Custom Security Plan for Citigroup Bank

Introduction

The organization under study is Citigroup. The mission of Citi is to provide innovative and cost-effective solutions that enable clients to succeed in their missions, and its vision is to be "a preferred Information Technology solution provider while promoting and maintaining the most qualified and diverse professional staff available in the industry" (Citi, 2018). The security plan proposed here is therefore aligned to these two critical facets of Citigroup Bank.

Security Plan

This security plan is derived from the organization's security policy: the set of principles that defines the organization's requirements for appropriate computer and network use and lays down procedures for detecting, preventing, and responding to security incidents of every kind (Craig, 2016). The plan therefore constitutes the standard operating procedures for the physical, cyber, and procedural security of all the organization's systems. Citigroup Bank is a commercial entity, and most of its applications hold commercial data, for which integrity is the primary concern; the two security models most practical and applicable for enterprise security in this setting are therefore integrity models, Biba's Strict Integrity Policy and the Clark-Wilson model. Clark-Wilson was designed specifically for commercial systems: data is modified only through certified transactions, and duties are separated between users so that no single person can both initiate and approve a sensitive change. The security plan will cover, but not be limited to, four areas: the local network, remote access, the public network, and partner access.


Data Security Accountability

The security plan establishes a framework under which IT staff, other staff, and management all know their responsibilities: which data falls into which classification, and who may access data of each class. The classes are internal data, general data, confidential data, and data cleared for release outside the organization.

The bank holds a great deal of valuable and sensitive data: customer account records, bank statements, transaction records, contact information, purchasing history, social security numbers, phone numbers, and postal and email addresses. All of it will be protected by allocating privileges, that is, the right to access and the right to modify each class of data, only to those whose role requires them (Federal Communications Commission, n.d.).
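The access model described in the Security Plan section (Clark-Wilson) and the allocation of access and modification rights described above can be sketched in code. The following Python is an added illustration, not Citi's code or code from any cited source; the data items, classification levels, roles, users, procedures, and transaction identifiers are hypothetical. It enforces the two Clark-Wilson rules the plan relies on, modification of data only through certified transformation procedures run by an authorised role, and separation of duty between the user who posts a transaction and the one who approves it, together with a simple classification check for reads.

```python
from typing import Dict, Set, Tuple

# Classification levels, least to most sensitive (hypothetical, for the example).
LEVELS = ("public", "internal", "confidential")

# Constrained data items (CDIs) the bank holds, and their classification.
CDIS: Dict[str, str] = {
    "account_records": "confidential",
    "customer_contacts": "internal",
    "branch_hours": "public",
}

# Highest classification each role may read.
ROLE_CLEARANCE: Dict[str, str] = {
    "teller": "confidential",
    "supervisor": "confidential",
    "marketing": "internal",
}

# Transformation procedures (TPs): the only certified ways to modify a CDI.
# Each TP lists the CDIs it is certified for and the roles allowed to run it.
TPS: Dict[str, Dict[str, Set[str]]] = {
    "post_transaction": {"cdis": {"account_records"}, "roles": {"teller"}},
    "approve_transaction": {"cdis": {"account_records"}, "roles": {"supervisor"}},
    "update_contact": {"cdis": {"customer_contacts"}, "roles": {"teller", "supervisor"}},
    "publish_hours": {"cdis": {"branch_hours"}, "roles": {"marketing"}},
}

# Separation of duty: one person may not run both TPs on the same transaction.
SEPARATED: Set[Tuple[str, str]] = {("post_transaction", "approve_transaction")}

# Hypothetical users and their roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"teller"},
    "bob": {"supervisor"},
    "carol": {"marketing"},
    "dave": {"teller", "supervisor"},
}

# Ledger (the audit trail): transaction id -> {tp name: user who ran it}
Ledger = Dict[str, Dict[str, str]]


def can_read(user: str, cdi: str) -> bool:
    """Confidentiality check: a user may read a CDI only if one of their roles is cleared to its level."""
    needed = LEVELS.index(CDIS[cdi])
    return any(LEVELS.index(ROLE_CLEARANCE[r]) >= needed for r in USER_ROLES.get(user, set()))


def can_invoke(user: str, tp: str, cdi: str, txn: str, ledger: Ledger) -> Tuple[bool, str]:
    """Integrity check in the Clark-Wilson style: certified TP, authorised role, separation of duty."""
    if tp not in TPS:
        return False, "uncertified procedure"
    if cdi not in TPS[tp]["cdis"]:
        return False, "procedure not certified for this data item"
    if not USER_ROLES.get(user, set()) & TPS[tp]["roles"]:
        return False, "role not authorised for procedure"
    done = ledger.get(txn, {})
    for a, b in SEPARATED:
        other = b if tp == a else a if tp == b else None
        if other is not None and done.get(other) == user:
            return False, f"separation of duty: {user} already ran {other} on {txn}"
    return True, "ok"


def run_tp(user: str, tp: str, cdi: str, txn: str, ledger: Ledger) -> Tuple[bool, str]:
    """Apply the check and, if allowed, record the invocation in the ledger."""
    ok, reason = can_invoke(user, tp, cdi, txn, ledger)
    if ok:
        ledger.setdefault(txn, {})[tp] = user
    return ok, reason


if __name__ == "__main__":
    ledger: Ledger = {}
    print(run_tp("alice", "post_transaction", "account_records", "T1", ledger))    # teller posts
    print(run_tp("alice", "approve_transaction", "account_records", "T1", ledger)) # wrong role
    print(run_tp("bob", "approve_transaction", "account_records", "T1", ledger))   # supervisor approves
    print(run_tp("dave", "post_transaction", "account_records", "T2", ledger))     # dual-role user posts
    print(run_tp("dave", "approve_transaction", "account_records", "T2", ledger))  # blocked: same person
    print(can_read("carol", "account_records"), can_read("carol", "branch_hours"))
```

The point of the sketch is that neither a user's role nor their clearance alone decides the outcome: dave holds both roles, yet the ledger blocks him from approving the transaction he posted, which is the control that makes the audit trail meaningful.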

Security and Network Policies

Because the bank handles many kinds of data across many parts of its network, the data security policies will address remote access to data and the configuration of IP addresses, so that data handled on the network can be traced through network components such as switches and routers. This level also houses the policies that define how intrusions into the network are detected. The policies must cover wired and wireless technologies alike, together with authorization for access to applications (such as databases) and to information (such as customer records). Assets that need protection will be categorized, and information will be segregated by employee role.

Scanning for Vulnerabilities and Risk Assessment

No network is 100% resistant to vulnerabilities. The IT infrastructure must therefore be able to scan for vulnerabilities, wherever they exist and expose the bank to risk, before attackers can exploit them. A vulnerability scanner will be installed and run against the bank's network at scheduled intervals, daily at a minimum, and each finding will be rated by severity so that remediation can be prioritized. A scanner detects only the vulnerabilities its signatures know about, so its results complement, rather than replace, the risk assessment.

The Process of Patches Management

System threats are frequent, so vendor patches and security updates will be applied on a regular schedule to remove known vulnerabilities from the system. Patches will be tested before they are deployed to production systems, and critical patches will be applied outside the normal cycle.

System Data Security Policies

As a global banking institution, the bank stores and moves all of its data on servers and operating systems, which makes them the foundation of data security. This policy area covers the classification of data as public or private and who may access which data, together with the methods used for data storage and backup. Every server on the bank's network must be governed by a policy covering the management of access accounts, passwords, database access, firewalls, and antivirus software (Basani, 2016).

Staff Sense of Responsibility

Even with sufficient safeguards on all systems, breaches are still likely to occur. A policy must therefore define how a breach is to be reported and resolved, and how a recurrence is to be prevented. Staff should be ready and willing to volunteer information when a breach occurs and to take part in resolving the problems it causes.

Security Policy Leader

For the policy to be implemented properly, the bank will designate a specific IT employee or business manager to be responsible for its complete implementation. This creates accountability: the policy leader is charged with updating the policy regularly and making the security changes it requires, and is responsible for ensuring compliance whenever new applications are added to the online systems.

Data Encryption

The policy will state which data is to be encrypted, by which methods, and who holds access rights to the encryption keys. It will also set out the password guidelines: how often passwords must be changed and how they are to be protected. Encryption ensures that Citi's sensitive information is not exposed when devices such as laptops are stolen or misplaced, and it protects information on removable media as well as data held on servers.

Terms of Use for Staff

At the point of employment or entry into the organization, staff must be adequately trained on the terms of use for the bank's data and systems, with clear definitions of what constitutes acceptable use. They must also sign the policy document, which will be the basis for disciplinary measures should they deviate from what it stipulates (Federal Trade Commission, 2015). Staff should thus know their roles, their responsibilities, and what the organization expects of them. Written communication to employees should state what is and is not acceptable in the use of company equipment and network resources, the penalties for violations, that security will form part of their performance reviews, and that all their activities are monitored.

Compliance Monitoring

The best way to evaluate compliance with the security policy is to audit regularly all transactions performed by staff and management. Audit trails will show whether users attempted to access levels they were not permitted to reach, or performed unauthorized transactions that compromised data security. The more frequent the audits, the lower the risk. For this security plan, an application that automates the audit and compliance workflow will be installed to keep the audit trail logs and generate scheduled reports. Monitoring is not surveillance as such; its purpose is to detect whether the policy is being complied with or violated (Ferry, 2015).
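The kind of review the paragraph above describes, reading an audit trail for attempts to reach prohibited levels and for transactions that should not have succeeded, can be automated. The Python below is an added example, not code from Citi or from any cited source; the log lines, the log format (timestamp followed by key=value pairs), and the permitted role/action/resource matrix are all constructed for the illustration. It flags two things the paragraph calls for: users whose denied attempts reach a threshold (probing for prohibited levels) and events that were allowed even though the policy matrix does not permit them (a misconfigured permission that the audit, rather than the access control, has to catch).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample audit trail for the example (hypothetical, not Citi logs).
# Each line: ISO-8601 timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2018-09-10T09:12:03Z user=alice role=teller action=read resource=customer_contacts result=ALLOWED
2018-09-10T09:13:41Z user=alice role=teller action=write resource=account_records result=ALLOWED
2018-09-10T09:15:10Z user=carol role=marketing action=read resource=account_records result=DENIED
2018-09-10T09:15:12Z user=carol role=marketing action=read resource=account_records result=DENIED
2018-09-10T09:15:15Z user=carol role=marketing action=read resource=account_records result=DENIED
2018-09-10T09:20:00Z user=bob role=supervisor action=approve resource=account_records result=ALLOWED
2018-09-10T09:22:30Z user=carol role=marketing action=write resource=account_records result=ALLOWED
2018-09-10T09:25:00Z user=erin role=contractor action=export resource=account_records result=DENIED
"""

# What the policy says each role may do: (role, action, resource) triples (hypothetical).
PERMITTED = {
    ("teller", "read", "customer_contacts"),
    ("teller", "write", "account_records"),
    ("supervisor", "approve", "account_records"),
    ("marketing", "read", "branch_hours"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into a dict; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, sep, value = pair.partition("=")
        if not sep:
            return None  # not key=value: treat the whole line as malformed
        rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def review(records: List[Dict[str, str]], denial_threshold: int = 3) -> Dict[str, object]:
    """Flag (a) access that was granted but lies outside the role matrix, and
    (b) users whose denied attempts reach the threshold."""
    denied_by_user: Counter = Counter()
    findings: List[Dict[str, object]] = []
    for r in records:
        if r.get("result") == "DENIED":
            denied_by_user[r.get("user", "?")] += 1
        elif (r.get("role"), r.get("action"), r.get("resource")) not in PERMITTED:
            findings.append({"type": "allowed_outside_policy", "user": r.get("user"),
                             "ts": r.get("ts"), "action": r.get("action"),
                             "resource": r.get("resource")})
    for user, count in denied_by_user.items():
        if count >= denial_threshold:
            findings.append({"type": "repeated_denials", "user": user, "count": count})
    return {"events": len(records), "denied_events": sum(denied_by_user.values()),
            "findings": findings}


if __name__ == "__main__":
    report = review(parse_log(SAMPLE_LOG))
    print(f"{report['events']} events, {report['denied_events']} denied")
    for finding in report["findings"]:
        print(finding)
```

On the sample trail the review reports two findings: carol's write to account records, which succeeded although marketing has no such permission, and carol's three denied reads. A single denial (erin) stays below the threshold and is only counted, which is the usual trade-off between catching probing early and drowning the report in noise.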

Account Monitoring and Control

It is no coincidence that many security compromises involve legitimate but inactive user accounts. This happens when, for example, a staff member has left the bank but their account still exists and still has valid access to the same systems, whether remotely or through online platforms. The same people can exploit this loophole to keep accessing the bank's systems and compromise them. Specific personnel within the IT department will therefore be assigned to monitor and control user accounts diligently: disabling accounts as soon as staff leave, reviewing accounts that have not been used for a defined period, and removing access that is no longer required.
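The account review described above boils down to comparing the directory against the HR roster. The Python below is an added example, not Citi's code or code from any cited source; the roster, the account records, the field names, and the 90-day dormancy window are hypothetical. It lists every enabled account that belongs to a leaver, has no owner in HR (a service or orphaned account), or has not logged in within the window, and marks remote-capable accounts as high priority because they are reachable from outside the bank.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample data for the example (hypothetical; not Citi systems).
# HR roster: current employment status of each person.
HR_ROSTER: Dict[str, str] = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",
}

# Directory export: one record per account (last_login is None if never used).
ACCOUNTS: List[Dict[str, object]] = [
    {"user": "alice", "enabled": True, "last_login": date(2018, 9, 9), "remote": True},
    {"user": "bob", "enabled": True, "last_login": date(2018, 5, 1), "remote": False},
    {"user": "carol", "enabled": True, "last_login": date(2018, 8, 30), "remote": True},
    {"user": "svc_backup", "enabled": True, "last_login": None, "remote": False},
    {"user": "dave", "enabled": False, "last_login": date(2018, 1, 2), "remote": True},
]


def review_accounts(accounts: List[Dict[str, object]], roster: Dict[str, str],
                    today: date, dormant_days: int = 90) -> List[Dict[str, object]]:
    """Return the enabled accounts that need action, in input order.

    leaver_still_enabled: HR says terminated, directory says enabled.
    no_hr_owner:          no matching person in HR (service or orphaned account).
    dormant:              no login within `dormant_days` days.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        status = roster.get(str(acct["user"]))
        last = acct["last_login"]
        if status == "terminated":
            issue, action = "leaver_still_enabled", "disable immediately"
        elif status is None:
            issue, action = "no_hr_owner", "assign an owner or disable"
        elif last is not None and last < cutoff:
            issue, action = "dormant", "disable pending review"
        else:
            continue
        findings.append({"user": acct["user"], "issue": issue, "action": action,
                         "priority": "high" if acct["remote"] else "normal"})
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER, date(2018, 9, 10)):
        print(finding)
```

Run against the sample on 10 September 2018, the review flags bob as dormant, carol as a leaver whose remote-capable account is still enabled (high priority), and svc_backup as having no HR owner; dave is skipped because the account is already disabled. In practice the same comparison is run on a schedule and its output feeds the disable step, so that a leaver's access lapses without waiting for someone to notice.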

Conclusion

Security policies can address a wide variety of features and issues, such as how interrelated networks can be segmented to hold different types of data, in the bank's case the ATM servers versus the servers for other transactions. The most critical aspect of a security plan, however, is that it clearly stipulates how the security of the entire organization is to be managed, including the monitoring of all activity across the information technology infrastructure with the capability to detect any strange or suspicious activity. Secondly, this security plan will be reviewed every six (6) months, and it will be upgraded as soon as changes in the organization's software and infrastructure require it. In sum, the creation of a custom policy that links data security and data privacy is the foundation for preventing cyber-attacks.

References

Basani, V. (2016). Elements to Corporate Data Security Policies that Protect Data Privacy. Security Magazine. Retrieved from https://www.securitymagazine.com/articles/87113-important-elements-to-corporate-data-security-policies-that-protect-data-privacy

Citi (2018). About Citi: Mission and Vision. Retrieved from https://www.citigroup.com/citi/about/mission-and-value-proposition.html

Craig, A. (2016). Developing a Security Plan. Retrieved from https://slideplayer.com/slide/5859280/

Federal Communications Commission (n.d.). Cyber Security and Planning Guide. Retrieved from https://transition.fcc.gov/cyber/cyberplanner.pdf

Federal Trade Commission (2015). Careful Connections: Building Security in the Internet of Things. Retrieved from https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf

Ferry, P. (2015). Essential Elements of Continuous Monitoring (and why it matters). Retrieved from https://www.metacompliance.com/blog/the-5-essential-elements-of-continuous-monitoring-and-why-it-matters/
