This paper addresses how Bank of America can be secured against future break-ins. It describes two incidents: employees gaining access to customer records and immediately selling them, and a former contractor gaining access to a series of ATMs. It then recommends how such incidents can be averted in the future.
Unauthorized Information Systems Access
Scan the Internet for articles or evidence of Bank of America being a victim of hacking. Based on the results of your search, if the bank has been hacked, assess the circumstances around the hacking and the resulting impact to the bank's customers and operations. If the bank has not reported hacking incidents, assess the most likely security measures that the bank has implemented to protect the business from hackers.
Bank of America has experienced many data breaches in the past, yet the most troublesome are the ones in which customer data is stolen by employees and immediately resold on the black market. There are also instances in which employees and subcontractors gain unauthorized access to ATMs and steal cash. Two recent incidents show how Bank of America's security systems and processes have been compromised not by outside hackers but by employees and others operating within the trust of its business (Adams, 2011). In the first, a Bank of America employee gained access to a wealth of customer data that included names, addresses, Social Security numbers, driver's license numbers, birth dates, e-mail addresses, mother's maiden names, account passwords and PINs, and even account balances (Adams, 2011). In the second, a series of seven Bank of America ATMs were broken into by a former contractor with Diebold Inc. (Adams, 2011). In both situations Bank of America had clearly failed to put in place controls that would limit its employees' ability to access customer data, and had failed to define a process for revoking former contractors' access to its ATMs. The second failure could have been far more damaging had the former Diebold contractor taught a gang or group how to steal the cash from ATMs; Bank of America was fortunate that the loss from this activity was only $200,000 (Adams, 2011). To protect itself from breaches by its own support and customer service staff, Bank of America needs to complete periodic access audits and define a suitable strategy for managing this risk. It also needs a more role-based approach to defining who may access customer data, why, and for what purpose, as this is an essential aspect of security governance (Twum, Ahenkora, 2012).
Bank of America also needs to audit, at random, the security of its entire ATM network, ensuring that subcontractors cannot access machines they are not scheduled to replenish with cash or maintain. Tying access both to a role and to an authorized maintenance service request for the specific device, as part of a broader enterprise security strategy, is essential in diverse operating networks and service organizations (Coppotelli, 1982).
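The control described above, a role check combined with a per-device, time-bound service request, plus the detective audit that reconciles actual ATM access against scheduled work, is shown here as an added example. This is illustrative code written for this page, not Bank of America's, Diebold's or any vendor's system; the roles, user IDs, device IDs, ticket numbers, timestamps and access events are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ServiceRequest:
    """One scheduled visit: who may do what, on which ATM, and during which window."""
    ticket: str
    device_id: str
    assignee: str          # user ID of the technician or courier
    action: str            # "maintenance" or "replenish"
    window_start: datetime
    window_end: datetime

    def covers(self, user, device_id, action, at):
        return (self.assignee == user and self.device_id == device_id
                and self.action == action
                and self.window_start <= at <= self.window_end)


class AtmAccessPolicy:
    """Preventive control: role-based check AND an open ticket for this device, now."""

    # Actions each role may ever perform (constructed role set).
    ROLE_ACTIONS = {
        "atm_technician": {"maintenance"},
        "cash_courier": {"replenish"},
    }

    def __init__(self):
        self.user_roles = {}      # user -> role; a user absent here has no access
        self.open_requests = []   # ServiceRequest objects
        self.audit_log = []       # every decision, allowed or denied

    def provision(self, user, role):
        self.user_roles[user] = role

    def deprovision(self, user):
        """Offboarding: drop the role and cancel the user's outstanding tickets."""
        self.user_roles.pop(user, None)
        self.open_requests = [r for r in self.open_requests if r.assignee != user]

    def schedule(self, request):
        self.open_requests.append(request)

    def authorize(self, user, device_id, action, at):
        """Return (allowed, reason); the decision is appended to audit_log."""
        role = self.user_roles.get(user)
        if role is None:
            return self._record(user, device_id, action, at, False, "no active role")
        if action not in self.ROLE_ACTIONS.get(role, set()):
            return self._record(user, device_id, action, at, False, f"role {role} may not {action}")
        # Holding the role is not enough: the device itself must be on an open ticket.
        for req in self.open_requests:
            if req.covers(user, device_id, action, at):
                return self._record(user, device_id, action, at, True, f"ticket {req.ticket}")
        return self._record(user, device_id, action, at, False, "no open service request for this device")

    def _record(self, user, device_id, action, at, allowed, reason):
        self.audit_log.append((at, user, device_id, action, allowed, reason))
        return allowed, reason

    def reconcile(self, events):
        """Detective control: flag recorded ATM accesses (e.g. safe-door events pulled
        from the machines) that no active role and open ticket can account for."""
        flagged = []
        for at, user, device_id, action in events:
            if user not in self.user_roles:
                flagged.append(((at, user, device_id, action), "user has no active role"))
            elif not any(r.covers(user, device_id, action, at) for r in self.open_requests):
                flagged.append(((at, user, device_id, action), "no ticket covers this device"))
        return flagged


T0 = datetime(2011, 5, 24, 9, 0)   # constructed reference time


def demo():
    policy = AtmAccessPolicy()
    policy.provision("tech-4471", "atm_technician")
    policy.provision("courier-0912", "cash_courier")
    policy.schedule(ServiceRequest("SR-1001", "ATM-0207", "tech-4471", "maintenance", T0, T0 + timedelta(hours=2)))
    policy.schedule(ServiceRequest("SR-1002", "ATM-0310", "courier-0912", "replenish", T0, T0 + timedelta(hours=1)))
    decisions = {
        "ticketed": policy.authorize("tech-4471", "ATM-0207", "maintenance", T0 + timedelta(minutes=30)),
        "wrong_device": policy.authorize("tech-4471", "ATM-0310", "maintenance", T0 + timedelta(minutes=30)),
        "outside_window": policy.authorize("tech-4471", "ATM-0207", "maintenance", T0 + timedelta(hours=3)),
        "wrong_action": policy.authorize("courier-0912", "ATM-0310", "maintenance", T0 + timedelta(minutes=10)),
    }
    policy.deprovision("tech-4471")   # contractor offboarded
    decisions["after_offboarding"] = policy.authorize("tech-4471", "ATM-0207", "maintenance", T0 + timedelta(minutes=45))
    # Constructed door-open events as the ATMs themselves would report them.
    events = [
        (T0 + timedelta(minutes=20), "courier-0912", "ATM-0310", "replenish"),   # scheduled
        (T0 + timedelta(hours=5), "tech-4471", "ATM-0207", "maintenance"),      # ex-contractor
        (T0 + timedelta(minutes=40), "courier-0912", "ATM-0412", "replenish"),  # device not ticketed
    ]
    return decisions, policy.reconcile(events)


if __name__ == "__main__":
    for name, (allowed, reason) in demo()[0].items():
        print(f"{name:18s} allowed={allowed!s:5s} {reason}")
    for event, reason in demo()[1]:
        print("UNSCHEDULED", event, reason)
```

The point of `reconcile` is that the preventive check in `authorize` only helps when the access path goes through it; a former contractor with a retained key or a cloned service credential bypasses it, so the periodic audit compares what the machines actually recorded against the ticket schedule and the current roster, which is exactly where the Diebold case would have surfaced.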
As an IT auditor of Bank of America, create an information security strategy for the bank indicating how implementing this strategy will minimize the risk of the business systems being hacked.
Beginning with a role-based access framework, the proposed information security strategy would center on three things: real-time metrics of who is accessing what, periodic and often unannounced audits of security performance and monitoring, and continual re-evaluation of how those metrics can be used to deter fraud. All of these aspects are critical to creating a scalable enterprise platform for deterrence and monitoring (Coppotelli, 1982).
In conjunction with these measures, Bank of America needs a security strategy that spans the scope of its value chain as well. Studies of online banking have found that enterprise security management strategies are most effective when they span the business from the first point of contact with a customer through to the generation of profits (the value chain), and when they are unified with the quantification of trust through metrics and key performance indicators (KPIs) (Twum, Ahenkora, 2012). This is what is lacking in the Bank of America security ecosystem today; the focus needs to shift toward a unified enterprise security strategy that covers the entire value chain, from the customer to the financial intermediaries with which the bank completes transactions.
Conduct an Internet research of security authorization vendors. Based on your research, recommend a product for Bank of America indicating how this product will provide maximum security to the bank's systems.
Bank of America should consider adopting the IBM security framework based on that vendor's Tivoli software suite. What differentiates Tivoli from many other potential security systems is its support for governance, risk and compliance (GRC) management in conjunction with role-based access controls, auditing and key performance indicators (KPIs) across global enterprise system implementations (Hulme, 2012). The Tivoli suite can act as a compliance layer across the company's entire enterprise systems architecture, ensuring that only authorized users in specific roles can access specific customer data and records. It can also be configured to support peripheral- and subsystem-level security and compliance (Hulme, 2012), which would be an effective deterrent against break-ins of the ATM systems. With Tivoli in use, Bank of America could have defined GRC roles and constraints down to the device level, reducing the potential for seven ATMs to be broken into and their cash stolen (Adams, 2011). The suite could also be used to interpret inbound threats from a system-management standpoint and to create deterrents at the application and operating-system level (Hulme, 2012). One caveat for anyone acting on this recommendation: IBM has since folded the Tivoli security products into its IBM Security product line, so the current product names differ from those in the 2012 coverage cited here, even though the capabilities described remain the relevant ones.
As an IT auditor of Bank of America, suggest a modification that you would make to the IT audit plan given the increased risk of unauthorized access to the bank's information systems and what assurance this will provide to you that the data is reliable.