The provided scenario pertains to the XYZ Credit Union/Bank. The issues or risks that could or would be faced by the XYZ Credit Union/Bank starts with the fact it must meet the government mandated compliance with Gramm-Leach-Bliley Act (GLBA). The major aspect of GLBA is the security of customer data, which incudes the confidentiality and integrity of the customer data. The confidentiality and integrity of customer data should be controlled by the level of access provided to each employee. Other factors include how each branch is electronically connected to headquarters and each other. The connection between branches and headquarters will need to secured. The availability of the network, systems and servers will be critical to the customer
…show more content…
Each policy addresses one or more potions of the requirements spelled out in the scenario. The internet use policy would address that employee internet access will be monitored and the content will be filtered. The monitoring will provide detection of customer information or other controlled data that is being egressed out of the company. The content filtering would allow the company to limit access to websites that could be create a hostile work environment and limit access to sites that host malware. The external device use policy will provide direction to the IT department to limit or eliminate the ability for external devices to be recognized and used on a system by technological methods. It would also explain how employees are not allowed to use external devices without signed authorization from the Chief Information Officer (CIO). The employee ID policy would state that each employee who needs to access the network, systems or server would need their own login credentials. The policy would as include login credentials shall not be shared with others, employees will be provided the least amount of access needed to complete their duties, passwords must be changed every 90 days and review of access will be completed monthly, access will be removed upon termination and changed when job duties are changed. The …show more content…
The encryption policy would pertain to the use of encryption for all customer data at rest or in transit. The policy would pertain to all systems, servers and networks in the company. The personal device use policy will dictate that personal devices shall not be connected to the company’s network and shall not be used to capture any customer data. The email use policy will state that company email system is to be used for business purposes only, will be monitored to prevent the egress of customer data and shall not be used to harass, intimidate or bully other employees or customers. The network segmentation policy would state that the network would be segmented to limit access to every area of the network in a least privileged method and segment the different branches to limit the potential for a hacker to pivot to another branch. The third party access policy would dictate what circumstance must be met for a consultant to access the network, systems or servers. The policy would also reference the network segmentation policy in regards to the separation of third party networks like HVAC controls must be separated and air gapped from the company’s network. The camera monitoring policy will alert employees to the fact cameras are used to monitor
Each policy addresses one or more potions of the requirements spelled out in the scenario. The internet use policy would address that employee internet access will be monitored and the content will be filtered. The monitoring will provide detection of customer information or other controlled data that is being egressed out of the company. The content filtering would allow the company to limit access to websites that could be create a hostile work environment and limit access to sites that host malware. The external device use policy will provide direction to the IT department to limit or eliminate the ability for external devices to be recognized and used on a system by technological methods. It would also explain how employees are not allowed to use external devices without signed authorization from the Chief Information Officer (CIO). The employee ID policy would state that each employee who needs to access the network, systems or server would need their own login credentials. The policy would as include login credentials shall not be shared with others, employees will be provided the least amount of access needed to complete their duties, passwords must be changed every 90 days and review of access will be completed monthly, access will be removed upon termination and changed when job duties are changed. The …show more content…
The encryption policy would pertain to the use of encryption for all customer data at rest or in transit. The policy would pertain to all systems, servers and networks in the company. The personal device use policy will dictate that personal devices shall not be connected to the company’s network and shall not be used to capture any customer data. The email use policy will state that company email system is to be used for business purposes only, will be monitored to prevent the egress of customer data and shall not be used to harass, intimidate or bully other employees or customers. The network segmentation policy would state that the network would be segmented to limit access to every area of the network in a least privileged method and segment the different branches to limit the potential for a hacker to pivot to another branch. The third party access policy would dictate what circumstance must be met for a consultant to access the network, systems or servers. The policy would also reference the network segmentation policy in regards to the separation of third party networks like HVAC controls must be separated and air gapped from the company’s network. The camera monitoring policy will alert employees to the fact cameras are used to monitor