To: The Chief Technology Officer
From: The IT Officer
Date: 18 January 2019
Re: Business Case for Change of Bank’s Security Plan
Enclosed please find a draft proposal narrative for the need to change the Security Plan for the Bank. I request your in-depth analysis of the contents.
From the evaluation of the Bank’s security plan, there is a need to make relevant changes to the Bank’s security to conform with the Financial Regulations and fit within the framework of our Business Strategies. The proposals included will be key benchmarks for a robust and improved system.
The IT Department and Review team appreciate your review of the proposal. I am available for further input, clarification and/or recommendations on the documents provided to pave the way for the improvement of the Bank’s Security.
Management of information or computer security is required to guard against different types of security breaches, frequent loss of integrity and confidentiality of information, as well as lack of access to information by eligible persons. Security plans also involve safeguarding against disclosure of sensitive information and fraud. A strict security plan helps in the appreciation of continuous investment by organizations in management of security risks on information, creates a coordinated approach to reduction of costs associated with information security, and ensures that there is sufficient information for decision making with respect to managing security risks in the organization (Change Factory, n.d.).
Developing a Case for Change
The Business Case for Change in Security Plan
As a large organization, Citi Bank Group requires proper implementation of a system of information security capable of managing risks linked to its financial, physical, and intellectual property assets. Execution of a viable security plan will prevent loss of reputation resulting from system vulnerability, prevent breaches affecting regulatory non-compliance and prevent loss of revenue among others.
Rationale for Security Change of Plan
The Bank’s current Security System has been subjected to evaluation and thorough assessment. Through continued collaboration and cooperation between the business strategy and technology groups of the bank, the aim was to investigate the state and strength of the security system. The results of consultative audits and testing have revealed a number of weaknesses, which necessitate changes in the Security Plan. Over time, the Bank has encountered attacks and threats to its Security System both from within the organization and from outside. These attacks have exposed the data and information of the bank and its clients to risk, and it is important to accept the need to change the Security Plan.
Setting of Controls and Measures
The evaluation revealed that the risks and vulnerabilities all relate to cyber security and data integrity.
The Security Response Plan Targets. Prevention, detection, and response.
For Cyber Attacks/Crime. As a Bank, there is a need to implement excellent defense against cybercrime, and all electronic commercial sites should be guarded against Distributed Denial of Service (DDoS) attacks. In this regard, the new security plan includes implementation of cybersecurity hygiene and a comprehensive anti-data breach policy. A response plan is in place that guides the behavior of staff before, during, and after an attack (Lago, 2018).
Tools. Trackers and spreadsheets will be employed frequently for recording security controls and are documents that can be easily updated, with audit trails of past actions for both rewrite and archival.
Encryption. The new security plan will facilitate end-to-end security encryption within every department and at different levels in the company and protect both physical and digital files from unauthorized access.
Data Map. A data map has been drawn to help indicate the location of stored files, who has authority to access, and for how long they should be kept.
No “USB/Flash Disks”. Zero acceptance of plugging USB devices into company computers.
Current Organizational Situation and Associated Risks
Security Review. In this, we identified the lack of proper implementation of the security policies, lack of sufficient resources, and negligence by the administration.
Protocols. Most of the security protocols are in place.
Staff Awareness. It appears that only the IT Department staff have complete security awareness, but they lack the necessary tools to undertake complete implementation.
Evaluation Tools: We utilized risk registers, Gantt charts, and timelines to set milestones, keep accurate records, and track the security evaluation process.
Detail Security Model Attributes Applicable to Citi
Service Availability. Provides 24/7 unrestricted convenience and allows access to all digital financial services anywhere and anytime.
Data Aggregation. This means the financial services are highly personalized and that all customer data and financial services can be found in one digital location with tools and online support.
Open Banking. Data content can be verified by third parties. This means that bank clients can get more information and tools to enhance their financial services, and interact with the bank through systems to obtain specific recommendations based on their financial needs (Fintech Futures, 2018).
Customer Experience. Incorporates social content to improve customer experience through integrated videos or customer help forums and social platforms for customers to engage on security issues and other banking aspects.
Identify the Model and Attributes for Citi
The Security Attributes are derived from the Clark-Wilson Model and apply to the banking industry because it involves a strict verification procedure of data items. The model is designed to achieve integrity enforcement during all the transformation procedures, and facilitate an audit trail of all financial transactions, which is a key security concept in monitoring.
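The Clark-Wilson ideas named above (constrained data items changed only through a transformation procedure, an integrity verification procedure, and an audit trail) can be sketched as follows. This is an added example, not part of the original memo; the account names, users and the hash-chained log are constructed for illustration, and certification is simplified to (user, procedure, source account) triples.

```python
import hashlib
import json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Balances (integer cents) are the constrained data items (CDIs)."""

    def __init__(self, balances, triples):
        self._cdi = dict(balances)
        self._triples = set(triples)        # certified (user, TP, CDI) triples
        self._total = sum(self._cdi.values())
        self.audit = []                     # append-only, hash-chained trail

    def balances(self):
        return dict(self._cdi)

    def ivp(self):
        """Integrity verification procedure: no overdraft, funds conserved."""
        values = self._cdi.values()
        return all(v >= 0 for v in values) and sum(values) == self._total

    def _log(self, user, args, outcome):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"user": user, "tp": "transfer", "args": args,
                "outcome": outcome, "prev": prev}
        self.audit.append({**body, "hash": _digest(body)})
        return outcome

    def transfer(self, user, src, dst, amount):
        """Transformation procedure (TP): the only code path that edits CDIs."""
        args = [src, dst, amount]
        if (user, "transfer", src) not in self._triples:
            return self._log(user, args, "denied")
        before = dict(self._cdi)
        valid = (src in before and dst in before
                 and isinstance(amount, int) and amount > 0)
        if valid:
            self._cdi[src] -= amount
            self._cdi[dst] += amount
        if not valid or not self.ivp():
            self._cdi = before              # roll back to the last valid state
            return self._log(user, args, "rejected")
        return self._log(user, args, "committed")

def audit_intact(entries):
    """Recompute the hash chain; an edited entry breaks it."""
    prev = "0" * 64
    for entry in entries:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Every attempt, including denied and rejected ones, lands in the trail, so a reviewer can replay who tried what and confirm the log itself was not altered.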
Security Plan’s Potential Security Improvement
First, the bank will have sufficient backups to restore information in the event that there is a threat and systems need to be rebooted. Secondly, there will be limited damage, as sufficient precautions would have been put in place through the installation of endpoint protection software and keeping the systems up to date with security fixes. The plan will require hiring independent experts to make a periodical evaluation of the security systems to improve performance. There will be a two-step verification system for every access. Everything in the bank will be encrypted.
Pros and Cons for Implementation versus CIA
Confidentiality. This involves protecting information from disclosure to unauthorized people. For example, bank accounts of customers, their information, credit card numbers, government documents and bank’s trade secrets will constitute a larger part of the security plan. To achieve this, encryption protocol will be employed, which means only the right people can read information to which they have right of access (Chia, 2012).
Integrity. Integrity entails protecting information from any kind of modification by unauthorized users. In the new security plan, it is critical that valuable information remains correct and is not tampered with, to avoid losses and costs. By using cryptography and hashing data, the bank will achieve data integrity.
Availability. Information becomes valuable whenever authorized users are able to access it when required. The new system will invariably provide this feature, because any kind of Denial of Service requests in any system is detrimental to the success of the organization, especially in the case of a bank. Availability of data will be achieved through regular on-site and off-site backups to limit the damage on storage areas or disasters of any kind.
Risks and Impacts in Relation to Finances
This could be a risk of loss because of inadequate or failed internal processes, systems, or external activities. Mostly, operational risks occur due to human errors made unconsciously or willingly. IT/system risk is one resulting from a system failure or programming errors, or from process risks that occur in information processing through hacks, leaks, or inaccurate data processing (Gangreddiwar, 2015). From a financial perspective, investing in a new security policy is heavily dependent on the financial capability of the organization. Therefore, the availability of money determines the proper implementation of a new Security Plan, through investment in sufficient hardware or IT support, which requires a lot of money, as well as computer software such as anti-tamper software.
Maintenance of Business Continuity
The new security plan does not intend to overhaul the entire existing one but advocates the refinement and sizable changes to the existing framework, and critical improvements in the security plan for the bank. While implementing the changes, there would still be business continuity and alignment to its business strategic goals without any form of disruption.
Change Factory (n.d.). Managing change in information security. Retrieved from https://www.changefactory.com.au/our-thinking/articles/managing-change-information-security/
Chia, T. (2012). Confidentiality, integrity, availability: the three components of CIA triad. Retrieved from https://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/
Fintech Futures (2018). The Five Attributes of a Successful Banking Experience. Retrieved from https://www.bankingtech.com/2018/11/the-five-attributes-of-a-successful-digital-banking-experience/
Gangreddiwar, A. (2015). 8 risks in the banking industry faced by every bank. Retrieved from https://gomedici.com/8-risks-in-the-banking-industry-faced-by-every-bank/
Lago, C. (2018). How to implement a successful security plan in 5 steps. Retrieved from https://www.cio.co.nz/article/644908/how-implement-successful-security-plan-5-steps/