Higher Nationals
Internal verification of assessment decisions – BTEC (RQF)
INTERNAL VERIFICATION – ASSESSMENT DECISIONS
Programme title: BTEC Higher National Diploma in Computing
Assessor:
Unit(s): Unit 05: Security
Assignment title: Providing a suitable security solution for METROPOLIS CAPITAL Bank
Student’s name: M.V Pasindu Dilshan
Internal Verifier:
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction
INTERNAL VERIFIER CHECKLIST
Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student:
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Give details:
Does the assessment decision need amending? Y/N
Assessor signature
Date
Internal Verifier signature
Date
Programme Leader signature(if
required)
Date
Confirm action completed
Remedial action taken
Give details:
Assessor signature
Date
Internal Verifier
signature
Date
Programme Leader
signature (if required)
Date
Higher Nationals - Summative Assignment Feedback Form
Student Name/ID: M.V Pasindu Dilshan / E192604
Unit Title: Unit 05: Security
Assignment Number:
Submission Date:
Assessor:
Date Received 1st submission: 04/02/2023
Date Received 2nd submission:
Re-submission Date:
Assessor Feedback:
LO1. Assess risks to IT security
Pass, Merit & Distinction Descripts: P1, P2, M1, D1
LO2. Describe IT security solutions.
Pass, Merit & Distinction Descripts: P3, P4, M2
LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descripts: P5, P6, M3, M4, D2
LO4. Manage organisational security.
Pass, Merit & Distinction Descripts: P7, P8, M5, D3
Grade:
Assessor Signature:
Date:
Assessor Signature:
Date:
Resubmission Feedback:
Grade:
Internal Verifier’s Comments:
Signature & Date:
* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have
been agreed at the assessment board.
Pearson
Higher Nationals in
Computing
Unit 5: Security
General Guidelines
1. A Cover page or title page – You should always attach a title page to your assignment. Use the previous page as your cover
sheet and make sure all the details are accurately filled in.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using word processing software.
4. All the assignments should be printed on A4 sized paper. Use single side printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.
Word Processing Rules
1. The font size should be 12 point, and should be in the style of Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of font size and font style.
4. Use the footer function in the word processor to insert your Name, Subject, Assignment No, and Page Number on each
page. This is useful if individual sheets become detached for any reason.
5. Use the word processing application’s spell check and grammar check functions to help edit your assignment.
Important Points:
1. It is strictly prohibited to use textboxes to add text in the assignments, except for the compulsory information, e.g. figures,
tables of comparison etc. Adding text boxes in the body except for the aforementioned compulsory information will result
in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand-in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing) for
an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete
an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using the HARVARD referencing system
to avoid plagiarism. You have to provide both in-text citations and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to a REFERRAL
or at worst you could be expelled from the course.
Student Declaration
I hereby declare that I know what plagiarism entails, namely to use another’s work and to present it as my own without
attributing the sources in the correct way. I further understand what it means to copy another’s work.
1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments for this
program.
4. I declare therefore that all work presented by me for every aspect of my program will be my own, and where
I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding agreement between
myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the
assignment.
Student’s Signature: mvpdilshan@gmail.com (Provide E-mail ID)
Date: 4/02/2023 (Provide Submission Date)
Assignment Brief
Student Name /ID Number: M.V Pasindu Dilshan / E192604
Unit Number and Title: Unit 5- Security
Academic Year: 2022/23
Unit Tutor:
Assignment Title: METROPOLIS CAPITAL Bank
Issue Date:
Submission Date: 04/02/2023
IV Name & Date:
Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.
Unit Learning Outcomes:
LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.
Assignment Brief and Guidance:
METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It
operates over 100 branches and 500 ATMs across the island as well as 8 branches overseas. In
order to provide their services, METROPOLIS CAPITAL Bank has a primary datacenter located in
Colombo and a secondary datacenter located in Galle. Each branch and ATM must have connectivity to
the core banking system to be able to operate normally. To establish this connectivity, each location
(datacenters, branches and ATMs) has a single ISP link. This link provides VPN services between
branches, ATMs and datacenters as well as MPLS services for the bank, and it establishes
connectivity between datacenters, ATMs, and branches.
METROPOLIS CAPITAL Bank’s Head Office is a 5-storey building in Kollupitiya with the Ground Floor
allocated for Customer Services, the First Floor allocated for HR, the Second Floor allocated for Meeting
Rooms and Senior Executive Staff, the Third Floor allocated for the Technical Support Team and the
Fourth Floor hosting High Performance Servers running core banking systems. The Fifth Floor is used by
other outside companies that are not related to METROPOLIS CAPITAL Bank. Other than this,
METROPOLIS CAPITAL Bank provides a lot of services to customers including online and mobile
banking facilities. Therefore, their core banking system must communicate with several outside systems,
and all communication between outside systems, the Data centers and the Head Office is protected by a
single firewall. In addition, METROPOLIS CAPITAL Bank has recently implemented a bring your own
device (BYOD) concept for Senior Executive Staff and HR Departments and, to facilitate this, they are
providing employee WiFi as well as a guest WiFi Hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several local and foreign IT service
vendors. Some local vendors provide services and support to foreign companies. METROPOLIS
CAPITAL Bank’s Technical Support Team is a local third-party vendor, contracted by METROPOLIS
CAPITAL Bank and managed by their Supply Chain Management Officer. The Technical Support Team
provides onsite and remote support for their customers.
METROPOLIS CAPITAL Bank strictly follows the rules and regulations enforced by the government and
the Central Bank. Therefore, they have obtained the ISO 31000:2009 certification. In addition to this, the
areas of the datacenters, branches, ATMs and HQ are covered by CCTV and 24x7 monitoring is in place.
Other security functions like VA scanning, internal auditing, and security operations are done by the bank’s
employees. They have purchased a VA scanning tool, a Privileged access management (PAM) system, an
Endpoint detection and response (EDR) system, a Data loss prevention (DLP) tool, a Web application firewall
(WAF) and a Secure mail gateway, which are managed by the Technical Support Team.
It has been reported that an emergency is likely to occur where a work from home situation may be
initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security
Analyst to recommend and implement a suitable Security solution to facilitate this situation.
Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL
Bank may face under its current status and evaluate a range of physical and virtual security measures
that can be employed to ensure the integrity of organizational IT security. You also need to analyze
the benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with
valid reasons in order to minimize security risks identified and enhance the organizational security.
Activity 02
2.1 Discuss how an incorrect/improper configuration of network infrastructure such as firewalls and VPNs
could impact METROPOLIS CAPITAL Bank. Assess the IT security risks that may be faced by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can facilitate their employees with a
“Secure remote working environment”.
2.2 Discuss how the following technologies would benefit METROPOLIS CAPITAL Bank and its Clients to
increase network performance. (Support your answer with suitable illustrations).
i) Static IP
ii) NAT
iii) DMZ
Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its clients.
Explain the mandatory data protection laws and procedures which will be applied to data storage solutions
provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management
methodology" and summarize the ISO 31000 risk management methodology and its application in IT
security. Analyze possible impacts to organizational security resulting from an IT security audit.
Recommend how IT security can be aligned with organizational Policy, detailing the security impact of any
misalignment.
Activity 04
4.1 Design and implement a suitable security policy to prevent misuse and exploitation at
METROPOLIS CAPITAL Bank using the organizational policy tools for the given scenario, while
evaluating and justifying the suitability of the tools used in an organizational policy to meet business
needs. Identify the stakeholders who are subject to METROPOLIS CAPITAL Bank and describe the
role of these stakeholders in building security audit recommendations for the organization.
4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to
guarantee maximum reliability to their clients. (Student must develop a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes of time including justifications and reasons for
decisions and options used).
Grading Rubric
Grading Criteria
LO1 Assess risks to IT security
P1 Discuss types of security risks to organizations.
P2 Assess organizational security procedures.
M1 Analyze the benefits of implementing network monitoring systems
with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can be
employed to ensure the integrity of organizational IT security.
Achieved
Feedback
LO2 Describe IT security solutions
P3 Discuss the potential impact to IT security of incorrect configuration
of firewall policies and third-party VPNs.
P4 Discuss, using an example for each, how implementing a DMZ, static
IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.
LO3 Review mechanisms to control organizational IT security
P5 Review risk assessment procedures in an organization.
P6 Explain data protection processes and regulations as applicable to an
organization.
M3 Summarize the ISO 31000 risk management methodology and its
application in IT security.
M4 Analyze possible impacts to organizational security resulting from an
IT security audit.
D2 Recommend how IT security can be aligned with organizational
Policy, detailing the security impact of any misalignment.
LO4 Manage organizational security
P7 Design a suitable security policy for an organization, including the
main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in implementing
security audits.
M5 Justify the security plan developed giving reasons for the elements
selected.
D3 Evaluate the suitability of the tools used in an organizational policy to
meet business needs.
Contents
Activity 01 .................................................................................................................23
1.1 What is security? ............................................................................................................ 23
1.1.1 Physical security ..................................................................................................... 23
1.1.2 Information security ................................................................................................ 27
1.2 Vulnerabilities, Threats, and Risks ................................................................................. 30
1.2.1 Vulnerabilities ......................................................................................................... 30
1.2.2 Threats ..................................................................................................................... 31
1.2.3 Risks........................................................................................................................ 31
1.3) Types of Security Risks to METROPOLIS CAPITAL Bank ................................................ 32
1.4) Assessment of current Organizational Security Procedures of METROPOLIS CAPITAL
Bank...................................................................................................................................... 35
1.5 Network monitoring tools .............................................................................................. 39
1.5.1 Types of network monitoring tools and how do they work .................................... 39
1.5.2 Types of network monitoring tools available in market ......................................... 42
1.5) Benefits of Implementing Network Monitoring Systems to METROPOLIS CAPITAL
Bank...................................................................................................................................... 49
1.6) Evaluation of security measures that can be employed to ensure the integrity of
METROPOLIS CAPITAL Bank IT security ............................................................................... 51
1.6.1) Physical Security Measures: .................................................................................. 51
1.6.2) Virtual Security Measures: .................................................................................... 53
Activity 2 ...................................................................................................................55
2.1) Firewall .......................................................................................................................... 56
2.1.1 Various types of firewalls........................................................................................ 56
2.1.2) The Necessity of Firewalls .................................................................................... 59
2.2) VPN................................................................................................................................ 59
2.2.2 Benefits of a VPN Connection ................................................................................ 60
2.2.3 Types of VPNs ........................................................................................................ 61
2.3 How improper configuration of firewalls, VPNs and other network infrastructure will
affect to the METROPOLIS CAPITAL Bank system ................................................................ 62
2.4 Assessing the IT security risks that may face by the employees of METROPOLIS
CAPITAL Bank and propose how the organization can facilitate their employees with a
Secure remote working environment. ................................................................................. 65
2.4.1 Assets, Vulnerabilities, threats and risk identification ............................................ 65
2.4.2 Analyzing the risk ................................................................................................... 67
2.4.3 Solution for mitigate risks and Secure remote working environment. ................... 69
2.5 Static IPs ......................................................................................................................... 71
2.5.1 Usages of Static Ips ................................................................................................. 71
2.5.2 advantaged and disadvantages of static Ips ............................................................ 73
2.6 Network Address Translation (NAT) .............................................................................. 74
2.7 Demilitarized Zone (DMZ) .............................................................................................. 77
2.8 How Static IP, NAT, DMZ technologies would benefit METROPOLIS CAPITAL Bank and
its Clients to increase network performance. ..................................................................... 80
2.8.1 Benefit of using Static IP in METROPOLIS CAPITAL Bank ............................... 80
2.8.2 Benefit of NAT (Network Address Translation) to METROPOLIS CAPITAL Bank
.......................................................................................................................................... 80
2.8.3 Benefit of DMZ (Demilitarized Zone) to METROPOLIS CAPITAL Bank: ......... 81
Activity 3 ...................................................................................................................83
3.1 Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself
and its clients. ...................................................................................................................... 83
3.2 Mandatory data protection laws and procedures which will be applied to data storage
solutions provided by METROPOLIS CAPITAL Bank. ............................................................ 85
3.2.1. Data Protection Laws: ............................................................................................ 85
3.2.2. Data Storage Procedures: ....................................................................................... 89
3.3 ISO 31000 risk management methodology ................................................................... 91
3.3.1 ISO 31000 Risk Management Methodology Application in IT Security: .............. 92
3.4 Analyze possible impacts to organizational security resulting from an IT security audit
.............................................................................................................................................. 94
3.4.1 Positive Impacts: ..................................................................................................... 94
3.4.2 Negative Impacts: ....................................................................................................... 95
3.5 Recommendation of how IT security can be aligned with METROPOLIS CAPITAL Bank's
Policies ................................................................................................................................. 97
3.5.1 Alignment Strategies: .............................................................................................. 97
3.5.2 Misalignment and Negative Impact: ....................................................................... 99
Activity 4 ................................................................................................................ 100
4.1. METROPOLIS CAPITAL Bank - Security Policy Document............................................ 100
4.1.1 Introduction ........................................................................................................... 101
4.1.2. Roles and Responsibilities ................................................................................... 102
4.1.3. Data Protection and Privacy................................................................................. 104
4.1.4. Network Security ................................................................................................. 107
4.1.5. Device Management ............................................................................................ 110
4.1.6. Remote Access Protocol ...................................................................................... 112
4.1.7 Employee Training and Awareness ....................................................................... 115
4.1.8 Incident Response Plan ......................................................................................... 117
4.1.9 Third-Party and Vendor Management ................................................................... 120
4.1.10. Compliance and Legal Requirements ................................................................ 122
4.1.11. Continuous Monitoring and Improvement ......................................................... 125
4.1.12. Emergency Protocols for Work from Home ...................................................... 127
1.1.13. Review and Update Cycle .................................................................................. 130
4.1.14 Implementation Steps.......................................................................................... 133
4.2 METROPOLIS CAPITAL Bank - Disaster Recovery Plan Document ............................... 136
4.2.1. Introduction .......................................................................................................... 136
4.2.2 METROPOLIS CAPITAL Bank Organization IT Disaster Recovery Plan Revision
History............................................................................................................................ 139
4.2.3 Information Technology Statement of Intent ........................................................ 139
4.2.4. Policy Statement .................................................................................................. 141
4.2.5 Objectives ............................................................................................................. 144
4.2.6 Key Personnel Contact Info .................................................................................. 146
4.2.7 Notification Calling Tree ...................................................................................... 149
4.2.8 External Contacts .................................................................................................. 151
4.2.9 External Contacts Calling Tree ............................................................................. 153
4.2.10. Plan over view.................................................................................................... 156
4.2.11 Emergency........................................................................................................... 167
4.2.12 Disaster Recovery ............................................................................................... 175
4.2.13 Disaster Recovery Team ..................................................................................... 178
4.2.14 Emergency Alert, Escalation and DRP Activation .............................................. 181
4.2.14.7 Personnel and Family Notification .................................................................. 197
4.2.15. Media ................................................................................................................. 200
4.2.16. Insurance ............................................................................................................ 208
4.2.17. Financial and Legal Issues ................................................................................. 211
4.2.18. DRP Exercising .................................................................................................. 219
4.3. Justify of the security plan .......................................................................................... 224
4.4 Evaluate the suitability of the tools used to meet business needs ............................. 226
4.5 Stakeholders who are subject to the METROPOLIS CAPITAL Bank and roles of
stakeholders to build security audit recommendations for the organization. .................. 229
4.6 PowerPoint Presentation of METROPOLIS CAPITAL Bank Recovery Plan ................... 232
5. References ............................................................................................................245
Activity 01
1.1 What is security?
What does security entail in the realm of information technology? IT security encompasses
the techniques, tools, and personnel employed to safeguard an organization's digital assets.
The primary objective of IT security is to shield these assets, including devices and services,
from potential disruption, theft, or exploitation by unauthorized individuals, commonly
referred to as threat actors. These threats may originate externally or internally, and they can
manifest as either malicious or accidental incidents.
An effective security strategy employs a variety of approaches to mitigate vulnerabilities and
address various types of cyberthreats. Detecting, preventing, and responding to security
threats necessitate the utilization of security policies, software tools, and IT services.
Regrettably, technological advancements benefit both IT defenders and cybercriminals alike.
To safeguard business assets, companies must consistently assess, update, and enhance their
security measures to stay ahead of cyberthreats and confront the escalating sophistication of
cybercriminal tactics.
IT security is generally categorized into two domains: physical security and information
security.
1.1.1 Physical security
Physical security involves safeguarding people, hardware, software, network information,
and data from physical threats, intrusions, and events that could potentially harm an
organization and its assets. Ensuring the physical security of a business entails protection
against threat actors, accidents, and natural disasters like fires, floods, earthquakes, and
severe weather. Failing to provide adequate physical protection puts servers, devices, and
utilities at risk, jeopardizing the smooth functioning of business operations and processes.
Notably, individuals constitute a significant aspect of the physical security threat.
Human-initiated threats such as theft and vandalism call for solutions rooted in physical
security. Although a physical security breach, unlike a data breach, may require no technical
knowledge, it poses a comparable level of danger.
Physical security comprises three key elements:
• Access Control
• Surveillance
• Testing
The efficacy of an organization's physical security program hinges on the efficient
implementation, maintenance, and updating of each of these components.
1. Access Control
Access Control is crucial to physical security as it involves regulating entry to office
buildings, research centers, laboratories, data centers, and other critical locations. An
instance of a physical security breach could be an intruder gaining access to an
organization and using a Universal Serial Bus (USB) flash drive to copy or steal data,
or introduce malware into systems.
The objective of access control is to record, monitor, and restrict the number of
unauthorized users interacting with sensitive and confidential physical assets. Simple
access control measures include barriers like walls, fences, and locked doors.
Identification badges and keycodes are integral parts of an effective physical access
system. Physical identification serves as a means to authenticate the identity of users
attempting to access devices and areas designated for authorized personnel.
More advanced access control methods involve various forms of biometric
authentication, utilizing unique biological characteristics to authenticate the identity
of authorized users. Examples include fingerprint and facial recognition,
demonstrating the application of sophisticated technology in enhancing physical
security measures.
2. Surveillance
Surveillance encompasses the technologies and strategies employed to observe
activities within and around facilities and equipment. Numerous companies opt for
closed-circuit television cameras to fortify the perimeters of their structures. These
cameras serve as both a deterrent to potential intruders and a tool for responding to
and analyzing incidents. Surveillance technology encompasses various tools such as
cameras, thermal sensors, motion detectors, and security alarms.
3. Testing
Testing stands as a dependable method to enhance physical security. Companies with robust
security protocols routinely assess their policies to determine if updates or changes are
necessary. Such evaluations may involve practices like red teaming, where a team of ethical
hackers attempts to penetrate an organization's cybersecurity protocols. This proactive
approach helps identify vulnerabilities and ensures that security measures remain effective
and up-to-date.
1.1.2 Information security
Information security, commonly referred to as infosec, involves the deployment of strategies
to oversee processes, tools, and policies aimed at safeguarding both digital and nondigital
assets. When implemented with efficiency, infosec enhances an organization's capacity to
prevent, detect, and respond to various threats.
Infosec encompasses distinct categories of security technology, including:
1. Application Security
This facet focuses on safeguarding applications against threats aiming to manipulate,
access, steal, modify, or delete software and its associated data. Application security
utilizes a blend of software, hardware, and policies known as countermeasures.
Examples of countermeasures include application firewalls, encryption, patch
management, and biometric authentication systems.
2.Cloud Security
This involves a set of policies and technologies designed to protect data and
infrastructure within a cloud computing environment. Key concerns in cloud security
include identity and access management and data privacy. Infosec professionals
employ tools such as penetration testing, network protocol maintenance, man-in-the-middle (MitM) detection, and application scanning to ensure the confidentiality of
information.
The responsibility for cloud security is a shared commitment between the cloud
service provider (CSP) and the tenant, representing the business leasing infrastructure
like servers and storage. A legal ambiguity in cloud security may arise if CSP
agreements lack precision. For instance, in cases where a cybercriminal compromises
a tenant's server, gaining access to another tenant's server, determining accountability
can become unclear.
3. Endpoint Security
Endpoint security necessitates that network nodes adhere to specific security
standards, such as the Federal Information Security Modernization Act, before
establishing a secure connection. These node devices encompass personal computers,
laptops, tablets, smartphones, as well as equipment like point-of-sale terminals,
barcode readers, sensors, and internet of things (IoT) devices.
4. Internet Security
Internet security revolves around safeguarding software applications, web browsers,
and virtual private networks utilizing the internet. Methods like encryption play a
crucial role in shielding data from various attacks, including malware, phishing, man-in-the-middle attacks, and denial-of-service attacks.
5. Mobile Security
Referred to as wireless security, mobile security protects mobile devices such as
smartphones, tablets, and laptops, along with the networks they connect to, from
threats like theft, data leakage, and other malicious attacks.
6. Network Security
Network security serves to defend the network infrastructure and connected devices
against threats like unauthorized access, malicious utilization, and unauthorized
modifications.
7. Supply Chain Security
Supply chain security safeguards the communication network between a company and
its suppliers, who frequently possess access to confidential information, including
employee data and intellectual property. The SolarWinds data breach in 2020 vividly
illustrated the susceptibility of organizations when there is insufficient monitoring of
supply chain channels. SolarWinds, an IT company overseeing client networks and
systems, had access to customers' IT infrastructure. When hackers infiltrated
SolarWinds' update server, they successfully installed a virus serving as a digital
backdoor to client systems and data.
1.2 Vulnerabilities, Threats, and Risks
The terms vulnerabilities, threats, and risks are often used together, but they represent distinct
components within the realm of cybersecurity. In essence, they form a continuum:
• Vulnerability: This pertains to a flaw or weakness present in the design,
implementation, or operation and management of an asset, which could be exploited
by a threat.
• Threat: It signifies the potential for a threat agent to exploit a vulnerability.
• Risk: This denotes the potential for loss when a threat materializes.
1.2.1 Vulnerabilities
A vulnerability is essentially a weakness or flaw existing in an operating system, network, or
application. Threat actors attempt to exploit these vulnerabilities to gain unauthorized access
to data or systems. The origins of security vulnerabilities can vary, encompassing
misconfigurations, design flaws, or the use of outdated software versions.
Typical vulnerabilities include issues like software vulnerabilities (indicating poor code),
easily guessable passwords, unpatched systems, lack of encryption, insecure network
configurations, and human errors such as falling prey to phishing scams or inadvertently
sharing sensitive information.
1.2.2 Threats
Threats refer to potential dangers or harmful events capable of exploiting vulnerabilities and
causing harm to a system, organization, or individual. Threats can manifest as intentional or
unintentional occurrences. Deliberate threats involve malicious actions or attacks orchestrated
by threat actors with harmful intent, such as cyberattacks involving malware, malicious code,
SQL injection attacks, ransomware, phishing attempts, or distributed denial-of-service
(DDoS) attacks.
Conversely, unintentional threats stem from human error or accidental actions leading to
security breaches. Examples of these threats include inadvertently disclosing sensitive
information or succumbing to social engineering tactics.
1.2.3 Risks
Risk signifies the likelihood of a threat exploiting a vulnerability and resulting in harm. It
encapsulates the potential loss or damage associated with a specific threat. Cyber risk
encompasses potential financial, operational, legal, or reputational consequences following a
successful cyberattack or data breach.
Organizations utilize risk management procedures and approaches to recognize, assess, and
prioritize security risks. Within risk management, risk assessment plays a crucial role by
methodically pinpointing potential cybersecurity threats, vulnerabilities, and the impacts
linked to them. This systematic approach assists organizations in understanding their security
stance, allocating resources effectively, and making informed choices concerning the
mitigation of risks.
1.3) Types of Security Risks to METROPOLIS CAPITAL Bank
Organizations face various security risks that can pose threats to their digital and physical
assets. Some types of security risks for METROPOLIS CAPITAL Bank include:
Cybersecurity Risks
• Malware: Possibility of malware infections on systems, which could lead to data
breaches or disruption of services.
• Phishing Attacks: Attempts to trick employees into revealing sensitive information or
credentials.
• Ransomware: Threat of malicious software encrypting critical data, demanding a
ransom for its release.
Insider Risks
• Employee Negligence: Unintentional security breaches due to lack of awareness or
training.
• Malicious Insiders: Employees or contractors with malicious intent exploiting their
access to sensitive information.
Data Breach Risks
• Unauthorized Access: Potential for outsiders gaining access to customer or internal
data.
• Disclosure: Accidental or intentional release of sensitive information.
Physical Security Risks
• Theft or Vandalism: Risks to physical infrastructure, including data centers and
critical IT components.
• Natural Disasters: Possibility of earthquakes, floods, or other disasters affecting the
physical security of data centers.
Regulatory Compliance Risks
• Failure to Comply: Risks associated with not adhering to government and Central
Bank regulations, leading to legal consequences.
Third-Party Risks
• IT Service Vendors: Security risks associated with vendors providing services to the
bank.
• Supply Chain Management: Risks related to the management of third-party vendors,
particularly the Technical Support Team.
Network Security Risks
• Vulnerabilities: Potential weaknesses in the network infrastructure that could be
exploited by attackers.
• Lack of Network Visibility: Challenges in monitoring and securing network traffic
effectively.
Communication Security Risks
• Insecure Communication: Risks associated with unsecured communication channels
between branches, data centers, and external systems.
• Weaknesses in Firewall Protection: Potential gaps in the firewall's ability to protect
against external threats.
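To make the vulnerability, threat and risk chain of section 1.2 concrete against the risk categories listed above, here is an added worked example; it is not part of the original assignment or the bank's own material. It builds a small risk register, scores inherent risk as likelihood × impact on assumed 1 to 5 scales, applies an assumed rule that each existing control lowers the likelihood rating by one step, bands the residual score into a rating, and ranks the results so the highest residual risk is treated first. The register entries, scales, control rule and rating thresholds are all constructed for illustration.

```python
"""Risk register for the vulnerability -> threat -> risk chain.

Added illustration, not part of the original assignment. The scales, the
control rule and the sample entries below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Qualitative scales mapped to numbers (assumed 1..5 scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str          # what could be harmed
    vulnerability: str  # the weakness (design, implementation or operation)
    threat: str         # the event or agent that could exploit it
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT
    controls: list[str] = field(default_factory=list)  # existing mitigations

    def inherent_score(self) -> int:
        """Risk before controls: likelihood x impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Assumed rule: each control lowers the likelihood one step, never below 'rare'."""
        likelihood = max(1, LIKELIHOOD[self.likelihood] - len(self.controls))
        return likelihood * IMPACT[self.impact]


def rate(score: int) -> str:
    """Band a 1..25 score into a rating (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritise(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (threat, residual score, rating), highest residual risk first."""
    ranked = sorted(register, key=lambda r: (-r.residual_score(), r.threat))
    return [(r.threat, r.residual_score(), rate(r.residual_score())) for r in ranked]


# Constructed register drawing on the risk categories of section 1.3.
SAMPLE_REGISTER = [
    Risk("customer data", "phishing-susceptible staff", "Phishing Attacks",
         "likely", "major", controls=["secure mail gateway", "awareness training"]),
    Risk("core banking systems", "unpatched servers", "Ransomware",
         "possible", "severe", controls=["EDR"]),
    Risk("branch links", "single firewall", "Insecure Communication",
         "possible", "major", controls=["VPN/MPLS"]),
    Risk("data centre", "no flood defences", "Natural Disasters",
         "rare", "severe"),
    Risk("internal data", "over-broad access rights", "Malicious Insiders",
         "unlikely", "major", controls=["PAM", "DLP"]),
]

if __name__ == "__main__":
    for threat, score, rating in prioritise(SAMPLE_REGISTER):
        print(f"{rating:9} {score:2}  {threat}")
```

Note that ransomware ranks first on residual risk even though phishing has the higher inherent score, because the bank's mail gateway and training (assumed here) bring the phishing likelihood down; this is exactly the distinction between inherent and residual risk that a risk assessment is meant to surface.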
1.4) Assessment of Current Organizational Security Procedures of METROPOLIS CAPITAL Bank
METROPOLIS CAPITAL Bank demonstrates a robust security posture through various
measures:
1) ISO 31000:2009 Certification
• Assessment: The bank has obtained the ISO 31000:2009 certification, indicating a
commitment to risk management and adherence to international standards.
• Strength: Certification demonstrates a structured approach to risk identification and
management.
• Recommendation: Periodic reviews and updates to ensure ongoing compliance and
alignment with evolving security best practices.
2) Firewall Protection
• Assessment: The use of a single firewall to protect communication between outside
systems, data centers, and the Head Office is mentioned.
• Strength: Firewall implementation is a standard security practice.
• Recommendation: Regularly update and upgrade firewall systems to address
emerging cyber threats and vulnerabilities.
3) CCTV Monitoring
• Assessment: Continuous 24x7 CCTV monitoring for physical security.
• Strength: Real-time visibility into critical areas enhances physical security measures.
• Recommendation: Regular assessments to optimize CCTV coverage and ensure
coverage of all sensitive areas.
4) Security Tools (VA Scanning, PAM, EDR, DLP, WAF, Secure Mail Gateway)
• Assessment: Deployment of various security tools for vulnerability assessment,
privileged access management, endpoint detection and response, data loss prevention,
web application firewall, and secure mail gateway.
• Strength: Indicates a multi-layered approach to cybersecurity.
• Recommendation: Regularly update and fine-tune security tools to adapt to emerging
threats and ensure optimal performance.
5) BYOD Policy
• Assessment: Implementation of a Bring Your Own Device (BYOD) policy for Senior
Executive Staff and HR Departments.
• Strength: Adaptable to modern work trends.
• Recommendation: Regularly update and communicate the BYOD policy, ensuring
security measures and employee training are in place.
6) Legal Frameworks (Agreements, AMCs, Contracts, NDAs)
• Assessment: Existence of agreements, Annual Maintenance Contracts (AMCs),
contracts, and Non-Disclosure Agreements (NDAs) with IT service vendors.
• Strength: Establishes legal frameworks for security responsibilities.
• Recommendation: Regularly review and update contractual agreements to align with
changing security requirements and industry standards.
7) Network Structure
• Assessment: Use of VPN services and MPLS connectivity between branches, ATMs,
and data centers.
• Strength: Secure approach to ensuring communication and connectivity.
• Recommendation: Regularly review and update the network structure to
accommodate changes in business requirements and emerging security technologies.
8) Regulatory Compliance
• Assessment: Adherence to government and Central Bank regulations.
• Strength: Demonstrates commitment to legal and regulatory compliance.
• Recommendation: Maintain regular audits and assessments to ensure continuous
compliance with evolving regulatory requirements.
9) Employee Training
• Assessment: Implementation of a Bring Your Own Device (BYOD) concept requires
employee training.
• Strength: Proactive approach to security awareness.
• Recommendation: Continue to invest in ongoing employee training programs to
address evolving cybersecurity threats and best practices.
10) Third-Party Management
• Assessment: Technical Support Team, a local third-party vendor managed by the
Supply Chain Management Officer, provides onsite and remote support.
• Strength: Local vendor support indicates a level of control and oversight.
• Recommendation: Regularly assess and monitor third-party vendors to ensure they
adhere to security standards and contractual obligations.
1.5 Network monitoring tools
Network monitoring tools gather information from active network devices like routers,
switches, servers, firewalls, and probes. This data is then analyzed to create a comprehensive
view of the network's status. The effective functioning of these tools relies on the dual
processes of collecting detailed data and providing administrators with clear, understandable
output. Armed with this information, network administrators can confidently address and
resolve issues that may impede business operations, ensuring optimal service and minimizing
disruptions.
1.5.1 Types of network monitoring tools and how they work
❖ SNMP:
In the past, SNMP (Simple Network Management Protocol) was commonly employed as a
standard protocol for monitoring various devices in IP networks. This method, often referred
to as infrastructure monitoring, was designed to cover the entire company infrastructure
along with each device within it. Despite its widespread coverage, the drawback of SNMP lies
in its lack of detailed information when a more in-depth analysis is required.
While SNMP effectively reports on device availability, status, specific errors, and physical
details like server CPU temperature, it falls short in providing insights into traffic structure,
the ability to delve into user transactions, or the identification of anomalous traffic.
❖ Network Telemetry:
To achieve more in-depth insights, alternative network monitoring tools utilize network
metadata. Falling under the category of solutions for monitoring network traffic or visibility,
these tools are designed to offer a comprehensive understanding of various aspects of IP
network traffic.
For example, they have the capability to reveal bottlenecks and identify sources of service
degradation, precisely locating them within the application delivery chain. This involves not
only identifying the problematic element but also understanding the nature of the issue,
whether it involves server delays, misconfigured devices, or insufficient link capacity.
The demand for such insights is gradually becoming a necessity due to the proliferation,
cloud integration, and hybridization of company IT environments. Managing these
environments without a monitoring tool is increasingly challenging to impossible.
Network monitoring tools utilize various flow data formats, such as NetFlow or IPFIX, to
analyze and depict the network and its activities. This data can be generated by proprietary
probes or network-active devices, although the latter typically provides less detailed
information.
❖ Cloud Telemetry:
With the undeniable advantages of flexibility and easy management, businesses are
increasingly adopting cloud and hybrid infrastructures. However, the cloud introduces
challenges in terms of visibility, making the ability to monitor cloud traffic a highly sought-after feature among network monitoring tools.
Many solutions depend on third-party packet brokers to provide them with cloud data. While
these solutions are effective, they often come with a substantial price tag. To address this
drawback, vendors are creating software probes for deployment in Infrastructure as a
Service (IaaS) environments. These probes leverage flow logs, which essentially serve as the
cloud equivalent of flow data generated by network switches and similar devices.
❖ Full Packet Capture:
Certain solutions take a meticulous approach by capturing and processing complete packet
data, encompassing not just network traffic metadata but the entire communication.
Although this method provides thorough detail, it demands extensive storage and processing
resources, making packet-based solutions generally expensive and often exceeding the
budget constraints of most companies.
Nevertheless, packet capture has always been a part of the daily routine for network
administrators. They frequently tap into problematic sections of the network, record the
communication passing through, and manually analyze it using tools like Wireshark. While
this manual process yields a wealth of information and allows for pinpointing numerous
issues with utmost accuracy, it requires hands-on effort.
Fortunately, some solutions are adopting a hybrid monitoring approach. They predominantly
rely on flows for the majority of traffic monitoring but incorporate support for on-demand or
on-detect full-packet capture and analysis when needed.
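As an added illustration of what flow-based telemetry allows that SNMP counters do not, the Python below reads constructed NetFlow/IPFIX-style records, which a probe is assumed to export as CSV lines, and applies two defensive checks of the kind the text describes under "anomalous traffic": a source touching many distinct ports on one host, and an internal host sending an unusually large volume to a single external address. This is not code from the assignment or from any monitoring vendor; the CSV layout, the internal address ranges, the thresholds and the sample flows are all assumptions.

```python
"""Flow-record analysis over NetFlow/IPFIX-style metadata.

Added illustration, not from the original assignment or any vendor product.
Record layout, thresholds, address ranges and the sample flows are constructed.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: a probe exports one summarised flow per line in this CSV layout.
FLOW_FIELDS = ["ts", "src", "dst", "dport", "proto", "bytes", "packets"]

# Assumed internal address space for the bank; anything else is "external".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

SCAN_PORT_THRESHOLD = 20            # distinct ports on one target from one source
EXFIL_BYTES_THRESHOLD = 50_000_000  # 50 MB outbound to one external host


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text: str) -> list[dict]:
    """Parse CSV flow lines into dicts, converting the numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FLOW_FIELDS):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        row["packets"] = int(row["packets"])
        rows.append(row)
    return rows


def detect_port_scans(flows: list[dict]) -> list[tuple[str, str, int]]:
    """(src, dst, port count) for sources that touched many distinct ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= SCAN_PORT_THRESHOLD)


def detect_exfiltration(flows: list[dict]) -> list[tuple[str, str, int]]:
    """(src, dst, bytes) for internal sources sending over the threshold to one external host."""
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[(f["src"], f["dst"])] += f["bytes"]
    return sorted((src, dst, b) for (src, dst), b in outbound.items()
                  if b >= EXFIL_BYTES_THRESHOLD)


# Constructed sample: one normal HTTPS flow, a sweep of 25 ports on one internal
# host, and two large outbound transfers to the same external address (55 MB total).
SAMPLE = "\n".join(
    ["1700000000,10.1.1.5,203.0.113.10,443,6,1200,10"]
    + [f"1700000001,10.1.1.9,10.1.2.20,{p},6,60,1" for p in range(1, 26)]
    + ["1700000100,10.1.1.7,198.51.100.8,443,6,30000000,20000",
       "1700000200,10.1.1.7,198.51.100.8,443,6,25000000,17000"]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("possible scans:", detect_port_scans(flows))
    print("possible exfiltration:", detect_exfiltration(flows))
```

Both checks work purely on metadata (addresses, ports, byte counts), which is why flow data is far cheaper to retain than full packet capture yet still answers the "who talked to whom, how much" questions that device counters cannot.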
1.5.2 Types of network monitoring tools available in the market
1. SolarWinds Network Performance Monitor (NPM)
• Features: SolarWinds NPM is renowned for its comprehensive network
monitoring capabilities, including fault, performance, availability
monitoring, and advanced alerting. It's designed to be scalable, making it
suitable for large banking networks.
• Benefits: Helps in identifying network bottlenecks, improving network
performance, and reducing downtime.
2. Nagios XI
• Features: Offers complete network, server, and application monitoring. It
provides a highly configurable platform with extensive alerting options.
• Benefits: Enables early detection of infrastructure issues, helping to
maintain operational continuity in banking services.
3. PRTG Network Monitor
• Features: PRTG offers an all-in-one monitoring solution that can track
network traffic, performance, applications, and hardware health. It features
an intuitive interface and customizable dashboards.
• Benefits: Simplifies network management and provides real-time data for
quick decision-making.
4. Splunk
• Features: While known for its powerful log management capabilities,
Splunk also offers network monitoring through data collection and
analytics. It excels in handling big data, making it ideal for monitoring
complex banking networks.
• Benefits: Offers deep insights into network activity and security,
supporting compliance and cybersecurity efforts.
5. Cisco Stealthwatch
• Features: Stealthwatch uses NetFlow analysis to provide visibility into
network traffic and detect unusual patterns that could indicate security
threats.
• Benefits: Enhances network security through anomaly detection and
supports regulatory compliance with comprehensive reporting.
6. Zabbix
• Features: Zabbix is an open-source monitoring tool that provides network,
server, cloud, application, and services monitoring with a strong focus on
security.
• Benefits: Offers a cost-effective solution for comprehensive monitoring,
with strong community support for troubleshooting.
7. ManageEngine OpManager
• Features: OpManager provides real-time network monitoring, physical and
virtual server monitoring, and customizable dashboards.
• Benefits: Helps in ensuring high availability and performance of banking
applications and infrastructure.
1.5) Benefits of Implementing Network Monitoring Systems to METROPOLIS CAPITAL Bank
Implementing network monitoring systems at METROPOLIS CAPITAL Bank can provide
several benefits, enhancing the overall security, performance, and reliability of the
organization's network infrastructure. Here are some key benefits:
1) Early Threat Detection
• Network monitoring systems can detect and alert on unusual or suspicious activities,
allowing the bank to identify potential security threats at an early stage.
• Early detection enables prompt response to security incidents, minimizing the impact
and reducing the risk of data breaches or network compromises.
2) Performance Optimization
• Network monitoring tools provide real-time visibility into network performance,
helping to identify bottlenecks, latency issues, or other performance-related issues.
• Proactive monitoring allows for optimization of network resources, ensuring efficient
and reliable operation of critical banking services.
3) Compliance Assurance
• Network monitoring helps the bank maintain compliance with regulatory
requirements and security policies by tracking and reporting on network activities.
• Continuous monitoring ensures that the organization meets industry standards and can
provide necessary documentation during compliance audits.
4) Incident Response Improvement
• Network monitoring systems assist in streamlining incident response efforts by
providing detailed information about the nature and scope of security incidents.
• Faster incident response reduces the time it takes to mitigate the impact of security
events, limiting potential damage and improving overall resilience.
5) Resource Utilization
• Monitoring network traffic and resource utilization allows for efficient management
of bandwidth and other network resources.
• Optimization of resource allocation contributes to improved network efficiency and
better user experience for both customers and employees.
6) Proactive Maintenance
• Network monitoring enables proactive identification of potential issues before they
lead to service disruptions.
• Scheduled maintenance and preventive measures can be implemented based on
insights gained from monitoring, reducing the likelihood of unexpected downtime.
7) Security Policy Enforcement
• Network monitoring systems can enforce security policies by identifying and blocking
unauthorized access attempts or abnormal network behavior.
• This helps in maintaining the integrity of security protocols and ensuring that the
organization's security policies are consistently applied.
8) Network Visibility
• Improved visibility into network traffic and device activities allows for a better
understanding of the overall network environment.
• Network administrators can identify trends, track user behavior, and make informed
decisions to enhance overall network security.
9) Troubleshooting and Diagnostics
• Network monitoring tools facilitate quick and effective troubleshooting by providing
detailed insights into network issues.
• Rapid diagnostics and resolution of network problems contribute to the reliability of
banking services and customer satisfaction.
10) Cost Savings
• By optimizing network performance and reducing downtime, network monitoring can
contribute to cost savings associated with operational efficiency and avoiding
potential financial losses from security incidents.
1.6) Evaluation of security measures that can be employed to ensure the integrity of METROPOLIS CAPITAL Bank IT security
To ensure the integrity of METROPOLIS CAPITAL Bank's IT security, a combination of
physical and virtual security measures should be implemented. Here is an evaluation of
various measures:
1.6.1) Physical Security Measures:
1) Access Controls
• Description: Restricting physical access to data centers and critical IT
infrastructure.
• Evaluation: Essential for preventing unauthorized personnel from physically
tampering with servers and network equipment. Biometric access, key cards, and
surveillance enhance effectiveness.
2) Surveillance Systems (CCTV)
• Description: Continuous monitoring of sensitive areas using CCTV.
• Evaluation: Provides real-time visibility and recording of physical activities.
Essential for deterring unauthorized access and investigating security incidents.
3) Environmental Controls
• Description: Implementing measures like fire suppression systems, temperature
control, and humidity control in data centers.
• Evaluation: Protects IT infrastructure from environmental threats, ensuring the
integrity of servers and preventing potential data loss due to environmental
factors.
4) Secure Server Rooms
• Description: Physically securing server rooms with access controls and
reinforced doors.
• Evaluation: Adds an extra layer of protection to critical infrastructure, limiting
physical access to authorized personnel only.
1.6.2) Virtual Security Measures:
1) Firewalls
• Description: Implementing firewalls to regulate and monitor incoming and
outgoing network traffic.
• Evaluation: Essential for protecting against cyber threats, ensuring that only
authorized traffic flows through the network and preventing unauthorized access.
2) Intrusion Detection and Prevention Systems (IDPS)
• Description: Monitoring and analyzing network or system activities for signs of
malicious activities.
• Evaluation: Provides real-time detection of suspicious behavior, helping to
prevent or mitigate potential security incidents.
3) Encryption
• Description: Encrypting sensitive data during transmission and storage.
• Evaluation: Protects data from unauthorized access, ensuring the confidentiality
and integrity of information, especially during communication over networks.
4) Endpoint Protection (Antivirus/Anti-malware)
• Description: Deploying antivirus and anti-malware software on endpoints
(computers, laptops, mobile devices).
• Evaluation: Protects individual devices from malicious software, reducing the
risk of malware compromising the integrity of systems.
5) Multi-Factor Authentication (MFA)
• Description: Implementing MFA to add an extra layer of identity verification.
• Evaluation: Enhances access control by requiring multiple forms of
identification, reducing the risk of unauthorized access.
6) Regular Software Patching and Updates
• Description: Keeping operating systems, applications, and software up-to-date
with the latest security patches.
• Evaluation: Reduces vulnerabilities by addressing known security issues,
ensuring a more secure IT environment.
7) Data Loss Prevention (DLP)
• Description: Monitoring, detecting, and blocking sensitive data from unauthorized
access or transmission.
• Evaluation: Prevents data breaches, ensuring the confidentiality and integrity of
sensitive information.
8) Security Information and Event Management (SIEM)
• Description: Aggregating and analyzing log data from various sources to identify and
respond to security events.
• Evaluation: Provides a centralized view of security events, aiding in the detection
and response to potential security incidents.
9) Regular Security Audits and Assessments
• Description: Conducting periodic security audits to identify vulnerabilities and assess
the effectiveness of security measures.
• Evaluation: Proactively identifies weaknesses and allows for continuous
improvement of security measures.
10) Web Application Firewalls (WAF)
• Description: Protecting web applications from various online threats and attacks.
• Evaluation: Safeguards against web-based attacks, ensuring the security and
integrity of online services.
11) Secure Wi-Fi Configuration
• Description: Configuring Wi-Fi networks with strong encryption protocols and
secure authentication methods.
• Evaluation: Prevents unauthorized access to the network, protecting against
potential security breaches.
12) Backup and Disaster Recovery Plans
• Description: Regularly backing up critical data and having a comprehensive
disaster recovery plan in place.
• Evaluation: Ensures data integrity by providing a means to recover from data loss
or system failures.
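The SIEM item above describes aggregating log data to identify and respond to events. As an added example, not code from the assignment or from any SIEM product, the Python below implements one correlation rule over constructed OpenSSH-style syslog lines: a burst of failed logins from one source within a sliding window raises an alert, and a successful login from that same source while the burst is still inside the window raises a higher-priority one, since that is the case an analyst must act on first. The log format, the assumed year (syslog lines carry none), the thresholds and the sample lines are all assumptions.

```python
"""SIEM-style correlation rule over authentication log lines.

Added illustration, not from the original assignment or any SIEM product.
Log format, assumed year, thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed OpenSSH-like syslog lines; syslog omits the year, so one is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
ASSUMED_YEAR = 2023
FAIL_THRESHOLD = 5   # this many failures ...
WINDOW_SECONDS = 60  # ... within this window trigger an alert


def parse_line(line: str):
    """Return an event dict for an auth result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def correlate(lines) -> list[tuple[str, str, str]]:
    """Return alerts as (kind, source ip, detail), processing events in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in the window
    flagged = set()                        # sources already alerted for a burst
    for ev in filter(None, map(parse_line, lines)):
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                    # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force_attempt", ev["src"],
                               f"{len(q)} failures in {WINDOW_SECONDS}s"))
        elif ev["result"] == "Accepted" and len(q) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the high-priority case.
            alerts.append(("success_after_brute_force", ev["src"],
                           f"user {ev['user']} on {ev['host']}"))
            q.clear()
    return alerts


# Constructed sample: a burst from one external address ending in a success,
# a staff member mistyping once, and an unrelated line the rule ignores.
SAMPLE_LOG = """\
Jan 10 09:00:01 vpn-gw sshd[4821]: Failed password for admin from 203.0.113.5 port 51514 ssh2
Jan 10 09:00:04 vpn-gw sshd[4821]: Failed password for admin from 203.0.113.5 port 51515 ssh2
Jan 10 09:00:07 vpn-gw sshd[4821]: Failed password for invalid user root from 203.0.113.5 port 51516 ssh2
Jan 10 09:00:09 vpn-gw sshd[4821]: Failed password for admin from 203.0.113.5 port 51517 ssh2
Jan 10 09:00:12 vpn-gw sshd[4821]: Failed password for admin from 203.0.113.5 port 51518 ssh2
Jan 10 09:00:15 vpn-gw sshd[4821]: Failed password for admin from 203.0.113.5 port 51519 ssh2
Jan 10 09:00:20 vpn-gw sshd[4830]: Accepted password for admin from 203.0.113.5 port 51520 ssh2
Jan 10 09:05:00 vpn-gw sshd[4901]: Failed password for alice from 10.1.1.22 port 40010 ssh2
Jan 10 09:05:05 vpn-gw sshd[4901]: Accepted password for alice from 10.1.1.22 port 40011 ssh2
Jan 10 09:06:00 vpn-gw sshd[4902]: pam_unix(sshd:session): session opened for user alice
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window is what keeps the rule useful: a single mistyped password, or five failures spread over a working day, never reaches the threshold, while a scripted burst does.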
Activity 2
2.1) Firewall
A firewall serves as a network security tool responsible for overseeing both incoming and
outgoing network traffic, determining the permission or restriction of specific traffic based on
a predetermined set of security rules. For many years, firewalls have acted as the initial
defense layer in network security. They create a separation between internally secured and
regulated networks, considered trustworthy, and external networks, including the untrusted
Internet.
Firewalls can manifest in various forms, including hardware, software, software-as-a-service
(SaaS), public cloud, or private cloud (virtual).
2.1.1 Various types of firewalls
1) Proxy Firewall
An initial form of firewall, the proxy firewall acts as the entry point from one network
to another, specifically for a particular application. Proxy servers offer extra features
like content caching and security by obstructing direct connections from external
networks. Nevertheless, this can potentially impact throughput capabilities and the
range of applications they can accommodate.
2) Stateful Inspection Firewall
Regarded as a "traditional" firewall today, a stateful inspection firewall permits or
blocks traffic based on state, port, and protocol. It scrutinizes all activities from the
initiation of a connection until its closure. Filtering decisions rely on both rules
defined by administrators and context, which involves information from previous
connections and packets related to the same connection.
3) Unified Threat Management (UTM) Firewall
A UTM device typically integrates, in a loosely connected manner, the functionalities
of a stateful inspection firewall with intrusion prevention and antivirus features. It
might also encompass additional services and frequently includes cloud management.
UTMs prioritize simplicity and user-friendliness.
4) Next-Generation Firewall (NGFW)
Firewalls have progressed beyond basic packet filtering and stateful inspection, with
many companies adopting next-generation firewalls to counter contemporary threats
such as advanced malware and attacks targeting the application layer. According to
Gartner, Inc.'s definition, a next-generation firewall must encompass:
• Intelligence-based access control with stateful inspection
• Integrated intrusion prevention system (IPS)
• Application awareness and control for identifying and blocking risky apps
• Upgrade paths for future information feeds
• Techniques addressing evolving security threats
• URL filtering based on geolocation and reputation
5) Threat-Focused NGFW
These firewalls encompass all the features of a traditional NGFW and go a step
further by providing advanced threat detection and remediation. With a threat-focused
NGFW, you can:
• Identify the most vulnerable assets through comprehensive context awareness
• Swiftly respond to attacks with intelligent security automation that
dynamically establishes policies and fortifies defenses
• Enhance detection of evasive or suspicious activities through network and
endpoint event correlation
• Significantly reduce the time from detection to cleanup with retrospective
security that continuously monitors for suspicious activity and behavior
even after initial inspection
• Simplify administration and reduce complexity with unified policies
safeguarding across the entire attack continuum
6) Virtual Firewall
Usually configured as a virtual appliance, a virtual firewall finds its deployment
within private clouds, including platforms like VMware ESXi, Microsoft Hyper-V, or
KVM, as well as public clouds like Oracle Cloud Infrastructure and Google Cloud
Platform. Its primary function revolves around monitoring and securing traffic within
the realms of both physical and virtual networks. Often integrated into software-defined
networks, the virtual firewall assumes a pivotal role in fortifying and improving
network security.
7) Cloud Native Firewall
Cloud native firewalls represent a modernized approach to securing applications and
workload infrastructure on a large scale. Equipped with automated scaling features,
these firewalls empower networking operations and security operations teams to
operate with agility. The advantages of cloud native firewalls include:
• Agile and Elastic Security: The ability to adapt and scale security
measures quickly in response to changing demands.
• Multi-Tenant Capability: Supporting multiple tenants simultaneously,
ensuring efficient and secure resource sharing.
• Smart Load Balancing: Intelligent distribution of network traffic to
optimize performance and enhance overall security.
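To show what "filtering on state, port, and protocol" in the stateful inspection item above means in practice, here is an added simplified model; it is not code from the assignment or from any firewall product. New connections are checked against a rule base, permitted ones are recorded in a connection table, return traffic is accepted only when it matches a recorded connection, and a TCP packet that is neither part of a known connection nor a SYN is dropped because it has no state to belong to. The packet representation, the rule set, the "first match wins, default deny" policy and the sample traffic are assumptions, and only SYN, FIN and RST handling is modelled.

```python
"""Simplified stateful inspection firewall.

Added illustration, not from the original assignment or any firewall vendor.
Packet format, rule base, policy and sample traffic are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags such as "S", "SA", "A", "F", "R"


@dataclass
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "out" (inside -> outside) or "in"
    proto: str
    dport: Optional[int] = None  # None matches any destination port


class StatefulFirewall:
    """Accepts traffic of known connections, plus rule-permitted new connections."""

    def __init__(self, internal_prefix: str, rules: list[Rule]):
        self.internal_prefix = internal_prefix  # assumed: inside hosts share this prefix
        self.rules = rules
        self.state: set[tuple] = set()          # connection table keyed on the 5-tuple
        self.log: list[str] = []

    def _direction(self, pkt: Packet) -> str:
        return "out" if pkt.src.startswith(self.internal_prefix) else "in"

    def _rule_verdict(self, pkt: Packet) -> str:
        direction = self._direction(pkt)
        for r in self.rules:  # first match wins; nothing matched means deny
            if r.direction == direction and r.proto == pkt.proto and r.dport in (None, pkt.dport):
                return r.action
        return "deny"

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packets of a known connection pass without re-evaluating the rules.
        if key in self.state or reverse in self.state:
            if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
                self.state.discard(key)      # connection closing: forget it
                self.state.discard(reverse)
            return "allow"
        # 2. A TCP packet that is not a SYN cannot open a connection: no state, so drop it.
        if pkt.proto == "tcp" and pkt.flags != "S":
            self.log.append(f"drop out-of-state {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} flags={pkt.flags}")
            return "deny"
        # 3. New connection: consult the rule base and remember it if permitted.
        verdict = self._rule_verdict(pkt)
        if verdict == "allow":
            self.state.add(key)
        else:
            self.log.append(f"deny new {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
        return verdict


# Assumed policy: inside hosts may open HTTPS and DNS outbound; nothing new may come in.
RULES = [Rule("allow", "out", "tcp", 443), Rule("allow", "out", "udp", 53)]


def demo() -> list[str]:
    """Constructed traffic; returns the verdict for each packet in order."""
    fw = StatefulFirewall("10.", RULES)
    return [
        fw.filter(Packet("10.1.1.5", 40000, "203.0.113.10", 443, "tcp", "S")),   # new HTTPS out
        fw.filter(Packet("203.0.113.10", 443, "10.1.1.5", 40000, "tcp", "SA")),  # its reply
        fw.filter(Packet("203.0.113.10", 443, "10.1.1.5", 40001, "tcp", "SA")),  # unsolicited SYN-ACK
        fw.filter(Packet("203.0.113.99", 5555, "10.1.1.5", 22, "tcp", "S")),     # inbound SSH
        fw.filter(Packet("10.1.1.5", 40002, "203.0.113.10", 23, "tcp", "S")),    # telnet out
        fw.filter(Packet("10.1.1.5", 5353, "198.51.100.53", 53, "udp")),         # DNS query out
        fw.filter(Packet("198.51.100.53", 53, "10.1.1.5", 5353, "udp")),         # DNS reply
    ]


if __name__ == "__main__":
    print(demo())
```

The third packet is the one a stateless packet filter gets wrong: it looks like a legitimate server reply on port 443, but no inside host ever opened that connection, so the connection table has no entry and the packet is dropped.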
2.1.2) The Necessity of Firewalls
The significance of firewalls, particularly Next Generation Firewalls, lies in their emphasis
on thwarting malware and application-layer attacks. With the integration of an intrusion
prevention system (IPS), these advanced firewalls exhibit swift and seamless responsiveness
to identify and counteract attacks spanning the entire network. Firewalls, operating based on
pre-established policies, play a crucial role in fortifying your network by swiftly identifying
and neutralizing invasive or suspicious activities, such as malware. By incorporating a
firewall into your security infrastructure, you establish specific policies for managing
incoming and outgoing traffic.
2.2) VPN
VPN, short for "Virtual Private Network," refers to the capability to establish a secure
network connection while utilizing public networks. VPNs employ encryption to safeguard
internet traffic and obfuscate online identities, making it challenging for third parties to
monitor online activities and pilfer data. The encryption process occurs in real-time.
2.2.1 Functionality of a VPN
A VPN conceals your IP address by directing it through a specifically configured remote
server managed by a VPN host. Consequently, when you browse the internet with a VPN, the
VPN server serves as the origin of your data. This implies that your Internet Service Provider
(ISP) and other external entities cannot observe the websites you visit or the data you
transmit and receive online. Essentially, a VPN acts as a filter that transforms all your data
into unintelligible content. Even if someone gains access to your data, it remains unreadable to them.
2.2.2 Benefits of a VPN Connection
• Data Traffic Protection: A VPN connection shields your online data traffic from
external intrusion. Unencrypted data is susceptible to viewing by anyone with network
access, but a VPN prevents hackers and cybercriminals from deciphering this data.
• Secure Encryption: For data comprehension, an encryption key is essential. Without
it, a brute force attack would require millions of years to decode the encrypted data.
Through a VPN, your online activities stay concealed, even on public networks.
• Location Disguise: VPN servers function as proxies on the internet, obscuring your
actual location. Since demographic location data originates from a server in another
country, your real location remains undisclosed. Moreover, most VPN services do not
retain logs of your activities, ensuring the permanent concealment of any potential
record of user behavior.
• Access to Regional Content: Regional web content may not always be accessible
universally. VPNs enable location spoofing, allowing you to switch to a server in
another country and effectively alter your apparent location. This facilitates access
to content that may be restricted based on geographical location.
• Secure Data Transfer: For remote work involving access to vital files on a
company's network, a secure connection is imperative. VPN connections, which link to
private servers and employ encryption methods, mitigate the risk of data leakage and
provide a secure means to access the network.
2.2.3 Types of VPNs
Various types of VPNs exist, and it's essential to be acquainted with the three primary
categories:
1) SSL VPN
• SSL VPNs are deployed when not all employees possess a company laptop for
remote work, a situation accentuated during events like the COVID-19 crisis.
• Utilizing private devices such as PCs, laptops, tablets, or mobile phones,
employees access an SSL-VPN solution often implemented through a
corresponding hardware box.
• Access is secured via a username and password, requiring an HTML5-capable
browser, accessible across different operating systems.
2) Site-to-Site VPN
• A site-to-site VPN establishes a private network concealing intranets, enabling
secure interconnection for users within these networks.
• It proves valuable for companies with multiple locations, each having its local
area network (LAN) linked to the Wide Area Network (WAN).
• Especially suitable for large companies, site-to-site VPNs facilitate
communication within and between extensive departments, albeit with a more
intricate implementation compared to SSL VPNs.
3) Client-to-Server VPN
• This form of VPN connection is akin to connecting a home PC to the company
using an extension cable.
• Employees access the company network from their home offices through a VPN
client, simulating an office setting. Installation and configuration of a VPN client
on the computer are prerequisites.
• The VPN client establishes a direct connection, bypassing the user's Internet
Service Provider (ISP), enhancing efficiency. This is particularly advantageous for
providers of insecure public WLAN, preventing unauthorized access to the
network connection and encrypting data until it reaches the provider.
• This VPN type ensures universal access to company resources, allowing
employees to seamlessly work from home while maintaining the appearance of
being in the office.
2.3 How improper configuration of firewalls, VPNs and
other network infrastructure will affect the
METROPOLIS CAPITAL Bank system
An incorrect or improper configuration for network infrastructure components, such as
firewalls and VPNs, could have severe consequences for the security, functionality, and
overall operations of METROPOLIS CAPITAL Bank. Here are some potential impacts:
1) Security Vulnerabilities:
• Firewall Misconfigurations: Incorrect firewall configurations may lead to
unintended openings in the network's defenses, allowing unauthorized access and
potential exploitation by malicious actors.
• VPN Misconfigurations: Improper VPN settings might result in unsecured
connections, leading to data interception and exposure during transmission.
2) Unauthorized Access:
• Firewall Issues: Misconfigurations may allow unauthorized access to sensitive
systems or data, compromising the confidentiality and integrity of financial
information.
• VPN Issues: Incorrect VPN configurations can result in unauthorized users gaining
access to the bank's internal network, posing a significant security risk.
3) Data Breaches:
• Firewall Weaknesses: Inadequate firewall configurations may expose critical data to
cybercriminals, leading to potential data breaches and financial losses.
• VPN Insecurity: Vulnerabilities in VPN configurations can result in unauthorized
parties intercepting or manipulating sensitive data during transmission.
4) Service Disruptions:
• Firewall Blockages: Incorrect firewall rules might block legitimate traffic, causing
disruptions to banking services and affecting customer experience.
• VPN Connectivity Issues: Improper VPN settings can lead to connectivity problems,
hindering remote access for employees and impacting the bank's day-to-day
operations.
5) Compliance Violations:
• Regulatory Non-Compliance: Misconfigurations may lead to violations of
regulatory requirements, such as data protection laws and financial industry standards,
resulting in legal consequences and financial penalties.
6) Loss of Customer Trust:
• Security Incidents: Breaches or disruptions resulting from network
misconfigurations can erode customer trust in the bank's ability to secure their
financial information.
• Service Outages: Customer dissatisfaction may arise if banking services are
unavailable or unreliable due to network issues.
7) Reputation Damage:
• Public Perception: Security incidents and service disruptions can damage the bank's
reputation in the eyes of customers, investors, and the public, potentially leading to
long-term consequences.
8) Operational Inefficiencies:
• Productivity Impact: Network misconfigurations can lead to increased
troubleshooting time, affecting the productivity of IT staff and causing delays in
addressing security or connectivity issues.
9) Increased Operational Costs:
• Remediation Expenses: Addressing security incidents resulting from
misconfigurations may involve significant costs for incident response, forensics, and
system recovery.
10) Regulatory Scrutiny:
• Investigations: Regulatory authorities may investigate security incidents, service
disruptions, or compliance violations, leading to additional scrutiny and potential
legal actions.
To mitigate these risks, METROPOLIS CAPITAL Bank should regularly conduct
comprehensive security audits, implement best practices in firewall and VPN configurations,
and ensure that the network infrastructure aligns with industry standards and regulatory
requirements. Continuous monitoring and timely updates to configurations are crucial to
maintaining a secure and resilient network environment.
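The configuration checks recommended above can be automated rather than done by eye. The Python script below is an added example and is not part of this assignment: it audits a constructed rule set (the Rule format, the helper names and the sample addresses are assumptions for illustration) for the misconfigurations discussed in this section, namely an allow-anything rule, administrative ports reachable from any source, rules shadowed by an earlier broader rule, and a rule set that does not end with an explicit deny.

```python
"""Audit a firewall rule set for the misconfigurations described above.

Added example for this section; it is not part of the assignment. The rule
format, the helper names and the sample rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
ADMIN_PORTS = frozenset({22, 23, 3389, 5900})  # SSH, Telnet, RDP, VNC


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: frozenset     # destination ports; an empty set means any port

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by this rule,
        i.e. `other` can never be reached if it sits after this rule."""
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        ports_ok = not self.ports or (bool(other.ports) and other.ports <= self.ports)
        return src_ok and dst_ok and ports_ok


def audit(rules):
    """Return a list of human-readable findings for the ordered rule set."""
    findings = []
    for i, rule in enumerate(rules):
        # Shadowing applies to allow and deny rules alike: the later rule is dead.
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append(f"{rule.name}: shadowed by earlier rule {earlier.name}")
                break
        if rule.action != "allow":
            continue  # overly broad deny rules cause outages, but not openings
        if rule.src == ANY and rule.dst == ANY and not rule.ports:
            findings.append(f"{rule.name}: allows any source to any destination on any port")
        if rule.src == ANY and (not rule.ports or rule.ports & ADMIN_PORTS):
            findings.append(f"{rule.name}: exposes administrative ports to the internet")
    last = rules[-1]
    if not (last.action == "deny" and last.src == ANY and last.dst == ANY and not last.ports):
        findings.append("rule set does not end with an explicit deny-all rule")
    return findings


# Constructed sample rule set (addresses taken from documentation ranges)
SAMPLE_RULES = [
    Rule("allow-web", "allow", ANY, "203.0.113.0/24", frozenset({80, 443})),
    Rule("allow-rdp", "allow", ANY, "10.0.0.0/8", frozenset({3389})),
    Rule("allow-vpn-portal", "allow", ANY, "203.0.113.5/32", frozenset({443})),
    Rule("temp-any", "allow", ANY, ANY, frozenset()),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run as a script it prints one line per finding. In practice the rule set would be exported from the bank's firewall and the audit run as part of change control, so that a temporary "any/any" rule or an exposed management port is caught before it reaches production.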
2.4 Assessing the IT security risks that may be faced by the
employees of METROPOLIS CAPITAL Bank and
proposing how the organization can provide its
employees with a secure remote working environment.
2.4.1 Assets, vulnerabilities, threats and risk identification
Asset: Computers
Vulnerabilities:
• Outdated software
• Weak passwords
• Using cracked software
• Unpatched security flaws
Threats:
• Malware infections (A1)
• Hacker attacks (A2)
• Unauthorized access (A3)
• Ransomware
• Phishing attacks (A4)
• Worm infection (A5)
• MIM (man-in-the-middle) attacks (A6)
Risks:
• Important data leak to the public
• Financial loss
• Reputational damage to the bank
• Work disruption
• Client and employee identity breaches to the public
Asset: Mobile devices
Vulnerabilities:
• Unsecured Wi-Fi connections
• Lost or stolen devices
• Malicious apps
Threats:
• Malware infections (B1)
• Hacker attacks (B2)
• Unauthorized access (B3)
• Ransomware (B4)
• Phishing attacks (B5)
Asset: Remote access tools
Vulnerabilities:
• Weak authentication
• Unencrypted connections
• Misconfigured access controls
Threats:
• Unauthorized access (C1)
• Malware infections (C2)
• Hacker attacks (C3)
• Phishing attacks (C4)
Asset: Home networks
Vulnerabilities:
• Default passwords
• Unpatched firmware
• Lack of network segmentation
Threats:
• Hacker attacks (D1)
• Unauthorized access (D2)
• Phishing attacks (D3)
• MIM (man-in-the-middle) attack (D4)
Asset: Printed documents
Vulnerabilities:
• Unsecured storage
• Improper disposal
Threats:
• Data theft (E1)
• Unauthorized access (E2)
Risks for mobile devices, remote access tools, home networks and printed documents:
• Privacy rules violations
• Data loss
• Work interruption
• Data leaks to the public
• Identity theft
• Data breaches to the public
• Reputational damage to the bank
2.4.2 Analyzing the risk
Each risk matrix below plots the threats identified in 2.4.1 by probability (rows: HIGH, MID,
LOW) against impact (columns: LOW, MID, HIGH).
Risk matrix for computers
• HIGH probability: A2, A3
• MID probability: A1, A5, A4
• LOW probability: none
Risk matrix for mobile devices
• HIGH probability: B5
• MID probability: B1, B3
• LOW probability: B2, B4
Risk matrix for remote access tools
• HIGH probability: none
• MID/LOW probability: C1, C2, C3, C4
Risk matrix for employees' home network devices
• HIGH probability: D1, D2, D3, D4
• MID probability: none
• LOW probability: none
Risk matrix for printed documents
• HIGH probability: E1, E2
• MID probability: none
• LOW probability: none
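The matrices above were placed by hand. As an added example (not the assignment's own code), the following Python script builds the same probability by impact grid from a risk register and ranks the threats by probability times impact. The threat IDs are those used in 2.4.1; the probability and impact levels in the sample register and the score thresholds are constructed assumptions, not the assignment's final ratings.

```python
"""Place identified threats on a probability x impact risk matrix.

Added example for this section, not the assignment's own code. Threat IDs follow
the assignment (A1..E2); the levels in the sample register and the banding
thresholds are constructed for illustration.
"""
LEVELS = {"LOW": 1, "MID": 2, "HIGH": 3}
ORDER = ("HIGH", "MID", "LOW")   # row order, top to bottom, as in the matrices
COLUMNS = ("LOW", "MID", "HIGH")  # impact axis, left to right

# Constructed sample register: threat id -> (description, probability, impact)
SAMPLE_THREATS = {
    "A1": ("Malware infection on computers", "MID", "HIGH"),
    "A2": ("Hacker attacks on computers", "HIGH", "HIGH"),
    "A4": ("Phishing attacks on computers", "MID", "MID"),
    "B2": ("Hacker attacks on mobile devices", "LOW", "MID"),
    "E1": ("Data theft from printed documents", "HIGH", "MID"),
}


def score(probability, impact):
    """Numeric risk score: probability level x impact level (1..9)."""
    return LEVELS[probability] * LEVELS[impact]


def rating(risk_score):
    """Map a 1..9 score to the three bands (thresholds are an assumption)."""
    if risk_score >= 6:
        return "HIGH"
    if risk_score >= 3:
        return "MID"
    return "LOW"


def build_matrix(threats):
    """Return {(probability, impact): [threat ids]} for every matrix cell."""
    matrix = {(p, i): [] for p in ORDER for i in COLUMNS}
    for tid, (_, probability, impact) in threats.items():
        matrix[(probability, impact)].append(tid)
    return matrix


def prioritised(threats):
    """Threat ids ordered from highest to lowest score; ties keep register order."""
    return sorted(threats, key=lambda tid: score(*threats[tid][1:]), reverse=True)


def render(threats):
    """Text grid in the same orientation as the matrices above."""
    matrix = build_matrix(threats)
    lines = ["Probability \\ Impact | " + " | ".join(f"{c:<10}" for c in COLUMNS)]
    for p in ORDER:
        cells = [",".join(matrix[(p, c)]) or "-" for c in COLUMNS]
        lines.append(f"{p:<20} | " + " | ".join(f"{c:<10}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_THREATS))
    for tid in prioritised(SAMPLE_THREATS):
        _, p, i = SAMPLE_THREATS[tid]
        print(f"{tid}: {rating(score(p, i))} (P={p}, I={i})")
```

The ranked list is what a treatment plan in 2.4.3 would be ordered by: the HIGH band items get controls first, the LOW band items may be accepted and monitored.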
2.4.3 Solutions to mitigate risks and provide a secure remote working
environment.
To mitigate the risks associated with the vulnerabilities mentioned earlier and address the
threats faced by METROPOLIS CAPITAL Bank and its employees, several solutions can be
implemented:
Computers:
o Implement regular software updates and patch management to address vulnerabilities
in operating systems and software applications.
o Enforce strong password policies and multi-factor authentication to protect against
unauthorized access to computers.
o Deploy endpoint security solutions such as antivirus software and intrusion
detection/prevention systems to detect and mitigate malware threats.
o Encrypt sensitive data stored on computers to prevent unauthorized access in case of
theft or compromise.
o Provide employee training on security best practices, including safe browsing habits
and recognizing phishing attempts.
Mobile Devices:
o Implement mobile device management (MDM) solutions to enforce security policies,
such as device encryption and remote wipe capabilities.
o Require the use of strong passwords or biometric authentication on mobile devices to
prevent unauthorized access.
o Enable device tracking and remote locking features to mitigate the risks of lost or
stolen devices.
o Educate employees on mobile security best practices, including avoiding public Wi-Fi
networks and only installing apps from trusted sources.
Remote Access Tools:
o Implement strong authentication mechanisms, such as multi-factor authentication, for
remote access tools to prevent unauthorized access.
o Encrypt remote access sessions to protect data transmitted over the network from
interception.
o Monitor remote access activities for suspicious behavior and unauthorized access
attempts.
o Regularly update and patch remote access tools to address security vulnerabilities and
mitigate the risk of exploitation.
Home Networks:
o Provide employees with guidelines for securing their home networks, including
changing default passwords, updating firmware regularly, and enabling encryption.
o Encourage the use of virtual private network (VPN) connections when accessing
corporate resources from home networks to secure data transmission.
o Implement network segmentation to isolate corporate devices and data from personal
devices on home networks.
o Educate employees on the importance of securing their home networks and
recognizing potential threats, such as phishing emails or malicious websites.
Printed Documents:
o Implement document management solutions to digitize and encrypt sensitive
documents, reducing the risk of physical theft or loss.
o Establish clear policies and procedures for the secure storage and disposal of printed
documents, including shredding or secure recycling.
o Limit the printing of sensitive information and encourage digital distribution and
storage whenever possible.
o Educate employees on the proper handling and disposal of printed documents,
including the importance of keeping sensitive information confidential.
Continuous employee education, regular security training, and the implementation of security
policies and technologies are essential to mitigate these risks effectively. Additionally,
fostering a culture of cybersecurity awareness among employees can significantly contribute
to the overall security posture of METROPOLIS CAPITAL Bank.
2.5 Static IPs
A static IP address remains constant and does not undergo changes over time. IP addresses,
serving as numerical identifiers, facilitate the transmission of data packets between our
networks and devices. While the majority of IP addresses are dynamic, meaning they undergo
occasional changes, a static IP remains consistently unchanged, retaining the same sequence
of numbers.
2.5.1 Uses of Static IPs
The usage of static IP addresses encompasses several practical applications, including:
1) Remote Access Solutions
• In Virtual Private Networks (VPNs), static IP addresses are often employed to
regulate access to company resources and databases. Users with specific static
IP addresses can use a VPN application to connect to a company server,
enabling privileged access and facilitating the utilization of company files and
networks.
2) Server Hosting
• Hosting a server is made more straightforward by using a static IP address.
This ensures that devices can easily locate and connect to the server,
streamlining the hosting process.
3) Faster Data Transfer
• Configuring a device with a static private IP address can lead to slightly faster
data transfer from the internet gateway (router or modem) to that specific
device. Although the speed boost may be marginal, it contributes to more
efficient data transmission.
4) Networked Devices and Services
• Static IP addresses are beneficial for devices and services that require constant
and predictable network addresses. This is particularly useful for networked
devices such as printers, cameras, and other Internet of Things (IoT) devices.
5) Security and Access Control
• Static IP addresses are employed in security measures, allowing organizations
to restrict access to their networks based on specific IP addresses. This
enhances security by ensuring that only authorized devices with predetermined
static IPs can access sensitive resources.
2.5.2 Advantages and Disadvantages of Static IPs
Advantages of Static IP Addresses:
• Consistent Access: Static IP addresses provide a constant and unchanging
identifier for devices, ensuring consistent access to specific services or
resources.
• Remote Access and VPNs: Ideal for remote access solutions, such as VPNs,
where specific IP addresses are required for privileged access to company
resources.
• Server Hosting: Simplifies server hosting by making it easier for devices to
locate and connect to the server using a static IP address.
• Security Measures: Enhances security by allowing organizations to restrict
access to their networks based on specific, predetermined IP addresses.
• Quality of Service (QoS) Configuration: Useful for configuring Quality of
Service (QoS) settings, ensuring priority access to bandwidth and network
resources for specific devices or services.
Disadvantages of Static IP Addresses:
• Complex Configuration: Setting up and configuring static IP addresses can be
more complex than relying on dynamic IP assignments, especially in large
networks.
• Manual Management: Requires manual management and assignment of IP
addresses, which can be time-consuming and impractical in dynamic
environments.
• Potential for Address Conflicts: If IP addresses are not carefully managed, there
is a risk of conflicts where two devices attempt to use the same static IP address,
leading to network issues.
• Limited Scalability: In large networks or environments with frequently changing
devices, static IP addresses may not be scalable or practical.
• Cost Considerations: Some internet service providers may charge additional fees
for static IP addresses, making them a cost consideration for businesses.
2.6 Network Address Translation (NAT)
Network Address Translation (NAT) is a technology used in networking to modify network
address information in packet headers while in transit. NAT plays a crucial role in managing
the allocation and conservation of IP addresses within a network, especially in scenarios
where the number of internal devices exceeds the available pool of public IP addresses.
Key aspects of NAT include:
1) IP Address Translation:
NAT translates private IP addresses used within a local network into a single public IP
address that is visible to the external network (usually the internet). This allows
multiple devices within the private network to share the same public IP address.
2) Private and Public IP Addresses:
Private IP addresses are reserved for use within private networks and are not routable
on the internet. Commonly used private IP address ranges include those defined in
RFC 1918, such as 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and
192.168.0.0 to 192.168.255.255. NAT enables devices with private IP addresses to
communicate with external networks using a shared public IP address.
3) Types of NAT:
There are different types of NAT, including:
• Static NAT: Maps a private IP address to a specific public IP address,
providing a one-to-one mapping.
• Dynamic NAT: Maps private IP addresses to public IP addresses from a pool
of available addresses dynamically as needed.
• PAT (Port Address Translation): Also known as NAT overload, PAT maps
multiple private IP addresses to a single public IP address by using different
ports to differentiate between connections.
4) Conservation of Public IP Addresses:
• NAT allows organizations to use private IP addresses internally, conserving the
limited pool of public IP addresses. This is particularly important in scenarios
where the number of internal devices is much larger than the available public
IP addresses.
5) Enhanced Security:
• NAT provides a level of security by acting as a barrier between internal
devices with private IP addresses and external networks. External entities only
see the public IP address, adding a layer of obscurity to internal network
structures.
6) IPv6 Transition:
• NAT has been widely used to ease the transition from IPv4 to IPv6. As IPv6
adoption increases, the need for NAT may decrease, given the larger address
space provided by IPv6.
7) Port Mapping and Address Mapping:
• In PAT, port mapping is utilized to distinguish between multiple private
devices sharing the same public IP address. Each connection is assigned a
unique port number to maintain differentiation.
NAT is a fundamental technology in networking, addressing the challenges associated
with IP address scarcity and providing a level of security for internal networks.
However, it can introduce complexities for certain applications and services,
particularly those that rely on end-to-end connectivity.
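To make the PAT mechanism in points 3 and 7 concrete, the following Python simulation is added here; it is not part of the assignment. It keeps a translation table keyed by the private source address and port, allocates a distinct public port per connection, and drops inbound packets that match no existing mapping, which is the barrier effect described in point 5. The public address, the port range, the class name and the sample flows are constructed.

```python
"""Simulate Port Address Translation (NAT overload) for an internal network.

Added example for this section, not the assignment's own code. The public IP,
the port range and the sample flows are constructed for illustration.
"""
import ipaddress

# The RFC 1918 private ranges quoted in point 2 above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PortAddressTranslator:
    """Maps many (private ip, port) pairs onto one public IP by allocating ports."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # public port -> (src_ip, src_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outbound packet; returns (public_ip, public_port).

        The same 5-tuple always reuses its mapping, so one TCP connection keeps
        one public port for its lifetime."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_port):
        """Map a packet arriving on the public IP back to the private host that
        opened the connection. None means no mapping exists: an unsolicited
        inbound packet, which the NAT device drops."""
        return self.inbound.get(dst_port)


if __name__ == "__main__":
    nat = PortAddressTranslator("198.51.100.1")  # constructed public address
    # Two internal hosts using the same source port towards the same server
    print(nat.translate_outbound("192.168.1.10", 51000, "203.0.113.80", 443))
    print(nat.translate_outbound("192.168.1.11", 51000, "203.0.113.80", 443))
    print(nat.translate_inbound(40000), nat.translate_inbound(50000))
```

The two hosts collide on source port 51000 but leave the NAT device on distinct public ports, which is exactly the differentiation point 7 describes; the reply on port 50000 has no mapping and is discarded.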
2.7 Demilitarized Zone (DMZ)
A Demilitarized Zone (DMZ) in the context of computer networks is a designated area within
a network that sits between the internal secure network and the external untrusted network,
typically the internet. The purpose of a DMZ is to add an additional layer of security by
segregating and isolating certain services and resources from the internal network.
Key characteristics and functions of a DMZ include:
1) Segregation of Services:
• The DMZ houses services that need to be accessible from the internet,
such as web servers, email servers, or application servers. By placing these
services in the DMZ, organizations can restrict direct access to the internal
network.
2) Security Buffer:
• The DMZ acts as a security buffer zone between the internal network
(which contains sensitive data and resources) and the external network
(internet). This helps in preventing direct attacks on the internal network.
3) Access Control:
• Access controls and security measures are implemented in the DMZ to
regulate and monitor traffic. This ensures that only authorized
communication passes between the internal network, DMZ, and external
network.
4) Firewalls and Security Appliances:
• Firewalls are commonly deployed at the boundaries of the DMZ to control
the flow of traffic. These firewalls enforce rules that allow or deny specific
types of communication between the DMZ and the internal/external
networks.
5) Types of Servers in DMZ:
• Web servers, email servers, FTP servers, and application servers are
examples of servers often placed in the DMZ. These servers provide
services to external users while maintaining a level of isolation from the
internal network.
6) Public-Facing Services:
• Services exposed to the public, such as a company's website or email
portal, are placed in the DMZ. This allows external users to access these
services without compromising the security of the internal network.
7) Intrusion Prevention:
• Intrusion prevention systems (IPS) and other security appliances may be
deployed within the DMZ to monitor and prevent malicious activities.
8) Logically and Physically Separate:
• The DMZ is both logically and physically separate from the internal
network. This separation minimizes the risk of unauthorized access to
internal resources.
9) Redundancy and High Availability:
• For critical services, redundancy and high availability measures may be
implemented in the DMZ to ensure continuous availability even in the face
of hardware or software failures.
The DMZ architecture is a fundamental component of network security strategies,
providing a controlled environment for external services while safeguarding the
internal network from potential threats originating from the internet.
2.8 How Static IP, NAT, DMZ technologies would benefit
METROPOLIS CAPITAL Bank and its Clients to
increase network performance.
2.8.1 Benefit of using Static IP in METROPOLIS CAPITAL
Bank
• Improved Network Stability: Assigning a static IP address to critical infrastructure
components, such as servers and network devices, provides a stable and predictable
network environment. This stability is crucial for banking operations that require
constant and reliable access to services.
• Enhanced Security: Static IPs allow for more precise control over access
permissions. Firewalls and access control lists (ACLs) can be configured to permit or
deny traffic based on specific IP addresses. This contributes to a more secure network
environment for sensitive financial transactions.
• Easier Network Management: Static IPs simplify network management tasks as the
assigned addresses do not change over time. This makes it easier to monitor and
troubleshoot network devices, reducing the likelihood of configuration errors that can
impact network performance.
2.8.2 Benefit of NAT (Network Address Translation) to
METROPOLIS CAPITAL Bank
• IP Address Conservation: NAT allows multiple devices within the bank's internal
network to share a single public IP address when accessing resources on the internet.
This conserves the limited pool of public IP addresses and reduces costs associated
with acquiring additional IPs.
• Enhanced Security: NAT acts as a natural firewall, providing a level of security by
hiding internal IP addresses from external networks. This makes it more challenging
for external entities to initiate unsolicited connections to internal devices, bolstering
overall network security.
• Scalability: NAT facilitates the growth of the bank's internal network without
requiring a corresponding increase in the number of public IP addresses. This
scalability is essential for accommodating the expanding needs of the bank's
operations.
[Figure: NAT topology showing METROPOLIS CAPITAL Bank servers and devices with static IPs on the internal network (private IPs) behind the NAT device]
Internal Network (Private IPs) ----> NAT Device ----> Router ----> Internet (Public IP)
2.8.3 Benefit of DMZ (Demilitarized Zone) to METROPOLIS CAPITAL Bank:
• Enhanced Security Segmentation: The DMZ serves as an isolated network segment
that houses servers accessible from both the internal network and the internet. This
ensures that external users can access public-facing services without directly reaching
the internal network, providing an additional layer of security.
• Protection for Public-Facing Services: Web servers, email servers, and other public
services can reside in the DMZ, separating them from critical internal systems. This
protects internal assets in case of a security breach in public-facing services.
• Improved Performance for External Services: By hosting public services in the
DMZ, the bank can optimize the performance of these services for external clients.
This segregation ensures that external traffic does not directly interact with internal
network components, minimizing potential bottlenecks.
Internet ----> Firewall ----> DMZ (Web Server, Email Server) ----> Internal Network
[Figure: DMZ topology showing METROPOLIS CAPITAL Bank internal servers and the internal network with highly important servers behind the DMZ]
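The two topology diagrams in 2.8.2 and 2.8.3 can be expressed as a zone policy: each flow is classified by its source and destination zone, only the listed flows are permitted, and the static IPs of the web and database servers are the access-control anchors described in 2.8.1. The Python below is an added example and not the assignment's own code; the zone address ranges, the server addresses, the policy entries and the sample flows are constructed.

```python
"""Zone-based access policy for Internet -> Firewall -> DMZ -> Internal Network.

Added example for this section, not the assignment's own code. The address
plan, the static server addresses and the sample flows are constructed.
"""
import ipaddress

# Constructed address plan: a documentation range for the public-facing DMZ,
# RFC 1918 space for the internal network; anything else is the internet.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_SERVER = "203.0.113.10"   # static IP of the public web server in the DMZ
DB_SERVER = "10.10.5.20"      # static IP of the core banking database (internal)


def zone_of(ip):
    """Classify an address into dmz, internal or internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Policy per (source zone, destination zone): a list of
# (allowed source CIDR, allowed destination CIDR, destination port or None for any).
# Zone pairs with no entry, such as ("internet", "internal"), are denied outright.
POLICY = {
    ("internet", "dmz"): [("0.0.0.0/0", f"{WEB_SERVER}/32", 443)],
    # Only the web server's static IP may open the database port: a DMZ host
    # that is compromised but is not the web server still cannot reach the DB.
    ("dmz", "internal"): [(f"{WEB_SERVER}/32", f"{DB_SERVER}/32", 5432)],
    ("internal", "dmz"): [("10.10.0.0/16", "203.0.113.0/24", None)],
    ("internal", "internet"): [("10.10.0.0/16", "0.0.0.0/0", 443)],
}


def evaluate(src_ip, dst_ip, dst_port):
    """Return "allow" or "deny" for a flow; the default is deny."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_cidr, dst_cidr, port in POLICY.get(pair, []):
        if (src in ipaddress.ip_network(src_cidr)
                and dst in ipaddress.ip_network(dst_cidr)
                and port in (None, dst_port)):
            return "allow"
    return "deny"


# Constructed sample flows: (description, src, dst, port)
SAMPLE_FLOWS = [
    ("client browses the bank website", "198.51.100.7", WEB_SERVER, 443),
    ("client tries SSH to the web server", "198.51.100.7", WEB_SERVER, 22),
    ("client tries the database directly", "198.51.100.7", DB_SERVER, 5432),
    ("web server queries the database", WEB_SERVER, DB_SERVER, 5432),
    ("other DMZ host queries the database", "203.0.113.11", DB_SERVER, 5432),
    ("staff workstation manages the web server", "10.10.1.5", WEB_SERVER, 8080),
]

if __name__ == "__main__":
    for desc, src, dst, port in SAMPLE_FLOWS:
        print(f"{evaluate(src, dst, port):5}  {desc} ({src} -> {dst}:{port})")
```

Every flow that is not explicitly listed is denied, so the internet can never reach the internal network directly, and a DMZ host other than the web server cannot open the database port even though it shares the DMZ segment.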
Activity 3
3.1 Review risk assessment procedures for METROPOLIS
CAPITAL Bank to protect itself and its clients.
To review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself
and its clients, we need to consider several key aspects:
1. Comprehensive Risk Identification:
• Ensure that all potential risks, including those related to technology, operations,
compliance, and external factors, are identified through regular risk assessments.
• Utilize various methods such as interviews, documentation review, and historical
data analysis to identify risks comprehensively.
2. Risk Classification and Prioritization:
• Classify identified risks based on their nature, impact on the bank and its clients,
likelihood of occurrence, and regulatory implications.
• Prioritize risks according to their severity and potential impact on the bank's
operations, financial health, reputation, and client trust.
3. Risk Analysis and Evaluation:
• Conduct thorough risk analysis to assess the potential consequences of identified
risks and their likelihood of occurrence.
• Evaluate the effectiveness of existing controls and mitigation measures in place to
address identified risks.
• Determine the residual risk level after considering the effectiveness of controls
and mitigation measures.
4. Risk Mitigation and Control Measures:
• Develop and implement robust control measures and mitigation strategies to
address identified risks effectively.
• Ensure that control measures are aligned with industry best practices, regulatory
requirements, and the specific needs of METROPOLIS CAPITAL Bank and its
clients.
• Continuously monitor and review the effectiveness of control measures and adjust
them as necessary to address emerging risks.
5. Risk Monitoring and Reporting:
• Establish a framework for ongoing risk monitoring to track changes in the risk
landscape and identify new risks in a timely manner.
• Implement regular reporting mechanisms to communicate risk assessment
findings, risk mitigation strategies, and risk management activities to relevant
stakeholders, including senior management and the board of directors.
6. Integration with Business Processes:
• Integrate risk assessment procedures into METROPOLIS CAPITAL Bank's
overall business processes and decision-making frameworks.
• Ensure that risk assessment outcomes inform strategic planning, resource
allocation, and business continuity efforts to mitigate potential risks effectively.
7. Continuous Improvement:
• Foster a culture of continuous improvement by encouraging feedback, lessons
learned, and best practices sharing across the organization.
• Regularly review and update risk assessment procedures in response to changes in
the business environment, regulatory requirements, and emerging threats.
8. Collaboration and Communication:
• Foster collaboration and communication among different departments, teams, and
external stakeholders involved in risk assessment and management efforts.
• Encourage proactive engagement with clients to understand their risk profiles,
concerns, and expectations, and tailor risk assessment procedures accordingly.
By ensuring robust risk assessment procedures aligned with these key aspects,
METROPOLIS CAPITAL Bank can effectively protect itself and its clients from potential
risks and enhance overall resilience and trust in its operations.
3.2 Mandatory data protection laws and procedures which
will be applied to data storage solutions provided by
METROPOLIS CAPITAL Bank.
3.2.1. Data Protection Laws:
1. General Data Protection Regulation (GDPR):
The General Data Protection Regulation (GDPR) is a regulation in EU law on data
protection and privacy in the European Union and the European Economic Area. It
also addresses the transfer of personal data outside the EU and EEA areas. GDPR was
adopted on 14 April 2016, and became enforceable beginning 25 May 2018. It
replaced the 1995 Data Protection Directive. GDPR aims to give individuals more
control over their personal data and to simplify the regulatory environment for
international business by unifying the regulation within the EU.
❖ Applicability:
Mandatory GDPR compliance for METROPOLIS CAPITAL Bank if handling
personal data of individuals in the European Union (EU).
❖ Key Principles:
• Processing personal data lawfully and transparently.
• Limiting data collection for specific purposes and minimizing stored data.
• Maintaining data accuracy and observing storage limitations.
• Ensuring the integrity and confidentiality of data.
2. Personal Information Protection and Electronic Documents Act (PIPEDA):
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a
Canadian federal law relating to data privacy. PIPEDA governs how private sector
organizations collect, use, and disclose personal information in the course of
commercial business. It came into effect in stages beginning on January 1, 2001, with
full implementation by January 1, 2004.
❖ Applicability:
Relevant for METROPOLIS CAPITAL Bank when processing personal
information of individuals in Canada.
❖ Key Principles:
• Obtaining consent for data collection and processing.
• Restricting the collection of personal information.
• Safeguarding personal information.
• Providing individuals access to their own information.
3. Gramm-Leach-Bliley Act (GLBA):
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services
Modernization Act of 1999, is a federal law in the United States that primarily aims to
control the ways that financial institutions deal with the private information of
individuals. Enacted on November 12, 1999, GLBA repealed part of the Glass-Steagall
Act of 1933, removing barriers in the market among banking companies,
securities companies, and insurance companies. Its provisions concerning privacy are
particularly significant.
❖ Applicability:
Applies to U.S. financial institutions, including banks like METROPOLIS
CAPITAL Bank.
❖ Key Requirements:
• Safeguarding customer information.
• Issuing privacy notices to customers.
• Establishing and maintaining information security programs.
4. Personal Data Protection Act (PDPA):
The Personal Data Protection Act (PDPA) is a data protection law in several
jurisdictions, most notably Singapore and Thailand, aimed at protecting the personal
data of individuals and establishing standards of practice for the handling of such data
by organizations. I'll focus on the Singaporean PDPA as it's one of the most well-known
versions. Singapore's PDPA, which came into effect in phases starting from 2
July 2014, establishes a data protection regime that balances the need to protect
individual's personal data with the need for organizations to use data for legitimate
and reasonable purposes.
❖ Applicability:
Mandatory for METROPOLIS CAPITAL Bank if operating in Singapore.
❖ Key Principles:
• Obtaining consent for data collection and processing.
• Limiting data processing purposes and notifying individuals.
• Protecting personal data against unauthorized access.
3.2.2. Data Storage Procedures:
1. Data Encryption:
• Ensure encryption of sensitive data stored by METROPOLIS CAPITAL Bank, both during transmission and at rest, to maintain protection in the event of unauthorized access.
2. Access Controls:
• Implement stringent access controls, allowing data access only to authorized personnel. Enforce role-based access to align with employee responsibilities.
3. Regular Audits and Monitoring:
• Conduct frequent audits of data storage systems to identify and rectify vulnerabilities. Implement continuous monitoring for prompt detection and response to unusual activities.
4. Data Minimization:
• Adhere to the data minimization principle, storing only necessary data for its intended purpose. Regularly review stored data and delete unnecessary information.
5. Data Retention Policies:
• Establish clear data retention policies, specifying the duration for storing different data types. Ensure compliance with legal requirements related to data retention.
6. Data Backup and Recovery:
• Establish effective protocols for backing up and recovering data to safeguard against potential data loss caused by unexpected incidents. Regularly evaluate the functionality of backup systems through testing.
7. Vendor Management:
• Conduct thorough assessments of security measures for third-party data storage solutions used by METROPOLIS CAPITAL Bank. Ensure vendor compliance with data protection laws and high-security standards.
8. Incident Response Plan:
• Develop and regularly update an incident response plan outlining steps to be taken in case of a data breach. Include communication strategies, notification procedures, and remediation steps.
9. Employee Training:
• Train employees on data protection policies, procedures, and the significance of safeguarding customer information. Foster a culture of data security within the organization.
10. Privacy Impact Assessments (PIAs):
• Conduct privacy impact assessments for new data storage solutions or significant changes to existing systems. This aids in identifying and addressing potential privacy risks.
3.3 ISO 31000 risk management methodology
ISO 31000 is an international standard that provides principles, framework, and a
process for managing risk effectively within an organization. It offers guidelines for
developing, implementing, and continuously improving a risk management
framework and process. The objective is to assist organizations in making informed
decisions, enhancing their ability to achieve objectives, and improving overall
governance.
Summary of ISO 31000 Risk Management Methodology:
1) Principles:
• Integration: Integrate risk management into the organization's governance, culture, and structure.
• Customization: Tailor the risk management process to the organization's external and internal context.
• Continuous Improvement: Continuously improve the risk management framework and process.
2) Framework:
• Leadership and Commitment: Establish leadership's commitment to risk management.
• Integration with Governance: Integrate risk management into the organization's governance structure.
• Framework Design: Develop a framework for managing risk that aligns with the organization's objectives.
3) Process:
• Communication and Consultation: Ensure open communication and consultation regarding risk.
• Risk Assessment: Systematically identify, assess, and analyze risks.
• Risk Treatment: Develop and implement strategies to treat or respond to identified risks.
• Monitoring and Review: Regularly monitor and review the effectiveness of risk management strategies.
3.3.1 ISO 31000 Risk Management Methodology Application in IT Security:
In the context of IT security, ISO 31000 provides a structured approach to identifying,
assessing, and managing risks associated with information and technology assets. This
includes:
1. Risk Identification:
• Identify potential risks to IT systems, data, and infrastructure.
• Consider external and internal factors that may impact IT security.
2. Risk Assessment:
• Evaluate the likelihood and potential impact of IT security risks.
• Prioritize risks based on their significance and potential consequences.
3. Risk Treatment:
• Develop and implement strategies to mitigate, transfer, or accept IT security risks.
• Establish security controls and measures to protect against identified threats.
4. Monitoring and Review:
• Regularly monitor the effectiveness of IT security measures.
• Adapt and improve security protocols based on evolving threats and changes in the IT landscape.
By applying the ISO 31000 risk management methodology in IT security, organizations can
establish a robust risk management framework, enhance decision-making processes, and
systematically address the dynamic landscape of cybersecurity threats.
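The four steps above, carried through as a small worked risk register. This is an added example, not part of the original assignment: the 5x5 scale, the rating bands and the band-to-treatment mapping are assumptions made for the illustration (ISO 31000 prescribes no particular matrix), and the risks are constructed for the bank scenario described on this page.

```python
"""ISO 31000-style IT security risk register (added example, not from the page).

Carries constructed risks through the steps of section 3.3.1: identification,
assessment (likelihood x impact), treatment and monitoring/review. The 5x5
scale, the bands and the treatment thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: str                        # inherent likelihood (before treatment)
    impact: str                            # inherent impact
    treatment: Optional[str] = None        # control chosen at the treatment step
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_rating(self) -> int:
        """Assessment step: likelihood x impact on the assumed 5x5 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_rating(self) -> int:
        """Rating after treatment; falls back to inherent values where unchanged."""
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return LIKELIHOOD[lk] * IMPACT[im]


def band(rating: int) -> str:
    """Map a 1..25 rating to a qualitative band (assumed thresholds)."""
    if rating >= 15:
        return "critical"
    if rating >= 8:
        return "high"
    if rating >= 4:
        return "medium"
    return "low"


def recommend_treatment(rating: int) -> str:
    """Suggest one of the treatment options named in section 3.3.1:
    mitigate, transfer or accept (the thresholds are assumptions)."""
    return {
        "critical": "mitigate: implement controls immediately",
        "high": "mitigate or transfer (e.g. insurance, outsourced control)",
        "medium": "mitigate within the normal planning cycle",
        "low": "accept and monitor",
    }[band(rating)]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Assessment step: rank by inherent rating, highest first."""
    return sorted(register, key=lambda r: (-r.inherent_rating(), r.asset))


def review(register: List[Risk], tolerance: int = 8) -> List[Risk]:
    """Monitoring/review step: risks whose residual rating still meets or
    exceeds the organisation's tolerance need further treatment."""
    return [r for r in register if r.residual_rating() >= tolerance]


# Constructed sample register for the bank scenario on this page.
SAMPLE_REGISTER = [
    Risk("Remote workforce", "Phished VPN credentials reused by an attacker",
         "likely", "major", "MFA on all remote access", "unlikely", "moderate"),
    Risk("Colombo primary data centre", "Ransomware on core banking servers",
         "possible", "severe", "EDR plus offline, tested backups", "unlikely", "major"),
    Risk("ATM network", "Card skimming hardware fitted to ATMs",
         "possible", "moderate", "Anti-skimming kits and routine inspection", "unlikely", None),
    Risk("Galle secondary data centre", "MPLS link outage isolates the site",
         "unlikely", "minor"),  # no treatment recorded: accepted and monitored
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.asset:30} inherent={r.inherent_rating():2} ({band(r.inherent_rating())})"
              f" residual={r.residual_rating():2} -> {recommend_treatment(r.residual_rating())}")
    print("still above tolerance:", [r.asset for r in review(SAMPLE_REGISTER)])
```

Running it ranks the remote-workforce and Colombo risks as critical before treatment and shows that, with the assumed tolerance of 8, only the Colombo ransomware risk still needs further treatment after the chosen controls.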
3.4 Analyze possible impacts to organizational security resulting from an IT security audit
An IT security audit can have various impacts on METROPOLIS CAPITAL Bank's
organizational security, both positive and negative. Here's an analysis of possible impacts:
3.4.1 Positive Impacts:
1. Improved Security Posture:
An IT security audit can help identify vulnerabilities, weaknesses, and areas of
non-compliance within the bank's security infrastructure and practices.
Addressing these issues can lead to an improved overall security posture.
2. Enhanced Compliance:
Audits often assess compliance with industry standards and regulatory
requirements. Successful audit outcomes can demonstrate the bank's
commitment to meeting legal and regulatory obligations, reducing the risk of
fines and penalties.
3. Risk Mitigation:
By identifying and addressing security vulnerabilities and weaknesses, the
bank can proactively mitigate risks associated with data breaches, financial
losses, and reputation damage.
4. Increased Awareness:
Security audits raise awareness among employees and stakeholders about the
importance of security measures and adherence to policies and procedures.
This heightened awareness can lead to better compliance and a security-conscious culture.
5. Streamlined Processes:
Audits may identify areas where security processes and procedures can be
streamlined or improved, leading to greater operational efficiency and cost
savings.
6. Client and Investor Confidence:
Successful security audits can enhance client and investor confidence in the
bank's ability to protect their data and assets, potentially attracting more
business and investments.
3.4.2 Negative Impacts:
1. Reactive Measures:
In some cases, an audit may reveal serious security flaws that require
immediate remediation. This could result in unplanned expenses and resource
allocation to address urgent issues.
2. Operational Disruption:
The audit process itself can be disruptive as it may require the cooperation and
engagement of various departments and teams. This can temporarily affect
normal business operations.
3. Resource Demands:
Preparing for and participating in an audit can be resource-intensive, requiring
time, personnel, and financial resources that may divert attention from other
critical tasks.
4. Reputation Damage:
If audit findings are unfavorable or if the bank fails to address identified issues
promptly, it could damage the bank's reputation in the eyes of clients,
investors, and regulatory authorities.
5. Increased Regulatory Scrutiny:
A failed audit may attract increased regulatory scrutiny, potentially leading to
stricter oversight and more frequent audits in the future.
6. Loss of Business:
Clients or partners may lose confidence in the bank's security capabilities
following a negative audit report, potentially resulting in the loss of business
relationships.
To maximize the positive impacts and minimize the negative impacts of an IT security audit,
METROPOLIS CAPITAL Bank should adopt a proactive approach to security, regularly
conduct internal assessments, and be prepared to address audit findings promptly. This
proactive stance can help the bank continuously improve its security posture and maintain
trust among clients, stakeholders, and regulatory authorities.
3.5 Recommendation of how IT security can be aligned with METROPOLIS CAPITAL Bank's Policies
Aligning IT security with METROPOLIS CAPITAL Bank's organizational policies is crucial
to ensure a cohesive and effective security strategy. Here are recommendations on how IT
security can be aligned with organizational policies, along with the security impact of
misalignment:
3.5.1 Alignment Strategies:
1. Policy Review and Updates:
• Alignment: Regularly review and update IT security policies to ensure they are in line with the bank's overarching organizational policies and objectives.
• Benefits: Ensures that security measures are consistent with the bank's mission, values, and strategic goals, fostering a unified approach to security.
2. Policy Integration:
• Alignment: Integrate IT security policies seamlessly into the broader organizational policy framework, highlighting the importance of security in all operations.
• Benefits: Demonstrates the bank's commitment to security, emphasizing its role as a fundamental aspect of corporate governance.
3. Policy Training and Awareness:
• Alignment: Conduct training sessions and awareness programs for employees to ensure they understand and adhere to IT security policies.
• Benefits: Enhances employee compliance with security policies, reducing the risk of human errors or negligence.
4. Risk Assessment and Policy Adjustments:
• Alignment: Conduct regular risk assessments to identify new threats and vulnerabilities, adjusting IT security policies accordingly.
• Benefits: Helps the bank adapt to evolving security challenges, ensuring policies remain effective in mitigating current risks.
3.5.2 Misalignment and Negative Impact:
1. Compliance Failures:
• Misalignment: If IT security policies are not aligned with organizational policies, the bank may fail to meet regulatory compliance requirements.
• Negative Impact: Non-compliance can lead to regulatory fines and legal consequences, tarnishing the bank's reputation.
2. Inconsistent Practices:
• Misalignment: Misaligned policies may result in inconsistent security practices across different departments or teams within the bank.
• Negative Impact: Inconsistencies can create security gaps, leaving some areas vulnerable to breaches and threats.
3. Data Protection Issues:
• Misalignment: Failure to align security policies with data protection regulations may result in inadequate data protection measures.
• Negative Impact: Data breaches or privacy violations could lead to financial losses, legal actions, and damage to the bank's reputation.
4. Resource Misallocation:
• Misalignment: Misaligned policies may lead to resource allocation inefficiencies, with resources not aligned with the most critical security needs.
• Negative Impact: Limited resources may be misdirected, leaving essential security measures underfunded and ineffective.
5. Missed Strategic Opportunities:
• Misalignment: Lack of alignment with organizational goals may cause the bank to miss strategic opportunities to leverage security as a competitive advantage.
• Negative Impact: The bank may fail to capitalize on security investments and innovations that could enhance its market position.
To prevent these negative impacts, METROPOLIS CAPITAL Bank should establish a strong
governance framework that fosters alignment between IT security and organizational policies.
This includes regular policy reviews, training programs, and ongoing risk assessments to
ensure that security measures are in harmony with the bank's strategic objectives while
minimizing risks associated with misalignment.
Activity 4
4.1. METROPOLIS CAPITAL Bank - Security Policy Document
4.1.1 Introduction
Purpose:
This Security Policy Document is crafted to establish a comprehensive framework for
maintaining the highest standards of information security within METROPOLIS
CAPITAL Bank. In light of our expansive operations, which include a significant
number of branches, ATMs, a primary data center in Colombo, a secondary data
center in Galle, and a substantial digital footprint, the importance of robust security
measures cannot be overstated. This policy is particularly pertinent as we navigate the
complexities introduced by the increasing need for remote work capabilities. It aims
to protect our critical financial infrastructure, safeguard sensitive customer data, and
ensure the integrity and availability of our banking services, both on-premises and
remotely.
Scope:
This document applies to all employees of METROPOLIS CAPITAL Bank, including
full-time, part-time, contract workers, the Technical Support Team, and any third-party vendors who access our network and systems. The policy encompasses all forms
of data and communication, whether digital or physical, that occur across our network
of branches, ATMs, data centers, and remote work environments. The guidelines
outlined herein are mandatory and must be adhered to in all relevant operational
contexts to ensure the highest level of security and compliance with regulatory
standards.
Context and Background:
METROPOLIS CAPITAL Bank operates in a dynamic and increasingly
interconnected financial landscape. With the proliferation of digital banking services,
the rise of sophisticated cyber threats, and the evolving regulatory environment, it is
imperative to have a clear, enforceable, and adaptive security policy. The recent shift
towards remote working models, driven by emergency scenarios, further accentuates
the need for this policy. Our commitment to customer trust and regulatory compliance
underpins our approach to data protection and cybersecurity.
Objective:
The primary objective of this Security Policy Document is to define clear guidelines
and protocols for protecting the bank's information assets. This encompasses ensuring
the confidentiality, integrity, and availability of data; managing access controls;
maintaining secure communication channels; and instituting a culture of security
awareness among all employees and associates. Additionally, the policy aims to
establish a structured approach to responding to and managing security incidents,
especially in remote work scenarios.
4.1.2. Roles and Responsibilities
The effectiveness of our security policy hinges on the clear definition and
understanding of roles and responsibilities within METROPOLIS CAPITAL Bank.
This section outlines the key responsibilities of various stakeholders in upholding the
security standards and protocols.
1. Board of Directors and Senior Management:
• Ensure that the bank’s information security strategy aligns with business objectives and regulatory requirements.
• Provide oversight and allocate resources for the implementation and maintenance of information security measures.
• Promote a culture of security awareness throughout the organization.
2. Chief Information Security Officer (CISO) / Head of IT Security:
• Develop and enforce the bank’s information security policies and procedures.
• Lead the IT security team in identifying, evaluating, and mitigating risks.
• Oversee the implementation of security technologies and incident response plans.
• Report to senior management on the effectiveness of security measures and any needed improvements.
3. IT Department and Technical Support Team:
• Implement and manage security technologies (firewalls, VPNs, EDR, DLP, etc.).
• Monitor network and system activities for security incidents and breaches.
• Conduct regular security audits and vulnerability assessments.
• Provide technical support for secure remote work setups.
4. Human Resources Department:
• Collaborate in developing security training programs for all employees.
• Manage the onboarding and offboarding process to ensure access rights are appropriately assigned and revoked.
• Enforce compliance with the security policy in HR processes.
5. Supply Chain Management Officer:
• Ensure third-party vendors and service providers comply with the bank's security policies.
• Manage contracts and agreements with a focus on security requirements and compliance.
6. Employees:
• Adhere to all aspects of the security policy in daily operations.
• Complete mandatory security awareness training.
• Report any suspicious activities or security incidents to the relevant authority.
7. Third-Party Vendors and Contractors:
• Comply with all relevant aspects of the security policy.
• Ensure their employees and subcontractors who interact with the bank’s systems and data are equally compliant.
• Promptly report any security incidents or vulnerabilities related to the bank’s data or systems.
8. Customers:
• Follow the guidelines provided by the bank for secure transactions, especially in online and mobile banking.
• Report any suspicious activities or security breaches related to their accounts.
The assignment of these roles and responsibilities ensures a comprehensive and
layered approach to information security, with each stakeholder playing a critical
part in protecting the bank's assets and maintaining the trust of its customers.
4.1.3. Data Protection and Privacy
The protection of personal and financial data is of paramount importance to
METROPOLIS CAPITAL Bank. This section outlines the bank’s commitment to
data protection and privacy, ensuring compliance with relevant laws and
regulations, and instilling trust in our customers and stakeholders.
1. Data Classification:
• Data must be categorized into classifications such as Confidential, Internal, and Public based on sensitivity and access requirements.
• Confidential data, including customer financial information, must be handled with the highest level of security.
2. Data Handling and Processing:
• All employees and third-party vendors must handle data according to its classification.
• Data processing should be limited to legitimate and necessary business purposes, with clear consent from data subjects where required.
3. Data Encryption:
• All sensitive data, both in transit and at rest, must be encrypted using industry-standard encryption protocols.
• Encryption keys must be securely managed and periodically reviewed.
4. Access Control:
• Access to personal and sensitive data should be restricted based on the principle of least privilege.
• User access rights must be reviewed regularly and adjusted or revoked as necessary.
5. Data Retention and Disposal:
• Data must not be retained longer than necessary for the defined purpose or as required by law.
• Secure and proper disposal methods must be used for data that is no longer required.
6. Privacy by Design:
• New projects and business practices must incorporate data protection and privacy from the design phase.
• Regular privacy impact assessments should be conducted for new and existing systems and processes.
7. Cross-Border Data Transfer:
• Any transfer of personal data outside the jurisdiction must comply with local and international data protection laws.
• Adequate safeguards must be implemented for international data transfers.
8. Data Breach Response:
• A clear and effective data breach response plan must be in place.
• In the event of a data breach, appropriate measures must be taken to mitigate damage, and necessary notifications must be made to authorities and affected parties.
9. Training and Awareness:
• Regular training on data protection and privacy must be provided to all employees.
• Awareness campaigns should be conducted to keep data protection and privacy at the forefront of the bank's culture.
10. Compliance Monitoring:
• Regular audits and reviews should be conducted to ensure compliance with this policy, as well as local and international data protection laws.
This Data Protection and Privacy policy ensures that METROPOLIS CAPITAL Bank
not only complies with legal requirements but also demonstrates a commitment to
protecting the privacy and security of its customers’ data, thereby maintaining their
trust and confidence in our banking services.
4.1.4. Network Security
The security of METROPOLIS CAPITAL Bank’s network infrastructure is
fundamental to protecting our data, systems, and services from cyber threats and
ensuring the continuous availability of our banking operations. This section
outlines the measures and protocols for maintaining robust network security,
particularly in light of the diverse operations encompassing branches, ATMs, data
centers, and remote work environments.
1. Network Access Control:
• Implement strict access control measures to regulate who can access the network and under what conditions.
• Utilize Multi-Factor Authentication (MFA) for all users accessing the bank’s network remotely.
2. Firewall Management:
• Deploy and maintain state-of-the-art firewall systems to monitor and control incoming and outgoing network traffic based on predetermined security rules.
• Regularly update firewall rules to respond to new and emerging threats.
3. Intrusion Detection and Prevention Systems (IDPS):
• Use IDPS to monitor network traffic for suspicious activities and potential threats, and take automatic action to prevent or mitigate breaches.
4. Secure VPN Services:
• Mandate the use of Virtual Private Networks (VPNs) for establishing secure connections, especially for remote access to the bank’s internal network.
• Ensure that all VPNs use strong encryption standards.
5. Regular Network Audits and Monitoring:
• Conduct regular network audits to identify vulnerabilities and non-compliance with security policies.
• Implement continuous monitoring tools to detect and respond to unusual network activities in real time.
6. Segregation of Networks:
• Implement network segmentation to separate sensitive areas of the network (e.g., core banking systems) from less sensitive areas.
• Use Demilitarized Zones (DMZs) for public-facing services to add an additional layer of security.
7. Secure Wireless Networks:
• Secure all wireless networks within the bank’s premises, particularly those designated for staff and guest use.
• Enforce strong encryption and access controls on all wireless networks.
8. MPLS and ISP Link Security:
• Ensure that the MPLS services and ISP links are secured and monitored to prevent interception or disruption of data traffic.
• Regularly review and renew agreements with ISPs to ensure compliance with security standards.
9. Patch Management:
• Regularly update network devices and systems with the latest security patches and updates.
• Implement a centralized patch management system to manage and track updates.
10. Remote Work Security:
• Establish specific protocols for securing remote work environments, including guidelines for home network security and the use of personal devices.
11. Incident Response Plan for Network Security:
• Develop and maintain a comprehensive incident response plan specifically for network security incidents.
• Regularly test and update the incident response plan.
Through the adherence to these network security measures, METROPOLIS CAPITAL
Bank ensures the integrity and resilience of its network infrastructure against cyber
threats, thus safeguarding the confidentiality, integrity, and availability of our banking
services and customer data.
4.1.5. Device Management
Effective device management is crucial in safeguarding METROPOLIS CAPITAL
Bank's information assets. This section outlines the policies and procedures for
managing all devices that access the bank's network, including bank-owned and
personal devices under the Bring Your Own Device (BYOD) policy.
1. Device Inventory and Control:
• Maintain a comprehensive inventory of all devices (including laptops, desktops, mobile devices, and servers) used to access the bank's network.
• Implement controls to ensure only authorized devices can connect to the bank's network.
2. Security Configuration:
• Devices must be configured in accordance with the bank’s security standards, ensuring that unnecessary services and features are disabled.
• Regularly review and update configuration settings to maintain security and functionality.
3. BYOD Policy:
• Clearly define which types of personal devices are allowed to access the bank's network and under what conditions.
• Require installation of security software and adherence to security protocols on personal devices used for work purposes.
4. Endpoint Protection:
• All devices, including BYOD, must have up-to-date antivirus and anti-malware software installed and actively running.
• Implement an Endpoint Detection and Response (EDR) system to monitor, analyze, and respond to cybersecurity threats on endpoints.
5. Secure Remote Access:
• Implement secure methods such as VPNs for remote access to the bank's network.
• Ensure that remote access is strictly controlled and monitored.
6. Patch and Vulnerability Management:
• Regularly apply security patches and updates to all devices.
• Conduct periodic vulnerability assessments to identify and remediate potential security weaknesses.
7. Data Encryption:
• Enforce encryption of sensitive data stored on all devices, particularly laptops and mobile devices.
• Manage encryption keys securely and effectively.
8. Lost or Stolen Device Reporting and Response:
• Implement a clear process for employees to report lost or stolen devices immediately.
• Remotely wipe data on lost or stolen devices to prevent unauthorized access.
9. Device Disposal and Recycling:
• Ensure secure disposal or recycling of devices, with all sensitive data being properly erased or destroyed.
10. Employee Training and Awareness:
• Provide regular training to employees on secure use of devices, especially for those enrolled in the BYOD program.
• Educate employees on the risks associated with device loss or theft and their responsibilities in such scenarios.
11. Monitoring and Compliance:
• Continuously monitor the use of all devices for compliance with this policy.
• Periodically audit device management practices and take corrective actions where necessary.
Through the implementation of these device management policies, METROPOLIS
CAPITAL Bank aims to maintain a secure and controlled environment for all devices
accessing its network, thereby reducing the risk of data breaches and cyber threats.
4.1.6. Remote Access Protocol
With the increasing necessity for remote work capabilities, METROPOLIS
CAPITAL Bank recognizes the importance of establishing a secure and efficient
remote access protocol. This section details the guidelines and requirements for
accessing the bank's network and systems from outside the physical premises of
the bank.
1. Authorized Remote Access:
• Only employees with approved remote access privileges are allowed to connect to the bank’s network from off-site locations.
• Approval for remote access is contingent upon the specific needs and roles of employees.
2. Use of Virtual Private Networks (VPNs):
• All remote access to the bank’s internal network must be done via a secure VPN.
• VPNs used must employ strong encryption standards to protect data transmission.
3. Multi-Factor Authentication (MFA):
• Implement MFA for all remote access to enhance security beyond just username and password.
• MFA devices or methods should be provided or approved by the IT department.
4. Secure Wi-Fi Connections:
• Employees must use secure and private Wi-Fi networks for remote work, avoiding public or unsecured Wi-Fi networks.
• Guidelines for securing home Wi-Fi networks should be provided to employees.
5. Access Control and User Authentication:
• Implement strict user authentication procedures to verify the identity of users accessing the network remotely.
• Access rights for remote users should be carefully managed and reviewed regularly.
6. Endpoint Security:
• Ensure that all devices used for remote access, including personal devices under the BYOD policy, have up-to-date antivirus and anti-malware protection.
• Regular security checks and updates should be mandatory for these devices.
7. Data Transmission and Handling:
• Sensitive data transmitted over remote connections must be encrypted.
• Employees should avoid downloading sensitive data to personal devices unless absolutely necessary and approved.
8. Remote Work Environment Security:
• Employees are responsible for ensuring the physical security of their remote work environments.
• Confidential conversations and data should be safeguarded from unauthorized access by household members or others.
9. Regular Security Training and Awareness:
• Provide regular training to remote employees on best practices for maintaining security and privacy.
• Update employees on new threats and security updates relevant to remote work.
10. Monitoring and Incident Reporting:
• Monitor remote access activities for unusual or unauthorized access patterns.
• Employees must promptly report any security incidents or anomalies experienced during remote access.
11. Compliance with Policy and Procedures:
• All remote access must comply with the existing policies and procedures of METROPOLIS CAPITAL Bank.
• Violations of remote access protocols will be subject to disciplinary action.
This Remote Access Protocol is designed to ensure that the transition to and the
management of remote work are conducted securely, thereby protecting the bank's
assets and data while maintaining operational efficiency.
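The access rules stated in prose in sections 4.1.3 to 4.1.6 (classification and least privilege, authorised device inventory, endpoint protection and encryption, VPN and MFA for remote access, controlled downloads to personal devices) can be expressed as a single decision function so that each clause becomes a testable check. This is an added example, not part of the original policy document; the role names, clearance levels, device inventory and sample requests are constructed for the illustration and describe none of the bank's real systems.

```python
"""Policy-as-code check for sections 4.1.3 to 4.1.6 (added example, not from the page).

Returns the list of policy clauses a request violates; an empty list means the
request is permitted. Roles, clearances, devices and requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# 4.1.3 item 1: classifications ordered from least to most sensitive.
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}

# 4.1.3 item 4 (least privilege): highest classification each role may access. Constructed.
ROLE_CLEARANCE = {
    "teller": "Confidential",
    "relationship_manager": "Confidential",
    "marketing": "Internal",
    "contractor": "Internal",
}


@dataclass(frozen=True)
class Device:
    device_id: str
    bank_owned: bool          # False means a BYOD device (4.1.5 item 3)
    edr_running: bool         # 4.1.5 item 4: endpoint protection active
    disk_encrypted: bool      # 4.1.5 item 7: stored data encrypted


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    classification: str       # classification of the data requested
    action: str               # "view" or "download"
    remote: bool = False
    via_vpn: bool = False
    mfa_passed: bool = False
    remote_access_approved: bool = False   # 4.1.6 item 1
    download_approved: bool = False        # 4.1.6 item 7 exception


def evaluate(req: AccessRequest, inventory: Dict[str, Device]) -> List[str]:
    """Return the policy clauses the request violates; empty list means allow."""
    violations: List[str] = []

    device = inventory.get(req.device_id)
    if device is None:
        violations.append("4.1.5/1: device not in the authorised inventory")
    else:
        if not device.edr_running:
            violations.append("4.1.5/4: endpoint protection not running")
        if req.classification == "Confidential" and not device.disk_encrypted:
            violations.append("4.1.5/7: confidential data on an unencrypted device")

    clearance = ROLE_CLEARANCE.get(req.role)
    if clearance is None or CLASSIFICATION_RANK[req.classification] > CLASSIFICATION_RANK[clearance]:
        violations.append("4.1.3/4: data classification exceeds role clearance")

    if req.remote:
        if not req.remote_access_approved:
            violations.append("4.1.6/1: user not approved for remote access")
        if not req.via_vpn:
            violations.append("4.1.6/2: remote access not via VPN")
        if not req.mfa_passed:
            violations.append("4.1.4/1, 4.1.6/3: MFA required for remote access")

    if (req.action == "download" and req.classification == "Confidential"
            and device is not None and not device.bank_owned and not req.download_approved):
        violations.append("4.1.6/7: confidential download to personal device not approved")

    return violations


# Constructed sample inventory and requests.
INVENTORY = {
    "LAP-0001": Device("LAP-0001", bank_owned=True, edr_running=True, disk_encrypted=True),
    "BYOD-0007": Device("BYOD-0007", bank_owned=False, edr_running=True, disk_encrypted=False),
}

IN_BRANCH_TELLER = AccessRequest("a.perera", "teller", "LAP-0001", "Confidential", "view")
BYOD_DOWNLOAD = AccessRequest("s.fernando", "relationship_manager", "BYOD-0007", "Confidential",
                              "download", remote=True, via_vpn=True, mfa_passed=True,
                              remote_access_approved=True)
UNKNOWN_DEVICE = AccessRequest("j.silva", "marketing", "TAB-9999", "Confidential", "view",
                               remote=True)

if __name__ == "__main__":
    for req in (IN_BRANCH_TELLER, BYOD_DOWNLOAD, UNKNOWN_DEVICE):
        result = evaluate(req, INVENTORY)
        print(req.user, "ALLOW" if not result else "DENY", result)
```

The in-branch teller on a managed laptop is allowed, the relationship manager is denied because the BYOD device is unencrypted and the download is not approved, and the unregistered tablet with no VPN or MFA fails five clauses at once.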
4.1.7 Employee Training and Awareness
At METROPOLIS CAPITAL Bank, we believe that a well-informed workforce is our
first line of defense against cyber threats. Therefore, we are committed to providing
comprehensive training and ongoing awareness programs to ensure that all employees
are equipped with the necessary knowledge and skills to protect the bank's assets and
information.
1. Regular Security Training Programs:
• Conduct mandatory security awareness training for all new employees as part of their orientation program.
• Provide annual refresher training for all staff to keep them updated on the latest security practices and policies.
2. Specialized Training for Specific Roles:
• Offer specialized training sessions for employees in roles that handle sensitive data or have elevated access privileges.
• Tailor training content to the specific security needs and responsibilities of different departments.
3. Cybersecurity Awareness Campaigns:
• Launch regular cybersecurity awareness campaigns to educate employees about current cyber threats, phishing scams, social engineering tactics, and safe online practices.
• Utilize diverse communication channels such as email bulletins, intranet articles, and interactive webinars to engage employees.
4. Simulation Exercises:
• Conduct simulated phishing and social engineering attacks to test employees' awareness and response.
• Provide feedback and additional training to those who fall for the simulations to improve their vigilance.
5. Policy and Procedure Updates:
• Keep all employees informed about updates to security policies and procedures.
• Ensure easy access to all security policy documents for employee reference.
6. Role of Management in Promoting Security Culture:
• Encourage management at all levels to lead by example in following and promoting good security practices.
• Include security awareness as a key performance indicator in managerial assessments.
7. Reporting Mechanisms for Security Incidents:
• Educate employees on the importance of reporting security incidents promptly, regardless of severity.
• Provide clear guidelines and channels for reporting security concerns or incidents.
8. Feedback and Continuous Improvement:
• Encourage feedback from employees on the security training and awareness programs to identify areas for improvement.
• Regularly review and update training materials based on employee feedback and evolving cyber threats.
9. Integration of Security Awareness into Corporate Culture:
• Embed cybersecurity awareness into the bank’s corporate culture.
• Recognize and reward employees who demonstrate exemplary security practices.
10. Legal and Regulatory Compliance Training:
• Include training on relevant legal and regulatory requirements related to data protection and privacy.
• Highlight employees’ roles and responsibilities in maintaining compliance.
Through these comprehensive training and awareness initiatives, METROPOLIS
CAPITAL Bank aims to foster a robust security culture, where every employee is
aware of the cybersecurity risks and their role in mitigating these risks, thereby
enhancing the overall security posture of the bank.
4.1.8 Incident Response Plan
In the event of a security incident, METROPOLIS CAPITAL Bank is committed to a
rapid and effective response to minimize the impact and restore normal operations as
quickly as possible. This Incident Response Plan outlines the steps and procedures for
managing and responding to various types of security incidents.
1. Incident Response Team Formation:
•
Establish a dedicated Incident Response Team (IRT) with clear roles and
responsibilities. This team should include members from IT, security, legal,
communications, and other relevant departments.
•
Ensure that the IRT is trained and prepared to respond to different types of
security incidents.
2. Incident Identification and Reporting:
•
Implement mechanisms for the detection and reporting of potential security
incidents.
•
Ensure that all employees know how to recognize and report an incident
through established channels.
3. Initial Assessment and Classification:
•
Upon receiving an incident report, the IRT will assess and classify the incident
based on its severity, impact, and type.
•
The classification will determine the response actions and escalation
procedures.
4. Containment and Mitigation:
•
Take immediate action to contain the incident and prevent further damage, for example by isolating affected systems from the network, disabling or revoking compromised accounts, access keys and active sessions, and resetting exposed credentials. Where feasible, capture volatile evidence (memory, running processes, network connections) before a system is powered off or rebuilt, so that containment does not destroy what the investigation later needs.
•
Continuously reassess the situation and adjust containment strategies as necessary.
5. Investigation and Analysis:
•
Gather and analyze data to determine the cause of the incident, the extent of
the impact, and the steps needed for recovery.
•
Preserve evidence for potential legal actions or regulatory compliance needs.
6. Communication and Notification:
•
Communicate the incident internally to relevant stakeholders and externally if
required (e.g., customers, regulatory bodies).
•
Ensure communications are clear, accurate, and timely, and protect the bank’s
reputation and customer trust.
7. Recovery and Restoration:
•
Work to restore affected systems and services to normal operation.
•
Implement measures to prevent similar incidents in the future.
8. Post-Incident Review and Lessons Learned:
•
Conduct a post-incident review to evaluate the response effectiveness and
identify areas for improvement.
•
Update policies, procedures, and response strategies based on lessons learned.
9. Documentation and Reporting:
•
Document all actions taken during the incident response for accountability and
future reference.
•
Prepare a comprehensive incident report detailing the incident timeline,
impact, response actions, and recommendations.
10. Compliance and Legal Considerations:
•
Ensure that the incident response is conducted in compliance with applicable
laws and regulations.
•
Consult with legal counsel to address any legal implications of the incident.
This Incident Response Plan is a critical component of METROPOLIS CAPITAL
Bank’s overall security strategy, ensuring preparedness and a structured approach to
managing security incidents. By following this plan, the bank aims to rapidly mitigate
the impacts of incidents, maintain transparency, and uphold the highest standards of
security and trust.
4.1.9 Third-Party and Vendor Management
Given the extensive use of third-party vendors and service providers in
METROPOLIS CAPITAL Bank's operations, managing the security risks associated
with these external entities is crucial. This section outlines the bank’s approach to
ensuring that third-party engagements do not compromise our security posture.
1. Vendor Risk Assessment:
•
Conduct thorough security assessments of potential vendors before onboarding
and periodically thereafter.
•
Evaluate vendors' security policies, practices, and compliance with industry
standards and regulatory requirements.
2. Security Requirements in Contracts:
•
Clearly define security expectations, responsibilities, and requirements in all
contracts with third-party vendors.
•
Include clauses for compliance with relevant laws and regulations, and the
right to audit the vendor’s compliance with the contract terms.
3. Access Control and Monitoring:
•
Limit third-party access to the bank’s systems and data to what is strictly
necessary for them to perform their contractual duties.
•
Monitor and log all vendor activities within the bank’s network.
4. Data Protection:
•
Ensure that vendors implement adequate measures for data protection,
especially when handling sensitive or confidential information.
•
Require vendors to report any data breaches or security incidents involving the
bank’s data immediately.
5. Regular Audits and Reviews:
•
Conduct regular audits of third-party vendors to ensure ongoing compliance
with the security requirements.
•
Review and reassess vendor relationships periodically to ensure they continue
to meet the bank’s security standards.
6. Incident Response Coordination:
•
Include provisions in contracts for vendors to cooperate in incident response
activities, including providing necessary information and assistance.
•
Ensure vendors have their own incident response plans that align with the
bank’s requirements.
7. Training and Awareness:
•
Require vendors to provide their employees with adequate training on security
best practices, especially those who will interact with the bank’s systems and
data.
•
Share relevant security updates and threat intelligence with vendors as
appropriate.
8. Subcontractor Management:
•
Require vendors to obtain the bank’s approval before engaging any
subcontractors.
•
Ensure that subcontractors, if used, are held to the same security standards as
the primary vendor.
9. End-of-Contract Data Handling:
•
Define procedures for the return or secure disposal of the bank’s data upon
termination of the contract.
•
Ensure all access rights are revoked and data is securely erased from the
vendor’s systems.
10. Compliance and Legal Obligations:
•
Regularly review and update third-party management policies to ensure
compliance with evolving legal and regulatory landscapes.
•
Document all vendor management activities for audit and compliance
purposes.
This Third-Party and Vendor Management policy is designed to ensure that
METROPOLIS CAPITAL Bank’s security standards are upheld throughout its supply
chain and that risks associated with external partnerships are effectively managed.
4.1.10. Compliance and Legal Requirements
METROPOLIS CAPITAL Bank is committed to upholding the highest standards of
legal and regulatory compliance in all aspects of its operations. This section outlines
the bank's approach to ensuring adherence to applicable laws, regulations, and
standards related to information security and data protection.
1. Adherence to Laws and Regulations:
•
Comply with all relevant local and international laws and regulations that
govern financial institutions and data protection, including but not limited to
Sri Lanka's Personal Data Protection Act, No. 9 of 2022, the directives of the
Central Bank of Sri Lanka, and, where the bank's overseas branches process the
personal data of residents of those jurisdictions, the EU GDPR and Canada's PIPEDA.
•
Stay informed about changes and updates in legal and regulatory requirements
affecting the bank’s operations.
2. Regulatory Compliance Audits:
•
Conduct regular audits to assess and ensure compliance with various
regulatory requirements.
•
Address any identified compliance gaps promptly and effectively.
3. Data Protection Compliance:
•
Adhere to global and local data protection laws, ensuring that customer and
employee data is managed in a compliant manner.
•
Implement and maintain policies and procedures for data privacy and
protection.
4. Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF):
•
Implement strict measures to comply with AML and CTF regulations,
including customer due diligence (CDD) and transaction monitoring.
•
Provide regular training to employees on AML and CTF detection and
reporting.
5. ISO Certifications and Standards Compliance:
•
Align the bank's risk management process with ISO 31000:2018 (which supersedes
the 2009 edition) and maintain certification of its information security
management system against ISO/IEC 27001. Note that ISO 31000 is guidance only
and is not a standard an organisation can be certified against.
•
Regularly review and update processes to align with ISO standards and best
practices.
6. Employee Training on Legal Requirements:
•
Provide ongoing training to employees on legal and compliance matters
relevant to their roles.
•
Ensure that employees are aware of the implications of non-compliance.
7. Contractual Compliance:
•
Ensure that all contracts with customers, vendors, and partners include
necessary clauses for compliance with applicable laws and regulations.
•
Regularly review contracts for compliance and legal sufficiency.
8. Reporting and Documentation:
•
Maintain comprehensive records of compliance activities, audits, training, and
incident responses.
•
Ensure transparency and readiness for regulatory reviews and external audits.
9. Collaboration with Legal and Regulatory Bodies:
•
Foster open communication and cooperation with legal and regulatory
authorities.
•
Promptly respond to requests from regulators and participate in regulatory
inquiries or investigations.
10. Ethical Standards and Corporate Governance:
•
Uphold high ethical standards in all operations.
•
Implement policies that reflect the bank’s commitment to legal compliance
and ethical conduct.
This Compliance and Legal Requirements policy is integral to maintaining
METROPOLIS CAPITAL Bank's reputation as a trustworthy and reliable financial
institution. By rigorously adhering to these guidelines, the bank ensures that it not
only meets its legal obligations but also upholds its commitment to ethical business
practices and customer trust.
4.1.11. Continuous Monitoring and Improvement
To maintain the highest level of security and respond effectively to the evolving threat
landscape, METROPOLIS CAPITAL Bank is committed to continuous monitoring
and ongoing improvement of its security practices. This section outlines the strategies
and processes for maintaining an adaptive and proactive security posture.
1. Continuous Security Monitoring:
•
Implement 24/7 monitoring of the bank’s networks, systems, and data for
signs of unauthorized access, security incidents, or unusual activities.
•
Utilize advanced monitoring tools and technologies to detect and alert on
potential security threats.
2. Regular Security Assessments and Audits:
•
Conduct regular internal and external security audits to identify vulnerabilities
and non-compliance issues.
•
Perform periodic risk assessments to understand the evolving risk landscape
and the effectiveness of current controls.
3. Vulnerability Management:
•
Establish a robust vulnerability management program that includes regular
scanning, assessment, and remediation of identified vulnerabilities.
•
Prioritize vulnerabilities based on risk and implement timely patches and
mitigations.
4. Feedback Mechanism:
•
Encourage feedback from employees, customers, and third-party vendors on
the bank’s security measures.
•
Use feedback to identify areas for improvement and to enhance user
experience without compromising security.
5. Incident Response and Learning:
•
After any security incident, conduct a thorough review to identify lessons
learned and areas for improvement in the incident response process.
•
Update the Incident Response Plan and related procedures based on these
insights.
6. Security Training and Awareness Updates:
•
Regularly update security training programs to reflect the latest threats,
security trends, and best practices.
•
Ensure that all employees receive ongoing awareness training to recognize and
respond to security threats.
7. Technology and Process Upgrades:
•
Continuously evaluate and upgrade security technologies and processes to stay
ahead of threats.
•
Adopt new security tools and practices that align with the bank's evolving
security needs and technological advancements.
8. Policy Review and Updates:
•
Regularly review and update security policies and procedures to ensure they
remain effective and relevant.
•
Ensure that policy updates are promptly communicated to all relevant
stakeholders.
9. Benchmarking and Best Practices:
•
Benchmark the bank’s security practices against industry standards and peers.
•
Adapt and integrate best practices from the industry to enhance the bank's
security posture.
10. Collaboration and Information Sharing:
•
Participate in relevant security forums and information-sharing platforms to
stay informed about the latest security trends and threat intelligence.
•
Collaborate with other financial institutions, regulatory bodies, and security
organizations to enhance collective security knowledge and defense strategies.
Through these continuous monitoring and improvement practices, METROPOLIS
CAPITAL Bank aims to establish a dynamic and resilient security culture. These
efforts ensure that the bank not only addresses current security challenges but is also
well-prepared to adapt to future threats and technological advancements.
4.1.12. Emergency Protocols for Work from Home
In response to emergency situations that necessitate a transition to remote work,
METROPOLIS CAPITAL Bank has established a set of emergency protocols to
ensure business continuity while maintaining the highest level of security. These
protocols are designed to enable a swift and secure shift to a work-from-home
environment.
1. Activation of Work from Home Plan:
•
Define clear criteria and triggers for activating the work-from-home plan.
•
Ensure that all employees are informed promptly when the plan is activated.
2. Secure Remote Access:
•
Ensure that all employees have the necessary tools and technologies, such as
VPN access, to securely connect to the bank's network from home.
•
Mandate the use of multi-factor authentication for all remote access.
3. Device Security:
•
Provide guidelines for securing personal devices if used for work purposes,
including the installation of required security software.
•
Ensure that bank-issued devices are equipped with necessary security
protections and are used exclusively for work-related activities.
4. Data Protection and Privacy:
•
Remind employees of the importance of data privacy and the need to protect
sensitive information when working remotely.
•
Provide clear guidelines on handling and storing sensitive data in a home
environment.
5. Communication and Collaboration Tools:
•
Provide secure and approved communication and collaboration tools for
employees to use while working remotely.
•
Prohibit the use of unapproved third-party applications for work-related
communication.
6. Network Security at Home:
•
Offer guidelines for securing home Wi-Fi networks and other personal
network connections.
•
Advise employees to avoid using public or unsecured Wi-Fi networks for
work purposes.
7. Incident Reporting and Response:
•
Ensure that employees know how to report security incidents promptly, even
in a remote work setting.
•
Adapt the incident response plan to accommodate remote working scenarios.
8. Ongoing Support and Assistance:
•
Provide continuous IT support to address technical issues faced by employees
in the remote work setting.
•
Set up a dedicated helpline or chat support for immediate assistance.
9. Regular Updates and Communication:
•
Keep employees updated on any changes to the work-from-home policy and
provide regular guidance on best practices.
•
Maintain open lines of communication between teams, management, and IT
support.
10. Training and Awareness:
•
Conduct virtual training sessions on cybersecurity best practices specific to
remote work.
•
Regularly remind employees of the importance of maintaining a secure home
working environment.
11. Review and Adaptation:
•
Continuously monitor the effectiveness of the work-from-home protocols and
make adjustments as necessary.
•
Collect feedback from employees to identify challenges and areas for
improvement.
These Emergency Protocols for Work from Home are designed to ensure that
METROPOLIS CAPITAL Bank remains operational and secure during unforeseen
circumstances that require a swift transition to remote work. By following these
protocols, the bank can minimize disruptions while prioritizing the security and
privacy of its operations and customer data.
4.1.13 Review and Update Cycle
To ensure that METROPOLIS CAPITAL Bank’s security policy remains effective and
relevant in the face of evolving threats and changing business needs, a structured
review and update cycle is essential. This process will ensure that the policy adapts to
new challenges, technological advancements, and regulatory changes.
1. Regular Policy Review Schedule:
•
Establish a regular schedule for reviewing the entire security policy document.
This review should occur at least annually or more frequently if significant
changes in the threat landscape or business operations occur.
•
Special reviews should be triggered by major incidents, significant changes in
IT infrastructure, or new regulatory requirements.
2. Cross-Departmental Review Committee:
•
Form a review committee comprising members from various departments,
including IT, security, legal, compliance, HR, and operations. This diverse
representation ensures that different perspectives are considered.
•
The committee is responsible for reviewing, suggesting revisions, and
approving changes to the security policy.
3. Incorporation of Feedback and Insights:
•
Include feedback from employees, audit findings, incident reports, and new
threat intelligence in the review process.
•
Consider input from external experts or consultants for a fresh perspective and
expertise on emerging threats and best practices.
4. Assessment of Technological Changes:
•
Evaluate the impact of new technologies adopted by the bank on the existing
security policy.
•
Update the policy to address any new risks or compliance issues introduced by
technological advancements.
5. Regulatory Compliance Updates:
•
Regularly review changes in legal and regulatory requirements affecting data
protection, privacy, and cybersecurity.
•
Adjust the policy as necessary to maintain compliance with these
requirements.
6. Documentation of Changes:
•
Clearly document any changes made to the policy, including the rationale
behind these changes.
•
Maintain a version history of the policy document to track its evolution over
time.
7. Communication of Updates:
•
Communicate any changes in the security policy to all relevant stakeholders in
a clear and timely manner.
•
Ensure that all employees are aware of the updated policy and understand their
responsibilities.
8. Training and Awareness:
•
Update training programs and awareness materials to reflect changes in the
security policy.
•
Provide additional training sessions if significant changes are made to policy
or procedures.
9. Monitoring and Effectiveness Assessment:
•
Continuously monitor the effectiveness of the security policy in reducing risks
and protecting the bank’s assets.
•
Use metrics and indicators to assess the policy’s impact and identify areas for
further improvement.
10. External Audit and Certification:
•
Conduct external audits of the security policy and practices to ensure
alignment with industry standards and best practices.
•
Pursue relevant certifications to demonstrate the bank's commitment to
maintaining a high standard of security.
Through this structured Review and Update Cycle, METROPOLIS CAPITAL Bank ensures
that its security policy remains dynamic, comprehensive, and aligned with the
latest in cybersecurity, regulatory requirements, and business objectives. This
ongoing process of evaluation and adaptation is vital for maintaining robust
security defenses in an ever-changing digital landscape.
4.1.14 Implementation Steps
To effectively implement the Security Policy Document at METROPOLIS CAPITAL
Bank, a structured approach is necessary to ensure comprehensive adoption and
compliance. The following steps outline the process for implementing the security
policies and procedures across the bank.
1. Official Policy Approval and Endorsement:
•
Obtain formal approval of the Security Policy Document from senior
management and the board of directors.
•
Ensure the policy is endorsed at the highest level, demonstrating the bank's
commitment to security.
2. Communication of the Policy:
•
Distribute the Security Policy Document to all employees, contractors, and
relevant third-party vendors.
•
Use multiple communication channels such as email, internal portals, and staff
meetings to ensure wide dissemination.
3. Training and Awareness Programs:
•
Develop and execute comprehensive training programs for all employees to
educate them about the policy, their specific roles, and responsibilities.
•
Include specialized training for teams with critical security roles, such as IT,
HR, and the technical support team.
4. Integration into Existing Systems and Processes:
•
Integrate the security policy requirements into existing business processes, IT
systems, and operational workflows.
•
Ensure that security practices are embedded into everyday business activities.
5. IT Systems and Infrastructure Alignment:
•
Review and update IT systems, networks, and infrastructure to align with the
security policy requirements.
•
Implement necessary security tools and technologies as outlined in the policy.
6. Monitoring and Enforcement Mechanisms:
•
Establish monitoring mechanisms to ensure ongoing compliance with the
policy.
•
Implement enforcement procedures for non-compliance, including disciplinary
actions if necessary.
7. Regular Audits and Assessments:
•
Conduct regular internal audits to assess compliance with the policy and
identify any gaps or weaknesses.
•
Utilize external auditors for independent assessments of the bank's security
posture.
8. Feedback Loop and Continuous Improvement:
•
Establish a feedback mechanism for employees and stakeholders to report
concerns or suggestions related to the security policy.
•
Regularly review and update the policy based on feedback, audit findings, and
evolving threats.
9. Incident Response Plan Activation:
•
Test and validate the Incident Response Plan to ensure its effectiveness in case
of security incidents.
•
Conduct regular drills and simulations to keep the Incident Response Team
prepared.
10. Documentation and Record Keeping:
•
Maintain thorough documentation of all security policies, procedures, training
materials, and compliance records.
•
Ensure that documentation is accessible for review, audits, and regulatory
inspections.
11. Vendor and Third-Party Compliance:
•
Ensure that all third-party vendors and service providers are aware of and
comply with the relevant aspects of the security policy.
•
Conduct regular reviews of vendor compliance.
4.2 METROPOLIS CAPITAL Bank - Disaster Recovery Plan Document
4.2.1. Introduction
The Disaster Recovery Plan (DRP) of METROPOLIS CAPITAL Bank is a
comprehensive, structured approach for responding to unplanned incidents that
threaten the bank's IT infrastructure, data integrity, and continued business operations.
This plan is designed to ensure the rapid and efficient recovery of critical systems and
operations, thereby minimizing operational disruptions and maintaining service
continuity for our customers.
Scope of the Plan:
This DRP encompasses all critical components of METROPOLIS CAPITAL Bank's
operations, including but not limited to our primary data center in Colombo,
secondary data center in Galle, over 100 branches, 500 ATMs across Sri Lanka,
overseas branches, and our digital banking platforms. The plan covers a range
of scenarios, including natural disasters, technological failures, cyber-attacks,
and any other events that could significantly disrupt our banking services.
Objectives:
•
Rapid Recovery: To restore critical operations and IT systems with minimal
downtime.
•
Data Integrity and Security: To ensure the protection and quick recovery of vital
data.
•
Business Continuity: To maintain essential functions and services during and
after a disaster.
•
Risk Mitigation: To reduce the potential impact of operational disruptions on the
bank and its customers.
Plan Activation Criteria:
The DRP will be activated in response to incidents that severely impair or have the
potential to severely impair the bank’s operational capabilities. These incidents
include, but are not limited to, significant IT system failures, data breaches, natural
disasters affecting physical infrastructure, or any other events that endanger the bank's
ability to operate effectively.
Responsibilities and Leadership:
The successful implementation of this DRP requires clear leadership and defined
responsibilities. A Disaster Recovery Team (DRT), comprising members from various
critical departments such as IT, technical support, operations, and senior management,
will be established to oversee the implementation of this plan. This team will be
responsible for coordinating the recovery efforts, making crucial decisions during a
disaster, and communicating effectively with all stakeholders.
4.2.2 METROPOLIS CAPITAL Bank Organization IT Disaster Recovery Plan Revision History
Document Creation Date: June 1, 2023

Revision No. | Date             | Description of Revisions                                                                                                              | Revised By
1.0          | June 1, 2023     | Initial creation of the Disaster Recovery Plan document.                                                                              | John Doe, DRP Manager
1.1          | August 15, 2023  |                                                                                                                                       |
1.2          | November 5, 2023 | Revised the Key Personnel Contact Info to reflect staffing changes.                                                                   | John Doe, DRP Manager
1.3          | January 10, 2024 | Added a new section for BYOD policy under the "Policy Statement" to address remote work scenarios.                                    | Michael Chen, CISO
1.4          | March 22, 2024   | Updated the "External Contacts" list and verified all contact information. Minor edits to the "Notification Calling Tree" for clarity. | Jane Smith, IT Director
1.5          | April 30, 2024   | Integrated a new risk management strategy focusing on cyber threats and response mechanisms.                                          | Michael Chen, CISO
             |                  | Updated the Backup Strategy to include cloud storage options.                                                                         | Jane Smith, IT Director
Note: All revisions are subject to review by the Disaster Recovery Planning Committee. Each
revision is documented with a unique number, date, a brief description of changes, and the
name of the individual responsible for the revision. This log is maintained as part of the DRP
documentation and is available for audit purposes and historical reference.
4.2.3 Information Technology Statement of Intent
The Information Technology Statement of Intent for METROPOLIS CAPITAL
Bank's Disaster Recovery Plan (DRP) establishes the foundational principles and
objectives that guide our approach to disaster recovery and business continuity. As a
leading banking institution with a significant presence in Sri Lanka and abroad, our
commitment is to maintain resilient and secure IT operations that support the bank's
services and responsibilities to our customers, employees, and stakeholders.
Purpose:
The primary purpose of this statement is to underscore the bank's dedication to:
• Ensuring the continuous operation of our IT systems and infrastructure, which
are critical to the day-to-day operations of the bank.
• Protecting the integrity, confidentiality, and availability of data against any
form of disruption, whether due to natural disasters, cyber incidents, or
operational failures.
• Providing a clear and structured response to incidents that may impact our IT
services, minimizing downtime and facilitating a rapid return to normal
operations.
Scope:
This IT Statement of Intent covers all aspects of METROPOLIS CAPITAL Bank's IT
infrastructure, including but not limited to:
• Core banking systems hosted in our high-performance server environments.
• Branch and ATM network connectivity, including VPN and MPLS services.
• Online and mobile banking services.
• Data centers and backup facilities located in Colombo and Galle.
• Remote work infrastructure, including BYOD and wireless connectivity.
• IT security systems, including firewalls, endpoint protection, and intrusion
detection systems.
Commitment:
METROPOLIS CAPITAL Bank commits to:
• Implementing and maintaining a robust IT disaster recovery strategy that
aligns with industry best practices and regulatory requirements.
• Regularly reviewing and updating the DRP to address emerging threats,
technological advancements, and changes in business operations.
• Training and preparing our staff to respond effectively to IT disruptions,
ensuring they are familiar with the DRP procedures and their roles within
those procedures.
• Engaging with external partners, vendors, and regulatory bodies to ensure a
coordinated response to disasters that may affect the broader financial
ecosystem.
• Investing in technology and infrastructure that enhance our disaster recovery
capabilities and resilience against disruptions.
Objectives:
Through this statement, METROPOLIS CAPITAL Bank aims to achieve the
following objectives:
• Minimize the impact of IT disruptions on bank operations, customers, and
other stakeholders.
• Ensure a swift and efficient recovery of IT services in the event of a disaster,
with clear priorities set for critical systems.
• Foster a culture of preparedness and resilience within the organization,
emphasizing the importance of disaster recovery planning in our overall
business strategy.
4.2.4. Policy Statement
The Policy Statement of the METROPOLIS CAPITAL Bank Disaster Recovery Plan
(DRP) articulates the bank's overarching policies regarding disaster recovery and
business continuity. It delineates the framework within which all activities related to
disaster recovery are conducted, ensuring alignment with the bank's strategic
objectives, compliance with legal and regulatory requirements, and the safeguarding
of the bank's reputation, assets, and stakeholder interests.
Commitment to Disaster Recovery and Business Continuity:
METROPOLIS CAPITAL Bank is committed to establishing, implementing, and
maintaining a comprehensive disaster recovery and business continuity plan. This
commitment is driven by the necessity to protect the bank’s operations, information
technology assets, and data against significant adverse events. It is our policy to:
•
Ensure the continuity of our critical business operations under all conditions.
•
Protect and secure our information assets against unauthorized access, data
loss, and breaches.
•
Comply with all relevant laws, regulations, and standards, including but not
limited to the ISO 31000:2018 risk management guidelines (which supersede the
2009 edition), and the directives of the Central Bank of Sri Lanka.
Scope:
This policy applies to all departments, employees, contractors, and third-party service
providers associated with METROPOLIS CAPITAL Bank. It encompasses all aspects
of the bank's operations, including but not limited to its primary and secondary data
centers, branch network, ATM services, online and mobile banking platforms, and
remote work infrastructure.
Responsibilities:
• Board of Directors and Senior Management are responsible for endorsing the
DRP and ensuring that sufficient resources are allocated for its implementation
and maintenance.
• Disaster Recovery Planning Committee is tasked with the development,
testing, and updating of the DRP. This committee operates under the guidance
of the Chief Information Security Officer (CISO) and includes representatives
from key functional areas.
• All Employees are required to familiarize themselves with the DRP relevant to
their roles and responsibilities and participate in training and drill exercises.
DRP Principles:
• Preparedness: We shall maintain a state of readiness through regular training, drills, and updates to our DRP to address evolving threats and technological changes.
• Response: In the event of a disaster, we shall activate the DRP promptly to mitigate impacts, recover critical operations swiftly, and communicate effectively with all stakeholders.
• Recovery: We are dedicated to the rapid restoration of services to customers and the resumption of business operations, prioritizing systems critical to our mission.
• Review and Continuous Improvement: The DRP shall be subject to regular reviews and updates based on lessons learned from drills, actual incidents, and changes in the operating environment.
Data Protection and Privacy:
In executing the DRP, METROPOLIS CAPITAL Bank will adhere to stringent data
protection and privacy standards, ensuring the confidentiality, integrity, and
availability of customer and corporate data at all times.
Compliance and Reporting:
Compliance with this policy is mandatory. All deviations and exceptions must be
formally documented and reported to the Disaster Recovery Planning Committee for
review.
4.2.5 Objectives
The objectives section of the METROPOLIS CAPITAL Bank Disaster Recovery Plan (DRP)
delineates the specific goals the bank aims to achieve through its disaster recovery and
business continuity strategies. These objectives are integral to ensuring the bank's resilience
in the face of disruptions and maintaining continuous operations to meet the needs of
customers, employees, and other stakeholders.
1. Minimize Operational Downtime:
Objective: To minimize the downtime of critical operations to the shortest possible duration.
The bank targets to resume essential services within a predefined timeframe, ensuring
minimal disruption to customer services and internal operations.
2. Ensure Data Integrity and Security:
Objective: To protect the integrity, confidentiality, and availability of data before, during, and
after a disaster. This includes implementing robust backup strategies, data encryption, and
secure data recovery processes to prevent data loss and unauthorized access.
3. Rapid Recovery of IT Services and Critical Functions:
Objective: To establish and maintain the capability for rapid and efficient recovery of IT
services and critical business functions. This entails predefined recovery time objectives
(RTOs) and recovery point objectives (RPOs) for all critical systems and applications.
4. Maintain Customer Trust and Confidence:
Objective: To maintain and, where necessary, restore customer trust and confidence in the
bank's services through effective communication, swift recovery actions, and transparent
operations during and after any disruption.
5. Compliance with Regulatory Requirements:
Objective: To ensure full compliance with all applicable laws, regulations, and standards
governing financial institutions and disaster recovery practices, including but not limited to
the directives of the Central Bank of Sri Lanka and international standards such as ISO
31000:2009.
6. Protect and Preserve the Bank's Reputation:
Objective: To implement disaster recovery measures that protect the bank's brand and
reputation, minimizing negative publicity and customer dissatisfaction through effective risk
management and disaster response strategies.
7. Employee Safety and Well-being:
Objective: To ensure the safety and well-being of all employees during a disaster, including
clear communication of safety protocols, provision of remote work capabilities, and support
for employees affected by the disaster.
8. Continuous Improvement of Disaster Recovery Capabilities:
Objective: To adopt a continuous improvement approach to disaster recovery planning,
regularly reviewing, testing, and updating the DRP to address new risks, technological
advancements, and lessons learned from exercises and actual events.
9. Effective Stakeholder Communication:
Objective: To establish and maintain effective communication channels with all stakeholders,
including customers, employees, regulators, and partners, ensuring timely and accurate
information dissemination during and after a disaster.
10. Financial Stability and Operational Viability:
Objective: To ensure the bank's financial stability and operational viability post-disaster,
through effective risk management, insurance strategies, and financial planning to cover
potential losses and recovery expenses.
4.2.6 Key Personnel Contact Info
The Key Personnel Contact Information section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) provides essential contact details for individuals and teams
critical to disaster recovery and business continuity efforts. This directory ensures that all
stakeholders know whom to contact in various scenarios, facilitating swift communication
and coordination during and after a disaster.
Role | Name | Position | Contact Number | Email
Disaster Recovery Planning Committee: Chairperson | Mr. Ashan Perera | Chief Information Security Officer (CISO) | +94-XXXXX-XXXX | ashan.perera@metropoliscapitalbank.lk
Finance Director | Ms. Lakshmi Fernando | Finance Director | +94-XXXXX-XXXX | lakshmi.fernando@metropoliscapitalbank.lk
IT Director | Mr. Nimal Jayawardena | IT Director | +94-XXXXX-XXXX | nimal.jayawardena@metropoliscapitalbank.lk
Operations Manager | Ms. Thilini Rajapaksa | Operations Manager | +94-XXXXX-XXXX | thilini.rajapaksa@metropoliscapitalbank.lk
HR Manager | Mr. Ravi De Silva | HR Manager | +94-XXXXX-XXXX | ravi.desilva@metropoliscapitalbank.lk
Technical Support Team (Third-Party Vendor): Vendor Manager | Ms. Anusha Kumari | Technical Support Team Lead | +94-XXXXX-XXXX | anusha.kumari@techsupportvendor.lk
Supply Chain Management: Supply Chain Management Officer | Mr. Kamal Perera | Supply Chain Management Officer | +94-XXXXX-XXXX | kamal.perera@metropoliscapitalbank.lk
Branch Managers (Key Locations): Colombo Branch Manager | Ms. Priyanka Silva | Colombo Branch Manager | +94-XXXXX-XXXX | priyanka.silva@metropoliscapitalbank.lk
Branch Managers (Key Locations): Galle Branch Manager | Mr. Suresh Gamage | Galle Branch Manager | +94-XXXXX-XXXX | suresh.gamage@metropoliscapitalbank.lk
Emergency Services Contacts: Police | National Emergency Number | - | 119 | -
Emergency Services Contacts: Fire Brigade | National Emergency Number | - | 110 | -
Emergency Services Contacts: Medical Emergency | National Emergency Number | - | 112 | -
Regulatory Contact: Central Bank of Sri Lanka | Mr. Harith Wijesinghe | Regulatory Affairs Contact | +94-XXXXX-XXXX | harith.wijesinghe@cbsl.gov.lk
Insurance Provider: Insurance Contact | Ms. Geethika Bandara | Account Manager | +94-XXXXX-XXXX | geethika.bandara@insuranceprovider.lk
This section must be regularly reviewed and updated to reflect any changes in roles or contact
information. It is recommended that all personnel listed in this section have access to a digital
and physical copy of the DRP, including this contact list, to ensure accessibility in various
scenarios.
4.2.7 Notification Calling Tree
The Notification Calling Tree is a structured system designed to facilitate swift and efficient
communication among METROPOLIS CAPITAL Bank personnel and key stakeholders in
the event of a disaster. This protocol ensures that critical information is disseminated quickly
and effectively, minimizing confusion and enabling a coordinated response.
The calling tree operates on a tiered basis, with each individual responsible for contacting a
specific set of people as outlined below. The process initiates from the top level, with each
subsequent level responsible for further dissemination of information to ensure
comprehensive coverage.
Tier | Individual/Role | Responsibility | Contacted By | To Contact
1 | Chief Information Security Officer (CISO) | Initiates the calling tree. | N/A | IT Director, Finance Director, Operations Manager, HR Manager
2 | IT Director | Notifies IT department heads and key IT personnel. | CISO | Tier 3 IT Team Leaders
2 | Finance Director | Notifies finance department heads and key finance personnel. | CISO | Tier 3 Finance Team Leaders
2 | Operations Manager | Notifies operations department heads and key personnel. | CISO | Tier 3 Operations Team Leaders
2 | HR Manager | Notifies HR department heads and coordinates external notifications. | CISO | Tier 3 HR Team Leaders, Communications Department
3 | Team Leaders/Managers | Notifies all team members. | Their respective Department Head | All team members (Tier 4)
4 | All Employees | Receive notification and follow DRP instructions. | Their respective Team Leader/Manager | N/A
5 | Supply Chain Management Officer | Notifies key external partners and vendors. | Operations Manager | External Partners, Vendors
5 | Safety Officer | Contacts emergency services if required. | CISO or Operations Manager | Emergency Services
Tier 1: Initial Notification
• Chief Information Security Officer (CISO): Initiates the calling tree by notifying Tier 2 individuals.
Tier 2: Department Heads and Key Personnel
• IT Director
• Finance Director
• Operations Manager
• HR Manager
Tier 3: Functional Teams and Units
• Each Department Head (Tier 2) is responsible for notifying their respective team leaders or managers within their departments.
Tier 4: All Employees
• Team leaders or managers (Tier 3) are responsible for contacting each member of their teams.
Tier 5: External Stakeholders
• Supply Chain Management Officer: Notifies key external partners, including technical support vendors and service providers.
• HR Manager: Coordinates with the Communications Department to issue notifications to external stakeholders, such as regulatory bodies, if necessary.
Emergency Services Contacts:
• Designated Safety Officer: Responsible for contacting emergency services if required.
Procedure:
• Activation: The CISO activates the calling tree in response to a disaster or when the DRP is invoked.
• Confirmation: Each recipient is asked to confirm receipt of the message and to proceed with their designated contacts.
• Documentation: Each individual logs their calls, including time, recipient, and confirmation, to track the progress and ensure complete coverage.
• Feedback Loop: Any issues, non-contacts, or critical information gathered during the notification process are reported back to the DRP Committee for real-time situational awareness and response adjustment.
4.2.8 External Contacts
The External Contacts section of the METROPOLIS CAPITAL Bank Disaster Recovery Plan
(DRP) is crucial for establishing and maintaining communication with outside entities that
play a significant role in disaster recovery and business continuity efforts. This includes local
and international IT service vendors, emergency services, regulatory bodies, insurance
providers, and other critical stakeholders.
No. | Category | Company Name/Service | Contact Person | Position | Contact Number | Email
1 | IT Service Vendors | Global Tech Solutions | Ms. Anjali Gupta | Account Manager | +94-XX-XXX-XXXX | anjali.gupta@globaltechsolutions.com
2 | IT Service Vendors | Innovative Software Ltd. | Mr. Rajiv Singh | Customer Relations Manager | +94-XX-XXX-XXXX | rajiv.singh@innovativesoftware.lk
3 | IT Service Vendors | CloudNet Dynamics | Ms. Fiona Chen | Cloud Services Consultant | +94-XX-XXX-XXXX | fiona.chen@cloudnetdynamics.com
4 | Emergency and Public Services | National Police Service | - | Disaster Response Unit | +94-XX-XXX-XXXX | -
5 | Emergency and Public Services | Fire and Rescue Services | - | Special Operations | +94-XX-XXX-XXXX | -
6 | Emergency and Public Services | Medical Emergency Services | - | - | +94-XX-XXX-XXXX | -
7 | Regulatory and Compliance | Central Bank of Sri Lanka | Mr. Harith Wijesinghe | Regulatory Affairs Department | +94-XX-XXX-XXXX | harith.wijesinghe@cbsl.gov.lk
8 | Regulatory and Compliance | National Data Protection Authority | Ms. Priya Fernando | Compliance Officer | +94-XX-XXX-XXXX | priya.fernando@dataprotection.lk
9 | Insurance Provider | SecureLife Insurance | Ms. Geethika Bandara | Account Manager | +94-XX-XXX-XXXX | geethika.bandara@securelifeinsurance.lk
10 | Miscellaneous Contacts | Utility Services (Electricity, Water) | - | - | +94-XX-XXX-XXXX | -
11 | Miscellaneous Contacts | Telecommunications Provider | Mr. Dilshan Perera | Business Account Manager | +94-XX-XXX-XXXX | dilshan.perera@lankacom.com
This section must be reviewed and updated regularly to ensure that all contact information is
current and accurate. Inclusion of these external contacts in the DRP ensures that
METROPOLIS CAPITAL Bank has a comprehensive list of all critical stakeholders required
for effective disaster recovery and business continuity management.
4.2.9 External Contacts Calling Tree
The External Contacts Calling Tree for METROPOLIS CAPITAL Bank is a structured
protocol designed to streamline communication with critical external partners, vendors,
emergency services, and regulatory bodies in the event of a disaster. This protocol ensures
that essential external stakeholders are promptly informed and engaged as necessary,
facilitating a coordinated response to the disaster.
Contact Order | METROPOLIS CAPITAL Bank Official | Responsibility | External Entity to Contact
1 | Supply Chain Management Officer | Notify IT service vendors and partners | Global Tech Solutions, Innovative Software Ltd., CloudNet Dynamics
2 | Operations Manager | Coordinate with emergency and public services | National Police Service, Fire and Rescue Services, Medical Emergency Services
3 | Chief Information Security Officer (CISO) | Liaise with regulatory and compliance bodies | Central Bank of Sri Lanka, National Data Protection Authority
4 | HR Manager | Communicate with insurance provider | SecureLife Insurance
5 | Facilities Manager | Contact utility and telecommunications providers | Utility Services, Telecommunications Provider
Purpose:
The purpose of the External Contacts Calling Tree is to:
• Ensure timely notification and engagement of external entities critical to the disaster recovery process.
• Facilitate the rapid acquisition of services, support, and information from external partners.
• Maintain regulatory compliance by notifying relevant authorities as required.
Procedure:
• Activation: The calling tree is activated by the Disaster Recovery Planning Committee Chairperson or designated official upon the declaration of a disaster.
• Sequential Notification: Each designated METROPOLIS CAPITAL Bank official is responsible for contacting the assigned external entities following the pre-defined sequence.
• Confirmation: Recipients are asked to confirm receipt of the notification and provide any immediate feedback or information relevant to the disaster recovery efforts.
• Escalation: Should there be any issues in contacting an external entity, the issue is escalated back to the Disaster Recovery Planning Committee for alternative action.
Follow-up and Reporting:
• Each METROPOLIS CAPITAL Bank official involved in the calling tree must document the outcome of their communications, including confirmations received and any critical information or instructions provided by the external entities.
• A consolidated report is submitted to the Disaster Recovery Planning Committee for review and action.
Review and Update:
• The External Contacts Calling Tree is reviewed and updated regularly to ensure accuracy and effectiveness. Updates may be triggered by changes in external partners, regulatory requirements, or the bank’s disaster recovery strategy.
• All officials involved in the calling tree are informed of updates and provided with revised protocols as necessary.
4.2.10 Plan Overview
The Plan Overview section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) provides a high-level summary of the bank's disaster recovery strategy
and its commitment to maintaining business continuity in the face of unforeseen
disruptions. This section serves as an introduction to the comprehensive DRP,
outlining its key components and objectives.
4.2.10.1 Plan Updating
The Plan Updating section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) outlines the procedures for regularly reviewing, updating, and
maintaining the DRP to ensure its continued relevance, effectiveness, and alignment
with the bank's operational and strategic goals. Given the dynamic nature of
technology, threats, and business operations, it is imperative that the DRP evolves to
address new challenges and incorporates lessons learned from drills and actual
disaster events.
1. Review Schedule:
• Annual Review: The DRP is subject to a comprehensive review on an annual basis. This review assesses all aspects of the plan, including contact lists, recovery strategies, technology dependencies, and procedures for emergency response, data backup, and recovery.
• Ad-Hoc Reviews: In addition to the scheduled annual review, ad-hoc reviews are conducted in response to significant changes within the bank or its operating environment. Such changes may include major IT system upgrades, expansion or reduction of operations, organizational restructuring, or after the occurrence of a disaster or significant incident.
2. Responsibility:
• Disaster Recovery Planning Committee: This committee, led by the Chief Information Security Officer (CISO), is responsible for overseeing the review and updating process of the DRP. It includes representatives from all critical business units and IT departments.
• External Consultants: Where necessary, external consultants with expertise in disaster recovery and business continuity may be engaged to provide objective insights and recommendations during the review process.
3. Updating Process:
• Gathering Information: Collect feedback from departments and teams on the effectiveness and challenges experienced with the current DRP during drills or actual disaster events.
• Assessment: Evaluate the current DRP against new threats, technological advancements, and changes in business processes or regulatory requirements.
• Revision: Update the DRP to address identified gaps, incorporating new recovery strategies, technologies, and procedures as necessary.
• Approval: The revised DRP is presented to senior management for review and approval. Once approved, the updated plan is communicated to all relevant stakeholders.
4. Documentation and Communication:
• Document Changes: All changes to the DRP are documented, including a summary of the changes, the reasons for the changes, and the date of the revision.
• Communication: The updated DRP is communicated to all relevant parties, including internal teams, external partners, and regulatory bodies if required. This ensures that everyone understands their roles and responsibilities according to the latest plan.
5. Training and Drills:
• Training: Update training materials to reflect changes in the DRP and conduct training sessions for all relevant staff, ensuring they understand their roles and responsibilities under the new plan.
• Drills: Schedule drills to test the updated DRP, focusing on new or significantly revised areas to ensure their effectiveness and the preparedness of the team.
6. Continuous Improvement:
• Feedback Mechanism: Establish a feedback mechanism for continuous improvement, encouraging employees to provide insights and suggestions on the DRP based on their experiences and observations.
• Monitoring and Evaluation: Continuously monitor the effectiveness of the DRP and evaluate its performance during drills and actual incidents. Use these insights to inform future updates.
4.2.10.2 Plan Documentation Storage
The Plan Documentation Storage section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) outlines the strategies and locations for storing the
DRP documents. Ensuring that the DRP is accessible in the event of a disaster is
critical for a swift and effective response. This section details the methods and
locations, both digital and physical, where DRP documents are stored, safeguarded,
and made accessible to authorized personnel.
1. Digital Storage:
• Centralized Document Management System: The DRP, along with all related documents, is stored in a centralized, secure document management system accessible to authorized personnel. This system is backed up regularly and is accessible remotely to ensure availability even if the bank's primary facilities are compromised.
• Cloud Storage: A secure, encrypted copy of the DRP is stored in the cloud, providing redundancy and ensuring that the plan can be accessed from any location, at any time, by authorized users. Cloud storage providers are selected based on their compliance with industry-standard security protocols and their ability to guarantee data integrity and availability.
• Secure, Encrypted Drives: For added security and redundancy, encrypted copies of the DRP are stored on secure, removable drives. These drives are kept in secure, accessible locations, known and accessible to the DRP Committee and other key personnel.
2. Physical Storage:
• On-Site Storage: Hard copies of the DRP are stored in secure, fireproof, and waterproof safes or cabinets at the bank's primary facilities. These locations are accessible to the Disaster Recovery Planning Committee and designated staff members.
• Off-Site Storage: To mitigate the risk of simultaneous loss of on-site and digital copies, hard copies of the DRP are also stored at a secure off-site location. This location is geographically distant from the bank's primary facilities to ensure survival in the event of a localized disaster.
3. Accessibility:
• Access Control: Access to both digital and physical copies of the DRP is strictly controlled and limited to authorized personnel. Permissions are regularly reviewed and updated to reflect changes in roles and responsibilities.
• Regular Updates and Synchronization: All stored copies of the DRP, both digital and physical, are updated simultaneously to ensure consistency across all versions. A version control system is in place to track changes and ensure that only the most current version of the DRP is activated in the event of a disaster.
4. Testing and Validation:
• Regular Testing: The accessibility and integrity of stored DRP documents are regularly tested as part of the DRP maintenance schedule. This includes testing remote access capabilities, validating the integrity of digital files, and ensuring that physical copies are in good condition and up-to-date.
• Recovery Simulations: As part of DRP drills, recovery simulations include the process of accessing both digital and physical copies of the DRP to validate the effectiveness of storage strategies and access controls.
5. Documentation and Training:
• Clear Documentation: Procedures for accessing the DRP documents, both digital and physical, are clearly documented and included within the DRP itself. This ensures that in the event of a disaster, the process for retrieving the DRP is straightforward and understood by all relevant personnel.
• Training: Regular training sessions for the Disaster Recovery Planning Committee and other key personnel include walkthroughs of how to access the DRP under various scenarios, ensuring that in the event of an actual disaster, there is no confusion or delay in accessing the plan.
4.2.10.3 Backup Strategy
The Backup Strategy section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the comprehensive approach to data backup and
restoration, ensuring the bank's data integrity, availability, and confidentiality are
maintained at all times, even in the event of a disaster. This strategy is a cornerstone
of the bank's ability to recover from catastrophic events, minimizing data loss and
ensuring rapid restoration of services.
1. Backup Types and Frequency:
• Full Backups: Conducted weekly, full backups capture the entirety of the bank's data across all systems. These backups are scheduled during off-peak hours to minimize impact on bank operations.
• Incremental Backups: Performed daily, incremental backups save changes made to data since the last full backup. This method provides an efficient way to maintain up-to-date backups without the need for complete daily backups.
• Differential Backups: Occurring every three days, differential backups capture all changes made since the last full backup. This strategy offers a balance between resource utilization and recovery time.
2. Backup Media and Storage:
• On-Site Storage: Initial backups are stored on high-capacity, secure on-site storage systems. These systems are equipped with redundancy, fault tolerance, and encryption to protect data integrity and confidentiality.
• Off-Site Storage: Copies of all backups are also stored at a secure, geographically distant off-site location. This ensures data availability in the event that the primary site is compromised.
• Cloud Storage: In addition to physical storage, backups are replicated to secure cloud storage solutions. This adds another layer of redundancy and facilitates remote access and recovery if needed.
3. Data Encryption:
• All backup data, both in transit and at rest, is encrypted using industry-standard encryption protocols. This ensures data confidentiality and security, protecting against unauthorized access.
4. Backup Testing and Validation:
• Regular Testing: Backup processes are regularly tested to ensure that data can be effectively backed up and restored. This includes testing the integrity of backup files and the successful restoration of data to its original state.
• Validation Procedures: Each backup operation includes validation steps to confirm the completeness and integrity of the backup data. Any issues detected during these checks are addressed immediately to ensure the reliability of backup data.
5. Version Control:
• A robust version control system is in place to manage multiple iterations of backup data. This system tracks changes over time, allowing for the restoration of data from specific points as needed.
6. Backup Access and Security:
• Access to backup data is strictly controlled, with permissions limited to authorized personnel only. Audit logs are maintained for all access and restoration activities to ensure accountability and traceability.
7. Regulatory Compliance and Documentation:
• The backup strategy complies with all relevant data protection and privacy regulations, including those enforced by the Central Bank of Sri Lanka and international data protection standards.
• Detailed documentation of the backup strategy, including policies, procedures, and logs, is maintained for audit purposes and regulatory compliance.
8. RPO and RTO Objectives:
• The backup strategy is aligned with the bank’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO), ensuring that data loss is minimized and that critical systems can be restored within the targeted timeframes following a disaster.
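As an added example, not part of the bank's plan or the original document: a small Python model of the schedule in item 1 (weekly full, daily incremental, differential every three days) that derives the chain of backups a restore must apply and checks the resulting data-loss window against the RPO in item 8, including the failure mode where one backup does not pass the validation step in item 4. It assumes the usual semantics in which an incremental holds changes since the most recent backup of any type and a differential holds changes since the last full; the schedule start, disaster time and RPO target are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed scenario: the weekly full is taken on a Sunday at 01:00, the
# disaster strikes the following Thursday at 12:00, and the RPO target is 24 h.
SCHEDULE_START = datetime(2024, 1, 7, 1, 0)
DISASTER_AT = SCHEDULE_START + timedelta(days=4, hours=11)
RPO_TARGET = timedelta(hours=24)


@dataclass
class Backup:
    kind: str                              # "full", "differential" or "incremental"
    taken_at: datetime
    based_on: Optional["Backup"] = None    # baseline this backup's changes are relative to
    verified: bool = True                  # passed the validation step in item 4

    def __repr__(self) -> str:
        return f"{self.kind}@{self.taken_at:%a %H:%M}"


def generate_week(start: datetime) -> list:
    """Build one week of backups following the DRP schedule: a full at
    `start`, an incremental every following day at the same hour, and a
    differential every third day one hour later. Each backup records its
    baseline so that restore dependencies are explicit."""
    events = [("full", start)]
    for day in range(1, 7):
        events.append(("incremental", start + timedelta(days=day)))
        if day % 3 == 0:
            events.append(("differential", start + timedelta(days=day, hours=1)))
    events.sort(key=lambda e: e[1])

    backups, last_full, last_any = [], None, None
    for kind, when in events:
        if kind == "full":
            base = None
        elif kind == "differential":
            base = last_full          # everything since the last full
        else:
            base = last_any           # everything since the most recent backup
        backup = Backup(kind, when, base)
        backups.append(backup)
        last_any = backup
        if kind == "full":
            last_full = backup
    return backups


def restore_chain(backups: list, disaster_at: datetime) -> list:
    """Return the backups to apply, full first, for the newest restorable
    point before `disaster_at`. A point is restorable only if the backup and
    every baseline it depends on passed validation; a failed link means the
    next-newest candidate is tried, which moves the recovery point back."""
    candidates = sorted((b for b in backups if b.taken_at <= disaster_at),
                        key=lambda b: b.taken_at, reverse=True)
    for candidate in candidates:
        chain, node = [], candidate
        while node is not None and node.verified:
            chain.append(node)
            if node.kind == "full":
                return list(reversed(chain))
            node = node.based_on
    raise RuntimeError("no verified chain back to a full backup before the disaster")


def data_loss_window(chain: list, disaster_at: datetime) -> timedelta:
    """Achieved recovery point: time between the last applied backup and the disaster."""
    return disaster_at - chain[-1].taken_at


def meets_rpo(chain: list, disaster_at: datetime, rpo: timedelta) -> bool:
    return data_loss_window(chain, disaster_at) <= rpo


if __name__ == "__main__":
    week = generate_week(SCHEDULE_START)
    chain = restore_chain(week, DISASTER_AT)
    print("chain:", chain, "loss window:", data_loss_window(chain, DISASTER_AT),
          "meets RPO:", meets_rpo(chain, DISASTER_AT, RPO_TARGET))
    # Failure mode: the Wednesday differential fails validation. Thursday's
    # incremental depends on it, so the restore falls back to Wednesday's
    # incremental and the loss window grows from 11 h to 35 h, missing the RPO.
    next(b for b in week if b.kind == "differential").verified = False
    chain = restore_chain(week, DISASTER_AT)
    print("chain:", chain, "loss window:", data_loss_window(chain, DISASTER_AT),
          "meets RPO:", meets_rpo(chain, DISASTER_AT, RPO_TARGET))
```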
4.2.10.4 Risk Management
The Risk Management section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the bank's strategic approach to identifying, assessing,
mitigating, and monitoring risks that could impact its operations and IT infrastructure.
This comprehensive risk management framework is designed to ensure the bank's
resilience, safeguarding its assets, and maintaining continuous operations even in the
face of potential disasters.
1. Risk Identification:
• Systematic Identification: Regularly conduct assessments to identify potential risks associated with natural disasters, cyber threats, technological failures, human error, and external attacks. This includes a review of all critical systems, processes, and dependencies.
• Stakeholder Input: Engage with stakeholders across all levels of the organization to identify risks from diverse perspectives, including operational, technical, and strategic viewpoints.
2. Risk Assessment:
• Risk Analysis: Evaluate identified risks to determine their potential impact on the bank's operations and the likelihood of their occurrence. This analysis considers both qualitative and quantitative factors.
• Vulnerability Assessment: Perform regular vulnerability assessments and penetration testing on IT systems and infrastructure to identify weaknesses that could be exploited by potential threats.
3. Risk Mitigation:
• Preventive Measures: Implement measures to prevent identified risks from occurring. This includes robust cybersecurity protocols, physical security measures, employee training programs, and regular maintenance of IT systems.
• Contingency Planning: Develop and maintain contingency plans for each identified risk, detailing specific steps to be taken in response to different types of disasters. These plans include backup and recovery procedures, emergency response actions, and communication protocols.
• Insurance Coverage: Ensure adequate insurance coverage for various types of risks, including property damage, cyber incidents, and business interruption, to mitigate financial impacts.
4. Risk Monitoring and Reporting:
• Continuous Monitoring: Establish a continuous monitoring program to detect early signs of potential risks and vulnerabilities. This includes the use of automated tools and regular security audits.
• Reporting Mechanism: Implement a clear reporting mechanism for any incidents or emerging risks, including a defined process for escalating significant risks to the appropriate level of management.
5. Risk Review and Update:
• Regular Review: Conduct regular reviews of the risk management plan to ensure it remains relevant and effective in the face of changing internal and external environments. This includes updating risk assessments and mitigation strategies based on new threats, technological changes, and lessons learned from incident responses.
• Stakeholder Engagement: Involve key stakeholders in the review process to ensure a comprehensive understanding of operational changes and emerging risks. Feedback from stakeholders is crucial for refining risk mitigation strategies.
6. Compliance and Regulatory Requirements:
• Regulatory Compliance: Ensure that the risk management plan complies with relevant regulatory requirements, including those set forth by the Central Bank of Sri Lanka and international standards such as ISO 31000:2009.
• Documentation and Record-Keeping: Maintain detailed documentation of the risk management process, including risk assessments, mitigation strategies, incident reports, and review records. This documentation supports regulatory compliance and provides valuable insights for continuous improvement.
7. Employee Training and Awareness:
• Training Programs: Implement comprehensive training programs to raise awareness among employees about potential risks and their roles in preventing and responding to incidents.
• Awareness Campaigns: Conduct regular awareness campaigns to keep risk management and disaster recovery top of mind for all employees, emphasizing the importance of adherence to policies and procedures.
4.2.11 Emergency
The Emergency section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) outlines the bank's approach to managing and responding to emergency
situations. This section is critical for ensuring the safety of personnel, minimizing the
impact of disasters, and initiating an effective disaster recovery process.
4.2.11.1 Alert, escalation and plan invocation
The Alert, Escalation, and Plan Invocation section of the METROPOLIS CAPITAL
Bank Disaster Recovery Plan (DRP) details the procedures and protocols for
detecting, escalating, and initiating the disaster recovery plan in response to triggering
events or emergencies.
4.2.11.1.1 Plan Triggering Events
The Plan Triggering Events section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) outlines specific scenarios and conditions that
would necessitate the activation of the disaster recovery procedures.
Identifying these events clearly helps in the swift decision-making process
during critical situations, ensuring that the bank can respond promptly and
effectively to mitigate impacts on its operations and services.
1. Natural Disasters:
• Earthquakes: Significant seismic activity that damages or has the potential to damage the bank’s physical infrastructure or disrupt operations.
• Floods: Water damage caused by flooding that impacts the bank’s facilities, including data centers, branches, or critical infrastructure.
• Cyclones/Typhoons: Severe weather conditions that result in damage to facilities, power outages, or pose significant risks to employee safety.
2. Technological Failures:
• Data Center Failures: Any event leading to the loss of operational capability in the primary or secondary data centers, including power failures, hardware malfunctions, or system crashes.
• Critical System Failures: Malfunction or failure of critical banking systems or applications that support customer transactions, data processing, or other essential operations.
3. Cybersecurity Incidents:
•
Ransomware Attacks: Encryption or locking of critical data by
unauthorized parties demanding payment for release.
•
Data Breaches: Unauthorized access and extraction of sensitive
customer or business data.
•
DDoS Attacks: Distributed Denial of Service attacks that render
banking services inaccessible to users.
4. Human Error or Malicious Activities:
•
Operational Mistakes: Significant operational errors by employees
that result in data loss, system failures, or financial discrepancies.
•
Insider Threats: Malicious activities conducted by employees or
contractors leading to system sabotage, data theft, or fraud.
5. External Threats:
•
Terrorist Attacks: Acts of terrorism that impact the bank’s physical
locations or cyber infrastructure.
•
Pandemics: Health crises that significantly impact staff availability,
branch operations, or require a shift to remote working conditions,
potentially stressing the bank’s IT infrastructure.
6. Regulatory or Legal Actions:
•
Compliance Failures: Situations where regulatory inspections reveal
non-compliance that requires immediate remediation to avoid penalties
or operational restrictions.
•
Legal Injunctions: Legal actions that necessitate the retrieval or
protection of data, potentially disrupting normal operations.
Activation Protocol:
•
Immediate Assessment: Upon the occurrence or imminent threat of
any triggering event, a rapid assessment is conducted by the Disaster
Recovery Planning Committee or designated officials to evaluate the
impact and necessity for activating the DRP.
•
Decision to Activate: The decision to activate the DRP is made by the
Chief Information Security Officer (CISO) in consultation with the
Disaster Recovery Planning Committee, based on the assessment of the
event’s impact on the bank’s operations and infrastructure.
•
Notification: Following the decision to activate the DRP, the
Notification Calling Tree is initiated to inform all relevant
stakeholders, both internal and external, about the activation and the
steps to follow.
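The Activation Protocol above ends with the Notification Calling Tree, but a calling tree only works if someone tracks who has acknowledged and who has not. The following is an added example, not part of the METROPOLIS CAPITAL Bank DRP: it walks a constructed calling tree breadth-first, treats a missing or late acknowledgement as a failure, escalates to the contact's designated alternate, and, if neither answers, has the caller contact the next tier directly (a skip-level call) so that no branch of the tree goes silent. The tree, the contact names, the 300-second acknowledgement timeout and the acknowledgement log are all assumptions made for the illustration.

```python
"""Notification calling tree with acknowledgement tracking and escalation.

Added example (not from the METROPOLIS CAPITAL Bank DRP). The tree, the
acknowledgement log and the timeout are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Contact:
    name: str
    alternate: Optional[str] = None                    # escalated to when no acknowledgement
    callees: List[str] = field(default_factory=list)   # next tier this contact must call


# Constructed calling tree (assumption): CISO -> unit leaders -> their reports.
# Alternates share the callees of the contact they stand in for.
TREE: Dict[str, Contact] = {
    "ciso": Contact("CISO (DR Manager)", "dep_ciso", ["it_dir", "ops_mgr", "comms_dir"]),
    "dep_ciso": Contact("Deputy CISO"),
    "it_dir": Contact("IT Director", "it_dep", ["dba_lead", "net_lead"]),
    "it_dep": Contact("IT Deputy Director"),
    "dba_lead": Contact("DBA Lead"),
    "net_lead": Contact("Network Lead"),
    "ops_mgr": Contact("Operations Manager", "ops_dep", ["branch_ops"]),
    "ops_dep": Contact("Operations Deputy"),
    "branch_ops": Contact("Branch Operations Lead"),
    "comms_dir": Contact("Communications Director", None, ["media_desk"]),
    "media_desk": Contact("Media Desk"),
}

# Constructed acknowledgement log: contact -> seconds until the alert system
# recorded an acknowledgement (None = never acknowledged). Acks must come from
# the alert system's own authenticated callback, not be self-reported.
SAMPLE_ACKS = {
    "ciso": 40, "it_dir": None, "it_dep": 120, "dba_lead": 30, "net_lead": 200,
    "ops_mgr": 600, "ops_dep": None, "branch_ops": 50, "comms_dir": 90, "media_desk": 20,
}


def _acked(seconds: Optional[int], timeout: int) -> bool:
    """An acknowledgement counts only if it arrived within the timeout."""
    return seconds is not None and seconds <= timeout


def run_calling_tree(tree: Dict[str, Contact], root: str, acks: dict, timeout: int = 300) -> dict:
    """Breadth-first activation from `root`.

    Returns who was reached, which escalations to an alternate happened, who
    stayed unreachable, and which callees had to be contacted skip-level
    because both the contact and the alternate failed to acknowledge.
    """
    report = {"reached": [], "escalated": [], "unreachable": [], "skip_level": []}
    queue = deque([(root, None)])      # (contact id, who is calling them)
    seen = set()
    while queue:
        cid, caller = queue.popleft()
        if cid in seen:
            continue
        seen.add(cid)
        node = tree[cid]
        owner = None                    # whoever ends up owning this branch
        if _acked(acks.get(cid), timeout):
            report["reached"].append(cid)
            owner = cid
        else:
            report["unreachable"].append(cid)
            alt = node.alternate
            if alt is not None and alt not in seen:
                seen.add(alt)
                report["escalated"].append((cid, alt))
                if _acked(acks.get(alt), timeout):
                    report["reached"].append(alt)
                    owner = alt
                else:
                    report["unreachable"].append(alt)
        # The branch owner calls the next tier; with no owner, the original
        # caller does it directly so the branch is not left silent.
        for callee in node.callees:
            if owner is None:
                report["skip_level"].append((caller, callee))
            queue.append((callee, owner if owner is not None else caller))
    return report


if __name__ == "__main__":
    for key, value in run_calling_tree(TREE, "ciso", SAMPLE_ACKS).items():
        print(f"{key}: {value}")
```

Two practical points follow from this. First, the tree and the contact details must exist on paper or on a device that does not depend on the bank's own infrastructure, since the systems that normally hold them may be part of the disaster. Second, the skip-level and unreachable lists are the output a DR Manager actually needs: they show which units are being run by an alternate and which gaps still have to be filled by hand.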
4.2.11.1.2 Assembly Points
The Assembly Points section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) specifies predetermined locations where employees
should gather in the event of an emergency that necessitates evacuation of the
bank’s facilities. These assembly points are critical for ensuring the safety of
personnel, facilitating roll calls, and providing instructions for the next steps
during a disaster recovery operation.
1. Primary Assembly Points:
•
Head Office (Kollupitiya): The primary assembly point for the Head
Office is the public park located two blocks west of the building. This
location provides ample space for gathering while being a safe distance
away from potential hazards.
•
Colombo Data Center: Employees at the Colombo Data Center
should assemble at the parking lot of the nearby shopping center,
designated due to its open space and accessibility.
•
Galle Secondary Data Center: The assembly point for the Galle
location is the community hall's parking area, situated half a kilometer
north of the data center.
2. Secondary Assembly Points:
In the event that primary assembly points are inaccessible or deemed unsafe,
secondary assembly points have been designated:
•
Head Office (Kollupitiya): Secondary assembly point is the municipal
library's front courtyard, located three blocks east of the Head Office.
•
Colombo Data Center: The secondary location is the public ground
adjacent to the Colombo Municipal Council, chosen for its central
location and ease of access.
•
Galle Secondary Data Center: The Galle International Cricket
Stadium’s north entrance plaza serves as the secondary assembly point,
offering a large, open area that can accommodate all employees.
3. Branches and ATMs:
•
Each branch and ATM location across the island, as well as overseas
branches, are required to have their own designated primary and
secondary assembly points, identified based on local circumstances
and safety considerations. These locations are documented in branch-specific
annexes to the DRP.
4. Safety and Headcount Procedures:
•
Safety Officers: Each assembly point has designated safety officers
responsible for guiding employees to safety, conducting headcounts,
and communicating with emergency services.
•
Headcount: Upon arrival at the assembly point, a roll call is conducted
to ensure all employees are accounted for. The safety officer then
reports the headcount to the Disaster Recovery Planning Committee or
the designated emergency response leader.
5. Communication:
•
Emergency Communication: Employees are informed of the
assembly point locations during regular disaster recovery training
sessions. Additionally, emergency communication channels are
established to provide updates or change instructions if necessary.
•
Information Board: At each assembly point, an information board
will display important updates, contacts, and instructions for
employees during the emergency.
6. Review and Update:
•
The locations of assembly points, along with the safety and headcount
procedures, are reviewed annually as part of the DRP review process
or following any significant changes to the bank’s operations or
infrastructure. This ensures that the designated areas remain suitable
and accessible.
4.2.11.1.3 Activation of Emergency Response Team
The Activation of Emergency Response Team section of the METROPOLIS
CAPITAL Bank Disaster Recovery Plan (DRP) outlines the protocol for
mobilizing the bank's Emergency Response Team (ERT) in the event of a
disaster. This team plays a crucial role in the initial response efforts, ensuring
the safety of personnel, securing bank assets, and initiating recovery
operations.
1. Composition of the Emergency Response Team:
The ERT is composed of key personnel from various departments,
including but not limited to:
•
Team Leader: Typically, the Chief Information Security Officer
(CISO) or a designated senior manager with comprehensive knowledge
of the DRP.
•
Safety Officers: Individuals responsible for ensuring employee safety,
managing evacuations, and coordinating with emergency services.
•
IT Specialists: Members tasked with securing IT infrastructure,
assessing damage, and implementing initial recovery steps.
•
Facilities Managers: Personnel overseeing the physical security and
integrity of bank properties.
•
Communications Coordinators: Responsible for internal and external
communications, including updates to employees, customers, and the
media.
•
Human Resources Representatives: Ensuring employee welfare,
managing headcounts, and providing support as needed.
2. Activation Protocol:
•
Disaster Notification: The ERT is activated by the Team Leader
following the receipt of a credible disaster notification that impacts the
bank's operations or facilities.
•
Communication Channels: Activation and subsequent
communications are conducted through pre-established channels,
including secure messaging apps, email, and emergency hotlines, to
ensure reliability and redundancy.
•
Emergency Operations Center (EOC): Upon activation, the ERT
assembles at the designated Emergency Operations Center, a secure
location equipped with the necessary communication and logistical
support for managing the disaster response.
3. Initial Response Actions:
Upon activation, the ERT undertakes the following initial actions:
•
Assessment: Conduct a rapid assessment of the situation to understand
the scope and impact of the disaster.
•
Employee Safety: Ensure the safety of all employees through
evacuation, assembly point coordination, or shelter-in-place
instructions, as appropriate.
•
Communication: Initiate communication protocols to inform all
stakeholders of the situation and the actions being taken.
•
Secure Assets: Implement measures to secure physical and IT assets,
including confirming that data backups are intact and isolated from any
affected systems, and activating physical security systems.
4. Coordination with External Agencies:
•
The ERT coordinates with local emergency services, utility companies,
and other relevant agencies to manage the immediate impacts of the
disaster and facilitate recovery efforts.
5. Documentation and Reporting:
•
All actions taken by the ERT are documented in real-time, including
decision-making processes, communications sent, and resources
deployed. This documentation is critical for post-disaster analysis and
reporting requirements.
6. Transition to Recovery:
•
Once the immediate response phase is under control, the ERT
facilitates the transition to the broader recovery efforts led by the
Disaster Recovery Planning Committee, ensuring a seamless handover
of responsibilities and information.
7. Training and Drills:
•
Members of the ERT participate in regular training sessions and drills
to ensure they are prepared to respond effectively in the event of a
disaster. These exercises cover various disaster scenarios, response
procedures, and recovery protocols.
8. Review and Continuous Improvement:
•
The composition, protocols, and performance of the ERT are reviewed
regularly, with adjustments made based on lessons learned from drills,
actual events, and changes in the bank's operational landscape.
4.2.12 Disaster Recovery
The Disaster Recovery section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) delineates the structured approach and specific procedures for
restoring the bank’s operations and IT infrastructure following a disaster. This
comprehensive strategy is designed to minimize downtime, ensure the continuity of
critical services, and maintain customer confidence and trust.
1. Recovery Strategy:
•
Prioritization of Systems and Functions: Identify and prioritize
critical systems, applications, and business functions based on their
importance to the bank’s operations. Recovery efforts are focused first
on restoring these critical components to minimize impact on services.
•
Recovery Sites: Utilize the bank's secondary data center in Galle for
immediate failover of critical systems. Additionally, arrangements with
third-party providers for hot site and cold site facilities support the
recovery of operations if both primary and secondary data centers are
compromised.
•
Data Restoration: Implement procedures for the rapid restoration of
data from backups, ensuring that the most recent and relevant data is
available to resume operations. This includes data stored in off-site
locations and cloud storage to ensure redundancy.
2. Recovery Teams:
•
Formation of Recovery Teams: Assign specific recovery teams
responsible for different aspects of the recovery process, including IT
infrastructure, customer services, financial transactions, and human
resources.
•
Roles and Responsibilities: Clearly define the roles and
responsibilities of each recovery team and its members to ensure a
coordinated and efficient recovery process.
3. Communication Plan:
•
Internal Communication: Establish clear channels for
communication within the bank, ensuring that all employees are
informed of the disaster's status, recovery efforts, and their roles in the
recovery process.
•
External Communication: Maintain transparent and timely
communication with customers, regulators, and other stakeholders,
providing updates on the recovery process and any impact on services.
4. Restoration of IT Systems and Services:
•
System Restoration: Follow predefined procedures for the restoration
of IT systems, including hardware, software, and network
infrastructure, based on the prioritization of critical systems.
•
Validation and Testing: Once systems are restored, conduct thorough
testing to validate that they are fully functional and secure before
resuming normal operations, including checking the integrity of restored
data and confirming that access controls, logging, and patch levels are
in place before the systems are reconnected to production.
5. Business Continuity:
•
Temporary Measures: Implement temporary measures, if necessary,
to continue offering critical services to customers while recovery
efforts are ongoing. This may include manual processes or the use of
alternative technology solutions.
•
Phased Resumption of Operations: Plan for a phased resumption of
operations, starting with the most critical services, until full
functionality is restored across the bank.
6. Review and Debrief:
•
Post-Recovery Review: Conduct a comprehensive review of the
disaster recovery efforts to identify lessons learned, challenges
encountered, and areas for improvement.
•
Debrief Sessions: Hold debrief sessions with recovery teams and key
stakeholders to discuss the recovery process, outcomes, and feedback
for future enhancements to the DRP.
7. Documentation and Reporting:
•
Recovery Documentation: Maintain detailed documentation of the
disaster event, recovery efforts, timelines, and resources utilized. This
documentation is essential for regulatory compliance, insurance
claims, and future planning.
•
Regulatory Reporting: Ensure timely reporting to regulatory bodies,
as required, detailing the nature of the disaster, impact on operations,
and steps taken to recover.
8. Continuous Improvement:
•
Update DRP: Update the Disaster Recovery Plan based on insights gained
from the recovery process and post-recovery analysis. This ensures that the
DRP evolves to address new risks and incorporates best practices for
disaster recovery.
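The Recovery Strategy above prioritizes systems by criticality and calls for restoring "the most recent and relevant data" from backups, and the Validation and Testing item requires that restored systems be checked before use. What that means in practice is a restore order that is driven by tier, and a check on every backup before it is used: is the catalog record genuine, does the backup's content still match the digest recorded when it was taken, and is it recent enough to meet the system's recovery point objective (RPO)? The block below is an added example, not part of the METROPOLIS CAPITAL Bank DRP or of any backup product. The tiers, the RPO values, the signing key, the backup contents and the catalog entries are all constructed for the illustration; the signing key is the point, since a digest stored next to the backup can be rewritten by whoever rewrites the backup (a ransomware operator, for instance), whereas an HMAC keyed with a secret held off the backup host cannot.

```python
"""Backup catalog verification and tiered restore ordering.

Added example (not from the METROPOLIS CAPITAL Bank DRP). Tiers, RPOs,
the key, the backup contents and the catalog are constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumption: the catalog signing key is held off the backup hosts (for
# example in an HSM or an offline vault), so a tampered record fails to verify.
CATALOG_KEY = b"demo-catalog-signing-key-not-for-production"

# Assumed RPO per criticality tier (tier 1 = core banking and payments).
RPO_BY_TIER = {1: timedelta(minutes=15), 2: timedelta(hours=4), 3: timedelta(hours=24)}


@dataclass
class BackupRecord:
    system: str
    tier: int
    taken_at: datetime
    sha256: str        # digest of the backup content, recorded when it was taken
    signature: str     # HMAC over the other fields, written with CATALOG_KEY


def _sign(system: str, tier: int, taken_at: datetime, sha256: str) -> str:
    msg = f"{system}|{tier}|{taken_at.isoformat()}|{sha256}".encode()
    return hmac.new(CATALOG_KEY, msg, hashlib.sha256).hexdigest()


def make_record(system: str, tier: int, taken_at: datetime, data: bytes) -> BackupRecord:
    """What the backup job writes into the catalog at backup time."""
    digest = hashlib.sha256(data).hexdigest()
    return BackupRecord(system, tier, taken_at, digest, _sign(system, tier, taken_at, digest))


def check_record(rec: BackupRecord, data: bytes, now: datetime) -> str:
    """Return 'ok' or the first failure, in the order a restorer should care about."""
    expected = _sign(rec.system, rec.tier, rec.taken_at, rec.sha256)
    if not hmac.compare_digest(rec.signature, expected):
        return "signature_invalid"       # catalog record itself is not trustworthy
    if hashlib.sha256(data).hexdigest() != rec.sha256:
        return "integrity_failed"        # backup content changed after the record was made
    if now - rec.taken_at > RPO_BY_TIER[rec.tier]:
        return "rpo_exceeded"            # genuine but too old for this tier's RPO
    return "ok"


def plan_restore(catalog: List[BackupRecord], blobs: Dict[str, bytes],
                 now: datetime) -> Tuple[List[str], Dict[str, str]]:
    """Order restorable systems by tier (1 first), and list blocked ones with the reason."""
    order, blocked = [], {}
    for rec in sorted(catalog, key=lambda r: (r.tier, r.system)):
        status = check_record(rec, blobs[rec.system], now)
        if status == "ok":
            order.append(rec.system)
        else:
            blocked[rec.system] = status
    return order, blocked


# Constructed sample data: "now", the backup contents and the catalog entries.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_BLOBS = {
    "core_banking": b"core ledger snapshot",
    "payments_gw": b"payment queue snapshot",
    "crm": b"customer records snapshot",
    "hr_portal": b"hr data snapshot",
    "intranet": b"intranet content snapshot",
}
SAMPLE_CATALOG = [
    make_record("core_banking", 1, NOW - timedelta(minutes=10), SAMPLE_BLOBS["core_banking"]),
    make_record("payments_gw", 1, NOW - timedelta(minutes=45), SAMPLE_BLOBS["payments_gw"]),
    make_record("crm", 2, NOW - timedelta(hours=1), b"customer records snapshot (original)"),
    make_record("hr_portal", 3, NOW - timedelta(hours=2), SAMPLE_BLOBS["hr_portal"]),
    make_record("intranet", 3, NOW - timedelta(hours=5), SAMPLE_BLOBS["intranet"]),
]
# Simulated tampering: the crm backup was altered after its record was written
# (its blob above no longer matches), and the hr_portal record was forged.
SAMPLE_CATALOG[3].signature = "0" * 64


def demo() -> Tuple[List[str], Dict[str, str]]:
    return plan_restore(SAMPLE_CATALOG, SAMPLE_BLOBS, NOW)


if __name__ == "__main__":
    restore_order, blocked_systems = demo()
    print("restore in this order:", restore_order)
    print("needs a decision first:", blocked_systems)
```

The blocked list is deliberately not resolved automatically. An RPO breach on a tier 1 system is a decision for the Disaster Recovery Manager (restore an older copy and reconcile, or wait for a better source), and an integrity or signature failure is evidence that should be preserved for the incident investigation rather than overwritten by a restore.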
4.2.13 Disaster Recovery Team
The Disaster Recovery Team section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) specifies the organizational structure, roles, and responsibilities
of the teams dedicated to managing and executing the recovery process in the event of
a disaster. This multidisciplinary team is crucial for coordinating efforts across
different departments and ensuring the swift restoration of operations and IT
infrastructure.
1. Organizational Structure:
•
The disaster recovery effort is coordinated by a central Disaster Recovery
Team, which is subdivided into specialized units focused on specific areas
of recovery. Each unit is led by a team leader who reports to the Disaster
Recovery Manager (the CISO, who leads the Disaster Recovery Management
unit), ensuring a cohesive and coordinated response.
2. Core Units of the Disaster Recovery Team:
•
Disaster Recovery Management:
Leader: Chief Information Security Officer (CISO)
Responsibilities: Overseeing the entire disaster recovery process,
making strategic decisions, liaising with senior management, and
ensuring communication with all stakeholders.
•
IT Recovery Unit:
Leader: IT Director
Responsibilities: Restoring critical IT infrastructure, systems, and
data. Managing backup restoration, system testing, and ensuring the
security of IT systems during the recovery process.
•
Business Continuity Unit:
Leader: Operations Manager
Responsibilities: Ensuring that key business operations continue
during the recovery process. Implementing alternative processes and
coordinating with external partners to maintain service delivery.
•
Communications Unit:
Leader: Communications Director
Responsibilities: Managing internal and external communications,
updating employees, customers, and stakeholders on the status of
recovery efforts, and handling media inquiries.
•
Facilities and Logistics Unit:
Leader: Facilities Manager
Responsibilities: Assessing and repairing physical damage to
facilities, managing logistics for the recovery operation, and ensuring
the safety and security of physical assets.
•
Human Resources Unit:
Leader: HR Manager
Responsibilities: Supporting employee needs during the disaster
recovery process, managing staffing requirements for recovery efforts,
and communicating with employees about disaster-related changes and
procedures.
•
Finance and Administration Unit:
Leader: Finance Director
Responsibilities: Managing financial aspects of the disaster recovery
process, including cost tracking, insurance claims, and procuring
resources for recovery efforts.
3. Team Activation and Deployment:
•
Upon identification of a disaster event that triggers the DRP, the Disaster
Recovery Manager activates the Disaster Recovery Team. Each unit leader
then assembles their respective units and initiates the pre-defined recovery
procedures relevant to their area of responsibility.
4. Training and Preparedness:
•
Regular Training: All members of the Disaster Recovery Team
participate in regular training sessions and drills to ensure they are
prepared to execute their duties effectively under the stress of a disaster
scenario.
•
Cross-Training: Cross-training is provided within units to ensure
redundancy in critical roles, enhancing the team's resilience to potential
unavailability of key personnel.
5. Communication and Coordination:
•
Central Coordination Point: The Disaster Recovery Manager serves as
the central coordination point for all recovery activities, ensuring that
efforts across units are synchronized and that resources are allocated
efficiently.
•
Regular Updates: Unit leaders provide regular updates to the Disaster
Recovery Manager, who then consolidates information for strategic
decisions and stakeholder updates.
6. Post-Recovery Evaluation:
•
Following the conclusion of the disaster recovery efforts, the Disaster
Recovery Team participates in a post-recovery evaluation to assess the
effectiveness of the response, identify lessons learned, and recommend
updates to the DRP based on the experience.
4.2.14 Emergency Alert, Escalation and DRP Activation
The Emergency Alert, Escalation, and DRP Activation section of the METROPOLIS
CAPITAL Bank Disaster Recovery Plan (DRP) outlines the protocols for detecting
emergencies, escalating concerns, and formally activating the disaster recovery
procedures. This systematic approach ensures timely responses to threats and
minimizes the impact on the bank’s operations.
4.2.14.1 Emergency Alert
The Emergency Alert section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) establishes the protocols for promptly notifying internal
and external stakeholders of a disaster or emergency situation. This system is
designed to ensure rapid dissemination of critical information, enabling swift
action to protect employees, secure assets, and minimize operational
disruptions.
1. Alert System Overview:
•
Integrated Alert System: METROPOLIS CAPITAL Bank employs an
integrated alert system capable of reaching all employees, stakeholders,
and relevant external parties through multiple channels, including
email, SMS, automated phone calls, and the bank's internal
communication platforms, so that the failure of any one channel does not
prevent delivery.
•
Activation Criteria: The system is activated under various scenarios,
including natural disasters, cybersecurity breaches, significant
operational failures, or any incident posing a substantial threat to the
bank's personnel, operations, or infrastructure.
2. Internal Notification Process:
•
Immediate Notification: Upon identification of a potential or actual
emergency, the designated official or department responsible for initial
detection sends an immediate alert to the Disaster Recovery Planning
Committee and senior management.
•
Employee Alerts: Concurrently, an emergency alert is issued to all
employees, providing initial information about the nature of the
emergency, expected actions (such as evacuation or shelter in place),
and references to safety protocols.
•
Continuous Updates: Follow-up communications are sent to provide
ongoing updates, additional instructions, and the status of the disaster
recovery efforts as the situation evolves.
3. External Notification Process:
•
Regulatory and Emergency Services Notification: If required,
regulatory bodies (such as the Central Bank) and emergency services
are notified about incidents impacting the bank's operations or
requiring external assistance.
•
Customer Communication: Customers are informed about the impact
on banking services through the bank’s website, social media channels,
and direct communication when necessary, ensuring transparency and
maintaining trust.
•
Vendor and Partner Communication: Key vendors and partners are
alerted if the disaster affects operational processes or service delivery,
ensuring they are prepared to support recovery efforts or adjust their
operations accordingly.
4. Alert Content and Guidance:
•
Clear and Concise Information: Alerts contain clear, concise
information about the nature of the emergency, recommended actions,
and sources for further updates, avoiding technical jargon to ensure
understanding across diverse audiences.
•
Safety Instructions: Primary emphasis is placed on safety
instructions, including evacuation orders, assembly point locations, or
shelter-in-place directives, ensuring the well-being of all employees
and stakeholders.
5. System Testing and Maintenance:
•
Regular Testing: The alert system is tested regularly to ensure its
functionality and reliability. This includes testing all communication
channels, message delivery speeds, and system capacity to handle high
volumes of messages simultaneously.
•
System Updates: The system is reviewed and updated based on test
results, technological advancements, and changes in the bank's
operational needs, ensuring the alert mechanism remains effective and
efficient.
6. Training and Awareness:
•
Employee Training: Regular training sessions are conducted to
familiarize employees with the emergency alert system, including how
to respond to alerts and the importance of maintaining updated contact
information in the system.
•
Stakeholder Awareness: Information about the emergency alert
protocols is shared with customers, vendors, and partners, ensuring
they are aware of how they will be informed in the event of a disaster.
4.2.14.2 DR Procedures for Management
The DR Procedures for Management section of the METROPOLIS CAPITAL
Bank Disaster Recovery Plan (DRP) outlines specific actions and protocols
that senior management must follow in the event of a disaster. These
procedures ensure that leadership can effectively oversee and direct disaster
recovery efforts, safeguard the bank's assets, maintain stakeholder confidence,
and ensure the continuity of critical operations.
1. Initial Response and Assessment:
•
Immediate Activation: Upon notification of a potential disaster,
senior management is responsible for the immediate activation of the
Disaster Recovery Planning Committee and relevant emergency
response teams.
•
Situation Assessment: Conduct a rapid initial assessment to
understand the scope and impact of the disaster. This involves
gathering information from the emergency response team, IT
department, facilities management, and external sources.
2. Communication and Coordination:
•
Stakeholder Communication: Ensure timely and accurate
communication with internal and external stakeholders, including
employees, customers, regulators, and shareholders, about the nature of
the disaster, its impact on operations, and the steps being taken.
•
Coordination of Efforts: Oversee the coordination of recovery efforts
across different departments and units, ensuring that resources are
allocated efficiently and recovery tasks are prioritized based on the
criticality of systems and operations.
3. Decision-Making and Strategy Implementation:
•
Strategic Decisions: Make strategic decisions regarding the allocation
of resources, activation of alternate sites, and implementation of
contingency plans. This includes decisions on whether to declare a
disaster formally and activate the full DRP.
•
Policy Adjustments: Approve any necessary temporary adjustments to
policies or procedures to facilitate recovery efforts, ensuring these
adjustments are compliant with regulatory requirements and do not
compromise security or operational integrity.
4. Financial Oversight:
•
Financial Resources: Mobilize financial resources needed for the
disaster recovery efforts. This may involve accessing emergency funds,
reallocating budgets, or engaging with financial institutions for
necessary support.
•
Expense Tracking: Implement mechanisms for tracking disaster-related
expenses to ensure accurate accounting and facilitate future
insurance claims or audits.
5. Legal and Regulatory Compliance:
•
Regulatory Notifications: Ensure timely notification to regulatory
bodies as required by law or industry standards, maintaining
transparency about the disaster's impact and recovery efforts.
•
Legal Counsel: Consult with legal counsel to understand the potential
legal implications of the disaster and recovery actions, ensuring
compliance with contractual obligations and regulatory requirements.
6. Review and Adaptation:
•
Ongoing Assessment: Continuously assess the effectiveness of the
recovery efforts, adapting strategies as needed based on evolving
circumstances and new information.
•
Post-Disaster Review: Lead a comprehensive post-disaster review to
evaluate the response, document lessons learned, and identify areas for
improvement in the DRP and overall disaster preparedness.
7. Leadership and Morale:
•
Visible Leadership: Maintain a visible leadership presence, both
physically and through communication channels, to provide
reassurance to employees, customers, and other stakeholders.
•
Support and Morale: Ensure that support mechanisms are in place for
employees affected by the disaster, recognizing the emotional and
physical toll and fostering resilience within the organization.
4.2.14.3 Contact with Employees
The Contact with Employees section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) delineates the strategies and protocols for
maintaining clear, continuous, and effective communication with the bank's
employees before, during, and after a disaster. This communication is essential
for ensuring employee safety, providing instructions for disaster response
activities, and maintaining morale and operational continuity.
1. Pre-Disaster Preparedness Communication:
•
Awareness and Training: Regularly communicate with employees
about disaster preparedness, including training sessions on emergency
procedures, evacuation plans, and the importance of keeping personal
contact information up to date in the bank's records.
•
DRP Overview: Provide employees with an overview of the DRP,
emphasizing their roles and responsibilities in the event of a disaster, to
ensure they understand how to respond effectively.
2. Immediate Disaster Response Communication:
•
Emergency Alerts: Utilize the bank's emergency alert system to send
immediate notifications to employees about the disaster, including the
nature of the incident, expected impact, and initial actions to take (e.g.,
evacuation, working remotely).
•
Regular Updates: Provide regular updates through established
communication channels (email, SMS, intranet, etc.) about the ongoing
situation, including changes to operating hours, alternate working
locations, and safety instructions.
3. Ongoing Communication During Recovery:
•
Status Updates: Continuously inform employees about the status of
recovery efforts, including timelines for restoring operations,
availability of systems and facilities, and any temporary operational
adjustments.
•
Support and Resources: Communicate available support and
resources for employees affected by the disaster, including counseling
services, financial assistance, and information on local recovery
resources.
4. Post-Disaster Reintegration and Feedback:
•
Reintegration Plans: Once recovery efforts are underway,
communicate plans for reintegration back into normal work
environments or processes, including phased returns to work,
continued remote work arrangements, or relocation of workspaces if
necessary.
•
Feedback and Debriefings: Solicit feedback from employees about
the disaster response and recovery process, and conduct debriefing
sessions to discuss lessons learned, challenges faced, and suggestions
for improvement.
5. Communication Channels:
•
Multi-Channel Approach: Employ a multi-channel approach for
communication to ensure messages reach all employees, considering
email, SMS, phone calls, the bank's internal communication platforms,
and physical bulletin boards as necessary.
•
Emergency Contact Information: Maintain an up-to-date emergency
contact list for all employees to facilitate direct communication in
critical situations.
6. Psychological Support and Well-being:
•
Emotional Support: Acknowledge the psychological impact of
disasters on employees, providing access to counseling services and
support groups to address stress, anxiety, and other emotional
concerns.
•
Regular Check-Ins: Implement regular check-ins by managers or HR
representatives with their teams or individual employees, especially
those directly affected by the disaster, to assess well-being and provide
support.
7. Training and Awareness:
•
Continuous Training: Ensure ongoing training and awareness
programs are in place for disaster preparedness and recovery
procedures, incorporating lessons learned from past incidents to
improve responsiveness and resilience.
4.2.14.4 Backup Staff
The Backup Staff section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the strategy for ensuring the availability of
critical personnel who can step in and maintain the bank's key functions
during and after a disaster. This approach is essential for sustaining operations
when primary staff members are unavailable due to the disaster's impact.
1. Identification of Critical Roles:
•
Critical Role Analysis: Conduct a comprehensive analysis to identify
roles that are critical for the bank’s daily operations, focusing on
functions that must be sustained without interruption to maintain
service levels and compliance.
•
Skillset and Responsibility Mapping: Map the specific skills,
knowledge, and responsibilities associated with each critical role,
ensuring a clear understanding of the requirements for backup
personnel.
2. Selection and Training of Backup Staff:
•
Backup Personnel Roster: Create a roster of backup personnel for
each critical role, selected based on their skills, experience, and
potential to fulfill the responsibilities of the primary role holder.
•
Cross-Training Programs: Implement cross-training programs to
ensure that backup personnel are adequately prepared to take on the
duties of critical roles, including training on specific systems,
processes, and decision-making protocols.
3. Rotation and Familiarization:
•
Regular Rotation: Where feasible, regularly rotate backup personnel
into critical roles for short periods to ensure they remain familiar with
the responsibilities and workflows, enhancing their readiness to step in
during a disaster.
•
Familiarization Exercises: Conduct regular exercises and simulations
that involve backup staff, allowing them to practice their roles in
disaster scenarios and receive feedback on their performance.
4. Communication and Accessibility:
•
Contact Information: Maintain up-to-date contact information for all
backup personnel, ensuring they can be reached quickly in the event of
a disaster.
•
Remote Access: Ensure backup personnel have the necessary access to
systems and information required to perform critical functions
remotely, if needed. This access should be provisioned in advance on a
least-privilege basis, protected by the same multi-factor authentication
and logging as the primary role holder's access, and reviewed whenever
the backup roster changes so that standby privileges do not accumulate.
5. Psychological and Logistical Support:
•
Support Mechanisms: Establish support mechanisms for backup
personnel, recognizing the potential for increased stress and workload
during a disaster. This includes access to counseling services, clear
guidance from management, and logistical support for remote work or
travel.
6. Succession Planning:
•
Long-Term Succession Planning: Incorporate backup staffing into
the bank’s broader succession planning efforts, ensuring a pipeline of
trained personnel ready to step into critical roles as part of long-term
organizational resilience.
7. Regular Review and Updates:
•
Annual Review: Regularly review and update the backup staff plan to
reflect changes in organizational structure, critical functions, and
personnel. This includes reassessing the roster of backup personnel and
updating training programs.
•
Post-Disaster Evaluation: After any disaster recovery operation,
evaluate the effectiveness of backup staff in fulfilling their roles. Use
insights from this evaluation to refine the backup staffing strategy and
training programs.
4.2.14.5 Recorded Messages / Updates
The Recorded Messages / Updates section of the METROPOLIS CAPITAL
Bank Disaster Recovery Plan (DRP) details the use of recorded messages and
updates as a means to communicate critical information to employees,
customers, and other stakeholders during a disaster. This communication
strategy ensures consistent, accurate, and timely information dissemination,
especially when live communication channels might be compromised or
overwhelmed.
1. Purpose and Scope:
• Emergency Communication: Utilize recorded messages and updates to convey essential information regarding the disaster, including status updates, instructions for safety, and information on banking services availability.
• Accessibility: Ensure that recorded messages are accessible through multiple channels, such as the bank's main phone line, website, mobile app, and social media platforms, to reach a broad audience.
2. Content of Recorded Messages:
• Initial Alert: A brief message acknowledging the disaster, assuring stakeholders of the bank's response efforts, and providing basic instructions or safety guidelines.
• Status Updates: Regular updates regarding the status of the bank's operations, recovery efforts, and any changes to banking services or hours of operation.
• Instructions for Customers: Specific instructions for customers regarding account access, alternative banking options (e.g., online, mobile, ATM), and where to find further information or assistance.
• Employee Information: Instructions for employees regarding work arrangements, safety procedures, and channels for regular updates.
3. Creation and Approval Process:
• Content Development: Develop a template for recorded messages that can be quickly adapted to specific disaster scenarios, ensuring consistency in communication.
• Approval: All recorded messages are subject to approval by the Communications Unit or designated senior management to ensure accuracy, appropriateness, and alignment with the bank's communication strategy.
4. Updating and Maintenance:
• Regular Updates: Recorded messages are regularly updated as new information becomes available or as the situation evolves to ensure stakeholders have access to the latest information.
• Technical Support: Ensure technical support is available to maintain and update recorded message systems, including backup power solutions to keep systems operational during power outages.
5. Feedback and Contact Information:
• Feedback Mechanism: Include information on how stakeholders can provide feedback or obtain further assistance, such as a dedicated hotline, email address, or web form.
• Contact Information: Provide contact details for further inquiries, emphasizing any 24/7 support channels available for urgent needs.
6. Accessibility and Inclusivity:
• Multiple Languages: Offer recorded messages in multiple languages relevant to the bank's customer base to ensure inclusivity and accessibility.
• Accessibility Features: Incorporate features for individuals with disabilities, such as text transcripts of audio messages for the hearing impaired.
7. Testing and Preparedness:
• System Testing: Regularly test the recorded message system to ensure functionality and the ability to update messages promptly in response to a disaster.
• Employee Training: Train relevant staff on how to update and manage the recorded message system, including content creation, technical maintenance, and accessibility considerations.
4.2.14.6 Alternate Recovery Facilities / Hot Site
The Alternate Recovery Facilities / Hot Site section of the METROPOLIS
CAPITAL Bank Disaster Recovery Plan (DRP) outlines the strategy for
utilizing alternate facilities to ensure the continuity of critical operations in the
event that primary sites are rendered unusable due to a disaster. This
component is crucial for minimizing downtime and maintaining service
delivery to customers.
1. Definition and Purpose:
• Hot Site: A hot site is a fully equipped alternate facility where the bank can quickly relocate its operations following a disaster. This site is pre-configured with the necessary hardware, software, telecommunications, and infrastructure to resume critical functions with minimal delay.
• Purpose: The primary purpose of a hot site is to provide a swift and efficient transition of critical operations to ensure business continuity and minimal service disruption.
2. Hot Site Location and Configuration:
• Strategic Location: The hot site is strategically located at a significant distance from the primary facilities to reduce the likelihood of being affected by the same disaster. Consideration is given to factors such as geographic risks, accessibility, and infrastructure stability.
• Configuration: The hot site is configured to mirror the critical functions of the primary sites, including necessary hardware, secure network connections, critical data replicas, and access to essential software applications.
3. Activation Protocol:
• Activation Decision: The decision to activate the hot site is made by the Disaster Recovery Planning Committee based on the assessment of the impact on primary facilities and the projected downtime.
• Notification: Upon activation, employees designated to relocate to the hot site are notified, along with instructions on logistics and timelines.
4. Staffing and Operations:
• Designated Personnel: A pre-determined list of essential personnel required to operate critical functions is maintained, with roles and responsibilities clearly defined for hot site operations.
• Rotation and Training: Regular training and rotation exercises are conducted to ensure that designated personnel are familiar with hot site operations, minimizing transition time during an actual disaster.
5. Data and System Replication:
• Regular Replication: Critical data and systems are regularly replicated to the hot site, ensuring that the most current information is available for recovery operations. This includes both electronic data replication and the physical transfer of necessary documents.
• System Updates: The configuration of the hot site is regularly reviewed and updated to reflect changes in technology, operations, and business requirements at the primary facilities.
6. Communication and Connectivity:
• Telecommunications: The hot site is equipped with robust telecommunications systems to maintain connectivity with customers, employees, and other stakeholders.
• Remote Access: Secure remote access capabilities are provided to allow additional personnel to support hot site operations from alternate locations if necessary.
7. Testing and Maintenance:
• Regular Testing: The functionality of the hot site is tested regularly through drills and exercises that simulate the transfer of operations. This testing includes verifying data integrity, system functionality, and employee readiness.
• Maintenance and Upgrades: Ongoing maintenance is performed to ensure that hardware, software, and infrastructure at the hot site are in optimal condition and aligned with current technologies and operational requirements.
8. Vendor Agreements and Partnerships:
• Vendor Support: Agreements with vendors for the rapid provision of additional equipment, supplies, or services required during hot site activation are maintained.
• Partnerships: Partnerships with local services and utilities at the hot site location are established to ensure operational support and infrastructure stability.
4.2.14.7 Personnel and Family Notification
The Personnel and Family Notification section of the METROPOLIS
CAPITAL Bank Disaster Recovery Plan (DRP) outlines the procedures and
responsibilities for notifying employees and their families about a disaster
situation and the bank's response efforts. This aspect of the plan addresses the
need for clear communication to ensure the safety and well-being of
employees and their loved ones during a crisis.
1. Immediate Personnel Notification:
• Designated Notification Team: A team of designated individuals is responsible for initiating personnel notifications in response to a disaster or emergency.
• Notification Criteria: Personnel notifications are triggered by predefined criteria, such as the declaration of a disaster, activation of the DRP, or any situation that poses an immediate threat to employee safety.
2. Methods of Personnel Notification:
• Multiple Channels: Utilize multiple communication channels to ensure that all employees are reached promptly. These channels may include phone calls, SMS, email, mobile app notifications, and emergency broadcast systems.
• Clear and Concise Messages: Notifications to employees are clear, concise, and provide information on the nature of the emergency, recommended actions (e.g., evacuation, shelter-in-place), and instructions for accessing further updates.
3. Employee Family Notification:
• Family Contact Information: Encourage employees to provide emergency contact information for their family members or loved ones. This information is stored securely and accessed only in emergency situations.
• Family Notification Team: A separate team is responsible for notifying the families of affected employees in the event of a significant disaster, ensuring they are informed about the employee's safety and whereabouts.
4. Safety and Well-being Support:
• Employee Support: Provide access to counseling services and support for employees who may be experiencing stress, anxiety, or emotional distress as a result of the disaster.
• Family Support: Offer support and information to the families of affected employees, addressing their concerns and ensuring their well-being during the crisis.
5. Family Reunification Plan:
• Reunification Center: Establish a designated location where family members can reunite with employees after a disaster, providing a secure and organized environment for reunification.
• Communication with Families: Communicate the location and operational details of the reunification center to family members through designated channels.
6. Regular Updates:
• Ongoing Communication: Provide regular updates to both employees and their families regarding the status of the disaster, the bank's response efforts, and any changes in safety instructions or evacuation procedures.
• Family Contact Updates: Maintain contact with families to provide ongoing information and support, ensuring their peace of mind during the recovery process.
7. Training and Awareness:
• Employee Training: Conduct regular training sessions for employees on how to update their emergency contact information, the bank's notification procedures, and the importance of family preparedness.
• Family Communication: Share information with employees about the bank's commitment to notifying their families in the event of an emergency, encouraging them to keep their contact information up to date.
4.2.15. Media
The Media section of the METROPOLIS CAPITAL Bank Disaster Recovery Plan
(DRP) outlines the bank's strategy for managing communication with various media
outlets and stakeholders during and after a disaster. Effective media management is
crucial for maintaining public trust, ensuring accurate information dissemination, and
managing the bank's reputation in times of crisis.
4.2.15.1 Media Contact
The Media Contact section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) provides a list of key media contacts and outlets that the bank will engage
with during a disaster or crisis situation. Maintaining accurate and up-to-date media
contacts is essential for effective communication and timely information
dissemination.
• Local Newspapers:
o Newspaper Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
• Television Stations:
o TV Station Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
• Radio Stations:
o Radio Station Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
• Online News Outlets:
o News Outlet Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
• Press Agencies:
o Press Agency Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
• Social Media Accounts:
o Official Twitter Account: [Insert Twitter Handle]
o Official Facebook Page: [Insert Facebook Page]
o Official LinkedIn Page: [Insert LinkedIn Page]
• Other Relevant Media Contacts:
o Media Outlet/Contact Name: [Insert Name]
o Contact Person: [Insert Contact Person]
o Contact Email: [Insert Email]
o Contact Phone: [Insert Phone Number]
4.2.15.2 Media Strategies
The Media Strategies section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the bank's approach to managing communication with
various media outlets and stakeholders during and after a disaster. These strategies are
designed to ensure effective, timely, and consistent communication while maintaining
the bank's reputation and public trust.
1. Transparency and Accuracy:
• Open and Honest Communication: The bank will communicate openly and honestly with the media, providing accurate information to the extent possible while considering security and privacy concerns.
• Timely Updates: The bank will strive to provide timely updates to the media to keep them informed of the situation's progress and the bank's response efforts.
2. Message Consistency:
• Consistent Messaging: The bank will ensure that messaging across all media channels is consistent to avoid confusion and maintain credibility.
• Approved Messages: All messages communicated to the media will be approved by the designated media spokesperson or media relations team to ensure accuracy and alignment with the bank's communication strategy.
3. Media Spokesperson:
• Designated Spokesperson: A designated media spokesperson, trained in crisis communication, will serve as the primary point of contact for all media inquiries.
• Alternate Spokesperson: An alternate spokesperson will be available in the event that the primary spokesperson is unavailable.
4. Media Relations Team:
• Dedicated Media Team: The bank will establish a dedicated media relations team, including individuals with expertise in public relations and crisis communication.
• Training: Members of the media relations team will receive training in crisis communication, interview techniques, and message consistency.
5. Media Policy and Guidelines:
• Clear Media Policy: The bank will maintain a clear media policy that outlines its approach to media communication, including guidelines for interactions, message approval processes, and confidentiality.
• Response Time: The bank will define response timeframes for media inquiries, ensuring that all requests for information are addressed promptly.
6. Social Media and Online Presence:
• Social Media Management: The bank will designate individuals responsible for managing its social media accounts during a disaster, ensuring accurate and consistent messaging.
• Website Updates: A dedicated section on the bank's website will provide disaster-related updates, including safety instructions, service availability, and contact information.
7. Media Monitoring:
• Media Monitoring Tools: The bank will utilize media monitoring tools to track news coverage and social media conversations related to the disaster, allowing for timely responses to emerging issues and misinformation.
• Reputation Management: Strategies for addressing any negative media coverage or rumors will be in place to protect the bank's reputation.
8. Media Training and Preparedness:
• Regular Training: The bank will conduct regular training and drills for the media team and designated spokespeople to ensure they are prepared to handle media inquiries during a crisis.
• Scenario-Based Exercises: Scenario-based exercises will be conducted to simulate media interactions and practice crisis communication strategies.
9. Post-Disaster Analysis:
• Post-Event Analysis: After the disaster and recovery efforts are complete, the bank will conduct a comprehensive analysis of its media communication during the crisis to identify strengths and areas for improvement.
• Lessons Learned: Insights from the analysis will be used to update and refine the media strategy and policies for future disasters.
4.2.15.3 Media Team
The Media Team section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) outlines the composition and roles of the dedicated team responsible for
managing media relations during a disaster or crisis situation. This team plays a
crucial role in ensuring effective communication with various media outlets and
stakeholders.
Media Team
Role                            | Description                                                                              | Contact Information
Media Spokesperson              | Primary point of contact for media inquiries during a disaster.                          |
Alternate Spokesperson          | Available in case the primary spokesperson is unavailable.                               |
Media Relations Officer         | Supports the spokesperson(s) in managing media interactions.                             |
Backup Media Relations Officer  | Available as a contingency in case the primary media relations officer is unavailable.   |
Roles and Responsibilities:
• The media spokesperson(s) is responsible for responding to media inquiries, conducting interviews, and providing accurate information to the media while adhering to the bank's communication policies and guidelines.
• The media relations officer(s) supports the spokesperson(s) in managing media interactions, coordinating interviews, and ensuring that messages are consistent and aligned with the bank's communication strategy.
Training and Preparedness:
• All members of the media team undergo regular training in crisis communication, interview techniques, and message consistency to ensure they are well-prepared to handle media inquiries during a crisis.
• Scenario-based exercises and drills are conducted to simulate media interactions and practice crisis communication strategies, helping the media team build confidence and readiness.
4.2.15.4 Rules for Dealing with Media
The Rules for Dealing with Media section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) provides clear guidelines and protocols for interacting
with various media outlets during and after a disaster or crisis situation. These rules
are essential to ensure consistent and effective communication while safeguarding the
bank's reputation and public trust.
1. Designated Media Spokesperson:
• Primary Point of Contact: The designated media spokesperson is the primary point of contact for all media inquiries. No other employees are authorized to speak on behalf of the bank to the media during a crisis.
2. Media Response Protocol:
• Prompt Response: All media inquiries should be addressed promptly, with the goal of providing timely and accurate information while adhering to the bank's communication policies and guidelines.
• Approval Process: Messages communicated to the media must be approved by the designated media spokesperson or media relations team to ensure accuracy and alignment with the bank's communication strategy.
3. Message Consistency:
• Consistent Messaging: Messages communicated to the media should be consistent across all media channels to avoid confusion and maintain credibility.
4. Media Requests for Information:
• Handling Requests: Media requests for information should be directed to the designated media spokesperson or media relations team. Employees should not provide information directly to the media.
• Response Timeframes: The bank will define response timeframes for media inquiries to ensure that all requests for information are addressed promptly.
5. Confidentiality and Security:
• Confidential Information: Do not disclose confidential or sensitive information to the media. Prioritize security and privacy considerations in all interactions.
6. Avoid Speculation:
• No Speculation: Do not speculate or provide unverified information to the media. Stick to verified facts and information.
7. Managing Negative Coverage:
• Negative Coverage: In the event of negative media coverage or rumors, the media team will follow predefined strategies for addressing and mitigating the impact on the bank's reputation.
8. Media Monitoring:
• Media Monitoring Tools: The bank will utilize media monitoring tools to track news coverage and social media conversations related to the disaster, allowing for timely responses to emerging issues and misinformation.
9. Social Media and Online Presence:
• Social Media Management: Designated individuals will manage the bank's social media accounts during a disaster, ensuring accurate and consistent messaging.
• Website Updates: A dedicated section on the bank's website will provide disaster-related updates, including safety instructions, service availability, and contact information.
10. Post-Disaster Analysis:
• Analysis: After the disaster and recovery efforts are complete, the bank will conduct a comprehensive analysis of its media communication during the crisis to identify strengths and areas for improvement.
• Lessons Learned: Insights from the analysis will be used to update and refine the rules for dealing with media and the media strategy for future disasters.
4.2.16. Insurance
The Insurance section of the METROPOLIS CAPITAL Bank Disaster Recovery Plan
(DRP) outlines the bank's approach to insurance coverage in the event of a disaster.
Having appropriate insurance policies in place is essential for mitigating financial
risks and ensuring the bank's ability to recover and resume operations after a disaster.
Policy Name                     | Coverage Type            | Coverage Period | Amount of Coverage | Person Responsible for Coverage    | Next Renewal Date
Property Insurance              | Property Damage          | Annual          | $XX,XXX,XXX        | [Insert Responsible Person's Name] | [Insert Renewal Date]
Business Interruption Insurance | Business Interruption    | Annual          | $XX,XXX,XXX        | [Insert Responsible Person's Name] | [Insert Renewal Date]
Liability Insurance             | Liability Coverage       | Annual          | $XX,XXX,XXX        | [Insert Responsible Person's Name] | [Insert Renewal Date]
Cyber Insurance                 | Cybersecurity Protection | Annual          | $XX,XXX,XXX        | [Insert Responsible Person's Name] | [Insert Renewal Date]
Business Continuity Insurance   | Business Continuity      | Annual          | $XX,XXX,XXX        | [Insert Responsible Person's Name] | [Insert Renewal Date]
1. Financial Assessment:
• Regular Insurance Review: The bank conducts regular reviews of its insurance policies to assess their adequacy and coverage in the event of different types of disasters.
• Risk Assessment: A risk assessment is performed to identify potential financial risks associated with various disaster scenarios, including damage to physical assets, business interruption, and liability.
2. Financial Requirements:
• Adequate Coverage: The bank ensures that it maintains insurance coverage that is sufficient to address the financial impacts of potential disasters. This includes coverage for property damage, business interruption, liability, and cyber risks.
• Business Continuity Insurance: Business continuity insurance is in place to cover costs associated with resuming operations after a disaster, including temporary relocation expenses.
3. Legal Actions:
• Legal Support: In the event of a disaster, the bank has legal support and access to legal counsel to address any legal actions or claims that may arise.
• Contractual Agreements: The bank reviews contractual agreements with insurance providers to ensure that all terms and conditions are clear and favorable to the bank's interests.
4. Claims Process:
• Claims Management: The bank has established procedures for efficiently managing insurance claims, including documenting losses and expenses.
• Communication: The bank communicates with its insurance providers promptly following a disaster to initiate the claims process.
5. Coverage Verification:
• Regular Updates: The bank ensures that its insurance policies are regularly updated to reflect changes in the bank's operations, assets, and risk profile.
• Coverage Verification: Coverage is verified with insurance providers to confirm that all assets and operations are adequately covered.
6. Policy Accessibility:
• Accessible Policies: Insurance policies and related documents are stored in a secure and accessible location, both physically and digitally, to facilitate quick reference in the event of a disaster.
7. Disaster Recovery Funding:
• Funding Source: Insurance policies serve as a key source of funding for disaster recovery efforts, including the repair and replacement of damaged assets and the resumption of business operations.
8. Business Impact Analysis (BIA):
• BIA Informed by Insurance: The bank's Business Impact Analysis (BIA) process takes into account insurance coverage and potential financial impacts when assessing the consequences of a disaster on the bank's operations.
4.2.17. Financial and Legal Issues
The Financial and Legal Issues section of the METROPOLIS CAPITAL Bank
Disaster Recovery Plan (DRP) addresses the bank's approach to managing financial
and legal matters during and after a disaster. Properly addressing these issues is
essential for the bank's financial stability and legal compliance during the recovery
process.
4.2.17.1 Financial Assessment
The Financial Assessment section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the procedures and considerations for conducting a
financial assessment in the event of a disaster. This assessment is crucial for
determining the financial impact of the disaster and identifying the funding required
for recovery efforts.
1. Immediate Financial Assessment:
In the aftermath of a disaster, an immediate financial assessment will be initiated to determine the extent of financial losses incurred by the bank. This assessment includes the evaluation of the following:
• Property Damage: Assess the damage to physical assets, including buildings, equipment, and technology infrastructure.
• Business Interruption: Evaluate the financial impact of business interruption, including lost revenue and operational disruptions.
• Liabilities: Identify any immediate financial liabilities or obligations arising from the disaster.
2. Funding Identification:
Following the financial assessment, the bank will identify potential funding sources to cover the financial requirements of the recovery efforts. These sources may include:
• Insurance Policies: Assess the coverage and terms of insurance policies to determine the extent of financial support available for recovery.
• Reserves: Utilize any financial reserves or contingency funds that have been set aside for emergency situations.
• Financial Resources: Access available financial resources, including cash reserves, lines of credit, and emergency funds.
3. Business Continuity Funding:
Specific funding will be allocated to support business continuity efforts, ensuring the timely resumption of critical operations and services. This includes:
• Temporary Relocation Costs: Budget for temporary relocation expenses if necessary to maintain operations.
• Employee Compensation: Ensure that funds are available for employee compensation during the recovery period.
4. Financial Reporting:
Regular financial reporting will be provided to key stakeholders, including the board of directors, senior management, and regulatory authorities. This reporting includes:
• Financial Updates: Ongoing updates on the financial impact of the disaster and recovery progress.
• Budget Monitoring: Monitoring of budgetary allocations and expenditures related to recovery efforts.
5. Post-Disaster Analysis:
After the recovery efforts are complete, a post-disaster financial analysis will be conducted to evaluate the financial aspects of the recovery process. This analysis includes:
• Financial Outcomes: Assessment of the final financial outcomes, including total costs incurred and sources of funding utilized.
• Lessons Learned: Identification of lessons learned and insights to improve financial preparedness for future disasters.
4.2.17.2 Financial Requirements
The Financial Requirements section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) details the financial resources necessary to support the bank's
recovery efforts following a disaster. Ensuring that adequate funding is available is
crucial for a successful recovery and the timely resumption of normal operations.
Financial Support:
The bank will allocate and secure sufficient financial support to cover various
expenses and requirements associated with disaster recovery. These financial
requirements include:
1. Repair and Replacement of Assets:
Funds will be earmarked for the repair, replacement, or restoration of damaged physical assets, including buildings, equipment, and infrastructure. This includes:
• Repairing structural damage to facilities.
• Replacing damaged technology and equipment.
• Restoring critical infrastructure, such as power and utilities.
2. Temporary Relocation Costs:
Budget provisions will be made to cover temporary relocation expenses if the disaster renders the bank's primary location unusable. This may include:
• Costs associated with setting up temporary facilities.
• Expenses for leasing alternative office spaces.
• Relocation of essential equipment and resources.
3. Employee Compensation:
Adequate funding will be allocated to ensure that employees are compensated during the recovery period. This includes:
• Payment of salaries and wages to employees.
• Benefits and allowances to support employees affected by the disaster.
4. Business Continuity Funding:
Financial resources will be dedicated to supporting business continuity efforts. This funding is essential for:
• Maintaining essential operations and services.
• Covering additional expenses associated with continuity measures.
5. Regulatory Compliance:
Funding will be set aside to ensure compliance with regulatory requirements during the recovery process. This includes:
• Costs associated with regulatory reporting and compliance activities.
• Expenses related to legal and regulatory obligations.
6. Business Impact Analysis (BIA):
The bank's Business Impact Analysis (BIA) will inform the specific financial requirements needed for different disaster scenarios. This includes:
• Identifying critical functions and processes.
• Assessing financial impacts on various aspects of the bank's operations.
7. Financial Reporting:
Regular financial reporting and updates will be provided to key stakeholders, including senior management, the board of directors, and regulatory authorities. This reporting includes:
• Ongoing monitoring of budgetary allocations and expenditures related to recovery efforts.
• Communication of financial progress and any adjustments needed.
8. Contingency Planning:
The bank will maintain contingency plans and strategies for addressing unforeseen financial requirements that may arise during the recovery process. These plans allow for flexibility in financial decision-making.
4.2.17.3 Legal Actions
The Legal Actions section of the METROPOLIS CAPITAL Bank Disaster Recovery
Plan (DRP) outlines the bank's approach to addressing legal matters that may arise
during and after a disaster. Proper legal actions and compliance are essential for
protecting the bank's interests and maintaining legal obligations.
1. Legal Support:
• In the event of a disaster, METROPOLIS CAPITAL Bank will engage legal counsel to provide guidance and support on legal matters. The bank maintains established relationships with legal firms and individual legal experts.
2. Contractual Agreements:
All contractual agreements, including those with third-party vendors, suppliers and service providers, will be reviewed to assess legal obligations and responsibilities during the recovery process. This includes:
• Review of Force Majeure Clauses: Examination of force majeure clauses to determine whether they apply to the disaster in question.
• Communication with Third Parties: Open and transparent communication with contractual partners to address any legal implications of the disaster.
3. Legal Documentation Review:
A thorough review and validation of all legal documents relating to insurance policies, contracts, agreements and legal obligations will be conducted. This includes:
• Document Verification: Ensuring that all legal documents are accurate, up-to-date and accessible during the recovery process.
• Legal Counsel Engagement: Engaging legal counsel to provide legal advice and guidance throughout the recovery efforts.
4. Regulatory Compliance:
The bank's legal team will monitor regulatory compliance during the disaster recovery process to ensure that all legal obligations are met. This includes:
• Communication with Regulatory Authorities: Maintaining open and transparent communication with regulatory authorities and government agencies, where required.
• Reporting Requirements: Compliance with regulatory reporting and disclosure requirements, as applicable.
5. Liability Mitigation:
A comprehensive liability assessment will be conducted to identify potential areas of exposure and liability. Strategies will be developed to mitigate potential legal liabilities and minimize financial impacts. This includes:
• Claims Management: Efficiently managing claims and liabilities arising from the disaster.
• Legal Defenses: Developing legal defenses, as needed, to protect the bank's interests.
6. Legal Documentation Accessibility:
• Legal documentation, including contracts, agreements and correspondence, will be securely stored and accessible to the legal team and relevant stakeholders, so that all parties have the legal information they need during the recovery process.
7. Post-Disaster Analysis:
After the disaster and recovery efforts are complete, a post-disaster legal analysis will be conducted to evaluate the legal aspects of the recovery process. This analysis includes:
• Legal Outcomes: Assessment of legal outcomes, including any legal actions, claims or settlements.
• Lessons Learned: Identification of lessons learned and insights to improve legal preparedness for future disasters.
4.2.18. DRP Exercising
The DRP Exercising section of the METROPOLIS CAPITAL Bank Disaster
Recovery Plan (DRP) outlines the bank's approach to regularly testing and exercising
the disaster recovery plan. Regular exercises and simulations are essential to ensure
that the plan is effective, employees are trained, and the bank can respond efficiently
in the event of a disaster.
1. Testing Frequency:
METROPOLIS CAPITAL Bank will conduct regular tests and exercises of the DRP to ensure its readiness. The testing frequency includes:
• Annual Tests: A comprehensive test of the entire DRP will be conducted annually to assess its overall effectiveness.
• Quarterly Tabletop Exercises: Quarterly tabletop exercises will be conducted to simulate disaster scenarios and assess the response of key personnel.
• Ad-Hoc Tests: Ad-hoc tests and drills may be conducted to address specific aspects of the DRP or to test newly implemented solutions.
2. Test Scenarios:
Different disaster scenarios will be simulated during exercises to evaluate the bank's response. These scenarios include:
• Natural Disasters: Simulating events such as earthquakes, floods or hurricanes.
• Cybersecurity Incidents: Testing responses to cyberattacks or data breaches.
• Infrastructure Failures: Assessing readiness for infrastructure failures or power outages.
3. Involvement of Key Personnel:
Key personnel from various departments and teams will actively participate in the exercises, including:
• Emergency Response Team: Activation and coordination of the emergency response team.
• IT and Technical Teams: Testing of IT systems and technical recovery procedures.
• Human Resources: Evaluating personnel and communication strategies.
• Legal and Compliance Teams: Assessing legal and regulatory compliance.
• Communication Teams: Testing internal and external communication protocols.
4. Evaluation and Improvement:
After each exercise, a thorough evaluation will be conducted to identify strengths, weaknesses and areas for improvement. This includes:
• Post-Exercise Debrief: A debriefing session to gather feedback and insights from participants.
• Documentation Review: Reviewing the DRP documentation to ensure it reflects the lessons learned from the exercise.
• Plan Updates: Updating the DRP based on exercise outcomes and recommendations.
5. Employee Training:
Regular training sessions will be conducted to ensure that all employees are familiar with the DRP and their roles in disaster recovery. Training includes:
• Awareness Training: Ensuring that all employees understand the importance of disaster recovery.
• Role-Specific Training: Providing role-specific training to employees involved in disaster recovery efforts.
6. Scenario Variability:
Exercises will vary scenarios and conditions to test the bank's ability to adapt to different disaster scenarios. Variability includes:
• Severity Levels: Testing responses to disasters of varying severity.
• Geographic Locations: Conducting exercises at different branch locations to account for regional differences.
7. Reporting and Documentation:
Comprehensive reports will be generated following each exercise, documenting the outcomes, recommendations and actions taken. These reports include:
• Exercise Reports: Summarizing the exercise process, findings and lessons learned.
• Action Plans: Action plans to address identified weaknesses or areas for improvement.
8. Senior Management Review:
Senior management will review the outcomes of the exercises and provide guidance
on necessary improvements and resource allocations. This ensures that the DRP
remains aligned with the bank's strategic goals.
By regularly testing and exercising the DRP, METROPOLIS CAPITAL Bank ensures
that it is well-prepared to respond effectively to disasters. These exercises validate the
plan's effectiveness, enhance employee readiness, and facilitate continuous
improvement in disaster recovery capabilities.
4.3. Justification of the security plan
The comprehensive security plan developed for METROPOLIS CAPITAL Bank
encompasses various critical elements, each carefully selected to address specific aspects of
the bank's security needs. Below is a justification for the inclusion of each key component:
1. Security Policy Document
• Rationale: Establishes a formal set of guidelines and procedures that govern the bank's approach to security. It serves as a reference point for all employees, ensuring everyone understands their role in maintaining the bank's security posture.
• Selected Elements: The document covers data protection, network security, device management and related areas, to ensure a holistic approach to security.
2. Disaster Recovery Plan (DRP)
• Rationale: Prepares the bank for unforeseen events that could disrupt operations. A DRP is critical for financial institutions because of the high stakes involved in terms of customer trust and regulatory compliance.
• Selected Elements: The plan includes disaster categorization, response protocols, recovery procedures and alternate site operations, ensuring the bank can quickly recover and resume normal operations after a disaster.
3. Roles and Responsibilities
• Rationale: Clearly defined roles ensure that all personnel know their specific responsibilities in maintaining and implementing security measures. This clarity is crucial for quick decision-making and an efficient response to security incidents or disasters.
• Selected Elements: The inclusion of the various bank departments and external partners gives comprehensive coverage across all aspects of the bank's operations.
4. Data Backup and Restoration
• Rationale: Essential for safeguarding against data loss, a critical concern for any financial institution. Regular backups and restoration processes that are actually exercised (a backup that has never been restored is unverified) ensure the data integrity and availability on which banking operations depend.
• Selected Elements: Regular restore testing and secure off-site storage of backups mitigate the risk of data loss from the various types of disaster.
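A restore test is only meaningful if the restored data is checked against what was backed up. The script below is an added example, not part of the bank's plan or the original page: it records a SHA-256 manifest of a backup source and verifies a restored copy against it, reporting files that are missing, corrupted or unexpected. The directory layout and file contents are constructed for the demonstration; no real bank data, paths or backup tooling are assumed.

```python
"""Backup manifest and restore verification (added example, not the bank's code).

Builds a SHA-256 manifest of a source tree at backup time and checks a restored
tree against it, reporting files that are missing, corrupted or unexpected.
All paths and file contents are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded at backup time.

    Surfaces the three failure classes a restore drill must catch: files absent
    from the restore, files whose content differs from the backup, and files
    present that were never backed up (a sign of a wrong or stale restore set).
    """
    actual = build_manifest(restored_root)
    expected_names, actual_names = set(manifest), set(actual)
    return {
        "missing": sorted(expected_names - actual_names),
        "corrupted": sorted(n for n in expected_names & actual_names if manifest[n] != actual[n]),
        "extra": sorted(actual_names - expected_names),
    }


def restore_test_passes(result: Dict[str, List[str]]) -> bool:
    """A restore drill passes only when every category is empty."""
    return not any(result.values())


def demo() -> Dict[str, List[str]]:
    """Constructed drill: back up three files, then simulate a restore that
    loses one file and silently truncates another."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (source / "ledger").mkdir(parents=True)
        (restored / "ledger").mkdir(parents=True)

        # Constructed sample records standing in for bank data.
        (source / "ledger" / "accounts.csv").write_bytes(b"id,balance\n1,100\n2,250\n")
        (source / "ledger" / "transactions.csv").write_bytes(b"id,amount\n1,-20\n")
        (source / "config.ini").write_bytes(b"[db]\nhost=db01\n")
        manifest = build_manifest(source)  # in practice stored apart from the backup media

        # Simulated restore: accounts.csv intact, transactions.csv truncated
        # (corruption), config.ini never restored (missing).
        (restored / "ledger" / "accounts.csv").write_bytes(b"id,balance\n1,100\n2,250\n")
        (restored / "ledger" / "transactions.csv").write_bytes(b"id,amount\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    outcome = demo()
    print("restore drill passed" if restore_test_passes(outcome) else f"restore drill FAILED: {outcome}")
```

In a real drill the manifest is written at backup time and kept separately from the backup media, so that a corrupted or tampered backup cannot also corrupt its own checksums; the same comparison then runs after every restore test, and a non-empty missing or corrupted list fails the drill and feeds the post-exercise report.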
5. Network Security and Device Management
• Rationale: Given the bank's extensive use of digital channels and online banking, securing the network and managing devices are vital to protect against cyber threats and to preserve the confidentiality, integrity and availability of banking services.
• Selected Elements: VPNs, firewalls, secure Wi-Fi guidelines and BYOD policies help protect against unauthorized access and data breaches.
6. Training and Awareness
• Rationale: Human error is a significant risk factor in cybersecurity. Regular training and awareness programs equip employees to recognize and respond to security threats, reducing the risk of successful cyberattacks.
• Selected Elements: The plan incorporates continuous employee education on security best practices and emerging threats.
7. Compliance and Legal Requirements
• Rationale: As a financial institution, METROPOLIS CAPITAL Bank is subject to various regulatory requirements. Ensuring compliance avoids legal penalties and protects the bank's reputation.
• Selected Elements: Regular audits, policy updates and training on legal requirements ensure ongoing compliance.
8. Continuous Monitoring and Improvement
• Rationale: The security landscape, and the threats in it, are constantly evolving. Continuous monitoring and regular updates to security policies and procedures keep the bank's defenses effective against new threats.
• Selected Elements: Regular testing, feedback mechanisms and benchmarking against industry standards keep the bank's security measures up to date and effective.
By incorporating these elements, the security plan aims to create a robust and resilient
security environment for METROPOLIS CAPITAL Bank, ensuring the protection of
its assets, data, and, importantly, its customer trust and reputation.
4.4 Evaluate the suitability of the tools used to meet business needs
Evaluating the suitability of the tools and strategies outlined in the organizational policy for
METROPOLIS CAPITAL Bank involves considering how well they align with the bank's
business needs. Here's an assessment based on the scenario provided:
1. Security Policy Document
• Suitability: This document is highly suitable, as it sets a clear framework for security practices within the bank. It aligns with the business need for a structured approach to managing and mitigating the risks associated with handling sensitive financial data.
• Business Alignment: Helps maintain regulatory compliance and safeguard customer trust, both of which are critical for the bank's reputation and operational integrity.
2. Disaster Recovery Plan (DRP)
• Suitability: The DRP is essential for any financial institution, especially given the heavy reliance on data centers and digital banking platforms. The plan's focus on quick recovery and minimal service disruption aligns with the need to maintain continuous banking operations.
• Business Alignment: Ensures business continuity, which is vital for customer retention and regulatory compliance in the banking sector.
3. Roles and Responsibilities
• Suitability: Clearly defined roles ensure accountability and an efficient response to security incidents or disasters. This approach suits complex organizations such as banks, where coordinated effort across departments is crucial.
• Business Alignment: Directly supports operational efficiency and effective risk management, key aspects of banking operations.
4. Data Backup and Restoration
• Suitability: Given the bank's reliance on data for all of its operations, this tool is highly suitable. Regular backups and secure, tested restoration processes are fundamental to the bank's resilience.
• Business Alignment: Protects against data loss, ensuring the bank can quickly resume normal operations after a disaster, which is crucial for customer service and trust.
5. Network Security and Device Management
• Suitability: In the era of digital banking these tools are extremely suitable. They provide a robust defense against cyber threats, which are a significant risk for banks.
• Business Alignment: Securing the network and managing devices protects the bank from data breaches and cyber-attacks, safeguarding customer data and the bank's reputation.
6. Training and Awareness
• Suitability: An appropriate tool, given that the human factor is often the weakest link in cybersecurity. Regular training can significantly reduce the risk of breaches caused by human error.
• Business Alignment: Enhances the bank's overall security culture, promoting safer practices among employees and reducing operational risk.
7. Compliance and Legal Requirements
• Suitability: Mandatory for banking institutions. This tool keeps the bank aligned with legal and regulatory standards, which are dynamic and critical in the financial sector.
• Business Alignment: Directly contributes to maintaining the bank's legal standing and public trust, both fundamental to business operations.
8. Continuous Monitoring and Improvement
• Suitability: Essential in a rapidly evolving threat landscape. Continuous monitoring and regular updates keep the bank's security measures effective.
• Business Alignment: Supports the bank's agility and adaptability in its security posture, which is crucial for long-term sustainability and competitiveness in the financial industry.
In conclusion, the tools and strategies in the policy are well-suited to meet the
business needs of METROPOLIS CAPITAL Bank. They align with the bank's
objectives of maintaining operational continuity, protecting customer data, ensuring
regulatory compliance, and upholding the bank's reputation in the marketplace.
4.5 Stakeholders of METROPOLIS CAPITAL Bank and their roles in building security audit recommendations for the organization
In the context of METROPOLIS CAPITAL Bank, various stakeholders play pivotal roles in
building security audit recommendations for the organization. These stakeholders can be
internal or external to the bank, each contributing uniquely to the bank's security posture.
Below is an identification of these stakeholders and a description of their roles:
1. Senior Management and Board of Directors
• Role: They provide strategic direction and oversight for security initiatives. Their support is crucial for allocating resources (budget, personnel) to security improvements, and they ensure that security audit recommendations align with the bank's overall strategic objectives.
2. IT Department
• Role: Responsible for implementing and managing the bank's IT infrastructure, the IT department executes the technical aspects of security audit recommendations: remediating system vulnerabilities, updating security controls, and managing network and data security.
3. Chief Information Security Officer (CISO)
• Role: The CISO leads the development and enforcement of security policies, interprets audit findings and translates them into actionable recommendations, and ensures continuous improvement of the bank's security posture.
4. Risk Management Team
• Role: This team assesses and manages organizational risk. In the audit process it evaluates the risks highlighted by the audit and prioritizes actions according to the risk each poses to the bank.
5. Compliance and Legal Departments
• Role: They ensure that all audit recommendations comply with relevant laws, regulations and standards. Their role is critical in addressing compliance-related findings and avoiding legal and regulatory penalties.
6. Operational Staff and Branch Managers
• Role: These are the frontline personnel who run the bank's daily operations. They provide practical insight into how security policies affect day-to-day operations and customer service, and they are crucial for implementing the procedural changes that arise from audit recommendations.
7. Human Resources
• Role: Responsible for staff training and awareness programs. HR ensures that employees are educated about security best practices, which is often a key recommendation of security audits.
8. External Audit Firms
• Role: External auditors provide an objective assessment of the bank's security posture. They identify vulnerabilities and gaps in security and offer an independent perspective in their recommendations.
9. Customers
• Role: As end users of the bank's services, customers can provide feedback on security measures and their impact. Customer feedback can be valuable in shaping user-centric security improvements.
10. Technology Vendors and Service Providers
• Role: Vendors and service providers who supply and maintain critical IT systems and infrastructure play a part in executing audit recommendations, especially those involving technical upgrades and enhancements.
11. Regulatory Bodies
• Role: They set the standards and regulations for security in the banking industry. Understanding their requirements is crucial to ensuring that audit recommendations keep the bank compliant with regulatory expectations.
12. Industry Experts and Security Consultants
• Role: These stakeholders offer expertise in best practices and emerging threats. They can provide valuable insight for enhancing the bank's security strategies based on audit findings.
Each stakeholder contributes a unique perspective and set of skills to the process of
building and implementing security audit recommendations. Their collective involvement
ensures that the bank’s security strategies are comprehensive, practical, and aligned with
both business objectives and industry standards.
4.6 PowerPoint Presentation of METROPOLIS CAPITAL Bank Recovery Plan