EFG Federal Credit Union is one of the nation’s critical infrastructures and as a financial institution, stores non- public personal information such as social security number, bank account, credit card information, names and addresses. In order to improve its security program and make it more effective, it is recommended that EFG FCU implements best practices and standards in all aspect of its security controls.

1. SECURITY CONTROLS PUT IN
PLACE TO IMPLEMENT EFG
FEDERAL CREDIT UNION
STANDARDS

2. Security controls
Security controls
 Countermeasures to implement organizational
standards in order to safeguard against attacks
 Selected and applied based on the risk assessment
 Technology dependent
Goals
 Maintain integrity
 Protect confidentiality
 Assure availability

3. The need for security controls
in EGF FCU
Financial institution
One of the nation’s critical infrastructures
Stores non public personal information
 Social security number
 Bank account
 Credit card information
 Names and addresses

4. Types of security controls
Management controls
Technical controls
Security controls

5. Policies, procedures, standards, laws,
regulations, and guidelines which form the
framework upon which the organization
operates
 Risk assessment
 Vehicle used to verify that the implementers and operators of
information systems are meeting their stated security goals and
objectives

6. Management controls
 Security Awareness and Training
 Familiarize employees with the security policy and communicate
standards and procedures

7. Technical Controls
Protect the technological components of the
information systems such as the system
architectural design, hardware, software and
firmware
 Access control
 grants or denies resources and services
 Access control models:
 Mandatory access control (MAC) model ensures the end user cannot
implement, modify or transfer any controls. It is the most restrictive
model

8. Technical Controls
 Access control models
 Discretionary access control (DAC) model allows a subject to have
a total control over any objects that he or she owns and other
programs associated with those objects.
 Role-based access control (RBAC) model assigns role to a
particular roles in the organization and then assigns users to that
role
 Rule-based access controls (RBAC) model assigns roles based on a
set of defined rules

9. Technical controls
 Identification
 Users accessing the organizational computer system must present
credentials or identification such as username
 Authentication
 checks users’ credentials to ensure that they are authentic and not
fabricated
 Authorization
 grants the user permission to access only the resources needed to
perform one’s duties

10. Technical controls
 Physical access control protects computer
equipment and prevent unauthorized access
 Video surveillance
 Computer security
 Door security
 Access logs
 Badges

11. Technical controls
System and Communication Protection
 Nonrepudiation
 Provides undeniable proof that a user took a specific action such as
account transactions, money transfer or sending a message
 Encryption
 Converts electronic data into unreadable form to protect the integrity
and the confidentiality
 Firewall
 First line of defense that inspects network traffics and allows or blocks
traffics based on a set rule.

12. Technical controls
System and Communication Protection
 Network-based firewall
 Inspects traffic as it flows between networks
 Host-based firewall
 Inspects traffic received by a host
 Anti-Virus
 Scans the organizational computer, emails attachments for infections
and monitor computer activities

13. Technical controls
System and Communication Protection
 Anti-Virus
 Acts as detective and corrective control and is updated frequently in
order to recognize new viruses
 Intrusion detection and preventive systems
(IDS/IPS)
 IDS is detective in nature, looks for pattern anomaly
activities and logs it
 IPS both recognizes the suspicious traffic and responds to
the potential threat.

14. Technical controls
System and Communication Protection
 Audit and accountability
 Monitor, track, log system behavior and report those that are not in
accordance with the norms.
 Essential for detecting, understanding and recovering from security
breaches.

15. Operational controls
Defines how employees in EFG FCU use data,
resources, software and hardware
 Incidence response
 Identifies and contains the problem, investigates, removes, eradicates
the cause and repairs the damage
 Documents, reports the incident and implements countermeasures to
reduce the likelihood of a future attack
 Media access control and disposal
 Ensure that only authorized users have access to sensitive
information
 Ensure that media such as tapes, USB, CD, DVD and external hard
drives are protected from theft and damage

16. Operational controls
 Media access control and disposal
 Ensure that EFG FCU uses formatting to delete, sanitization to clean
all remnants of the data, and crushing, incineration, acid dipping, and
shredding to properly dispose data
 Business continuity
 Availability of backup systems and offsite backup storage to help
restore data in case of natural disaster
 Emergency backup power protects sensitive electronic systems and
data during power outages ensures members have uninterrupted
access to their accounts.

17. Operational controls
Conclusion
 Control depends on
 Cost comparison,
 Policies, standards and procedures
 Resources
 Training
 Testing
 Technology design.
 EFG FCU considers all the above including senior
management support and the organizational culture
to effectively implement its security controls.

18. Recommendation for improvement
Best Practices
 Collection of informally standardized techniques,
methods or process that have gained wide
acceptance in the organization
 Widely accepted as an effective and efficient
method to complete a task
Goals
 Ensures uniform development
 Ensures uniform distribution
 Ensures acceptance of standard

19. Recommendation for improvement
Recommendation
 Best practices not currently mandated by the
organization standard
 EFG FCU should apply best practices in all aspect
of their security controls to improve its security
program an make it more effective
 Recommended best practices:
 Segregation of duty requires a process be divided between two or
more individuals to avoid a fraudulent application process resulting
in a breach of security

20. Recommendation for improvement
 Recommended best practices:
 Dual control assures that two people participate in a transaction to
create a system of checks and balances in order to reduce opportunity
for fraud
 Audit and Management reviews of accounts to ensure that the level
of access conforms with the least privilege control
 Email policy ensures that the organizational email use is limited only
to what is absolutely necessary to complete a task, to avoid misuse
and employee inadvertently clicking on viruses and Trojan horse that
can compromise the organizational information security.