The Commonwealth Bank of Australia has reportedly suffered a serious data-loss incident that is alleged to have exposed personal data belonging to millions of its customers. BBC News published a report giving more detail on the incident: according to that report, the bank lost personal information for about 20 million accounts and did not tell the affected customers (BBC News, 2018).
As such, the organization must have policies in place and in effect if it is to offer customers reasonable assurance that its security concerns are addressed. The Commonwealth Bank needs to exercise due diligence in formulating, documenting and implementing security governance, and to comply with the information security laws and standards that govern how its data, including but not limited to personal information, is used.
As stated by Abawajy (2014, pp.237-248), the information security policy is the umbrella that defines the security programs at the Commonwealth Bank. It also provides the foundation on which security programs are designed and adopted by each department within the organization. Based on the nature of the organization and its stakeholders, this article seeks to research, formulate and document a strategic information security policy for the bank. The policy is formulated as a set of policy statements, each supported by a high-level description of the requirements for implementing it.
Policy purpose
The main purpose of the information security policy is to set out the security goals and objectives for protecting the bank's information assets, such as technology resources, personal information, confidential information and other sensitive data, as a first step towards creating the programmatic controls, policies and procedures that protect the organization's sensitive information from threats, whether deliberate or accidental, internal or external. Alongside the three guiding principles of information security, i.e. integrity, confidentiality and availability, the bank must assess every security control it implements against the applicable policies, standards, laws and regulations (Dittrich and Kenneally, 2012, pp.27-33; Dubois, Heymans, Mayer and Matulevičius, 2010, pp.289-306).
Scope
The policies formulated in the following section are based on, but not limited to, the three guiding principles of information security mentioned in the previous section, and cover all information that is collected, processed, stored, handled and disseminated by the organization and its stakeholders. The policies must also be incorporated into all contractual agreements the bank enters into, and must bind all of its partner agencies.
Policy formulation
Given the increased profile of the cybersecurity threats the organization faces, the policy of the Commonwealth Bank shall be to ensure that all information, including but not limited to personal, private and confidential information that is collected, handled, stored and disposed of while providing services to customers, is safeguarded against all threats, whether accidental or deliberate, internal or external. This information security policy is built on the following three guiding principles of information security.
Integrity: this principle protects the accuracy and completeness of data and of the methods used to process it. Data, and the electronic or physical media that hold it, must therefore be protected against deliberate or accidental destruction and against unauthorized modification, whether partial or complete.
Confidentiality: this principle ensures that information is accessible only to those entitled to it, preventing deliberate or accidental unauthorized access to sensitive information.
Availability: this principle means that information and assets are available to authorized users whenever they require them. The assets include, but are not limited to, hardware, software and networks, and the required availability is set by defined service levels. It is therefore important for the organization to maintain appropriate business continuity plans that improve the availability of its strategic assets.
The information security policies of the Commonwealth Bank
The policies incorporate the organization's information security objectives: each objective is stated first, and the policy pertaining to that objective is then defined beneath it.
Security management program
The security management program, comprising the policies and controls, has been adopted and implemented by the Commonwealth Bank. It gives management staff and customers a clear understanding of the approaches, goals and implemented controls for safeguarding the organization's assets.
The organization shall review the security policies at least once a year to ensure the adequacy, suitability and effectiveness of the controls. The policies shall also be amended whenever a significant change occurs that may have a negative impact on them.
Organization of information security
The Commonwealth Bank shall document the specific duties of its staff, including third parties, in maintaining the security of the organization's data and of the information processing facilities that are accessed, handled and presented by employees, third parties and on-site contractors, as follows:
Security risk assessment
The Commonwealth Bank shall establish policies to identify, quantify and prioritize the risks to its information systems against its operational and security objectives, and shall implement controls that give reasonable assurance that the security objectives will be achieved (Sarker, Xiao and Beaulieu, 2013, pp.6-9; Linetsky, Check Point Software Tech Inc, 2012, pp.47-79). This process shall include identifying risk factors by finding the vulnerabilities of the system, i.e. unnoticed changes in the information system that leave its information unreliable, and loss of data within the system, whether accidental or malicious. The process shall also include identifying threats and assessing the likelihood and impact of each, i.e. appraising the chance that each threat occurs and the harm it would cause if it did.
Security risk treatment
The specific controls adopted to achieve the defined security objectives shall be monitored and evaluated by the Commonwealth Bank (Siponen and Vance, 2010, pp.487-502). This policy identifies the security controls to be adopted and details their appropriateness.
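The risk assessment and risk treatment policies above describe quantifying likelihood and impact, prioritizing risks, and judging whether a control is appropriate. The following is an added example, not code from the essay or from the Commonwealth Bank: it scores a constructed risk register with annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence), ranks the risks, and decides for each whether the candidate control is worth adopting by comparing the loss it avoids with its running cost. All assets, threats, amounts and the risk appetite are hypothetical.

```python
"""Quantitative risk assessment and treatment selection.

Added example, not part of the essay or any Commonwealth Bank tooling.
It scores a constructed risk register with annualized loss expectancy
(ALE = SLE x ARO), ranks the risks, and decides for each whether the
candidate control is worth adopting by comparing the ALE it removes
with its annual running cost. Every figure below is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float      # cost to run the control, per year
    aro_reduction: float    # fraction of occurrences the control prevents (0..1)


@dataclass
class Risk:
    asset: str
    threat: str
    sle: float              # single loss expectancy: loss per incident
    aro: float              # annualized rate of occurrence: incidents per year
    candidate: Optional[Control] = None

    @property
    def ale(self) -> float:
        """Annualized loss expectancy with no control in place."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Expected annual loss if the candidate control is adopted."""
        if self.candidate is None:
            return self.ale
        return self.sle * self.aro * (1.0 - self.candidate.aro_reduction)

    def control_benefit(self) -> float:
        """Net annual value of the control: loss avoided minus cost."""
        if self.candidate is None:
            return 0.0
        return (self.ale - self.residual_ale()) - self.candidate.annual_cost


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def treatment_plan(risks: List[Risk], appetite: float) -> Dict[str, str]:
    """Map each threat to a treatment decision.

    accept   - expected loss is within the stated risk appetite
    mitigate - above appetite and the candidate control pays for itself
    escalate - above appetite but the control on the table does not pay;
               needs a named owner and either a different control or a
               documented acceptance
    """
    plan: Dict[str, str] = {}
    for r in prioritize(risks):
        if r.ale <= appetite:
            plan[r.threat] = "accept"
        elif r.candidate is not None and r.control_benefit() > 0:
            plan[r.threat] = "mitigate"
        else:
            plan[r.threat] = "escalate"
    return plan


# Constructed register; amounts are illustrative, not real loss figures.
REGISTER = [
    Risk("customer backup tapes", "tapes lost in transit", sle=5_000_000, aro=0.05,
         candidate=Control("encrypt tapes before dispatch", 40_000, 0.95)),
    Risk("staff credentials", "phishing credential theft", sle=200_000, aro=2.0,
         candidate=Control("phishing-resistant MFA", 150_000, 0.90)),
    Risk("contractor accounts", "dormant account misuse", sle=300_000, aro=0.2,
         candidate=Control("automated deprovisioning", 20_000, 0.80)),
    Risk("online banking", "volumetric DDoS", sle=1_000_000, aro=0.1,
         candidate=Control("DDoS scrubbing service", 120_000, 0.70)),
    Risk("branch ATMs", "card skimming", sle=20_000, aro=1.0),
]
RISK_APPETITE = 50_000   # assumed annual loss the board will tolerate per risk

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.threat:28s} ALE={r.ale:>10,.0f}  residual={r.residual_ale():>10,.0f}")
    print(treatment_plan(REGISTER, RISK_APPETITE))
```

The interesting row is the DDoS risk: it sits above appetite, yet the only control proposed costs more than the loss it avoids, so the plan marks it "escalate" rather than silently accepting it or buying an uneconomic control. That is the "appropriateness" judgement the treatment policy asks for, made explicit.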
Staff and contractor access
The Commonwealth Bank shall ensure that all its shareholders, employees, third-party users and contractors understand the policies and have the knowledge and skills needed to implement them effectively and so reduce security risk (Ifinedo, 2012, pp.83-95). This includes preventing unauthorized access to system assets through: risk assessment to determine the appropriate level of employee screening before a change of responsibility during employment; removal of access rights when a contract ends; return of the organization's assets and equipment upon change or termination of a contract; and disabling access to the bank's systems after a prolonged period of inactivity.
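The access-removal and inactivity clauses above are the parts of this policy that can be checked mechanically. The following is an added example, not the bank's own tooling: it runs over a constructed export of user accounts and produces the actions the policy calls for (disable on contract end, disable after prolonged inactivity, and flag contracts about to end so access removal and equipment return can be scheduled). The field names, the 90-day inactivity limit and the 14-day warning window are assumptions; a never-used account is measured from its creation date so that it cannot escape the inactivity check.

```python
"""Joiner/mover/leaver hygiene for the staff and contractor access policy.

Added example, not the bank's own tooling. It runs over a constructed
export of user accounts and produces the actions the policy calls for:
disable access when a contract has ended, disable access after a
prolonged period of inactivity, and flag contracts that are about to end
so equipment return and access removal can be scheduled. Field names and
the 90-day / 14-day thresholds are assumptions.
"""
from datetime import date, timedelta
from typing import Any, Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)    # assumed policy value
END_WARNING = timedelta(days=14)         # assumed lead time for offboarding

Account = Dict[str, Any]
Action = Tuple[str, str, str]            # (user, action, reason)


def review_accounts(accounts: List[Account], today: date) -> List[Action]:
    actions: List[Action] = []
    for a in accounts:
        if not a["enabled"]:
            continue                     # already disabled, nothing to do
        user: str = a["user"]
        end: Optional[date] = a.get("contract_end")
        # 1. Contract over: remove access regardless of recent activity.
        if end is not None and end <= today:
            actions.append((user, "disable", f"contract ended {end}"))
            continue
        # 2. Dormant: an account that has never been used is measured from
        #    its creation date, so a never-used account is still caught.
        last_seen: date = a.get("last_login") or a["created"]
        idle = today - last_seen
        if idle > INACTIVITY_LIMIT:
            actions.append((user, "disable", f"inactive for {idle.days} days"))
            continue
        # 3. Contract ending soon: schedule access removal and asset return.
        if end is not None and end - today <= END_WARNING:
            days_left = (end - today).days
            actions.append((user, "review", f"contract ends in {days_left} days"))
    return actions


TODAY = date(2018, 6, 1)    # fixed so the example is reproducible

# Constructed account export; no real users.
ACCOUNTS: List[Account] = [
    {"user": "alice", "kind": "employee", "enabled": True,
     "created": date(2015, 1, 5), "last_login": TODAY - timedelta(days=3),
     "contract_end": None},
    {"user": "bob", "kind": "contractor", "enabled": True,
     "created": date(2017, 9, 1), "last_login": TODAY - timedelta(days=1),
     "contract_end": TODAY - timedelta(days=1)},
    {"user": "carol", "kind": "employee", "enabled": True,
     "created": date(2016, 3, 1), "last_login": TODAY - timedelta(days=120),
     "contract_end": None},
    {"user": "dave", "kind": "contractor", "enabled": True,
     "created": date(2018, 1, 1), "last_login": TODAY - timedelta(days=2),
     "contract_end": TODAY + timedelta(days=10)},
    {"user": "erin", "kind": "contractor", "enabled": True,
     "created": TODAY - timedelta(days=100), "last_login": None,
     "contract_end": TODAY + timedelta(days=200)},
    {"user": "frank", "kind": "employee", "enabled": False,
     "created": date(2014, 1, 1), "last_login": TODAY - timedelta(days=400),
     "contract_end": None},
]

if __name__ == "__main__":
    for user, action, reason in review_accounts(ACCOUNTS, TODAY):
        print(f"{action:8s} {user:8s} {reason}")
```

Run against a real directory export, the "disable" actions would be fed to the identity system and the "review" actions to whoever owns the contractor's engagement; keeping the decision logic separate from the execution makes the policy thresholds reviewable in one place.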
Environmental and physical security
The Commonwealth Bank shall safeguard its assets, including but not limited to the organization's information system resources and personal information, against unauthorized physical access, interference and damage by controlling facility access to its security resources, securely disposing of or reusing resources, designing and implementing physical security for the organization's departments, and securing equipment, i.e. protecting it to reduce the risks from security threats and environmental hazards (Ifinedo, 2012, pp.83-95).
Property management
In order to maintain the security of its assets, the organization will formulate policy to meet the following needs:
Potential threats and vulnerabilities of the Commonwealth Bank's security
In cybersecurity, a vulnerability is a specific weakness within a system. Although banks are often at the forefront of cybersecurity preparation, they are continually targeted by cybercriminals (Yuan, Xing, Chen and Zang, 2011, p.6; Lim, Yeow and Yuen, 2010, pp.39-62). This threat applies to the Commonwealth Bank in particular because the bank does not perceive itself as a target on the same scale as other international banks, and its current policies do not stress that aspect.
The reality, however, is that banks should prioritize cybersecurity, because data breaches can have severe consequences not only for the solvency of the organization but also for confidence in the financial system at large. Cybersecurity is a matter of international importance, and the organization should have a thorough understanding of the cyber-attacks it is vulnerable to (Lim, Yeow and Yuen, 2010, pp.39-62; Zhang, Wuwong and Li, 2010, pp.1328-1334). This awareness is critical and should not be taken for granted, more so in the banking domain.
Another potential source of cyber-attacks on the Commonwealth Bank is the shortage of cybersecurity skills; the bank has warned that a lack of skilled cybersecurity personnel could lead to increasingly high-profile and damaging cyber-attacks. The bank has called for a shake-up across institutions on this issue, as cyber threats to its computer systems keep growing, arguing that cybersecurity courses should focus on practical experience rather than theory.
Moreover, treating cybersecurity as an "afterthought" is a vulnerability that hackers have taken advantage of (Roman, Lopez and Mambo, 2018, pp.680-698). It leaves the bank exposed, since it opens the way for criminals to penetrate the outer line of defence of the organization's systems and gain access to corporate information.
How the threats and vulnerabilities of the Commonwealth Bank can be mitigated
There are various ways in which the Commonwealth Bank can mitigate the risks stated above. One is to set a strategic agenda for every cybersecurity meeting the organization holds (Hoy, Fenkner and Farren, L3 Technologies Inc, 2018; Spears and Barki, 2010, pp.503-522). Such meetings help align the key cybersecurity initiatives with the security objectives and tackle concrete cybersecurity problems, dispelling the illusion of safety that has taken hold of the bank and thereby enhancing security. Another is to sponsor research on cybersecurity so that the organization better understands the cost of cyber-crime.
To mitigate the shortage of skilled cybersecurity personnel, the Commonwealth Bank needs to liaise with higher-learning institutions in Australia to establish a cybersecurity centre of expertise that focuses on practical experience rather than theory. This is a long-term investment for the bank, and a potential avenue for commercialization and collaboration that will help the organization align itself with innovation that solves cybersecurity-related problems. The most crucial mitigation for the threats mentioned above, however, lies in the information security policy itself (Bulgurcu, Cavusoglu and Benbasat, 2010, pp.523-548): the organization must adhere to its policies in order to avoid such cyber-crimes.
Conclusion
In this study we have formulated, designed and documented a strategic information security policy for the Commonwealth Bank. Responsibility for ensuring that the policy is adhered to therefore rests with the organization's staff. Third parties, for their part, should ensure that all information system assets, including hardware and software developed by or for the organization, conform to this policy in order to avoid cybersecurity incidents in the near future.
Reference list
Abawajy, J., 2014. User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), pp.237-248.
BBC News, 2018. Australia's Commonwealth Bank lost data of 20m accounts. BBC News, May 2018.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), pp.523-548.
Dittrich, D. and Kenneally, E., 2012. The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security, pp. 27-33.
Hoy, R.B., Fenkner, M. and Farren, S.W., L3 Technologies Inc, 2018. Internet isolation for avoiding internet security threats. U.S. Patent 9,942,198.
Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), pp.83-95.
Lim, N., Yeow, P.H. and Yuen, Y.Y., 2010. An online banking security framework and a cross-cultural comparison. Journal of Global Information Technology Management, 13(3), pp.39-62.
Linetsky, G., Check Point Software Tech Inc, 2012. Security system with methodology for defending against security breaches of peripheral devices. U.S. Patent 8,281,114.
Roman, R., Lopez, J. and Mambo, M., 2018. Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges. Future Generation Computer Systems, 78, pp.680-698.
Ross, R.S., McEvilley, M. and Oren, J.C., 2018. Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (including updates as of 1 March 2018). NIST Special Publication 800-160.
Sarker, S., Xiao, X. and Beaulieu, T., 2013. Qualitative studies in information systems: a critical review and some guiding principles. MIS quarterly, 37(4), pp.6-9.
Siponen, M. and Vance, A., 2010. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), pp.487-502.
Yuan, L., Xing, W., Chen, H. and Zang, B., 2011, July. Security breaches as PMU deviation: detecting and identifying security attacks using performance counters. In Proceedings of the Second Asia-Pacific Workshop on Systems, p.6. ACM.
Zhang, X., Wuwong, N. and Li, H., 2010, June. Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp.1328-1334). IEEE.