Unauthorized Information Systems Access
Scan the Internet for articles or evidence of Bank of America being a victim of hacking. Based on the results of your search, if the bank has been hacked, assess the circumstances around the hacking and the resulting impact to the bank's customers and operations. If the bank has not reported hacking incidents, assess the most likely security measures that the bank has implemented to protect the business from hackers.
Bank of America has experienced many data breaches in the past, yet the most troublesome are the ones where customers' data is stolen and immediately resold on the black market by employees. There are also those instances where employees and subcontractors gain unauthorized access to ATMs and steal money. These are two of the recent incidences of how the Bank of America security systems and processes have been hacked by employees and those operating in the trust of their business (Adams, 2011). The first instance involved a Bank of America employee who gained access to a wealth of customer data that included names, addresses, Social Security numbers, driver's license numbers, birth dates, e-mail addresses, mother's maiden names, account passwords and PINs, even account balances (Adams, 2011). In the second instance a series of seven Bank of America ATMs were broken into by a former contractor with Diebold Inc. (Adams, 2011). Clearly in both of these situations Bank of America had failed to put into place a series of controls that would mitigate the ability of their employees to gain access to customer data. They had also failed to define a process for revoking access to their ATMs to former contractors. This could have potentially been disastrous if the Diebold employee taught a gang or group how to steal the cash out of ATMs. Bank of America was fortunate to have only a $200,000...
In order to protect itself from the potential breach by their own support and customer service staff, Bank of America needs to complete an access audit periodically and seek to define a suitable strategy for managing this risk. There also needs to be more role-based approach to defining who, why and for what purpose a given employee can gain access to the customer data, as this is the essential aspect of security governance (Twum, Ahenkora, 2012). Bank of America also needs to randomly audit the overall security levels for its entire ATM network, ensuring subcontractors cannot get access to systems they are not scheduled to replenish with cash or provide maintenance on. The use of role-based and maintenance service request authorizations as part of a broader enterprise security strategy is essential in diverse operating networks and service organizations (Coppotelli, 1982).
As an IT auditor of Bank of America, create an information security strategy for the bank indicating how implementing this strategy will minimize the risk of the business systems being hacked.
Beginning with a role-based access framework, the proposed information security strategy would center on the need for greater real-time metrics of access, periodic and often unannounced audit of security level performance and monitoring, and a continual re-evaluation of how the system's metrics could be used for deterring fraud. All these of these aspects of an information security strategy are critical to creating a scalable, secure enterprise deterrence and monitoring security platform (Coppotelli, 1982).
In conjunction with these strategies, Bank of America needs to create a security strategy that spans the scope of their value chain as well. In studies of online banking it has been found that using enterprise security…
