EFG Federal Credit Union is one of the nation’s critical infrastructures and, as a financial institution, stores non-public personal information such as social security numbers, bank account and credit card information, names and addresses. To improve its security program and make it more effective, it is recommended that EFG FCU implement best practices and standards in all aspects of its security controls.
2. Security controls
Countermeasures that implement organizational standards in order to safeguard against attacks
Selected and applied based on the risk assessment
Technology dependent
Goals
Maintain integrity
Protect confidentiality
Assure availability
3. The need for security controls in EFG FCU
Financial institution
One of the nation’s critical infrastructures
Stores non public personal information
Social security number
Bank account
Credit card information
Names and addresses
5. Policies, procedures, standards, laws, regulations, and guidelines which form the framework upon which the organization operates
Risk assessment
Vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives
6. Management controls
Security Awareness and Training
Familiarize employees with the security policy and communicate standards and procedures
7. Technical Controls
Protect the technological components of the information systems, such as the system architectural design, hardware, software and firmware
Access control
grants or denies access to resources and services
Access control models:
Mandatory access control (MAC) model: the system, not the end user, assigns and enforces access labels, so the end user cannot implement, modify or transfer any controls. It is the most restrictive model
8. Technical Controls
Access control models
Discretionary access control (DAC) model allows a subject total control over any objects he or she owns and the programs associated with those objects.
Role-based access control (RBAC) model assigns permissions to particular roles in the organization and then assigns users to those roles
Rule-based access control model (also abbreviated RBAC, which invites confusion with the role-based model) grants or denies access based on a set of defined rules, such as the time of day or the network the request comes from
9. Technical controls
Identification
Users accessing the organizational computer system must present an identifier, such as a username, that names who they claim to be
Authentication
checks the users’ credentials, such as a password or token, to ensure that they are authentic and not fabricated
Authorization
grants the authenticated user permission to access only the resources needed to perform his or her duties (least privilege)
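The three steps above, together with the role-based and rule-based models from the previous slides, fit in a few dozen lines. The following is an added example and not code from EFG FCU or the original deck; the user directory, the roles and permissions, and the business-hours rule are constructed for illustration, and PBKDF2 with a per-user salt stands in for whatever password store the credit union actually uses.

```python
"""Identification, authentication and authorization with role- and rule-based
access control.  Added example: the users, roles and the business-hours rule
below are constructed, not taken from EFG FCU."""
import hashlib
import hmac
import os
from datetime import time

# Role-based access control: permissions attach to roles, never to users directly.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:post"},
    "loan_officer": {"account:read", "loan:approve"},
    "auditor": {"account:read", "audit_log:read"},
}


# Rule-based access control: a permission can carry extra conditions on context.
def business_hours_rule(ctx):
    """Constructed rule: transactions may only be posted between 08:00 and 18:00."""
    return time(8, 0) <= ctx["now"] <= time(18, 0)


RULES = {"transaction:post": [business_hours_rule]}


def _hash_password(password, salt):
    # Salted PBKDF2 so that a stolen directory does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(directory, username, password, roles):
    salt = os.urandom(16)
    directory[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "roles": set(roles),
    }


def authenticate(directory, username, password):
    """Identification is the username; authentication verifies the credential."""
    rec = directory.get(username)
    if rec is None:
        # Hash anyway so an unknown username costs as much as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def authorize(directory, username, permission, ctx):
    """Grant only what the user's roles allow, and only when every rule holds."""
    rec = directory.get(username)
    if rec is None:
        return False
    granted = set()
    for role in rec["roles"]:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if permission not in granted:
        return False
    return all(rule(ctx) for rule in RULES.get(permission, []))


def build_directory():
    """Constructed sample directory used by the demo below."""
    d = {}
    add_user(d, "alice", "correct horse battery staple", ["teller"])
    add_user(d, "bob", "hunter2hunter2", ["auditor"])
    return d


OPEN_HOURS = {"now": time(10, 30)}     # constructed request context
AFTER_HOURS = {"now": time(20, 15)}

if __name__ == "__main__":
    d = build_directory()
    print(authenticate(d, "alice", "correct horse battery staple"))  # True
    print(authenticate(d, "alice", "wrong"))                          # False
    print(authorize(d, "alice", "transaction:post", OPEN_HOURS))      # True
    print(authorize(d, "alice", "transaction:post", AFTER_HOURS))     # False
    print(authorize(d, "bob", "transaction:post", OPEN_HOURS))        # False
```

Note that authorization is evaluated against the roles, never against the username, and that a rule can only narrow what a role grants; that is what keeps the auditor from posting transactions even during business hours.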
10. Technical controls
Physical access control protects computer equipment and prevents unauthorized access
Video surveillance
Computer security
Door security
Access logs
Badges
11. Technical controls
System and Communication Protection
Nonrepudiation
Provides undeniable proof that a user took a specific action, such as an account transaction, a money transfer or sending a message; in practice this requires a digital signature made with a key that only that user holds
Encryption
Converts electronic data into an unreadable form to protect confidentiality; on its own it does not protect integrity, since ciphertext can be altered without the key, so a message authentication code or digital signature must be added for that
Firewall
First line of defense that inspects network traffic and allows or blocks it based on a set of rules
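To make the encryption caveat concrete, the following added example (not part of the deck, and not EFG FCU's code) uses a toy stream cipher built from HMAC-SHA256 in counter mode; the keys, nonce and transfer message are constructed. An attacker who knows the plaintext layout edits the ciphertext without the key and the edited amount decrypts cleanly; adding a MAC over the ciphertext catches the same edit.

```python
"""Why encryption alone does not give integrity (or nonrepudiation).  Added
example with a toy keystream cipher (HMAC-SHA256 in counter mode); the keys,
nonce and transfer message are constructed.  Not for production use."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    # Toy counter-mode keystream: HMAC(key, nonce || counter), concatenated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def tamper(ciphertext, offset, old, new):
    """Attacker's step: with no key, replace known plaintext bytes at offset
    by XORing the ciphertext with old ^ new (a classic bit-flipping attack)."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key, mac_key, nonce, data):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message was altered")
    return decrypt(enc_key, nonce, ct)


MESSAGE = b"TRANSFER amount=000100 to=ACCT-4521"   # constructed; digits start at byte 16
AMOUNT_OFFSET = 16


def encryption_only_demo():
    """Returns what the bank decrypts after an attacker edits the ciphertext."""
    key, nonce = os.urandom(32), os.urandom(16)
    ct = encrypt(key, nonce, MESSAGE)
    ct = tamper(ct, AMOUNT_OFFSET, b"000100", b"999100")
    return decrypt(key, nonce, ct)   # decrypts cleanly; the amount is now 999100


def encrypt_then_mac_demo():
    """Returns True when the same edit is caught by the MAC."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    blob = seal(enc_key, mac_key, nonce, MESSAGE)
    ct = tamper(blob[16:-32], AMOUNT_OFFSET, b"000100", b"999100")
    try:
        open_sealed(enc_key, mac_key, blob[:16] + ct + blob[-32:])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(encryption_only_demo())    # b'TRANSFER amount=999100 to=ACCT-4521'
    print(encrypt_then_mac_demo())   # True
```

The MAC restores integrity but not nonrepudiation: both the member and the credit union hold `mac_key`, so either could have produced the tag. Proof that a specific user authorized the transfer needs a digital signature under a private key only that user controls.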
12. Technical controls
System and Communication Protection
Network-based firewall
Inspects traffic as it flows between networks
Host-based firewall
Inspects traffic received by a host
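A firewall's "set of rules" is evaluated in order, and the order is where rule sets go wrong. The following added example (not from the deck or from EFG FCU) is a minimal first-match packet filter with a default-deny policy; the address ranges, rules and sample packets are constructed. The same evaluator describes a network firewall between two segments or a host firewall on a single machine; only where the packets come from differs.

```python
"""First-match packet filter with a default-deny policy.  Added example: the
rule set, address ranges and sample packets are constructed."""
import ipaddress

# Constructed network: 10.0.1.0/24 is the branch LAN, 10.0.9.0/24 the DMZ.
RULES = [
    # (action, protocol, source network, destination port)
    ("allow", "tcp", "10.0.1.0/24", 443),   # LAN may reach the online-banking portal
    ("allow", "tcp", "10.0.1.0/24", 22),    # LAN admins may SSH
    ("deny",  "tcp", "10.0.9.0/24", 22),    # DMZ hosts may never SSH inward
]
DEFAULT_ACTION = "deny"   # anything no rule mentions is blocked


def matches(rule, packet):
    _action, proto, src_net, port = rule
    return (proto == packet["proto"]
            and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src_net)
            and port == packet["dport"])


def evaluate(rules, packet):
    """Return the action of the first matching rule, or the default."""
    for rule in rules:
        if matches(rule, packet):
            return rule[0]
    return DEFAULT_ACTION


SAMPLE_PACKETS = [   # constructed
    {"src": "10.0.1.25", "proto": "tcp", "dport": 443},    # workstation -> portal: allow
    {"src": "10.0.9.7", "proto": "tcp", "dport": 22},      # DMZ -> SSH: explicit deny
    {"src": "203.0.113.9", "proto": "tcp", "dport": 22},   # Internet -> SSH: no rule, default deny
    {"src": "10.0.1.25", "proto": "udp", "dport": 443},    # wrong protocol: default deny
]


def run(rules=RULES):
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


# Ordering pitfall: a broad allow placed first shadows the explicit deny below it,
# so the DMZ host gets through.
MISORDERED = [("allow", "tcp", "10.0.0.0/8", 22)] + RULES

if __name__ == "__main__":
    print(run())             # ['allow', 'deny', 'deny', 'deny']
    print(run(MISORDERED))   # ['allow', 'allow', 'deny', 'deny']
```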
Anti-Virus
Scans the organization’s computers and email attachments for infections and monitors computer activity
13. Technical controls
System and Communication Protection
Anti-Virus
Acts as a detective and corrective control and is updated frequently in order to recognize new viruses
Intrusion detection and prevention systems (IDS/IPS)
IDS is detective in nature: it looks for known attack signatures or anomalous activity and logs what it finds
IPS both recognizes the suspicious traffic and responds to the potential threat, for example by dropping it.
14. Technical controls
System and Communication Protection
Audit and accountability
Monitor, track and log system behavior and report activity that deviates from the norm.
Essential for detecting, understanding and recovering from security breaches.
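The IDS, IPS and audit slides above describe one pipeline: log events, match them against signatures and against a norm, and either record or act on the result. The following added example (not from the deck or from EFG FCU) runs both a signature rule and a threshold-based anomaly rule over constructed audit log lines and returns the alerts an IDS would log, plus the block list an IPS would act on. The log format, the patterns and the thresholds are constructed.

```python
"""Signature and anomaly detection over audit log lines.  Added example: the
log lines, log format, patterns and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-03-04T09:00:01 auth   sshd  FAILED  user=admin    src=203.0.113.9
2024-03-04T09:00:02 auth   sshd  FAILED  user=admin    src=203.0.113.9
2024-03-04T09:00:03 auth   sshd  FAILED  user=root     src=203.0.113.9
2024-03-04T09:00:04 auth   sshd  FAILED  user=teller1  src=203.0.113.9
2024-03-04T09:00:05 auth   sshd  FAILED  user=teller2  src=203.0.113.9
2024-03-04T09:00:06 auth   sshd  FAILED  user=admin    src=203.0.113.9
2024-03-04T09:01:10 auth   sshd  FAILED  user=alice    src=10.0.1.25
2024-03-04T09:01:20 auth   sshd  OK      user=alice    src=10.0.1.25
2024-03-04T09:02:00 web    nginx GET     path=/accounts?id=42 src=10.0.1.25
2024-03-04T09:02:30 web    nginx GET     path=/accounts?id=42'%20OR%201=1-- src=198.51.100.7
2024-03-04T09:02:31 web    nginx GET     path=/static/../../etc/passwd src=198.51.100.7
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<facility>\S+)\s+(?P<prog>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)"
)

# Signature rules: patterns that are bad wherever they occur.
SIGNATURES = {
    "sql-injection": re.compile(r"'(%20|\s)*or(%20|\s)+1=1", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Anomaly rule: more than this many failed logins from one source in the window.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 60


def parse(line):
    """Split one constructed log line into a dict; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    for field in rec["rest"].split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """IDS behaviour: return (rule, source, timestamp) for everything flagged."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["rest"]):
                alerts.append((name, rec["src"], rec["ts"].isoformat()))
        if rec["event"] == "FAILED":
            src = rec["src"]
            recent = [t for t in failures[src]
                      if (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(rec["ts"])
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD + 1:   # fire once as the threshold is crossed
                alerts.append(("brute-force", src, rec["ts"].isoformat()))
    return alerts


def ips_blocklist(alerts):
    """IPS behaviour: the sources an inline device would start dropping."""
    return sorted({src for _, src, _ in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(ips_blocklist(found))   # ['198.51.100.7', '203.0.113.9']
```

Alice's single failed login followed by a success stays below the threshold and produces nothing, which is the point of the window: the detective control should record the pattern, not every mistyped password.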
15. Operational controls
Define how employees in EFG FCU use data, resources, software and hardware
Incident response
Identifies and contains the problem, investigates, eradicates the cause and repairs the damage
Documents and reports the incident and implements countermeasures to reduce the likelihood of a future attack
Media access control and disposal
Ensure that only authorized users have access to sensitive information
Ensure that media such as tapes, USB drives, CDs, DVDs and external hard drives are protected from theft and damage
16. Operational controls
Media access control and disposal
Ensure that EFG FCU does not rely on formatting to delete data (a format leaves the data recoverable), uses sanitization such as overwriting to remove all remnants of the data, and uses crushing, incineration, acid dipping and shredding to properly dispose of media that held sensitive data
Business continuity
Availability of backup systems and offsite backup storage to help restore data in case of a natural disaster
Emergency backup power protects sensitive electronic systems and data during power outages and ensures members have uninterrupted access to their accounts.
17. Operational controls
Conclusion
Control depends on
Cost comparison
Policies, standards and procedures
Resources
Training
Testing
Technology design
EFG FCU considers all of the above, including senior management support and the organizational culture, to effectively implement its security controls.
18. Recommendation for improvement
Best Practices
Collection of informally standardized techniques, methods or processes that have gained wide acceptance in the organization
Widely accepted as an effective and efficient method to complete a task
Goals
Ensures uniform development
Ensures uniform distribution
Ensures acceptance of standard
19. Recommendation for improvement
Recommendation
Best practices not currently mandated by the organization’s standards
EFG FCU should apply best practices in all aspects of its security controls to improve its security program and make it more effective
Recommended best practices:
Segregation of duties requires that a process be divided between two or more individuals, so that no single person can complete a fraudulent transaction on his or her own and cause a breach of security
20. Recommendation for improvement
Recommended best practices:
Dual control ensures that two people participate in a transaction, creating a system of checks and balances that reduces the opportunity for fraud
Audit and management reviews of accounts to ensure that each account’s level of access conforms to the least privilege principle
Email policy ensures that organizational email use is limited to what is necessary to complete a task, to avoid misuse and to keep employees from inadvertently opening attachments or links that deliver viruses and Trojan horses that can compromise the organization’s information security.
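Segregation of duties, dual control and the account review above are usually written as policy, but the first two only hold if the transaction system refuses to proceed without them. The following added example (not from the deck or from EFG FCU) enforces them in a small transfer workflow: transfers at or above a threshold wait for a supervisor who is not the initiator, and a review function lists users holding role combinations that the policy says must be separated. The users, roles, threshold and accounts are constructed.

```python
"""Segregation of duties, dual control and a management review of role
conflicts, enforced in code.  Added example: the users, roles, threshold and
accounts are constructed."""

APPROVAL_THRESHOLD = 10_000   # constructed: transfers at or above this need a second person

# Constructed user directory: who holds which roles.
USERS = {
    "alice": {"teller"},
    "bob":   {"supervisor"},
    "carol": {"teller", "supervisor"},   # conflicting roles: flagged by sod_review
    "dave":  {"auditor"},
}
# Role pairs one person must never hold together (segregation of duties).
CONFLICTING_ROLES = [("teller", "supervisor")]


class ControlViolation(Exception):
    pass


def request_transfer(initiator, amount, to_account):
    """Only tellers initiate; large transfers stay pending until approved."""
    if "teller" not in USERS.get(initiator, set()):
        raise ControlViolation(f"{initiator} may not initiate transfers")
    return {
        "initiator": initiator,
        "amount": amount,
        "to": to_account,
        "approver": None,
        "state": "pending" if amount >= APPROVAL_THRESHOLD else "posted",
    }


def approve_transfer(transfer, approver):
    """Dual control: a distinct supervisor must approve a pending transfer."""
    if transfer["state"] != "pending":
        raise ControlViolation("nothing to approve")
    if approver == transfer["initiator"]:
        raise ControlViolation("initiator cannot approve own transfer")
    if "supervisor" not in USERS.get(approver, set()):
        raise ControlViolation(f"{approver} is not a supervisor")
    transfer.update(approver=approver, state="posted")
    return transfer


def sod_review(users=USERS):
    """Management review: users holding roles that policy says must be separated."""
    return sorted(
        user
        for user, roles in users.items()
        for a, b in CONFLICTING_ROLES
        if a in roles and b in roles
    )


if __name__ == "__main__":
    small = request_transfer("alice", 500, "ACCT-1")
    print(small["state"])                                   # posted
    big = request_transfer("alice", 25_000, "ACCT-2")
    print(big["state"])                                     # pending
    try:
        approve_transfer(big, "alice")
    except ControlViolation as e:
        print("blocked:", e)                                # initiator cannot approve own transfer
    print(approve_transfer(big, "bob")["state"])            # posted
    print(sod_review())                                     # ['carol']
```

The `sod_review` finding is the part that belongs in the periodic account review: carol can both initiate and approve, so even though the code stops her approving her own transfer, she and one other teller could still complete a fraudulent transfer between them, which is exactly the collusion risk the role separation is meant to raise the cost of.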