions, which have created flexibility in the sector. However, information security has become a pressing issue for most banks because of continued cyber attacks and internal frauds that have cost banking institutions large sums to scammers. Many risks, threats, and vulnerabilities bear on the security of online banking transactions and banking information. Most banks have nevertheless been able to keep control of their financial transactions through the effective implementation of security for the banking and financial services they provide (Zhang et al., 2013).
Online banking dates back ten to twenty years, to the spread of internet technology, and internet banking has since become the norm in financial institutions. Both customers and service providers agree that internet banking has become less complex, more convenient, and better suited to business efficiency (Taplin, 2017). However, the full maturity of e-banking has been hampered by the threats and vulnerabilities of cyber attacks, and there is an extra mile to be covered in protecting customer and organizational information from attackers. One identified way forward is for financial institutions to invest in security measures and policy strategies that address these security concerns.
The ability to protect financial information and online transactions is the basic security capability that must be strengthened in the banking industry. Information security is the process of protecting and securing an organization's systems, facilities, and media and of identifying risks, threats, and vulnerabilities so that vital information is safeguarded. It pursues objectives such as confidentiality, assurance, accountability, integrity, and availability (Chishti et al., 2018), and those objectives are better met when strategy, information risk assessment, process monitoring, system and policy updates, and controls implementation are in place, among other factors. This research study explores the threats and vulnerabilities that affect AMP Bank Ltd, an Australian institution in the banking sector. After evaluating the threats and vulnerabilities facing its banking services, it formulates, develops, and documents a strategic security policy that AMP Bank can use, together with policy-based strategies for mitigating them (Taplin, 2017).
The AMP Bank Ltd
AMP Bank Ltd is an Australian-based financial institution set up to offer residential mortgages, deposits, loans, and banking services to individuals. Its headquarters is in Parramatta, and it has long been the leading retail and corporate superannuation service provider, as well as the most competitive provider of life risk business services, in Australia. Like most banking institutions that require fast and efficient transactions, AMP distributes its services directly via internet banking and mobile phones. The company's main shareholders include Harris Associates LP, The Vanguard Group, Vanguard Investments Australia, BlackRock Investment Ltd., Perpetual Investment Management Ltd., and Norges Bank Investment Management. Its management includes Mike Wilkins, the current CEO; John O'Sullivan, a director; and Gordon Lefevre, the CFO, among other senior officials (MarketScreener, 2018).
Threats and Vulnerabilities
AMP Bank has a well-developed information security and online banking system; however, it remains exposed to internal and external vulnerabilities that require policy reforms. Its reliance on the internet as the core banking channel also exposes it to security risk that can be addressed through well-designed threat and vulnerability evaluations. The attacks AMP faces come in three forms. First, credential stealing attacks (CSA) involve hackers and scammers attempting to obtain users' authentication data via phishing or malicious software (Zhang et al., 2013). Second, channel breaking attacks (CBA) intercept the communication between the client and the bank, with the fraudster masquerading as one of the parties. Third, content manipulation attacks give the adversary the ability to read, write, and change data while the user's browser session is active and the user is unaware (the man-in-the-browser pattern).
External Online Threats and Vulnerabilities
One of the external online threats to AMP is the Trojan attack, in which malware installed on the user's computer captures the user's banking credentials as they log into the bank's website. The attacker then uses the Trojan to make illegal transactions at any time without the user's consent or knowledge. Secondly, there is the man-in-the-middle attack, in which the attacker interposes between the client and the bank, commonly by luring users to a fake website that impersonates AMP's site. Messages disguised as authentic AMP correspondence may be sent to the bank's clients, who take them for a trusted source and end up releasing their private information to the attackers, who use it to withdraw money and access other private information.
Malicious attackers are a common concern for most banks, AMP Bank included. These are attackers who gain unauthorized access to information through hacking, whether of the user's computer or of the bank's servers. Password guessing is another threat: unauthorized attackers guess users' passwords either online, against the login service, or offline, against stolen password hashes. Phishing attacks obtain personal confidential information such as social security numbers, bank account details, and driving licence details, among others, in order to conduct fraudulent transactions (Chishti et al., 2018). For example, a client may receive a fraudulent email from someone impersonating an AMP Bank employee and take it for a trusted source. This is common in online banking and many clients have been victims.
Other external vulnerabilities and threats come in the form of sniffers, also known as network monitors, which are software used to capture passwords and login IDs from unencrypted network traffic. Another is brute force, a technique that tries every possible password or key; applied to captured encrypted messages or stolen credential databases, often with black-market tooling, it can recover the user's ID and password. Worms, which are destructive programs designed to replicate themselves, and logic bombs, which perform destructive actions on users' accounts when triggered, are also common.
Internal Threats at AMP
Threats and vulnerabilities to information security can also come from within the company. The first is employee sabotage, whereby disgruntled employees intentionally damage the organization's information system resources, for example by entering incorrect data, planting logic bombs, destroying hardware, or deleting or changing data. The second is the trap-door (backdoor), a hidden access path or password known only to the attacker that bypasses the normal authentication of the information system (Chishti et al., 2018). Errors and omissions, whether intentional or unintentional, also act as a vulnerability by compromising the integrity of the information system and easing hackers' access to it. Fraud and theft form the other vulnerability, whereby insiders use software to access unauthorized information; insiders are not easy to detect because they are familiar with the system.
Formulation of Information Security Policies
According to Zhang et al. (2013), information security is broad and entails policy formulation and other means of protecting information and information systems from unauthorized access, disclosure, disruption, recording, inspection, perusal, or destruction. To enhance AMP's information security, security measures and policies need to be built on the following elements: possession, utility, integrity, confidentiality, authenticity, and availability. These ensure that the organization's information is not disclosed to unauthorized personnel, that falsified data modifications do not happen, and that the security system assesses risks, identifies threats, and mitigates vulnerabilities.
The following are information security policies that AMP is expected to adopt to strengthen its security measures against the internal and external threats and vulnerabilities outlined above. Employing these policies will see to it that individuals' personal information is protected. The following policies must be adhered to and used for information system protection:
General Fraud Mitigation
All new employees will be required to attend a one-week training seminar on information security measures and on the threats and vulnerabilities that AMP faces, and an annual refresher program on safety and vulnerabilities must be initiated and implemented for all employees. Secondly, the banking system must encrypt information in transit between the bank and its clients, and between banks, with a cipher of at least 128-bit key strength (for example, TLS with AES-128 or stronger). It will also be required that virtual private networks (VPNs) be used as an anti-theft measure for remote access to accounts (De et al., 2015).
Another policy is a shared responsibility among management, employees, and customers to protect any private information whose exposure could put their accounts, or those of the organization, at risk. An alerting system for breaches or attempted breaches must also be designed and installed in the information security system to keep the IT team vigilant to impending attacks, for example by raising an alarm on bursts of failed logins that indicate password guessing. Moreover, there must be an information backup storage system safeguarded under lock and key, with a complex entry authorization procedure restricted to two or three of the top management officials (Zhang et al., 2013).
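A minimal form of the alerting just described, covering the password-guessing and brute-force threats noted under the external threats above, as an added example written for this page rather than code from AMP Bank: it scans authentication log lines and raises an alert when failed logins against one account, or from one source address, reach a threshold within a short window, and separately flags a successful login that follows such a burst, since that is the case an analyst most needs to see. The log line format, the threshold, the window and the sample lines are constructed assumptions, not AMP's real format or data.

```python
"""Failed-login burst detector for authentication logs.

Added example for this page; not AMP Bank's code. The log format
"<ISO timestamp> <FAIL|OK> user=<id> src=<ip>", the threshold and the
window are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real AMP data): one account hammered
# from one address, one normal user with two slow failures, and one address
# spraying five different accounts (credential stuffing).
SAMPLE_LOG = """\
2018-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2018-05-01T09:00:03 FAIL user=alice src=203.0.113.7
2018-05-01T09:00:04 FAIL user=alice src=203.0.113.7
2018-05-01T09:00:06 FAIL user=alice src=203.0.113.7
2018-05-01T09:00:07 FAIL user=alice src=203.0.113.7
2018-05-01T09:00:09 OK user=alice src=203.0.113.7
2018-05-01T09:05:00 FAIL user=bob src=198.51.100.2
2018-05-01T09:20:00 FAIL user=bob src=198.51.100.2
2018-05-01T09:30:00 OK user=bob src=198.51.100.2
2018-05-01T10:00:00 FAIL user=carol src=192.0.2.9
2018-05-01T10:00:01 FAIL user=dave src=192.0.2.9
2018-05-01T10:00:02 FAIL user=erin src=192.0.2.9
2018-05-01T10:00:03 FAIL user=frank src=192.0.2.9
2018-05-01T10:00:04 FAIL user=grace src=192.0.2.9
"""

THRESHOLD = 5                  # assumption: failures that trigger an alert
WINDOW = timedelta(minutes=2)  # assumption: sliding window for counting them


def parse_line(line):
    """Split one log line into (timestamp, result, user, source_ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert dicts in the order they are raised.

    Failures are counted per account (online guessing of one password) and
    per source address (one address spraying many accounts). Both views are
    needed: credential stuffing keeps per-account failures low, so a
    per-account rule alone would miss the 192.0.2.9 case in SAMPLE_LOG.
    A successful login for an account that already tripped the rule is
    reported as a separate alert because it may mean the guess succeeded.
    """
    recent = defaultdict(deque)   # (kind, key) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "OK":
            if ("account", user) in alerted:
                alerts.append({"type": "success_after_burst", "key": user,
                               "at": ts.isoformat()})
            continue
        for key in (("account", user), ("source", src)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": key[0], "key": key[1], "failures": len(q),
                               "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises four alerts: the account `alice`, the address 203.0.113.7, the successful `alice` login that followed the burst, and the spraying address 192.0.2.9; `bob`'s two failures fifteen minutes apart do not trip the rule. In production the same logic would run over a stream rather than a string, and the per-key deques would need an eviction policy for idle keys.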
In open systems, the bank must use encryption, digital signatures, and digital time-stamping to prevent and detect alteration. Secondly, the organization's servers must be under 24-hour surveillance, with technicians on standby in case of breakdown, so that the time taken to restore security systems is as short as possible (Vacca, 2017). Independent security consultants should also be engaged to verify the effectiveness of the current information security system, including its design, firewalls, controls, web application security, and other security controls, so that the system is protected at all times. AMP's management and information security team will also be expected to collaborate with Australian threat intelligence organizations, law enforcement agencies, and the financial services sector to ensure the safety of clients' accounts (De et al., 2015).
Password Security and Confidentiality
To safeguard passwords and reinforce the confidentiality of user information, one policy is that all passwords must be complex combinations of capital letters, lower-case letters, numbers, and symbols, so that they are hard for attackers to break, and simple or suggestive passwords must be avoided. For example, one's PIN must never be used as a password, and users must be taught to keep their passwords private. Passwords must never contain personal information and must never be shared with anyone, not even AMP Bank staff (Vacca, 2017). This is a basic information security and confidentiality policy. Employees and users should also be urged to change their account passwords periodically. Current guidance such as NIST SP 800-63B favours minimum length and screening against lists of breached passwords over composition rules and scheduled rotation, and requires a change whenever a password is suspected to have been compromised, so the composition and rotation rules above should be read alongside that guidance.
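The password rules above expressed as a checker, as an added example written for this page and not AMP Bank's code. It enforces length, the character-class rule, the ban on the PIN and on personal information, and a deny-list check, and it returns every violation rather than only the first so the user can be told what to fix. The minimum length of 12, the small deny list standing in for a breached-password corpus, and the `require_classes` switch (which turns off the composition rule for deployments that follow NIST SP 800-63B's length-plus-screening approach instead) are assumptions for illustration.

```python
"""Password policy checker.

Added example for this page; not AMP Bank's code. The minimum length,
the deny list and the parameter names are assumptions for illustration.
"""
import re
import unicodedata

# Constructed deny list standing in for a breached-password corpus (assumption).
KNOWN_WEAK = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def _normalise(text):
    """Case-fold and Unicode-normalise so 'PassWord' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(password, pin=None, personal_info=(), min_length=12,
                   require_classes=True):
    """Return a list of policy violations; an empty list means the password passes.

    pin: the customer's card PIN, which must not appear in the password.
    personal_info: strings such as name, date of birth or account number that
        must not appear in the password; each is checked whole and word by word.
    require_classes: enforce the upper/lower/digit/symbol rule; pass False to
        rely on length plus the deny list instead.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if require_classes:
        classes = {
            "uppercase": re.search(r"[A-Z]", password),
            "lowercase": re.search(r"[a-z]", password),
            "digit": re.search(r"\d", password),
            "symbol": re.search(r"[^A-Za-z0-9\s]", password),
        }
        missing = [name for name, found in classes.items() if not found]
        if missing:
            problems.append("missing " + ", ".join(missing))

    norm = _normalise(password)

    if pin and pin in password:
        problems.append("contains the card PIN")

    for item in personal_info:
        norm_item = _normalise(item)
        # Check the whole value and its individual words ("alice" from "Alice Ng");
        # words shorter than three characters would match almost anything.
        words = {norm_item, *re.split(r"[^0-9a-z]+", norm_item)}
        if any(len(w) >= 3 and w in norm for w in words):
            problems.append(f"contains personal information ({item})")

    # Strip trailing digits/symbols so "Password1!" is still caught by the deny list.
    stem = re.sub(r"[^a-z]+$", "", norm)
    if norm in KNOWN_WEAK or stem in KNOWN_WEAK:
        problems.append("appears in the known-weak password list")

    return problems


if __name__ == "__main__":
    customer = {"pin": "4321", "personal_info": ["Alice Ng", "1985-03-12"]}
    for candidate in ("Summer2018", "aliceng-4321-Rocks!", "Tr0ub4dor&3-Harbour-Lamp"):
        print(candidate, "->", check_password(candidate, **customer) or "OK")
```

The deny list is the part that matters most in practice: a real deployment would query a breached-password corpus (for example via a k-anonymity range API) rather than a five-entry set, and would treat a hit as a hard rejection regardless of how many character classes the password contains.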
Digital certificates backed by a public key infrastructure (PKI) also need to be incorporated to authenticate both the banking system and users for high-value transactions. In addition, short message service (SMS) notifications will be used to inform account holders of any transaction taking place online, and the transaction will require confirmation from the phone number linked to the bank account (De et al., 2015). Because SMS can be redirected by SIM-swap fraud, the confirmation message should state the amount and payee so that the customer can spot a transaction that malware has altered, and the code should be bound to those details and expire quickly.
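The SMS confirmation step above, as an added example written for this page rather than AMP Bank's code: the bank derives a six-digit code from the transaction's identifier, amount, payee, and issue time under a server secret, sends it together with the amount and payee in the text, and accepts the transaction only if the customer returns the code for exactly those details within the validity window. Binding the code to the details is what defeats the content manipulation (man-in-the-browser) attack described earlier: a payee or amount altered after the message was issued no longer matches the code. The 5-minute window, the three-attempt limit, the message wording, and the in-process server key are assumptions for illustration; the SMS gateway call is left as a comment.

```python
"""Transaction-bound out-of-band confirmation codes.

Added example for this page; not AMP Bank's code. Window length, attempt
limit, message text and key handling are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

CODE_VALIDITY_SECONDS = 300           # assumption: 5-minute window
MAX_ATTEMPTS = 3                      # assumption: invalidate after three wrong entries
SERVER_KEY = secrets.token_bytes(32)  # would live in an HSM/KMS, not in process memory


class TransactionConfirmer:
    """Issues and checks SMS confirmation codes bound to one transaction."""

    def __init__(self, key=SERVER_KEY, now=time.time):
        self._key = key
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # txn_id -> {"issued_at": int, "attempts": int}

    def _code_for(self, txn_id, amount, payee, issued_at):
        # Amount is a decimal string (never a float) so the MAC input is exact.
        msg = f"{txn_id}|{amount}|{payee}|{issued_at}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn_id, amount, payee):
        """Record the pending transaction and return the SMS text to send."""
        issued_at = int(self._now())
        self._pending[txn_id] = {"issued_at": issued_at, "attempts": 0}
        code = self._code_for(txn_id, amount, payee, issued_at)
        # The text repeats amount and payee so the customer can spot a transaction
        # that malware altered before it reached the bank.
        sms = f"AMP: confirm ${amount} to {payee}? Code {code}, valid 5 min."
        # hypothetical: sms_gateway.send(registered_number, sms)
        return sms

    def confirm(self, txn_id, amount, payee, code):
        """Return True only if `code` matches the details submitted now, is within
        the validity window and the attempt budget, and has not been used."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        if self._now() - entry["issued_at"] > CODE_VALIDITY_SECONDS:
            del self._pending[txn_id]            # expired
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]            # stops online guessing of a 6-digit code
            return False
        expected = self._code_for(txn_id, amount, payee, entry["issued_at"])
        if hmac.compare_digest(expected, code):  # constant-time comparison
            del self._pending[txn_id]            # single use
            return True
        return False


if __name__ == "__main__":
    tc = TransactionConfirmer()
    text = tc.issue("T1", "2500.00", "BSB 062-000 Acct 12345678")
    print(text)
    code = text.split("Code ")[1][:6]
    print("tampered payee accepted:", tc.confirm("T1", "2500.00", "BSB 999-999 Acct 1", code))
    print("original accepted:", tc.confirm("T1", "2500.00", "BSB 062-000 Acct 12345678", code))
```

The attempt limit is not optional: without it a six-digit code that stays valid for five minutes can be guessed online, and a constant-time comparison on its own does nothing to stop that. The class keeps the pending entry under the bank's control, so the only thing the customer's device contributes is the code and the details the bank will actually execute.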
As outlined above, for AMP Bank Ltd to make the most of the IT revolution while safeguarding its information security, it will need to stay constantly updated on the threats and vulnerabilities posed to its offline and online transactions. The banking industry faces many threats and vulnerabilities, ranging from malware, errors and omissions, hacking and unauthorized access, and loss or alteration of data to phishing, among other challenges. Adopting the information security policies outlined here will see to it that the confidentiality, integrity, access, utility, authenticity, and availability of the institution's information and data are safeguarded against these threats and vulnerabilities. The policies address both the internal and external threats and vulnerabilities faced by the bank and the roles the new policies will play in controlling, regulating, and mitigating them.
Chishti, S., Barberis, J., & Puschmann, T. (2018). The WealthTech Book: The FinTech Handbook for Investors, Entrepreneurs and Finance Visionaries.
De, M. J., Portesi, S., European Union, & Deloitte Bedrijfsrevisoren. (2015). Cyber security information sharing: An overview of regulatory and non-regulatory approaches.
Taplin, R. (Ed.). (2017). Managing cyber risk in the financial sector: Lessons from Asia, Europe and the USA.
Vacca, J. R. (Ed.). (2017). Computer and information security handbook. Cambridge, MA: Morgan Kaufmann Publishers.
MarketScreener. (2018). AMP Limited company: Shareholders, managers and business summary (Australian Securities Exchange: AMP). Retrieved from https://www.marketscreener.com/AMP-LIMITED-6491362/company/
Zhang, Q., Wang, J., & Zhang, K. (2013). Security management research based on financial database. Information Technology and Industrial Engineering. doi:10.2495/itie130801