Alpha Bank Policy and Information Security System

Network Architecture and Security Considerations

Since Alpha Bank runs several externally accessible services, such as HTTP and e-mail, the probability of an outside attack on the company is quite high. To prevent data theft, it is recommended to separate these services physically and logically from the internal network. Firewalls and enhanced protection of sites and applications would prevent random attacks. However, experienced offenders can penetrate the internal network if the services they have compromised reside in the same network as the other nodes. Externally accessible services should therefore be located in the so-called demilitarized zone (DMZ), a logical segment through which traffic from the Internet can reach these services without entering the internal network. If the demilitarized zone is attacked, the rest of the internal network remains hidden behind the firewall in a separate segment. Firewall policies can also be used to accept, forward, reject, and block data packets. They can contain complex routing and forwarding rules that enable administrators to grant external access only to certain services running on specific addresses and ports, and to open internal services only to the local network, which prevents attacks from fake (spoofed) IP addresses (Bacik, 2008).
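As an added illustration of the DMZ and firewall-policy ideas in this section (example code written for this page, not taken from the paper or its sources), the following Python script models a three-zone firewall with a default-deny allow-list and an anti-spoofing check. The addresses, interface names and rule table are constructed assumptions; the DMZ-to-LAN port 389 rule in particular is hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the illustration (RFC 5737 / RFC 1918 ranges).
DMZ_NET = ip_network("192.0.2.0/24")    # public-facing web and mail servers
LAN_NET = ip_network("10.10.0.0/16")    # internal workstations and servers


@dataclass(frozen=True)
class Packet:
    in_iface: str   # firewall interface the packet arrived on: "wan", "dmz" or "lan"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


# Allow-list of (ingress interface, destination zone, permitted ports).
# None means "any port". Anything not listed is dropped (default deny).
ALLOW = [
    ("wan", "dmz", {80, 443, 25}),      # Internet reaches only the published DMZ services
    ("lan", "dmz", {80, 443, 25, 22}),  # staff may also administer DMZ hosts over SSH
    ("lan", "lan", None),               # internal services are open only to the local network
    ("dmz", "lan", {389}),              # hypothetical: DMZ hosts may only do directory lookups
]


def zone_of(addr: str) -> str:
    """Map an address to the zone it belongs to; anything else is the Internet."""
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in LAN_NET:
        return "lan"
    return "wan"


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing check: a packet must arrive on the interface that serves
    the zone its source address claims to belong to. An internal source
    address seen on the WAN interface is a fake IP."""
    return zone_of(pkt.src) != pkt.in_iface


def decide(pkt: Packet) -> str:
    """Return 'accept' or a 'drop:<reason>' verdict for one packet."""
    if is_spoofed(pkt):
        return "drop:spoofed-source"
    dst_zone = zone_of(pkt.dst)
    for iface, zone, ports in ALLOW:
        if pkt.in_iface == iface and dst_zone == zone and (ports is None or pkt.dport in ports):
            return "accept"
    return "drop:default-deny"


# Constructed sample traffic that exercises the DMZ rules.
SAMPLE = [
    Packet("wan", "203.0.113.5", "192.0.2.10", 443),   # customer to web server
    Packet("wan", "203.0.113.5", "192.0.2.10", 22),    # Internet to DMZ SSH
    Packet("wan", "203.0.113.5", "10.10.1.20", 445),   # Internet straight to a file server
    Packet("wan", "10.10.1.5", "10.10.1.20", 445),     # LAN address arriving from outside
    Packet("dmz", "192.0.2.10", "10.10.1.20", 445),    # compromised DMZ host probing the LAN
    Packet("lan", "10.10.1.5", "10.10.1.20", 445),     # normal internal file access
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.in_iface:>3} {pkt.src:>13} -> {pkt.dst}:{pkt.dport:<4} {decide(pkt)}")
```

The point the model makes concrete is the one the paragraph argues: a compromised DMZ host gets no further than the explicitly listed ports, internal services are never reachable from the WAN interface at all, and a packet that claims an internal source address while arriving from outside is dropped before any rule is consulted.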

Wireless Security

The wireless security of the organization may be ensured if the following measures are taken. First of all, training of users and administrators is required, since they must know and understand the limitations set by the information security policy and have the skills necessary to detect and prevent policy violations. Control over access to the corporate network reduces the level of risk associated with unauthorized access to it. It involves disabling unused switch ports, filtering users by MAC address, and installing intrusion detection systems and security scanners. The territory of the organization must be controlled to reduce the probability of someone connecting to the network with wireless devices used from outside. Restricting access to the network ports and expansion slots of the computer equipment will also reduce the possibility of connecting a wireless device to it. Finally, the privileges of the majority of users must be minimized, which reduces the likelihood of unauthorized changes in the settings of wireless interfaces (Straub, Goodman, & Baskerville, 2008).

Remote Access Security

The remote workstations of external users create additional threats compared with the local office workspace. In particular, mobile users are outside the direct physical control of the organization. Their data travels through channels that are beyond the control of the organization and may be subject to interception and unauthorized modification. Thus, remote access must be secured by means of solutions such as OpenVPN. In this case, the application traffic (fully or partially) is packed into an open transport protocol and then into IP packets. After that, these packets are intercepted and re-encapsulated in a transport protocol protected with SSL or TLS tools. As a result, the traffic becomes almost impossible to intercept, decrypt or modify. However, such a solution requires a VPN client on the remote workstation, since web browsers are not capable of intercepting the mentioned IP packets (Straub et al., 2008).

Laptop and Removable Media Security

Laptops and removable media that employees use at home or on business trips are not protected by the corporate network, meaning that they can be a potential threat to the security of the company’s information system. To reduce the risk of data leaks and theft, so-called endpoint solutions are required. Unlike the usual components of the overwhelming majority of security systems, they do not run on a remote server but on the laptop itself. This means that they are effective regardless of the network to which the laptop is connected and regardless of whether such a connection is available at all. At the same time, endpoint solutions behave differently inside the corporate network and outside it. As part of the protective perimeter, the endpoint module on the laptop is constantly connected to the central components of the security system and provides them with the intercepted information in accordance with the information security policy. However, as soon as the laptop disconnects from the corporate network, the module switches to an autonomous mode. In this mode, it collects data on user actions, saving information on the documents and messages sent by the user, as well as other incoming and outgoing data on the laptop or removable media. As soon as the laptop is returned to the office, all the data is transferred to the corresponding component of the security system, so that the experts can learn about any violations of corporate policies that could potentially lead to information leaks (Straub et al., 2008).

Vulnerability and Penetration Testing

Alpha Bank uses a wide array of software solutions in its activities. As a result, there is always a risk that it will be hacked from the outside. The primary reason for that is the human factor involved in the development of computer solutions. Thus, there is always an unprotected spot in the network that criminals may use to penetrate the bank’s system. A manual search for vulnerabilities of the network and its penetration testing take an extremely long time. Therefore, automated search software, the so-called security scanner, is needed. It is required to analyze both the end-user terminals of the corporate network (computers) and the database servers, which are the sites that store and process large volumes of confidential data, as well as the e-mail and web servers. The security scanner must be capable of identifying the services running on different ports of the operating system, which makes it possible to monitor the latest updates and define the vulnerabilities of the network. It is also required to check the resilience of the company’s servers to DoS (denial of service) attacks and to search for vulnerabilities in password protection (Straub et al., 2008).

Physical Security

The physical security of the network must be implemented in the form of integrated modular solutions that provide direct protection from a variety of external attacks. Such solutions guarantee the safety of the entire information system, namely the data center. The most elaborate and comprehensive solution that Alpha Bank can use is the IT security room. It must be built on the room-in-a-room principle, which guarantees protection against physical impacts. Its most valuable feature is resistance to high temperatures, particularly during a fire. The structure can withstand a temperature of 1100°C for two hours while the indoor temperature does not exceed 70°C. As a result, even in case of fire, the confidential data of the bank will remain intact (Bacik, 2008).

Guidelines for Reviewing and Changing Policies

Changes in the information system of the company create a need to adjust the information security management system and the security policy. Therefore, it is necessary to set a period for reviewing the security policy in the organizational schedule. This section of the security policy can be set out in the following way. Security policies require regular reviews and adjustments made at least once a year. Unscheduled reviews of security policies are carried out in case of significant changes in the information system of the company, as well as in case of information security incidents. When changes are made to the security policy, the results of the information security audit and the recommendations of independent information security experts must be taken into account (Whitman & Mattord, 2013).

Policies

Acceptable Use Policy

Policy statement. The acceptable use policy defines the terms of the agreement between Alpha Bank and its employees under which they may access the information system of the organization. It applies to all workers and representatives of third parties collaborating with the company. Use of the information system of Alpha Bank means that the users accept and agree to comply with all the rules listed in the policy.

Purpose. The policy defines the acceptable use of computer equipment in the information system of Alpha Bank in order to provide maximum protection. Improper use of the information system makes the organization vulnerable to a variety of risks, including virus attacks and hacking of the computer networks.

Objectives. The policy aims at ensuring the circulation of reliable data in the information system of Alpha Bank, as well as preventing damage to the reputation of the company as a result of the actions of its employees. Additionally, its objective is to protect confidential data related to the company’s sphere of activity.

Standards. The user interface used for processing information in the Internet/Intranet/Extranet systems is to be regarded as confidential according to the corporate security rules of Alpha Bank. Examples of confidential information include private company data, corporate strategy, information that is valuable to competitors, trade secrets, specifications, customer lists and research data. The company’s employees must take all the necessary steps to prevent unauthorized access to this information. In particular, forum posts that contain a corporate e-mail address must carry a notice that the statements express the worker’s personal opinion and may not be supported by the organization, unless the posted messages are related to their professional activities. All computers with access to the Internet/Intranet/Extranet systems, whether owned by the employees or by Alpha Bank, must use anti-virus software with the most recent anti-virus databases (except in the cases defined by the organizational policy) (Whitman & Mattord, 2013).

Procedures and guidelines. Since the organization aims at providing a reasonable level of security, employees must remember that all the data they have created within the corporate system is the property of Alpha Bank. To ensure the security of the organization’s information systems, the management should guarantee confidentiality of the information within the boundaries of the corporate network. It is recommended to encrypt information that is considered confidential or vulnerable. In order to ensure the safety of the information system, the authorized personnel of Alpha Bank should monitor equipment, systems and network activities at all times in accordance with the audit policy. The company also reserves the right to perform periodic audits of information systems in order to ensure compliance with the acceptable use policy (Whitman & Mattord, 2013).

Responsibilities. The policy applies to full-time employees, contract workers, consultants, temporary workers and other employees of Alpha Bank, all of whom bear full responsibility for their actions. Each department should be guided by its own rules regarding the use of Internet/Intranet/Extranet resources. Where such rules are absent, the general policy of the company must be followed (Whitman & Mattord, 2013).

Review and change management. The management of Alpha Bank can revise the described acceptable use policy at any time by modifying the contents of the handbook as well as the corresponding page on the corporate website. It is assumed that employees will check the page from time to time and keep track of the changes. Some provisions of the acceptable use policy may also be superseded by notices published in other sections of the corporate website (Whitman & Mattord, 2013).

Password Policy

Policy statement. To prevent unauthorized use of the services or resources of Alpha Bank, to protect personal data, and to restrict access to the information systems of the company, rules for the creation and use of credentials must be implemented in accordance with the regulatory documents on the use of information technology in local and global networks and with the cryptographic strength requirements.

Purpose. The purpose of this policy is to establish the standards for password creation, protection, and frequency of change, as well as the standards required of the application developers collaborating with Alpha Bank.

Objectives. The objectives of the password policy of Alpha Bank include the protection of confidential information, including the personal data of its clients and employees, trade secrets, research results, etc. Additionally, it is meant to increase the employees’ responsibility in handling confidential information.

Standards. All user and system passwords must comply with the following standards. Passwords to system accounts (domain administrator, local administrator, root, etc.) must be changed on a quarterly basis. All passwords to system accounts, applications and operated equipment must be stored in the database in encrypted form. Their validity must not exceed nine months, although the recommended interval between password changes is six months. Passwords to user accounts with administrative privileges must be unique with respect to the other account passwords of those users. A password issued to an employee must be changed at the first logon. Additionally, the application developers that cooperate with Alpha Bank must ensure that their programs meet the following standards. First of all, the applications must support authentication of individual users, not groups. Besides, they must not store passwords in the open or in an easily recoverable form. Finally, the applications must provide a way to delegate rights so that one user can perform the functions of another without knowing that user’s password (Straub et al., 2008).

Procedures and guidelines. Alpha Bank uses passwords for a variety of purposes. These include access to user accounts, the web interface, e-mail, screen saver protection, voicemail, and router access. Since very few systems support one-time password tokens (dynamic passwords that are used only once), users must know how to create a secure password. Weak passwords have the following characteristics. They contain fewer than eight characters or include the names of other employees, fictional characters, etc. They may also contain computer terms, the name of the company, dates of birth, and other personal information such as addresses and telephone numbers. Additionally, patterns such as aaabbb, qwerty, 12345, etc. must be avoided (Straub et al., 2008).
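The following Python example, added here and not part of the paper, turns the weak-password characteristics from this paragraph and the storage requirement from the Standards paragraph into a checker. The blocklist, names and personal-data samples are constructed; for the stored form it uses a salted PBKDF2-HMAC-SHA256 hash, which is the usual way to meet the requirement that passwords are not kept in open or easily recoverable form.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8

# Constructed blocklist in the spirit of the policy: the company name,
# common computer terms, and the names of colleagues and fictional characters.
BLOCKLIST = sorted({
    "alphabank", "alpha", "password", "admin", "root", "server", "login",
    "gandalf", "batman", "smith", "johnson",
})

# Keyboard rows and the digit row, used to detect templates like qwerty or 12345.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if any n consecutive characters walk along a keyboard row or the
    digit row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in low or seg[::-1] in low:
                return True
    return False


def _has_repeated_chars(pw: str) -> bool:
    """True for templates such as aaabbb (three or more identical characters in a row)."""
    return re.search(r"(.)\1{2,}", pw) is not None


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the policy violations found in pw; an empty list means acceptable.

    `personal` holds the user's own data the policy says must not appear:
    name, date of birth, address fragments, telephone number."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for word in BLOCKLIST:
        if word in low:
            problems.append(f"contains blocklisted word '{word}'")
    for item in personal:
        digits = re.sub(r"\D", "", item)
        # Match the item itself or any four-digit run taken from it (e.g. a birth year).
        if item.lower() in low or any(digits[i:i + 4] in pw for i in range(len(digits) - 3)):
            problems.append(f"contains personal data '{item}'")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard or digit sequence")
    if _has_repeated_chars(pw):
        problems.append("contains repeated characters")
    return problems


def store_password(pw: str, iterations: int = 600_000) -> str:
    """Stored form: never the plaintext, but a salted PBKDF2-HMAC-SHA256 hash
    encoded as algorithm$iterations$salt$hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: an employee named Smith born on 12.04.1990.
    for candidate in ["qwerty12", "Alpha123", "aaabbb", "Smith1990!", "Tr0ub4dor&3xplorer"]:
        print(candidate, "->", check_password(candidate, personal=("Smith", "12.04.1990")) or "ok")
```

The blocklist and keyboard-row checks are deliberately simple substring tests; in production the blocklist would be fed from the HR directory and a breached-password list, and the iteration count is tuned to the login servers rather than fixed in code.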

Responsibilities. All employees of Alpha Bank (including contractors and third parties) are responsible for compliance with the password policy. Any employee violating the current password policy of the organization may be subject to disciplinary measures up to and including dismissal.

Review and change management. The password policy may be reviewed or changed at any time by the company’s management, with employees being notified of the change in advance to avoid downtime. In case of an incident, the policy is to be reviewed immediately, taking into consideration the specific circumstances and nature of the event.


Incident Response Policy

Policy statement. The investigation of a security incident and the response to it uncover the vulnerabilities of the information system, including traces of attacks and intrusions. They also allow checking the functioning of protective mechanisms and the quality of the system architecture. These processes are to be carried out in compliance with the existing standards and in a way that ensures the safety of the organization.

Purpose. The incident response policy is aimed at providing timely notification of the management of Alpha Bank about security incidents and the means of responding to them, as well as the measures that ensure the integrity of the data related to them.

Objectives. The objectives of the incident response policy include confirming an incident, providing a detailed report with useful recommendations, and ensuring quick recovery of the system. Additionally, it aims at creating the conditions for the accumulation and storage of accurate information about security incidents in the company to ensure rapid detection and prevention of such incidents in the future. Finally, its objective is to protect the reputation of Alpha Bank and its resources, as well as to teach the employees the process of responding to incidents.

Standards. Response to incidents must be carried out in accordance with standards such as NIST SP 800-61, meaning that it has to follow the algorithm below (Williams, 2013). First of all, the organization must be prepared for the fact that security incidents might occur, in order to minimize their consequences and to ensure rapid recovery of the system. Next, a critical incident stress response team must be formed. This stage is the most important one, as it defines the success of the investigation of a potential incident. The next step includes detection of the incident and the initial response to it, which involves conducting the initial investigation, recording the basic details of the events accompanying the incident, gathering a commission of inquiry, and informing the stakeholders. It is followed by the formulation of response strategies, which are to be based on well-known facts and determine the best ways of responding to the incident. The strategies also specify the actions that will be taken in case the incident results in a civil or criminal case or an administrative action. The incident investigation is conducted through data collection and analysis and is followed by the presentation of a detailed report containing the information obtained during the inquiry, in a form suitable for decision-making (Williams, 2013).

Procedures and guidelines. The response to a security incident includes technical measures that ensure the integrity of forensically relevant data and the possibility of its judicial investigation in the future, as well as organizational measures that reduce the damage from the incident and allow preparing the necessary documents for the law enforcement agencies. The essence of the technical measures is to preserve the integrity of data potentially related to the incident by disconnecting, packing, sealing, and properly storing the respective media. Disconnecting them reduces the risk that forensically relevant data is destroyed by malicious programs or by the actions of the attackers. At the same time, their packaging, sealing and proper storage make it possible to assess the reliability of the results of the forensic investigation in court. The organizational measures include notifying the management of Alpha Bank, the corporate information security units, and other organizations concerned about the incident. Documents drawn up as a result of the organizational measures can be used as a basis for considering the institution of criminal proceedings (Straub et al., 2008).
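As an added example (not from the paper), the Python code below records the technical measures described above for one sealed medium: a hash of the disk image taken at sealing time, and a hash-chained custody log so that later edits to earlier entries are detectable. The item identifier, custodian names and image bytes are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _event_hash(event: dict) -> str:
    # Canonical JSON so that the hash does not depend on key order.
    return sha256_hex(json.dumps(event, sort_keys=True).encode())


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def add_event(record: dict, who: str, action: str, note: str, when: str = None) -> dict:
    """Append a custody event; each event carries the hash of the previous one."""
    prev = _event_hash(record["events"][-1]) if record["events"] else "0" * 64
    record["events"].append({
        "when": when or _now(), "who": who, "action": action, "note": note, "prev": prev,
    })
    return record


def seal_evidence(item_id: str, image: bytes, who: str, note: str, when: str = None) -> dict:
    """Custody record created when the medium is disconnected, packed and sealed.
    The image hash taken here is the anchor every later check compares against."""
    record = {"item_id": item_id, "sha256": sha256_hex(image), "size": len(image), "events": []}
    return add_event(record, who, "sealed", note, when)


def verify_image(record: dict, image: bytes) -> bool:
    """True if the image presented now is byte-for-byte what was sealed."""
    return len(image) == record["size"] and hmac.compare_digest(record["sha256"], sha256_hex(image))


def verify_chain(record: dict) -> bool:
    """True if no custody event has been altered or removed after a later event was added."""
    expected = "0" * 64
    for event in record["events"]:
        if event.get("prev") != expected:
            return False
        expected = _event_hash(event)
    return True


if __name__ == "__main__":
    # Constructed sample: a seized laptop disk image and two custody transfers.
    image = b"constructed disk image bytes for the example"
    rec = seal_evidence("HDD-01", image, "a.ivanov", "laptop disk, evidence bag 7")
    add_event(rec, "b.petrov", "received", "forensics lab, safe 2")
    add_event(rec, "b.petrov", "imaged", "working copy made, original resealed")
    print(json.dumps(rec, indent=2))
    print("image intact:", verify_image(rec, image), "| chain intact:", verify_chain(rec))
```

The record must be kept apart from the medium itself (and in practice signed or countersigned on paper), because whoever can rewrite both the image and the record at once defeats the check. `verify_chain` only notices changes to an entry once a later entry has been appended after it, which is why the sealing hash, not the log, is what the court-facing comparison rests on.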

Responsibilities. The responsibility of the company’s employees for failure to comply with the incident response policy that has resulted in the loss or disclosure of restricted information is defined by state and federal legislation, the internal regulations of the organization, and job descriptions.

Review and change management. The policy is reviewed and changed in case of changes in the laws and other requirements that regulate the incident response process in the sphere of information security, as well as the development of the corresponding technologies. In any case, this process must be carried out at least every 36 months (Straub et al., 2008).

User Awareness and Training Policy

Policy statement. In the present conditions, the employees of Alpha Bank require knowledge of specific issues related to information security. This need has arisen from the requirements of state and federal legislation, American and international standards, and company regulations, as well as from the basic safety requirements and the need to ensure the security of the confidential data of the clients.

Purpose. The purpose of the policy is to develop and implement training programs that increase the competence of the employees of Alpha Bank in terms of information security.

Objectives. The policy is aimed at increasing the employees’ awareness of the existing corporate information security policies and the protective measures used by the company, as well as of the significance and importance of the employees’ own activities in ensuring the information security of Alpha Bank. Additionally, it is focused on providing the employees with the skills required for the proper use of protective measures in accordance with the internal regulations of the organization.

Standards. The user awareness and training policy is to be carried out in accordance with Deming’s cyclic model, which is the basis of quality management standards, including ISO/IEC IS 27001:2005 (Williams, 2013). It consists of four stages. The first of them is the Plan stage, which involves the formulation of learning objectives, the purchase of a training system, development of the curriculum, creation of the necessary training materials, and preparation of the organizational and administrative documents regarding the structure of training. The Do stage involves the implementation of the developed training program and monitoring of the employees. Before the training system is used, the users must be instructed in its correct use, the order of the educational tasks must be established, and their performance must be controlled. The Check stage involves the evaluation of the effectiveness of the training programs, which includes assessing the knowledge and skills obtained by the employees, as well as a statistical analysis of changes in the frequency of security incidents. The Act stage involves the revision and enhancement of the training programs and educational materials (Williams, 2013).

Procedures and guidelines. For large companies with an extensive regional network, such as Alpha Bank, distance learning systems that allow training and supervising a large number of employees at once are the most feasible option. The software market offers a variety of distance learning systems (Digital Security E-Learning System, ELeaP LMS, etc.). The choice of a system depends on the number of students, the resources available for developing courses and tests, the implementation timeline, and the possibility of introducing additional courses. In addition, the training process may involve so-called non-standard means used to maintain an atmosphere of information security, thanks to which employees will remember certain provisions of the security policy and understand the importance of its requirements on the emotional and subconscious levels. These include screensavers, video clips, multimedia materials, information security news blocks and posters. The greatest effect can be achieved by the integrated application of various forms and methods of training as part of the multi-level awareness of the company’s employees in the field of information security (Whitman & Mattord, 2013).

Responsibilities. The responsibility for implementing the user awareness and training policy, including the selection and purchase of the required software and the development of the curriculum, lies with the information security department of Alpha Bank.

Review and change management. The policy is reviewed and changed when the requirements that regulate the process of user training in the sphere of information security change, as well as when corresponding innovative technologies emerge.
