
Unit-5: Security

Assignment-2

GUSTO University

Aung Myat Min


RG19024
HND-53 Aung Myat Min

Table of Contents
Introduction
Task-1
  What is a Risk?
  What is Risk Assessment?
  Guideline for doing a risk assessment in an organisation
  Review of Risk Assessment Procedures
Task-2
  What is Data Protection?
  Data Protection Process and Regulation at UAB Bank (GDPR, DPA)
  Why are data protection and security regulations important?
  Task 2.1 - (Summarising an appropriate risk management approach in IT security)
    A brief about the risk management approach
    Summarisation of ISO 31000:2018 / ISO 17799:2005 related to UAB Bank
  Task-2.2
    Definition of IT Security Audit
    Possible Impacts to UAB Bank Security Resulting from an IT Security Audit
    Task-2.2.1
      Definition of an Organisational Policy and Its Purposes
      Impacts of a UAB Bank Policy on IT Security
      Impacts of Misalignment Between UAB Bank Policy and IT Security
      Recommendations for Aligning IT Security with UAB Bank Policy
Task-3
  What is a security policy?
  Designing a Proper Security Policy
  Main elements of Security Policy
  Organisational Disaster Recovery Plan
Task-4
  What is a Stakeholder?
  What are their roles in an organisation?
  Security Audit
  Task 4.1
    Steps required in the disaster recovery process
    Evaluation of tools that can be used in UAB Bank's policy to meet business needs
Conclusion
References


Introduction
As a Junior Security Engineer at BIM Cybersecurity, Myanmar's largest
cybersecurity solutions provider, I am responsible for a project for UAB
Bank, one of the country's leading financial institutions. Our company
offers information security consulting, assessment, monitoring, and the
hardening of application and network infrastructure. My assignment is to
identify and assess the IT security risks to UAB Bank's critical data and
infrastructure, using appropriate tools and techniques for risk analysis
and security assessment. The deliverable is a report recommending
technology solutions and management strategies that align with the bank's
security policies and procedures. I will also evaluate tools and software
so that effective IT security measures are in place for managing risks
around access authorisation, regulatory compliance, and contingency
planning. The project matters because it safeguards the bank's operations
and strengthens its cybersecurity framework.

Task-1
What is a Risk?
Risk refers to the potential for loss, damage, harm, or negative
impacts on objectives. It can arise from various sources including
uncertainty in financial markets, threats from project failures, legal
liabilities, accidents, natural disasters, and deliberate attacks from
adversaries.
(Times, 2024)


What is Risk Assessment?


Risk assessment is a crucial process that involves the identification,
analysis, and evaluation of potential risks that may impact an
organisation's objectives. This process helps determine the likelihood of a
risk occurring and the severity of its impact. The main goal of risk
assessment is to prioritise risks according to their significance and
develop strategies to effectively mitigate or manage them. By doing so,
organisations can make informed decisions to minimise potential risks and
safeguard their objectives.
(Readt, 2024)

Guideline for doing a risk assessment in an organisation


A risk assessment lets an organisation identify and prepare for potential
risks before they cause serious harm. The five steps below are written in
the language of workplace safety (hazards, injuries, protective
equipment); applied to IT security at UAB Bank, a "hazard" becomes a
threat acting on a vulnerability in an information asset, and "severity"
is the impact on the confidentiality, integrity, or availability of that
asset. The five steps themselves apply unchanged.
1. Hazard Identification: A Comprehensive Approach
a. Environmental Scan: Systematically examine the workplace
for hazards including natural disasters, biological agents,
ergonomic stressors, chemical hazards, and electrical hazards.
b. Task Analysis: Break down employee tasks to identify
potential hazards, considering routine and non-routine
activities, maintenance tasks, and emergency protocols.
c. Incident Review: Analyse past incidents and near misses to
understand root causes and prevent similar occurrences.
d. External Resources: Utilise safety data sheets (SDS) and
industry best practices to identify sector-specific hazards.
2. Risk Evaluation: Assessing Likelihood and Severity
a. Likelihood Assessment: Estimate the likelihood of hazards
occurring based on historical data, industry experience, or
expert judgement, using qualitative or quantitative methods.


b. Severity Assessment: Evaluate potential consequences of


hazards, considering harm ranging from minor injuries to
fatalities, property damage, or environmental contamination.
3. Risk Prioritisation: A Targeted Approach
a. Risk Matrix: Develop a risk matrix to prioritise hazards based
on likelihood and severity, focusing on high-risk areas for
mitigation efforts.
b. Qualitative Factors: Consider legal implications,
reputational damage, and business disruption when
prioritising hazards.
4. Risk Mitigation: Implementing Controls
a. Elimination: Strive to remove hazards entirely or modify
processes to render them safe.
b. Substitution: Replace hazardous materials or processes with
safer alternatives.
c. Engineering Controls: Implement physical controls like
machine guards or ventilation systems.
d. Administrative Controls: Establish safe work procedures,
training programs, and permit systems, and provide personal
protective equipment (PPE).
5. Documentation and Review: Maintaining a Continuous Process
a. Risk Assessment Plan: Document findings including
identified hazards, likelihood and severity ratings, prioritised
risks, and mitigation strategies.
b. Communication and Training: Share risk assessment
findings with employees and provide relevant training on
hazards and controls.
c. Regular Review and Update: Schedule periodic reviews to
ensure the risk assessment remains current, especially after
workplace changes.
By following these steps, we can conduct a thorough risk assessment to
safeguard the workplace and employees. Continuous improvement is key
to maintaining a safe and healthy work environment.


(Content, 2024)
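As an added example (not part of the original assignment), the likelihood x severity scoring of steps 2 to 4 applied to an IT risk register rather than workplace hazards. The 1-5 scales, the rating thresholds, and the sample register are constructed for illustration and are assumptions, not UAB Bank data:

```python
"""Risk register scoring for an IT risk assessment (added example).

Implements the likelihood x severity matrix of steps 2-3 and the
treatment decision of step 4 for IT risks. Scales, thresholds and the
sample register are constructed assumptions, not UAB Bank data.
"""
from dataclasses import dataclass

# 5-point scales (assumption: the bank rates both axes from 1 to 5).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str            # the information asset at risk
    threat: str           # what could act on it
    vulnerability: str    # the weakness the threat would exploit
    likelihood: str       # key into LIKELIHOOD
    severity: str         # key into SEVERITY
    existing_controls: str = ""

    @property
    def score(self) -> int:
        """Inherent risk score: likelihood x severity, 1..25."""
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    @property
    def rating(self) -> str:
        """Band the numeric score into the cells of a 5x5 matrix (thresholds assumed)."""
        if self.score >= 15:
            return "HIGH"
        if self.score >= 8:
            return "MEDIUM"
        return "LOW"

    @property
    def treatment(self) -> str:
        """Step 4: the treatment decision each band triggers (assumed policy)."""
        return {
            "HIGH": "treat immediately",
            "MEDIUM": "treat within plan",
            "LOW": "accept and monitor",
        }[self.rating]


def prioritise(register):
    """Step 3: highest score first; ties broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


# Constructed sample register for a bank's IT estate (not real findings).
SAMPLE_REGISTER = [
    Risk("core banking DB", "ransomware", "unpatched file server", "possible", "severe", "weekly backups"),
    Risk("online banking portal", "credential stuffing", "no MFA on customer login", "likely", "major", "rate limiting"),
    Risk("staff laptops", "device theft", "disk not encrypted", "possible", "moderate"),
    Risk("marketing website", "defacement", "outdated CMS plugin", "likely", "minor", "WAF"),
    Risk("branch ATM network", "power outage", "single UPS", "unlikely", "moderate", "UPS"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.rating:<6} {r.asset:<22} {r.threat:<20} -> {r.treatment}")
```

Running the block prints the register in treatment order; the portal (4 x 4 = 16) sorts above the core database (3 x 5 = 15) even though the database loss is more severe, which is exactly the trade-off a matrix makes visible and that step 3b's qualitative factors are there to override when needed.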


Review of Risk Assessment Procedures

Task-2
What is Data Protection?
Data protection is the process of protecting sensitive information
from damage, loss, or corruption. As the amount of data being created
and stored has grown at an unprecedented rate, data protection has
become increasingly important.
(imperva, 2024)


Data Protection Process and Regulation at UAB Bank (GDPR, DPA)
UAB Bank has implemented a data protection procedure and adheres to the
regulations that apply to it in order to ensure the security and privacy
of sensitive information. Data protection at the bank involves policies,
procedures, and technologies that manage and secure data throughout its
lifecycle. Two significant regulations that govern data protection
practices are the General Data Protection Regulation (GDPR) and the Data
Protection Act (DPA).
The GDPR is a comprehensive data protection regulation that came into
effect in May 2018 in the European Union (EU) and the European Economic
Area (EEA). It applies to organisations that process the personal data of
EU/EEA residents, regardless of where the organisation is located, so it
reaches a Myanmar bank only to the extent that the bank handles such
data. Key aspects of the GDPR include data subject rights to access,
rectify, erase, and restrict processing of personal data. Data
controllers and processors have specific obligations, and organisations
must report personal data breaches to the relevant supervisory authority
(within 72 hours of becoming aware of the breach, where feasible) and,
where the breach is likely to result in a high risk to individuals, to
the affected individuals themselves. Organisations must also carry out a
Data Protection Impact Assessment (DPIA) for high-risk processing
activities to assess and mitigate risks to data subjects' rights and
freedoms.
The DPA is UK legislation (the Data Protection Act 2018) that governs
data protection and privacy. It complements the GDPR and adds provisions
and exemptions specific to the UK. Key provisions include the principles
for fair and lawful processing of personal data and the lawful bases for
processing (consent, contractual necessity, legal obligation, vital
interests, public task, and legitimate interests), mirroring the GDPR's
provisions on data subject rights and on the obligations of data
controllers and processors.
(Journal, 2024)


Why are data protection and security regulations important?

Data protection and security regulations are essential for UAB Bank
due to several reasons:
1. Legal Compliance: UAB Bank must comply with the regulations that
apply to the data it processes, including the GDPR and DPA where it
handles the personal data of EU or UK residents. Failure to comply can
result in severe penalties, including hefty fines, legal action, and
reputational damage.
2. Customer Trust and Reputation: Implementing effective data
protection measures enhances customer trust and confidence in
UAB Bank's ability to safeguard their sensitive information. A
reputation for robust data protection practices can differentiate the
bank in a competitive market and attract and retain customers.
3. Risk Mitigation: Data breaches and security incidents can have
significant financial and reputational consequences for UAB Bank.
Compliance with data protection regulations helps mitigate the risk
of data breaches by establishing security protocols, implementing
safeguards, and conducting regular audits and assessments.
4. Global Business Operations: Compliance with regulations like
GDPR becomes imperative as UAB Bank expands its operations
globally or engages with international partners. Ensuring alignment
with global standards facilitates smooth business transactions and
partnerships while avoiding regulatory conflicts and legal
challenges.


Task 2.1 - (Summarising an appropriate risk management approach in IT security)

A brief about the risk management approach


A risk management approach is a well-structured method that
organisations use to recognize, evaluate, prioritise, and manage risks that
may impact their objectives. This approach involves the development of
processes, policies, and procedures that enable the organisation to handle
risks effectively and ensure its resilience in the face of uncertainty. One
example of a risk management approach is the COSO Enterprise Risk
Management framework. This framework provides a comprehensive
structure for managing risks across the organisation.

Summarisation of ISO 31000:2018 / ISO 17799:2005 related to UAB Bank
ISO 31000:2018:
UAB Bank has implemented the ISO 31000:2018 as its framework
for risk management. This international standard provides guidance to
UAB Bank for managing risks systematically by following principles and
guidelines for risk identification, analysis, evaluation, treatment, and
monitoring. By aligning its risk management practices with ISO
31000:2018, UAB Bank ensures a coordinated and integrated approach to
risk management across all levels of the organisation. This approach
enhances UAB Bank's resilience to various risks and supports informed
decision-making processes. ISO 31000:2018 helps UAB Bank to
proactively identify opportunities and threats, enabling it to allocate
resources effectively for risk treatment and achieve its strategic
objectives with confidence.


ISO 17799:2005:
UAB Bank uses ISO 17799:2005 as its code of practice for information
security management, alongside ISO 31000:2018 for risk management.
ISO 17799:2005 was renumbered ISO/IEC 27002:2005 in 2007 and has since
been revised (the current edition is ISO/IEC 27002:2022, which pairs with
ISO/IEC 27001 for a certifiable information security management system),
so the bank should map its controls to the current edition. The standard
helps the bank maintain the confidentiality, integrity, and availability
of its information assets. By implementing the ISO 17799 (ISO/IEC 27002)
controls, UAB Bank develops security management practices that protect
sensitive data and systems from unauthorised access, disclosure,
alteration, or destruction. Following the standard demonstrates the
bank's commitment to information security and supports its regulatory
obligations, protecting the interests of its customers and stakeholders
and the integrity of its operations as threats evolve.
Overall, by incorporating ISO 31000:2018 and ISO 17799:2005 (ISO/IEC
27002) into its risk management and information security practices, UAB
Bank demonstrates its dedication to managing risks effectively and
maintaining a secure operational environment.

Task-2.2

Definition of IT Security Audit


A comprehensive evaluation of an organisation's information
systems, security guidelines, and operational practices is known as an IT
security audit. Its objectives are to evaluate the efficacy of security
measures, pinpoint weaknesses, and guarantee adherence to industry
best practices and legal requirements. Reviewing security controls,
checking system settings, looking at access restrictions, and assessing
incident response procedures are all common steps in the audit process.
Auditors can collect data and offer suggestions for improvement using a
variety of techniques, such as technical testing, observations, and
interviews.
(Gillis, 2022)
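One concrete form of "checking system settings" during an audit, as an added example that is not from the original assignment: a script that parses an OpenSSH server configuration and reports every setting that deviates from an audit baseline. The baseline values are common hardening recommendations, the sample configuration is constructed, and neither is a UAB Bank standard:

```python
"""Automated system-settings check for an IT security audit (added example).

Parses an OpenSSH sshd_config and compares each audited option with a
baseline, producing the findings list an auditor records under
"checking system settings". Baseline and sample config are constructed
for illustration; they are not a UAB Bank standard.
"""

# Baseline: option -> (acceptable values, severity if not met, why it matters).
# MaxAuthTries is numeric and is checked against MAX_AUTH_TRIES_LIMIT instead.
BASELINE = {
    "PermitRootLogin": ({"no"}, "high", "direct root logins defeat accountability and least privilege"),
    "PasswordAuthentication": ({"no"}, "high", "key-based auth resists password guessing"),
    "PermitEmptyPasswords": ({"no"}, "high", "empty passwords allow trivial access"),
    "MaxAuthTries": (None, "medium", "limits online guessing per connection"),
    "LogLevel": ({"info", "verbose"}, "medium", "the audit trail needs login events"),
    "X11Forwarding": ({"no"}, "low", "unneeded forwarding enlarges the attack surface"),
}
MAX_AUTH_TRIES_LIMIT = 4

# OpenSSH defaults used when an option is not set explicitly (sshd_config(5)).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "6",
    "LogLevel": "info",
    "X11Forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Return {option: value}; blank and '#' lines are skipped and, as in sshd,
    the first occurrence of an option wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit_sshd(text: str) -> list:
    """Compare the parsed settings with BASELINE; findings sorted high -> low."""
    cfg = parse_sshd_config(text)
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for option, (expected, severity, why) in BASELINE.items():
        explicit = option in cfg
        value = cfg.get(option, DEFAULTS[option])
        if option == "MaxAuthTries":
            ok = value.isdigit() and int(value) <= MAX_AUTH_TRIES_LIMIT
            want = f"<= {MAX_AUTH_TRIES_LIMIT}"
        else:
            ok = value.lower() in expected
            want = "/".join(sorted(expected))
        if not ok:
            findings.append({
                "option": option,
                "found": value + ("" if explicit else " (default)"),
                "expected": want,
                "severity": severity,
                "rationale": why,
            })
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample configuration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config on a jump host
Port 22
# left over from the initial build
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding no
LogLevel INFO
"""

if __name__ == "__main__":
    for f in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"[{f['severity'].upper():<6}] {f['option']}: found {f['found']}, "
              f"expected {f['expected']} ({f['rationale']})")
```

The check resolves unset options to the daemon's documented default before comparing, which is what makes the difference between "the auditor saw nothing in the file" and "the host actually accepts passwords"; a finding line records the observed value, the expected value and the reason, the three things the audit report needs.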


Possible Impacts to UAB Bank Security Resulting from an IT Security Audit
1. Identification of Vulnerabilities:
Information systems and network infrastructure at UAB Bank may have
vulnerabilities that were previously undiscovered. These may be found
through an IT security assessment. This identification is important
because it allows the bank to fix vulnerabilities before bad actors can take
advantage of them. The audit offers a road map for enhancing the bank's
security posture by identifying these weaknesses.
2. Enhanced Compliance:
UAB Bank and other financial organisations must adhere to regulations.
An IT security audit assists in making sure the bank conforms to
applicable laws, rules, and industry standards, including ISO 27001, GDPR,
and PCI DSS. Legal ramifications, monetary losses, and reputational harm
are all possible outcomes of noncompliance. As a result, it is crucial for
audits to find compliance deficiencies and suggest corrective measures.
3. Improved Security Policies and Procedures:
A detailed examination of the current security policies and processes is
frequently part of the audit process. Auditors have the ability to spot
outmoded or inadequate policies and recommend improvements. As a
result, stronger and more thorough security regulations are created,
better safeguarding the bank's resources and information.
4. Risk Management:
An IT security audit provides a thorough risk evaluation that highlights
possible risks and their effects on the company. With this data, UAB Bank
is able to rank risks according to likelihood and severity, allowing for
a more efficient use of resources to reduce risk. Consequently, the bank
can lower the possibility of security issues and handle risks proactively.


5. Increased Awareness and Training:
One of the major effects of an IT security audit is increased employee
awareness of security procedures and of the risks the bank faces.
Targeted training programs are frequently implemented in response to
audit findings to remedy gaps in staff knowledge and conduct. The result
is a more security-conscious culture at the bank.
6. Strengthened Incident Response:
The bank's incident response strategies are frequently found to be
deficient during audits. The audit assists UAB Bank in strengthening its
capacity to recognize, address, and recover from security events by
detecting these weaknesses. The resilience of the bank is increased and
the effect of security breaches is reduced with a better incident response
capacity.
7. Improved Customer Trust:
Consumers expect the financial organisations they use to protect their
financial and personal data. A successful IT security audit demonstrates
UAB Bank's dedication to security and may increase client loyalty and
confidence, which can give the bank a competitive edge in the industry.
8. Financial Implications:
Even though the audit requires investment, there are substantial possible
cash returns. The bank may save a significant amount of money by
avoiding downtime, regulatory fines, and security breaches. Furthermore,
sustaining a robust security posture contributes to the bank's long-term
financial stability.
9. Continuous Improvement:
An audit is a point-in-time measurement, not a one-off exercise.
Repeating it on a schedule, tracking the closure of earlier findings, and
feeding the results into the periodic policy reviews recommended later in
this report turn the audit into a cycle of continuous improvement, so
that controls keep pace with changes in the bank's systems and in the
threat landscape.


Task-2.2.1

Definition of an Organisational Policy and Its Purposes


An organisational policy is a set of formal guidelines established by an
organisation to govern its operations and ensure alignment with its
strategic goals, legal requirements, and ethical standards. The purposes
of such policies include providing clear direction for employees, ensuring
consistent actions and decisions, ensuring compliance with relevant laws
and regulations, mitigating risks, enhancing operational efficiency, and
supporting the organisation’s strategic goals.
(MANAGEMENT, 2020)

Impacts of a UAB Bank Policy on IT Security


Organisational policies significantly influence IT security by establishing a
framework for security practices within the organisation. For UAB Bank, a
well-aligned policy ensures that security measures are integrated into the
bank's culture and operations, providing several key benefits:
● Clear Security Expectations: Policies define security roles and
responsibilities, ensuring everyone understands their obligations,
which helps prevent security lapses.
● Regulatory Compliance: Policies ensure adherence to regulatory
requirements, reducing the risk of legal penalties and protecting the
bank from compliance-related breaches.
● Risk Management: Policies identify potential threats and establish
controls, helping to proactively manage security risks and minimise
the impact of security incidents.
● Resource Allocation: Policies guide the allocation of resources
towards critical security areas, ensuring that investments in security
are aligned with organisational priorities.


Impacts of Misalignment Between UAB Bank Policy and IT Security
Misalignment between organisational policies and IT security can have
significant negative impacts:
● Inconsistent Security Practices: Without alignment, security
practices may become inconsistent, creating vulnerabilities. For
instance, if policies mandate strong access controls but IT practices
do not enforce them, unauthorised access could compromise sensitive
data.
● Non-compliance Risks: Misalignment can lead to non-compliance with
regulatory standards. If policies fail to incorporate updated legal
requirements, IT security measures may also fall short, leading to
potential fines, legal action, and reputational damage.
● Inefficient Resource Use: Misaligned policies can result in
inefficient resource allocation. For example, investing in advanced
cybersecurity tools without corresponding policy support, such as user
training or incident response procedures, may lead to underutilisation
of these tools and gaps in security.
● Inadequate Risk Management: Misalignment can impair risk management
efforts. Policies that do not reflect the current threat landscape or
the bank's risk appetite may leave critical vulnerabilities
unaddressed, leading to severe security incidents, financial losses,
and operational disruptions.
● Employee Confusion and Non-compliance: Employees rely on policies for
guidance. Misalignment can cause confusion, where employees are unsure
of security protocols or unintentionally violate security measures. For
example, if a policy does not clearly define acceptable use of personal
devices, employees might introduce security risks through unsafe
practices.


Recommendations for Aligning IT Security with UAB Bank Policy
To ensure effective alignment between IT security and organisational
policies at UAB Bank, consider the following steps:
Integrated Policy Development: Involve IT security experts in the
development and review of organisational policies to ensure that security
considerations are embedded from the outset.
Regular Policy Reviews: Conduct periodic reviews of policies and
security practices to ensure they remain aligned with evolving threats,
regulatory changes, and technological advancements.
Clear Communication and Training: Ensure that all employees are
aware of and understand security policies through regular training and
clear communication channels, fostering a security-conscious culture.
Continuous Monitoring and Feedback: Implement mechanisms for
continuous monitoring of policy compliance and gather feedback from
employees to identify areas of misalignment and address them promptly.
Leadership Support: Ensure that senior management actively supports
and enforces the alignment of IT security with organisational policies,
demonstrating the importance of security at all levels of the organisation.
Aligning IT security with organisational policies is crucial for maintaining a
robust security posture at UAB Bank. Clear, well-integrated policies
provide direction, ensure compliance, and optimise resource use, while
misalignment can lead to inconsistencies, non-compliance, and increased
vulnerability. By adopting a holistic approach to policy development,
review, communication, and enforcement, UAB Bank can ensure that its IT
security measures effectively support its strategic goals and protect its
assets.


Task-3
What is a security policy?
A security policy is a document that states in writing how a
company plans to protect its physical and information technology (IT)
assets. Security policies are living documents that are continuously
updated and changing as technologies, vulnerabilities and security
requirements change.

Designing a Proper Security Policy


Main elements of Security Policy


Below are the main elements of a security policy:
● Purpose: This security policy is created to protect UAB Bank's
information assets, maintain data confidentiality, integrity, and
availability, and minimise security risks. The policy provides
guidelines for employees, contractors, and third parties on their
responsibilities for maintaining security standards and complying
with relevant laws and regulations.
● Audience: This policy applies to all employees, contractors, and
third parties who access, use, or manage UAB Bank's information
assets. It is relevant for personnel at all levels of the organisation,
including executives, managers, administrators, and technical staff.
● Information Security Objectives:
○ Protect sensitive data from unauthorised access, disclosure, or
alteration.
○ Maintain the integrity and availability of systems, networks,
and services.
○ Ensure compliance with relevant laws, regulations, and
industry standards.
○ Promote a culture of security awareness and accountability
among employees.
○ Continuously improve security measures and adapt to
emerging threats and vulnerabilities.
● Authority and Access Control Policy: Access to UAB Bank's
information assets is granted based on the principle of least
privilege, where individuals are given only the access rights
necessary to perform their job functions. Access control
mechanisms, such as user authentication, role-based access control,
and encryption, are implemented to ensure that only authorised
users can access sensitive data and resources. User access
privileges are periodically reviewed and updated as needed to
maintain security and compliance.


● Data Classification: UAB Bank classifies its data into categories
based on sensitivity and criticality to the organisation. The
classification levels include:
○ Confidential: Data that is highly sensitive and requires the
highest level of protection. Examples include financial records,
customer personal information, and trade secrets.
○ Internal Use Only: Data that is intended for internal use
within the organisation but is not considered highly sensitive.
Examples include internal communications, project
documents, and operational procedures.
○ Public: Data that is intended for public consumption and does
not contain sensitive information. Examples include marketing
materials, public statements, and press releases.
● Data Support and Operations: UAB Bank implements robust data
support and operations procedures to ensure the availability,
integrity, and reliability of its information assets. The procedures
include:
○ Regular data backups and offsite storage to prevent data loss
in the event of hardware failure, natural disasters, or other
disruptions.
○ Monitoring and logging of system activities to detect and
respond to security incidents promptly.
○ Implementation of security controls, such as firewalls,
intrusion detection systems, and antivirus software, to protect
against unauthorised access and malware threats.
○ Employee training and awareness programs to educate staff
on security best practices, policies, and procedures.
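The periodic access review that the access control element above calls for, as an added example that is not from the original assignment: a script that compares the permissions actually granted to each account with the permissions its role allows, and also flags dormant accounts and privileged grants that lack a recorded approval. The role model, the 90-day dormancy window, the approval rule, and the sample user export are all assumptions constructed for illustration:

```python
"""Periodic user-access review for least privilege (added example).

Checks each account in a user export against the role model a policy
defines and reports: grants beyond the role, dormant accounts, privileged
grants with no approval ticket, and accounts whose role is unknown.
Roles, users, the review date, the 90-day window and the approval rule
are constructed assumptions, not UAB Bank policy.
"""
from datetime import date, timedelta

# Role model: the permissions each job function needs (assumed, illustrative).
ROLES = {
    "teller": {"view_account", "post_deposit", "post_withdrawal"},
    "branch_manager": {"view_account", "post_deposit", "post_withdrawal", "approve_override"},
    "dba": {"db_read", "db_write", "db_admin"},
    "auditor": {"view_account", "db_read"},
}
# Permissions that must carry a recorded approval (assumed rule).
PRIVILEGED = {"db_admin", "approve_override"}
DORMANT_AFTER = timedelta(days=90)


def review_access(users: list, today: date) -> list:
    """Return (user, finding, detail) tuples; an empty list means the review is clean."""
    findings = []
    for u in users:
        allowed = ROLES.get(u["role"])
        if allowed is None:
            # A role the policy does not define cannot be checked; escalate it.
            findings.append((u["name"], "unknown_role", u["role"]))
            continue
        granted = set(u["granted"])
        excess = sorted(granted - allowed)
        if excess:
            findings.append((u["name"], "excess_privilege", ",".join(excess)))
        last = u["last_login"]
        if last is None or today - last > DORMANT_AFTER:
            findings.append((u["name"], "dormant_account", str(last)))
        held_priv = sorted(granted & PRIVILEGED)
        if held_priv and not u.get("approval_ticket"):
            findings.append((u["name"], "unapproved_privilege", ",".join(held_priv)))
    return findings


REVIEW_DATE = date(2024, 6, 30)  # constructed review date

# Constructed sample of an identity-system export (not real accounts).
SAMPLE_USERS = [
    {"name": "amin", "role": "teller",
     "granted": ["view_account", "post_deposit", "post_withdrawal"],
     "last_login": date(2024, 6, 28), "approval_ticket": None},
    {"name": "kzaw", "role": "teller",
     "granted": ["view_account", "post_deposit", "approve_override"],
     "last_login": date(2024, 6, 29), "approval_ticket": None},
    {"name": "htun", "role": "dba",
     "granted": ["db_read", "db_write", "db_admin"],
     "last_login": date(2024, 2, 1), "approval_ticket": "CHG-1042"},
    {"name": "svc_report", "role": "reporting",
     "granted": ["db_read"],
     "last_login": date(2024, 6, 30), "approval_ticket": None},
]

if __name__ == "__main__":
    for name, finding, detail in review_access(SAMPLE_USERS, REVIEW_DATE):
        print(f"{name:<12} {finding:<22} {detail}")
```

The teller holding approve_override produces two findings on purpose: the grant is outside the role, and it is a privileged permission with no approval on record; both should be closed by removing the grant, not by back-filling a ticket. The service account with an undefined role is reported rather than silently skipped, because an account the role model cannot describe is exactly the kind of gap a review exists to surface.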


Organisational Disaster Recovery Plan


At UAB Bank, unforeseen events such as natural disasters,
cybersecurity breaches, hardware failures, and human errors can disrupt
our operations and compromise the availability, integrity, and
confidentiality of our data. To ensure that we are always prepared to
respond swiftly and effectively to any crisis, we have developed a
comprehensive Organisational Disaster Recovery Plan. By taking proactive
measures and setting clear recovery objectives, our aim is to minimise
downtime, mitigate risks, and safeguard the interests of our customers,
stakeholders, and employees. Our commitment to resilience and
continuity highlights our dedication to providing reliable and secure
financial services, even in the face of adversity.


Task-4
What is a Stakeholder?
A stakeholder is a person, a group, or an organisation that has an
interest in a business, project, or organisation, and can be influenced by
or affect its activities and decision-making. Stakeholders can be members
of the organisation or have no official affiliation, and they can have a
direct or indirect impact on its activities.
(FERNANDO, 2024)

What are their roles in an organisation?


Stakeholders play critical roles in an organisation, contributing to its
success and sustainability. There are several types of stakeholders, each
with unique responsibilities and contributions. These include:
1. Employees: They are responsible for executing tasks,
implementing policies, and upholding security measures. Employees
must adhere to security protocols, report security incidents, and
participate in security training and awareness programs.
2. Managers and Executives: They provide leadership, direction,
and strategic guidance for the organisation. Managers and
executives must set security objectives, allocate resources for
security initiatives, and oversee the implementation of security
policies and procedures.
3. Shareholders: They are investors who have a financial stake in the
organisation. Shareholders must monitor the company's
performance, ensure accountability and transparency in decision-
making, and advocate for the protection of their investments
through effective risk management and security measures.
4. Customers: They are the primary beneficiaries of the organisation's
products or services. Customers must provide feedback on
security-related issues, trust the organisation with their personal and
financial information, and hold the organisation accountable for
safeguarding their data and privacy.


5. Suppliers and Partners: They provide goods, services, or
collaborative efforts that support the organisation's operations.
Suppliers and partners must adhere to security requirements and
standards, share relevant security information, and collaborate with
the organisation to address security challenges and risks.
6. Regulators and Government Agencies: They oversee
compliance with laws, regulations, and industry standards.
Regulators and government agencies must establish security
regulations and guidelines, conduct audits and inspections, and
enforce penalties for non-compliance.
7. Community and Society: The broader community and society at
large may also be considered stakeholders, particularly if the
organisation's activities impact them directly or indirectly.
Community and society must support ethical and responsible
business practices, support industries that promote security and
safety, and hold the organisation accountable for its social and
environmental responsibilities.
(Zaichenko, 2022)

Security Audit
In a security audit, various stakeholders play crucial roles to ensure
a comprehensive and effective review. Top management sets the audit
objectives, reviews findings, and allocates necessary resources. The IT
department provides technical data and assists auditors in understanding
the system's intricacies. The HR department supplies records on
employee training and enforces security policies. Legal and compliance
teams ensure that the organisation adheres to regulatory standards, while
the finance department manages budgets and reviews financial aspects.
The operations team demonstrates daily security practices, and external
auditors or consultants offer independent evaluations. Employees
participate by engaging in surveys and providing feedback, offering
valuable insights into the security culture and practices within the
organisation. Each stakeholder's involvement is essential for identifying
vulnerabilities and areas for improvement, ensuring a robust security
posture.
Security audits are necessary for several reasons:
1. To identify and reduce risks: Security audits help find possible
security risks, threats, and vulnerabilities that may harm the
organisation's operations, assets, or reputation. By knowing
weaknesses, organisations can take actions to reduce risks and
improve their security.
2. To comply with regulations: Security audits make sure that the
organisation follows relevant laws, regulations, and industry
standards for information security. Compliance is essential to avoid
legal penalties, maintain trust with stakeholders, and protect
sensitive data.
3. To improve security: Security audits provide helpful information
about the effectiveness of the security measures and practices. By
regularly assessing and evaluating security controls, organisations
can learn where to improve and implement corrective actions to
enhance their security over time.
4. To build trust: Security audits assure stakeholders, like customers,
shareholders, and regulators, that the organisation takes security
seriously and is committed to protecting their interests. By showing
compliance with security standards and best practices,
organisations can build trust and confidence in their ability to
protect sensitive information and reduce security risks.

Task 4.1
Creating plans to make sure that essential company activities continue
both during and after disruptions is known as business continuity
planning. This includes assessing risks, spotting potential threats like
pandemics, cyberattacks, and natural disasters, and putting procedures in
place to mitigate those risks. This entails describing the processes for data
backup and recovery, alternate work locations, and methods of
communication for UAB Bank. The effectiveness of the plan is ensured by
regular tests and updates. UAB Bank maintains regulatory compliance and
client trust by guaranteeing continuous service.

UAB Bank's Disaster Recovery Plan is a comprehensive strategy
designed to ensure the organisation can continue its critical functions
during and after disruptions.

● Risk Assessment: Identifying any potential risks that may disrupt
corporate operations is the first step. Natural disasters like
hurricanes, floods, or earthquakes as well as man-made disasters
like cyberattacks or pandemics could be among these risks. By
evaluating these risks, UAB Bank can understand their possible
effects on its operations.

● Mitigation Strategies: UAB Bank creates steps to reduce these
risks as soon as any hazards are detected. This could entail putting
in place protections against cyberattacks, creating emergency
response plans for natural catastrophes, or creating backup plans in
case of a pandemic. Through the use of mitigation techniques, UAB
Bank can lessen the probability and consequences of operational
disruptions.

● Data Backup and Recovery: Any financial organisation depends
on its critical data, so UAB Bank recognises the need to keep it safe
and accessible even in the case of an emergency. The bank has
protocols in place for promptly recovering its vital data in the case
of data loss or corruption, as well as for routinely backing up this
data. This guarantees that clients and bank employees may always
access critical financial information.

● Alternative Work Location: UAB Bank has prepared
arrangements for backup work locations in case a disaster renders
the bank's main office unusable. The infrastructure and resources at
these sites enable bank employees to carry out their responsibilities
with the least amount of disturbance to business operations and
customer service.

● Communication Strategies: During a disaster, it is critical to keep
stakeholders, including customers and staff, informed about
developments through effective communication. UAB Bank has
established processes for both internal and external communication
during a disaster. These protocols include how to alert staff
members, work with emergency services, and update customers via
email, social media, and the bank's website, among other channels.
By putting strong communication strategies in place, UAB Bank can
uphold transparency and confidence with its stakeholders during
difficult circumstances.

Steps required in the disaster recovery process

Step 1: Business Impact Analysis (BIA)
Identify critical business processes and assess the potential impact of a
disaster on the bank's operations, customers, and reputation. UAB Bank
can determine the maximum tolerable downtime (MTD) for each process,
such as:
● ATMs and branches
● Online banking and mobile banking
● Core banking systems
● Customer data and records

Step 2: Risk Assessment
Identify potential threats to the bank's operations, including:
● Natural disasters (e.g. hurricanes, earthquakes)
● Cyber attacks
● Power outages
● System failures
● Human error
UAB Bank can assess the likelihood and potential impact of each threat.

Step 3: Development of the Disaster Recovery Plan (DRP)
UAB Bank should outline procedures for recovering critical systems and
operations, including:
● Recovery of core banking systems
● Restoration of customer data and records
● Re-establishment of online and mobile banking services
● Re-opening of ATMs and branches
UAB Bank should also identify the key personnel, vendors, and suppliers
involved in the recovery process.

Step 4: Identification of Critical Systems
Identify critical systems that must be recovered in the event of a
disaster, including:
● Core banking systems (e.g. T24, Temenos)
● Customer relationship management (CRM) systems
● Enterprise resource planning (ERP) systems
● Data centres and servers
Prioritise these systems based on their importance to UAB Bank's
operations.

Step 5: Backup and Recovery Procedures
Establish procedures for backing up critical data and systems,
including:
● Regular backups of core banking systems and data
● Offsite storage of backups
● Use of cloud-based backup solutions
Develop procedures for recovering backed-up data and systems,
including:
● Recovery of core banking systems from backups
● Restoration of customer data and records
● Re-establishment of online and mobile banking services

Step 6: Testing and Validation
Test the DRP to ensure its effectiveness, including:
● Functional testing of critical systems and processes
● Testing of backup and recovery procedures
● Testing of communication plans and emergency response
procedures
UAB Bank can validate the recovery process through regular testing and
exercises.

Step 7: Implementation and Maintenance
UAB Bank should implement the DRP and make it available to all
personnel involved, review and update it regularly so that it remains
effective and current, and maintain the equipment and infrastructure it
relies on to ensure continued availability.

Step 8: Training and Awareness
Provide training to personnel on the DRP and their roles in the
recovery process, including:
● IT staff on backup and recovery procedures
● Branch staff on emergency response procedures
● Senior management on crisis management procedures
UAB Bank should make sure that all personnel are aware of their
responsibilities in the event of a disaster.

Step 9: Crisis Management
UAB Bank should establish a crisis management team to coordinate
response efforts during a disaster, including:
● IT team to manage the technical aspects of recovery
● Branch management team to manage branch operations
● Senior management team to manage the overall response effort

Step 10: Monitoring and Review
Regularly monitor the DRP for UAB Bank to ensure it remains
effective and up-to-date, including:
● Regular testing and validation exercises
● Review of backup and recovery procedures
● Review of communication plans and emergency response procedures
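
The backup, recovery and testing steps above (Steps 5 and 6, judged against the maximum tolerable downtime from Step 1) can be exercised with a small restore drill. The block below is an added example, not UAB Bank's own procedure: the sample files, archive names and MTD value are constructed, and it assumes Python's tarfile "data" extraction filter where available (falling back to a plain extract on older interpreters).

```python
"""DR drill for the backup-and-recovery steps: back up a directory, restore it
elsewhere, check every restored file against a SHA-256 manifest and the MTD.
Added example; all sample data here is constructed, not UAB Bank's."""
import hashlib, json, os, tarfile, tempfile, time

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive, manifest):
    """Archive src_dir and write a hash manifest kept apart from the archive."""
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                hashes[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(manifest, "w") as f:
        json.dump(hashes, f)
    return hashes

def restore(archive, dest_dir):
    """Extract; the 'data' filter (Python 3.12+) refuses path-escaping entries."""
    os.makedirs(dest_dir, exist_ok=True)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest_dir, **kwargs)

def verify(manifest, dest_dir, elapsed, mtd_seconds):
    """List missing and altered files; 'ok' needs a clean tree inside the MTD."""
    with open(manifest) as f:
        expected = json.load(f)
    missing = [r for r in expected if not os.path.isfile(os.path.join(dest_dir, r))]
    corrupted = [r for r in expected if r not in missing
                 and sha256_of(os.path.join(dest_dir, r)) != expected[r]]
    within = elapsed <= mtd_seconds
    return {"missing": missing, "corrupted": corrupted, "within_mtd": within,
            "ok": not missing and not corrupted and within}

def run_drill(mtd_seconds=5.0, simulate_corruption=False):
    """Whole drill on constructed files; simulate_corruption shows the failure path."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "core_banking")
        os.makedirs(src)
        for name, body in {"ledger.db": b"constructed ledger rows",
                           "customers.csv": b"id,name\n1,sample"}.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        archive, manifest = os.path.join(tmp, "bk.tgz"), os.path.join(tmp, "bk.json")
        make_backup(src, archive, manifest)
        dest = os.path.join(tmp, "restored")
        start = time.monotonic()
        restore(archive, dest)
        elapsed = time.monotonic() - start
        if simulate_corruption:              # alter a restored file after the fact
            with open(os.path.join(dest, "ledger.db"), "ab") as f:
                f.write(b"!")
        return verify(manifest, dest, elapsed, mtd_seconds)
```

A drill that reports "ok" only proves the backup can be restored intact within the MTD; a "corrupted" or "missing" list is the finding the DRP review in Step 10 should act on.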

Evaluation of tools that can be used in UAB Bank's policy to meet
business needs

Identity and Access Management (IAM) Solution (Tool: Okta)
Centralised Access Control provided by Okta ensures that UAB Bank
maintains strict control over user access to its systems and applications,
adhering to the principle of least privilege. With Okta's Single Sign-On
(SSO) feature, employees can seamlessly access multiple applications
using a single set of credentials, thereby enhancing user experience and
productivity. Furthermore, Okta's Multi-Factor Authentication (MFA) adds
an additional layer of security by requiring users to verify their identity
through multiple factors, such as passwords, biometrics, or OTPs,
significantly reducing the risk of unauthorised access and enhancing
overall security posture.

Endpoint Security Solution (Tool: CrowdStrike Falcon)
CrowdStrike Falcon provides UAB Bank with advanced threat
protection, offering real-time defence against a wide range of threats,
including malware, ransomware, and zero-day attacks. With its Endpoint
Detection and Response (EDR) capabilities, CrowdStrike Falcon ensures
continuous monitoring and visibility into endpoint activities, enabling rapid
detection and response to security incidents. Additionally, CrowdStrike
Falcon's Device Control feature empowers IT administrators to control and
manage device access, preventing unauthorised devices from connecting
to the network. This comprehensive approach to endpoint security helps
UAB Bank mitigate cybersecurity risks and safeguard its IT infrastructure
effectively.

Data Loss Prevention (DLP) Solution (Tool: Symantec Data Loss Prevention)
Symantec Data Loss Prevention (DLP) provides UAB Bank with
powerful tools to protect sensitive data and ensure compliance with data
protection regulations. The Sensitive Data Discovery feature scans and
identifies sensitive data across the network, endpoints, and cloud
applications, helping UAB Bank identify areas of vulnerability and
potential data breaches. With Content Inspection, Symantec DLP monitors
and controls the movement of sensitive data, preventing unauthorised
sharing or leakage. Additionally, the Encryption and Redaction feature
automatically encrypts or redacts sensitive data based on predefined
policies, ensuring data security and compliance with regulatory
requirements. By leveraging Symantec DLP's comprehensive data
protection capabilities, UAB Bank can mitigate the risk of data breaches
and safeguard sensitive information effectively.
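
The content inspection and redaction described above can be illustrated with a minimal policy check on outbound text. This is an added example, not Symantec's code: the candidate pattern, the Luhn filter, the block threshold and the sample message are all constructed for illustration.

```python
"""Content inspection of the kind a DLP policy applies to outbound data:
find candidate payment-card numbers, keep only those that pass the Luhn
check, then redact them or block the message under a simple policy.
Added example, not Symantec's code; the sample text below is constructed."""
import re

# 13-19 digits with optional single space/dash separators, not inside a
# longer digit run (so account numbers glued to other digits are not split)
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def is_pan(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def find_pans(text: str) -> list:
    """Every candidate in the text that survives the Luhn filter."""
    return [m.group() for m in CANDIDATE.finditer(text) if is_pan(m.group())]

def redact(text: str) -> str:
    """Mask each detected PAN to its last four digits, keeping everything else."""
    def mask(m):
        if not is_pan(m.group()):
            return m.group()
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)

def inspect_outbound(text: str, block_threshold: int = 3) -> dict:
    """Policy decision: allow clean text, redact a few PANs, block a bulk
    leak (block_threshold or more PANs, e.g. an exported card table)."""
    pans = find_pans(text)
    if not pans:
        return {"action": "allow", "text": text, "pans": 0}
    if len(pans) >= block_threshold:
        return {"action": "block", "text": None, "pans": len(pans)}
    return {"action": "redact", "text": redact(text), "pans": len(pans)}

# Constructed sample: one valid test PAN, one Luhn-invalid number, one phone
SAMPLE = ("Hi, the card 4111 1111 1111 1111 was declined; reference "
          "1234567812345678, call me on 020 7946 0958.")
```

The Luhn step is what keeps the reference number and the phone number out of the result; a pattern match alone would flag the 16-digit reference as well.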

Network Security Solution (Tool: Palo Alto Networks Next-Generation Firewall - NGFW)
Palo Alto Networks Next-Generation Firewall (NGFW) equips UAB
Bank with comprehensive security features to protect its network
infrastructure effectively. With Application Visibility and Control, Palo Alto
NGFW provides granular visibility and control over application traffic,
enabling UAB Bank to enforce security policies effectively and prevent
unauthorised access. Furthermore, Palo Alto NGFW offers advanced
Threat Prevention capabilities, including intrusion prevention, antivirus,
and URL filtering, to protect against known and unknown threats.
Additionally, the SSL Decryption feature decrypts and inspects SSL/TLS-
encrypted traffic, preventing attackers from exploiting encrypted channels
to bypass security controls. By leveraging these robust security features,
UAB Bank can ensure the integrity and confidentiality of its network
traffic, mitigating the risk of cyber attacks and data breaches effectively.

Security Information and Event Management (SIEM) Solution (Tool: Splunk Enterprise Security)
Splunk offers UAB Bank an advanced solution for managing security
events and responding to threats effectively. With Centralised Log
Management, Splunk aggregates and correlates log data from across the
bank's IT infrastructure, providing centralised visibility into security
events. This enables UAB Bank to identify potential threats and security
incidents more efficiently. Moreover, Splunk's Real-Time Threat Detection
utilises advanced analytics and machine learning to detect and respond to
security threats in real time, reducing the time to detect and respond to
incidents. Additionally, Splunk's Incident Response Automation features
automated incident response workflows, enabling UAB Bank's security
team to respond quickly and efficiently to security incidents, minimising
the impact of cyber threats on the bank's operations. By leveraging
Splunk's comprehensive security capabilities, UAB Bank can enhance its
security posture and effectively mitigate cyber risks.
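
The log correlation described above, as an added example that is not Splunk's own logic: a single rule over constructed login records that alerts when a burst of failures from one source address is followed by a success. The log format, the thresholds and the addresses are assumptions.

```python
"""Correlation rule of the kind a SIEM runs over aggregated logs: track
failed logins per source address in a sliding window and alert when a
success follows a burst of failures from that address. Added example, not
Splunk's own logic; the log lines below are constructed samples."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log (documentation address ranges, not real hosts)
SAMPLE_LOG = """\
2024-05-14T09:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-14T09:00:05 auth FAIL user=alice src=203.0.113.7
2024-05-14T09:00:09 auth FAIL user=bob src=203.0.113.7
2024-05-14T09:00:14 auth FAIL user=alice src=203.0.113.7
2024-05-14T09:00:20 auth FAIL user=alice src=203.0.113.7
2024-05-14T09:00:31 auth OK user=alice src=203.0.113.7
2024-05-14T09:01:02 auth FAIL user=carol src=198.51.100.4
2024-05-14T09:03:10 auth OK user=carol src=198.51.100.4
2024-05-14T09:10:00 auth FAIL user=dave src=192.0.2.9
2024-05-14T09:10:10 auth FAIL user=dave src=192.0.2.9
2024-05-14T09:10:20 auth FAIL user=dave src=192.0.2.9
2024-05-14T09:10:30 auth FAIL user=dave src=192.0.2.9
2024-05-14T09:10:40 auth FAIL user=dave src=192.0.2.9
2024-05-14T09:12:00 auth OK user=dave src=192.0.2.9
this line is not an auth event and is skipped
"""

LINE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(line):
    """Normalise one raw line into an event dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user, "src": src}

def correlate(lines, threshold=5, window_seconds=60):
    """One alert per source that logged >= threshold failures inside the
    window and then succeeded; failures older than the window are forgotten,
    so the 192.0.2.9 burst followed by a late success does not fire."""
    recent = defaultdict(deque)        # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts
```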

Conclusion
In conclusion, this report emphasises the vital importance of data
protection and security regulations for UAB Bank. It underscores the
necessity of adhering to ISO standards, especially ISO 31000 for risk
management. The report outlines UAB Bank's adoption of these standards
and IT security audits, showing their effectiveness in bolstering the bank's
security measures. Additionally, it evaluates the bank's data security
policy, its objectives, and its success, highlighting the need for alignment
with practical security practices. By including sample security policies, a
disaster recovery plan framework, and identifying key stakeholders, the
report provides UAB Bank with a comprehensive guide for improving its
data protection, security, and risk management strategies.

References
Content, L., 2024. A complete guide to the risk assessment process. [Online]
Available at: https://www.lucidchart.com/blog/risk-assessment-process
[Accessed 10 May 2024].
FERNANDO, J., 2024. What Are Stakeholders: Definition, Types, and Examples. [Online]
Available at: https://www.investopedia.com/terms/s/stakeholder.asp
[Accessed 14 May 2024].
Gillis, A. S., 2022. Security audit. [Online]
Available at: https://www.techtarget.com/searchcio/definition/security-audit
[Accessed 12 May 2024].
Imperva, 2024. Data Protection. [Online]
Available at: https://www.imperva.com/learn/data-security/data-protection/
[Accessed 11 May 2024].
Journal, I., 2024. What Is a Data Processing Agreement (DPA)? [Online]
Available at: https://ironcladapp.com/journal/contracts/what-is-a-data-processing-agreement-dpa/
[Accessed 11 May 2024].
MANAGEMENT, P., 2020. What is the purpose of policies in the workplace? [Online]
Available at: https://www.powerdms.com/policy-learning-center/what-is-the-purpose-of-policies-in-the-workplace
[Accessed 12 May 2024].
Ready, 2024. Risk Assessment. [Online]
Available at: https://www.ready.gov/business/planning/risk-assessment
[Accessed 10 May 2024].
Times, E., 2024. Economic Times. [Online]
Available at: https://economictimes.indiatimes.com/definition/risk
[Accessed 10 May 2024].
Zaichenko, M., 2022. Internal and External Stakeholders Roles & Responsibilities. [Online]
Available at: https://maddevs.io/blog/internal-and-external-stakeholders-in-it/
[Accessed 14 May 2024].
