Security Assignment

Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title: BTEC Higher National Diploma in Computing
Assessor: Mr. Ravindu Ishara
Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: Providing a suitable security solution for METROPOLIS CAPITAL Bank
Student's name: Y. Karan Hasintharan

List which assessment criteria the Assessor has awarded:
Pass:        Merit:        Distinction:

INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor's comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student:
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Give details:

Page 1 of 125
Karan Hasintharan | Security | Assignment

Does the assessment decision need amending? Y/N

Assessor signature:                          Date:
Internal Verifier signature:                 Date:
Programme Leader signature (if required):    Date:

Confirm action completed
Remedial action taken
Give details:

Assessor signature:                          Date:
Internal Verifier signature:                 Date:
Programme Leader signature (if required):    Date:
Higher Nationals - Summative Assignment Feedback Form

Student Name/ID: Y. Karan Hasintharan / E204347
Unit Title: Unit 05: Security
Assignment Number: 1
Assessor:
Submission Date:                 Date Received 1st submission:
Re-submission Date:              Date Received 2nd submission:

Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descriptors: P1  P2  M1  D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descriptors: P3  P4  M2  D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descriptors: P5  P6  M3  M4  D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descriptors: P7  P8  M5  D3

Grade:            Assessor Signature:            Date:

Resubmission Feedback:

Grade:            Assessor Signature:            Date:

Internal Verifier's Comments:

Signature & Date:
Pearson
Higher Nationals in Computing
Unit 05: Security

General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment.
Use previous page as your cover sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using word processing software.
4. All the assignments should be printed on A4 sized paper. Use single side printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and the font should be Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject,
Assignment No, and Page Number on each page. This is useful if individual sheets
become detached for any reason.
5. Use word processing application spell check and grammar check function to help
editing your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add text in the assignments, except for the
compulsory information, e.g. figures, tables of comparison, etc. Adding text boxes in
the body except for the aforementioned compulsory information will result in
rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late
submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as
illness, you may apply (in writing) for an extension.

8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL.
You will then be asked to complete an alternative assignment.
10. If you use other people's work or ideas in your assignment, reference them properly
using the Harvard referencing system to avoid plagiarism. You have to provide both
in-text citations and a reference list.
11. If you are proven guilty of plagiarism or any academic misconduct, your grade
could be reduced to a REFERRAL or at worst you could be expelled from the course.

Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work
and to present it as my own without attributing the sources in the correct way. I
further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.


2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another's work in any of
the assignments for this program.
4. I declare therefore that all work presented by me for every aspect of my program will
be my own, and where I have made use of another's work, I will attribute the source in
the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding
agreement between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document
is not attached to the assignment.

Student's Signature (Provide E-mail ID): [email protected]
Date (Provide Submission Date): 2024/07/14

Student Name /ID Number

Unit Number and Title Unit 5- Security

Academic Year 2022/23

Unit Tutor

Assignment Title METROPOLIS CAPITAL Bank

Issue Date

Submission Date

IV Name & Date

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Assignment Brief

Unit Learning Outcomes:

LO1 Assess risks to IT security.

LO2 Describe IT security solutions.

LO3 Review mechanisms to control organizational IT security.

LO4 Manage organizational security.

Assignment Brief and Guidance:

METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri
Lanka. It operates over 100 branches and 500 ATM machines across the island as well as 8
branches overseas. To provide these services, METROPOLIS CAPITAL Bank has
a primary datacenter located in Colombo and a secondary datacenter located in Galle.
Each branch and ATM must have connectivity to the core banking system to be able to
operate normally. To establish connectivity between the datacenters, branches and
ATMs, each location has a single ISP link. This link provides VPN services
between branches, ATMs and datacenters as well as MPLS services for the bank.

METROPOLIS CAPITAL Bank's Head Office is a 5-story building in Kollupitiya: the
Ground Floor is allocated to Customer Services, the First Floor to HR, the
Second Floor to Meeting Rooms and Senior Executive Staff, the Third Floor to
the Technical Support Team, and the Fourth Floor hosts the High Performance
Servers running the core banking systems. The Fifth Floor is occupied by other outside
companies unrelated to METROPOLIS CAPITAL Bank. METROPOLIS
CAPITAL Bank also provides many services to customers, including online and mobile
banking. Therefore, its core banking system must communicate with several
outside systems, and all communication between outside systems, the datacenters and the
Head Office is protected by a single firewall. In addition, METROPOLIS CAPITAL Bank
has recently implemented a bring your own device (BYOD) concept for Senior Executive
Staff and HR Departments and, to facilitate this, provides employee WiFi as well
as a guest WiFi hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several Local and foreign
IT service vendors. Some local vendors provide services and supports to foreign
companies. METROPOLIS CAPITAL Banks Technical Support Team is a local third-
party vendor, contracted by METROPOLIS CAPITAL Bank and managed by their Supply
chain management officer. The Technical Support Team provides onsite and remote
support for their customers.

METROPOLIS CAPITAL Bank strictly follows the rules and regulations enforced by the
government and the Central Bank, and has obtained ISO 31000:2009
certification. In addition, the datacenters, branches, ATMs and HQ are
covered by CCTV with 24x7 monitoring. Other security functions such as VA
scanning, internal auditing, and security operations are performed by bank employees. The bank has
purchased a VA scanning tool, a Privileged Access Management (PAM) system, an Endpoint
Detection and Response (EDR) system, a Data Loss Prevention (DLP) tool, a Web Application
Firewall (WAF) and a Secure Mail Gateway, which are managed by the Technical Support
Team.

It has been reported that an emergency is likely to occur in which a work-from-home
arrangement may be initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank
as a Network Security Analyst to recommend and implement a suitable security solution
to facilitate this situation.

Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL
Bank may face under its current status and evaluate a range of physical and virtual security measures
that can be employed to ensure the integrity of organizational IT security. You also need to analyze
the benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with
valid reasons in order to minimize security risks identified and enhance the organizational security.

Activity 02
2.1 Discuss how an incorrect/improper configuration of network infrastructure such as firewalls and VPNs
could impact METROPOLIS CAPITAL Bank. Assess the IT security risks that may be faced by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can provide its employees with a
“Secure remote working environment”.

2.2. Discuss how the following technologies would benefit METROPOLIS CAPITAL Bank and its clients by
increasing network performance. (Support your answer with suitable illustrations.)
i) Static IP
ii) NAT
iii) DMZ

Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its
clients. Explain the mandatory data protection laws and procedures which will be applied to
data storage solutions provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO
31000 risk management methodology" and summarize the ISO 31000 risk management
methodology and its application in IT security. Analyze possible impacts to organizational
security resulting from an IT security audit. Recommend how IT security can be aligned
with organizational Policy, detailing the security impact of any misalignment.

Activity 04
4.1 Design and implement a suitable security policy to prevent misuse and exploitation at
METROPOLIS CAPITAL Bank using organizational policy tools for the given
scenario, while evaluating and justifying the suitability of the tools used in an organizational policy to
meet business needs. Identify the stakeholders of METROPOLIS
CAPITAL Bank and describe their roles in building security audit
recommendations for the organization.

4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all
their sites to guarantee maximum reliability to their clients. (Student must develop a
PowerPoint-based presentation which illustrates the recovery plan within 15 minutes of
time including justifications and reasons for decisions and options used).

Grading Rubric

Grading Criteria (Achieved / Feedback)

LO1 Assess risks to IT security
P1 Discuss types of security risks to organizations.
P2 Assess organizational security procedures.
M1 Analyze the benefits of implementing network monitoring systems with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can be employed to ensure the integrity of organizational IT security.

LO2 Describe IT security solutions
P3 Discuss the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.
P4 Discuss, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.

LO3 Review mechanisms to control organizational IT security
P5 Review risk assessment procedures in an organization.
P6 Explain data protection processes and regulations as applicable to an organization.
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Analyze possible impacts to organizational security resulting from an IT security audit.
D2 Recommend how IT security can be aligned with organizational Policy, detailing the security impact of any misalignment.

LO4 Manage organizational security
P7 Design a suitable security policy for an organization, including the main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in implementing security audits.
M5 Justify the security plan developed giving reasons for the elements selected.
D3 Evaluate the suitability of the tools used in an organizational policy to meet business needs.

Table of Contents

1 Activity 01 .... 20
1.1 What is IT Security .... 20
1.1.1 Notable effects of IT security on an organization .... 20
1.1.2 Why IT Security for Banking Systems Is Important .... 21
1.2 Overview of Metropolis Capital Bank .... 21
1.2.1 Security .... 22
1.3 Discussing types of security risks to Metropolis Capital Bank .... 23
1.4 Assessment of Security Procedures at Metropolis Capital Bank .... 25
1.5 Evaluating a range of Virtual and Physical Security Measures to Protect the Integrity of the Metropolis Capital Bank .... 28
1.6 What is a Network Monitoring System? .... 32
1.6.1 Analyzing the benefits of implementing Network Monitoring Systems for METROPOLIS CAPITAL Bank .... 33
2 Activity 02 .... 38
2.1 The Impact of Incorrect Configuration of Firewalls and VPNs on METROPOLIS CAPITAL Bank .... 38
2.2 What is a Firewall? .... 38
2.2.1 Incorrect Configuration of Firewalls on METROPOLIS CAPITAL Bank .... 38
2.2.2 What is a VPN? .... 40
2.2.3 Incorrect Configuration of VPN and Using third-party VPNs on METROPOLIS CAPITAL Bank .... 41
2.3 Assessing IT Security Risks for Employees of METROPOLIS CAPITAL Bank .... 43
2.3.1 Proposing a “Secure Remote Working Environment” .... 44
2.4 Discussing how implementing a static IP, NAT, and DMZ in a network can improve network security for Metropolis Capital Bank and benefit both the bank and Clients .... 46
3 Activity 03 .... 51
3.1 Review Risk Assessment Procedures for METROPOLIS CAPITAL Bank .... 51
3.1.1 Importance of Risk Assessment .... 51
3.1.2 Review Risk Assessment Procedures .... 52
3.1.3 Application of Data Protection Laws to METROPOLIS CAPITAL Bank .... 59
3.2 ISO 31000 Risk Management Methodology .... 61
3.2.1 Application of ISO 31000 Risk Management Methodology In IT Security .... 62
3.3 How IT Security Audit Impacts On An Organizational Security .... 63
3.4 Recommending how IT security can be aligned with organizational Policy .... 65
3.5 How Misalignment of IT organizational policies impact security .... 67
4 Activity 04 .... 69
4.1 Designing a Suitable Security Policy to Prevent Misuse and Exploitations in line with METROPOLIS CAPITAL Bank .... 69
4.1.1 Organizational Security Policy Components .... 69
4.1.2 Policy Statement .... 70
4.2 Evaluating and justifying the suitability of the tools used in an organizational policy to meet business needs .... 77
4.3 Identifying the stakeholders who are subject to the METROPOLIS CAPITAL Bank .... 81
4.3.1 Describing the Roles of Stakeholders in Building Security Audit Recommendations .... 83
4.4 Disaster Recovery Plan for METROPOLIS CAPITAL Bank .... 86
4.4.1 Importance of Disaster Recovery Plan .... 86
4.4.2 Main Components of Disaster Recovery Plan (DRP) .... 86
4.4.3 Justifications and reasons for decisions and options used .... 89
4.5 Metropolis Capital Bank’s Disaster Recovery Plan .... 90
4.5.1 Information Technology Statement of Intent .... 90
4.5.2 Policy Statement .... 91
4.5.3 Objectives of Metropolis Capital Bank’s Disaster Recovery Plan .... 91
4.5.4 Key Personnel Contact Info .... 92
4.5.5 Notification Calling Tree .... 94
4.5.6 External Contact .... 95
4.5.7 External Contacts Calling Tree .... 96
4.5.8 Plan Overview .... 96
4.5.9 Risk Management .... 97
4.5.10 Emergency .... 99
4.5.11 DR Procedures for Management .... 101
4.5.12 Contact with Employees .... 101
4.5.13 Backup Staff .... 101
4.5.14 Recorded Messages / Updates .... 101
4.5.15 Alternate Recovery Facilities / Hot Site .... 101
4.5.16 Personnel and Family Notification .... 102
4.5.17 Media .... 102
• Taking Advantage of Opportunities for Useful Publicity .... 102
4.5.18 Insurance .... 103
4.5.19 Financial and Legal Issues .... 104
4.5.20 Legal Actions .... 106
4.5.21 DRP Exercising .... 106
4.5.22 Disaster Recovery Plan for Remote Connectivity .... 107
4.5.23 Disaster Recovery Plan for Local Area Network (LAN) .... 108
4.5.24 Disaster Recovery Plan for Wide Area Network (WAN) .... 109
4.5.25 Disaster Recovery Plan for Data Center (Example) .... 110
4.5.26 Damage Assessment Form (Example) .... 111
4.5.27 Disaster Recovery Event Recording Form (Example) .... 112
4.5.28 Mobilization of Disaster Recovery Team Members (Example) .... 113
4.5.29 Communication Coordination Form (Example) .... 113
4.5.30 Presentation Slides .... 114
5 References .... 124

Acknowledgment

While completing this assignment and making it a success, I had to get help and guidance
from some respected people. I am quite happy that the report is completed. I thank our
Lecturer, Mr. Ravindu Ishara, for guiding me through this assignment. He helped me in
challenging situations and gave us great guidance. His dedication and assistance were
very helpful in getting the task done successfully. I could not have finished such difficult
work without his help. I'm grateful.

1 Activity 01

1.1 What is IT Security

Cybersecurity, another name for IT security, guards information systems against theft, damage,
disruption, and unauthorized access. It involves a range of procedures and tools
designed to protect networks, devices, applications, and data.
Preserving the confidentiality, integrity, and availability of information protects
organizational assets from various forms of risk.

1.1.1 Notable effects of IT security on an organization

• Data Protection: ensures the privacy, availability, and integrity of sensitive data
while guarding against breaches and illegal access.
• Customer Trust: builds loyalty and reputation, protects financial and personal
information, and promotes consumer confidence.
• Business Continuity: protection against cyberattack interruptions, guaranteeing
that services and systems continue to function.
• Cost Savings: reduces the possible financial losses brought by cyberattacks,
including recovery expenses, penalties, and lost revenue.
• Regulatory Compliance: assists in complying with industry and legal
requirements, preventing fines and legal proceedings related to data breaches.
• Risk Management: reduces the impact of security events and increases overall
resilience by identifying and mitigating threats.
• Intellectual Property Protection: protects trade secrets and confidential
information, avoiding financial loss and competitive disadvantage.
• Employee Productivity: keeps systems and data available and free of malware, so staff
are not interrupted by incidents, outages, or clean-up work.
• Enabling Innovation: assures the security of new technologies, facilitating their
acceptance and promoting the expansion and development of businesses.

1.1.2 Why IT Security for Banking Systems Is Important

• Safeguarding Sensitive Information: Protects proprietary data, financial
records, and customer information from loss, hacking, and unauthorized access.
• Preventing Financial Loss: Reduces the likelihood of large financial losses by
mitigating the risks of fraud, theft, and cyberattacks.
• Maintaining Customer Trust: Builds and maintains client trust by protecting
their financial and personal data, which is essential for attracting new customers
and retaining existing ones.
• Enhancing Reputation: A robust security posture strengthens the bank's
competitive advantage by maintaining its standing as a trustworthy and safe
organization.
• Reducing Fraud: Puts controls in place to prevent and detect fraudulent
activity, shielding the bank and its clients from financial crime.
• Digital Transformation and Innovation: Enables the safe deployment of new
technologies, guarding against new risks while supporting innovation and
digital transformation.
• Internal Security: Protects sensitive data and internal operations by
controlling insider threats and unauthorized access by employees.
• Ensuring Business Continuity: Keeps services and systems available by
protecting banking operations against disruptions caused by cyber incidents.
• Compliance with Regulations: Ensures compliance with national banking
regulations, PCI DSS, GDPR, and other legal and regulatory requirements,
avoiding fines and legal consequences.

1.2 Overview of METROPOLIS CAPITAL Bank

A leading provider of private banking services in Sri Lanka, METROPOLIS
CAPITAL Bank is well known for its wide network and focus on quality. The
bank serves a broad range of customers through more than 100 branches, 500 ATMs,
and 8 overseas locations, providing a full range of financial services. Reliable
connectivity and service delivery are supported by the primary data center in Colombo
and the secondary data center in Galle. The head office, a five-story building in
Kollupitiya, houses key divisions including technical support, HR, and customer
services, as well as the high-performance servers that run the core banking systems.

In line with its adherence to strict government and Central Bank requirements, the
bank holds ISO 31000:2009 certification. METROPOLIS CAPITAL Bank offers online
and mobile banking services with a focus on security and innovation. These services
are supported by a full suite of security tools and 24/7 CCTV monitoring.

The bank has implemented a bring-your-own-device (BYOD) policy for senior
executive staff and the HR department in response to the changing business
landscape. This policy is supported by separate Wi-Fi networks for employees and
guests. In addition, METROPOLIS CAPITAL Bank works with local and foreign IT
service providers to ensure smooth service delivery and support while maintaining a
strong commitment to operational excellence and customer satisfaction.

1.2.1 Security

In the context of cybersecurity and information technology, security refers to the
precautions taken to guard computer systems, networks, and data against cyber threats,
damage, theft, disruption, and unauthorized access. Today's connected world exposes
sensitive data and critical systems to many cyber risks and vulnerabilities, so
putting strong security measures in place is critical to protecting these assets.
Key features of security include:
• Integrity: Keeping data and information reliable, consistent, and accurate
throughout its lifetime.
• Confidentiality: Ensuring that only authorized people or systems have access to
sensitive information.
• Authentication: Confirming a user's or system's identity to prevent unauthorized access.
• Authorization: Granting authorized users the access rights and permissions
appropriate to their jobs and responsibilities.
• Availability: Ensuring that, when needed, authorized individuals can access and
use information and services.
• Monitoring and Response: Watching for security incidents and acting
quickly to limit their impact.
• Compliance: Meeting the security and privacy obligations set out by law,
regulation, and organizational policy.

1.3 Discussing types of security risks to Metropolis Capital Bank

Metropolis Bank is a financial organization, hence it has particular and increased security
threats. The following discusses distinct security threats that are particularly significant to
Metropolis Bank.

1. Financial Fraud: For banks, financial fraud is a serious risk. This can involve
loan fraud, identity theft, and fraudulent transactions. Attackers may access bank
accounts and carry out illegal activities using credentials that they have stolen or
created, causing the bank and its clients to suffer large financial losses.

2. Ransomware Attacks: Malicious software used in ransomware attacks encrypts
bank data, making it unreadable until a ransom is paid. These assaults have the
potential to stop banking operations, resulting in lost revenue and delays. The
bank's network may be breached via phishing emails, malware, or hacked
websites that deliver ransomware.

3. Data Breaches of Customer Information: Banks manage large volumes of sensitive
customer data, such as account information, financial transactions, and personal
identifying information. This data may be exposed through a data breach, which
might result in serious reputational harm, penalties from the authorities, and
a decline in consumer confidence. Insider threats, phishing attacks, and hacking
are often cited causes of data breaches.

4. ATM and Point of Sale (POS) Skimming: The unauthorized collection of card
details at POS or ATM terminals is known as "skimming." Attackers install
devices known as "skimming devices," which read card magnetic stripe data and
record PINs. This information is then used to create fake cards or make
fraudulent transactions, causing financial losses for the bank and its clients.

5. Phishing and Social Engineering Attacks: Attacks using social engineering and
phishing are directed against both Metropolis Bank staff members and clients. The
purpose of these assaults is to deceive people into exposing private information or
doing actions that threaten security. Phishing emails, for instance, might pose as
correspondence from the bank to fool clients into divulging their login
information.

6. Insider Threats: Insiders such as contractors, employees, or other parties with
legitimate access to the bank's systems can be very dangerous if they abuse their
authority. Financial fraud, data theft, and IT infrastructure sabotage are examples
of insider risks. Because the people involved are trusted, these risks are more
difficult to identify and counter.

7. Third-Party Vendor Risks: Metropolis Bank frequently uses outside suppliers to
provide a range of services, including cloud storage, IT support, and payment
processing. If these third parties don't have adequate protection, they may introduce
further security problems. A vendor breach could compromise the data and business
operations of the bank.

8. Distributed Denial of Service (DDoS) Attacks: DDoS attacks have the potential
to overload Metropolis Bank's online services, including mobile applications and
Internet banking, by flooding them with excessive traffic. Customers may
experience service interruptions as a result, making it difficult for them to access
their accounts and complete transactions. Extended periods of downtime may harm
the bank's image and cause losses.

9. Regulatory Compliance Risks: Anti-money laundering (AML) guidelines, the General
Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard
(PCI DSS), and other regulations and standards must all be followed by financial
institutions like Metropolis Bank. Non-compliance may bring severe fines, legal
repercussions, and reputational harm.

10. Advanced Persistent Threats (APTs): APTs are specifically targeted
cyberattacks in which the attackers compromise the bank's network and evade
detection for a long time. The intention is either to spy on network activity or to
steal sensitive data, including bank records and client information. Because APTs
are persistent and hidden, they pose a serious danger.

To handle these dangers, Metropolis Bank needs to have strong security measures in
place. This entails using modern security technology, carrying out regular security audits,
educating employees on security best practices, and making sure that legal requirements
are met. Metropolis Bank may protect its resources, maintain trust among customers, and
guarantee the honesty of its business dealings by taking proactive measures to manage
these risks.

1.4 Assessment of Security Procedures at Metropolis Capital Bank

Strong security policies are required by METROPOLIS CAPITAL Bank to guarantee the
integrity of organizational IT security. An assessment of the bank's internal security is
provided below.

Network Infrastructure and Connectivity:

1. Head Office Network

• The Head Office in Kollupitiya is set up over five levels, with distinct
functions such as executive staff, meeting rooms, HR, customer service,
and high-performance servers housing core banking systems assigned to
each floor.
• To ensure unified security management, a single firewall safeguards
the connection between the Head Office, data centers, branches, ATMs,
and external systems.

2. Data Centers and Branch Connectivity
• The primary and secondary data centers for METROPOLIS CAPITAL Bank
are in Colombo and Galle, respectively.
• ISP links that offer VPN services for secure communication between
branches, ATMs, and data centers guarantee connectivity to these data
centers.
• The bank's activities depend on effective and dependable connections,
which are provided via MPLS services.

BYOD and Workforce Mobility:

1. Bring Your Own Device (BYOD)

• The HR department and top executives are the target audience for
the recently introduced BYOD policy.
• To ensure flexibility and convenience, Wi-Fi hotspots for guests and
employees are available throughout the premises to enable connectivity.

Cybersecurity Measures:

1. Security Operations

• The bank's specialized security staff carries out internal audits, monitoring,
and VA (Vulnerability Assessment) scanning as security activities.
• The Technical Support Team deploys and maintains products including
Web Application Firewalls (WAF), Secure Mail Gateways, Data Loss
Prevention (DLP) systems, Privilege Access Management (PAM), and
Endpoint Detection and Response (EDR) systems to defend against a
variety of cyber-attacks.

2. Compliance and Certification

• The bank demonstrates its dedication to risk management and
compliance with regulations set by the government and Central Bank
by adhering to the ISO 31000:2009 standard.

3. Vendor Management and Support

• The bank's supply chain management officer oversees a local third-
party technical support team that offers crucial onsite and remote
support services.
• The bank has created contracts, non-disclosure agreements (NDAs),
annual maintenance contracts (AMCs), and agreements with several
domestic and international IT service providers.

Possible Home-Based Employment Situation:

1. Emergency Preparedness

• Strong security measures are needed to protect remote connections
from hackers and other unwanted access.
• To prepare for future situations that could call for work-from-home
arrangements, the bank must make sure that vital systems and data are
securely accessed remotely.

Recommendations:
• Enhanced Remote Access Security: For every remote access,
utilize multi-factor authentication (MFA) to bolster access controls
and safely confirm user identities.
• Endpoint Protection: Boost endpoint security by utilizing cutting-
edge EDR technologies to quickly identify, look into, and address
possible security problems.
• Incident Response Planning: Develop and keep up an incident
response strategy that is specific to remote work environments and
outlines specific procedures for identifying, handling, and
recovering from cybersecurity issues.
• Network Segmentation and Access Controls: To separate
sensitive data and important systems, use network segmentation.
Strict access rules based on the least privilege principle should be
put in place.
• Continuous Monitoring and Auditing: Maintain 24/7
surveillance of network operations and carry out periodic internal
audits to guarantee adherence to security protocols, legal mandates,
and industry benchmarks.
• Security Awareness Training: Provide staff with frequent
security awareness training sessions and programs that highlight
safe remote work procedures, phishing prevention, and data
protection policies.

1.5 Evaluating a range of Virtual and Physical Security Measures to Protect the
Integrity of the Metropolis Capital Bank

Each measure is listed below with a description and an evaluation of its contribution
to the bank's security.

Virtual Security Measures

Security Measure: Firewall Protection
Description: Incoming and outgoing network traffic is monitored and controlled by a firewall using pre-established security rules.
Evaluation: The bank's use of a single firewall to protect communication between data centers, branches, ATMs, and external systems is an essential virtual security measure. It helps to efficiently implement access controls and centralizes security administration.

Security Measure: Endpoint Protection (EDR)
Description: Devices are equipped with Endpoint Detection and Response (EDR) systems, which are used to watch for suspicious activity and security risks.
Evaluation: By offering real-time visibility into endpoint activity, EDR improves endpoint security by facilitating quick identification, investigation, and mitigation of security problems.

Security Measure: Privileged Access Management (PAM)
Description: Privileged Access Management (PAM) solutions control and monitor privileged access to important data and systems.
Evaluation: By limiting access to critical resources to authorized workers only, PAM lowers the possibility of insider threats and unauthorized access attempts.

Security Measure: Encryption (VPN and MPLS)
Description: Multi-Protocol Label Switching (MPLS) and Virtual Private Networks (VPNs) are used to encrypt data that is sent between sites across network connections.
Evaluation: This protects client data and sensitive financial transactions between branches, ATMs, and data centers by guaranteeing data security and integrity throughout transmission.

Security Measure: Data Loss Prevention (DLP)
Description: DLP tools monitor and manage private information to stop illegal access, usage, or transfer.
Evaluation: By locating and protecting private data across endpoints, networks, and data centers, DLP helps METROPOLIS CAPITAL Bank abide by data protection laws and avoid data breaches.

Security Measure: Web Application Firewall (WAF)
Description: Web application firewalls (WAF) defend against typical online threats including SQL injection and cross-site scripting (XSS).
Evaluation: By filtering and monitoring HTTP traffic between web applications and clients, WAF deployments protect online financial services against attacks that target weaknesses in web applications.

Physical Security Measures

Security Measure: Surveillance (CCTV)
Description: Closed-circuit television (CCTV) cameras monitor and record activity within and around bank buildings.
Evaluation: Constant CCTV surveillance improves overall security monitoring across branches, ATMs, data centers, and the Head Office, discourages illegal activity, and supplies evidence for investigations.

Security Measure: Physical Barriers and Perimeter Security
Description: Physical barriers, fences, and perimeter security systems prevent external dangers and unlawful access from entering bank premises.
Evaluation: By adding further levels of protection to access control and monitoring, these methods help protect people, infrastructure, and physical assets.

Security Measure: Access Control Systems
Description: Sensitive places like data centers, server rooms, and executive floors are protected from physical access by access control systems, which include biometric scanners, key cards, and guards.
Evaluation: By preventing unauthorized individuals from accessing restricted locations, these methods improve physical security in general and protect essential systems and assets.

Security Measure: Intrusion Detection Systems (IDS)
Description: An IDS monitors network traffic to spot any unusual activity or possible security breaches.
Evaluation: By identifying unwanted attempts to access networks or facilities and enabling prompt responses to security events and possible threats, the deployment of intrusion detection systems (IDS) improves physical security.

Security Measure: Disaster Preparedness and Incident Response
Description: Processes for handling crises, disasters, and physical security issues are outlined in incident response plans and emergency preparation procedures.
Evaluation: Frequent testing and revision of these plans minimize delays to banking operations and ensure staff safety by assuring quick reaction and efficient coordination during emergencies.

Integration and Holistic Security Approach

• Evaluation: METROPOLIS CAPITAL Bank shows a strong
integration of physical and virtual security measures to completely
protect its operations, data, and infrastructure. A layered defensive
approach combines physical security measures like access control,
surveillance, and perimeter security with virtual security measures
like firewalls, encryption, and endpoint protection.

• Recommendation: The bank's security posture will be further
strengthened by ongoing monitoring, frequent security audits, and
personnel training on security best practices. Retaining an effective
security architecture also requires staying informed of new threats
and changing regulatory requirements.

In conclusion, METROPOLIS CAPITAL Bank may successfully preserve the integrity of
its business operations and maintain the confidence of customers by assessing and
improving these physical and virtual security measures, which will also secure sensitive
financial data and guarantee continuous banking services.

1.6 What is a Network Monitoring System?

A hardware or software solution intended to monitor and manage a computer network is
called a network monitoring system. It gathers information on the security, availability,
and performance of the network continually to guarantee optimal operation and to quickly
identify and address problems. Some key features of a network monitoring system are as
follows:
• Traffic Monitoring: Analyzing patterns of network traffic to identify irregularities,
including unexpected surges in data consumption or unwanted access attempts.
• Alerting and Notifications: Alerting administrators to possible network problems
or security events by creating alarms and notifications either instantly or in
response to preset criteria.
• Dashboards and Visualization: Presenting network health and performance indicators
in dashboards and visual representations to speed up insights and decision-making.
• Security Monitoring: Keeping an eye out for security events and abnormalities,
such as malware infections, illegal access, or intrusion attempts, that could point to
malicious behavior.
• Device Monitoring: Keeping an eye on the operational parameters and state of
network equipment, such as servers, firewalls, routers, switches, and endpoints.
• Logging and Reporting: Gathering and keeping track of network data for
reporting, compliance audits, forensic examination, and troubleshooting.
• Performance Monitoring: Tracking and reporting on parameters related to network
performance, including response times, latency, bandwidth use, and packet loss.
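As an added example (not part of the original assignment), the following Python script applies two of the features above, traffic monitoring and alerting on preset criteria, to a handful of constructed syslog-style lines. The log layout, device names, addresses and thresholds are all assumptions made for the demo; a real monitoring system would read the same kind of records from the firewall and VPN concentrator.

```python
"""Added example (not from the original assignment): a minimal network
monitoring detector that applies two of the features listed above,
traffic monitoring and alerting, to constructed log lines. The log
layout, host names, addresses and thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a syslog-like layout (not real bank logs):
# <timestamp> <device> <event> key=value ...
SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw01 CONN src=10.1.5.23 dst=10.2.0.10 dport=443 bytes=1200
2024-05-01T09:00:05 vpn01 AUTH_FAIL user=asmith src=203.0.113.7
2024-05-01T09:00:09 vpn01 AUTH_FAIL user=asmith src=203.0.113.7
2024-05-01T09:00:12 vpn01 AUTH_FAIL user=asmith src=203.0.113.7
2024-05-01T09:00:14 vpn01 AUTH_FAIL user=asmith src=203.0.113.7
2024-05-01T09:00:16 vpn01 AUTH_FAIL user=asmith src=203.0.113.7
2024-05-01T09:00:20 vpn01 AUTH_OK user=bjones src=198.51.100.4
2024-05-01T09:01:00 fw01 CONN src=10.1.5.23 dst=10.2.0.10 dport=443 bytes=1500
2024-05-01T09:02:00 fw01 CONN src=10.1.5.23 dst=10.2.0.10 dport=443 bytes=1300
2024-05-01T09:03:00 fw01 CONN src=10.1.5.23 dst=198.51.100.99 dport=443 bytes=48000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    rec = {"ts": ts, "host": m.group("host"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("kv")))
    return rec


def detect(log_text, fail_threshold=5, window=timedelta(seconds=60),
           surge_factor=10):
    """Return (kind, source, detail) alerts for two preset criteria:
    repeated authentication failures from one source inside `window`, and
    a connection whose byte count is `surge_factor` times the source's
    running average (an unexpected surge in data consumption)."""
    alerts = []
    fails = defaultdict(list)        # src -> recent AUTH_FAIL timestamps
    history = defaultdict(list)      # src -> byte counts of earlier CONNs
    already_flagged = set()          # sources already reported for brute force
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src", "?")
        if rec["event"] == "AUTH_FAIL":
            # Keep only failures that fall inside the sliding window.
            fails[src] = [t for t in fails[src] if rec["ts"] - t <= window]
            fails[src].append(rec["ts"])
            if len(fails[src]) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("BRUTE_FORCE", src,
                               f"{len(fails[src])} failed logins on {rec['host']} "
                               f"within {int(window.total_seconds())}s"))
        elif rec["event"] == "CONN":
            size = int(rec["bytes"])
            prev = history[src]
            if len(prev) >= 2:   # need a small baseline before judging a surge
                mean = sum(prev) / len(prev)
                if size > surge_factor * mean:
                    alerts.append(("TRAFFIC_SURGE", src,
                                   f"{size} bytes to {rec['dst']} vs. baseline {mean:.0f}"))
            prev.append(size)
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOGS):
        print(f"ALERT {kind} from {src}: {detail}")
```

Run on the constructed lines, the script raises one brute-force alert for the five failed VPN logins from a single address and one traffic-surge alert for the 48 MB transfer that dwarfs that host's earlier connections. The thresholds are deliberately parameters: in a real deployment they would be tuned to the bank's observed baseline so the alerts stay actionable.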

1.6.1 Analyzing the benefits of implementing Network Monitoring Systems for
METROPOLIS CAPITAL Bank

The implementation of network monitoring systems at METROPOLIS CAPITAL
Bank has several advantages that can improve the bank's security posture, operational
effectiveness, and regulatory compliance. These are the main benefits along with
the reasons:

Benefits are grouped by area; each lists a description and the reason it matters to the bank.

Improved Security Posture

Benefit: Early Threat Detection
Description: Unusual traffic patterns, illegal access attempts, and possible security breaches may all be quickly detected by network monitoring systems, enabling quick action to reduce risks.
Reason: Early identification lessens the possible effects of security events, safeguarding private financial information and preserving client confidence.

Benefit: Complete Visibility
Description: Provides a comprehensive understanding of network activity, making it possible to find vulnerabilities and guarantee that security policies are applied uniformly throughout the network.
Reason: Complete visibility guarantees that all security measures are operating as intended and helps avoid data breaches.

Regulatory Compliance

Benefit: Data Protection
Description: Supports compliance with data protection laws by monitoring and securing data flow to stop illegal access and data breaches.
Reason: Preserves the bank's reputation for honesty and reliability while securing sensitive client data.

Benefit: Audit Trails and Reporting
Description: Produces thorough network activity records and reports, which are necessary for adhering to industry standards and financial requirements.
Reason: Guarantees that the bank complies with regulatory standards, protecting it against possible penalties and harm to its reputation that might result from non-compliance.

Cost Savings

Benefit: Reduced Downtime
Description: The bank may save money on network failures and downtime by detecting and fixing problems before they become serious.
Reason: Maintains client satisfaction, stops revenue loss, and guarantees continued operations.

Benefit: Efficient Resource Management
Description: Minimizes the need for unnecessary hardware and software investments by optimizing the use of network resources.
Reason: Reduces running costs and boosts the return on investment in network infrastructure.

Improved Reliability and Performance of the Network

Benefit: Optimal Resource Utilization
Description: Monitors how network resources are being used to maximize the efficiency and distribution of network devices and applications.
Reason: Makes sure that network resources are used effectively, which lowers operating costs and improves the user experience in general.

Benefit: Proactive Issue Resolution
Description: Network performance measures like packet loss, latency, and bandwidth use may be continuously monitored to help find and fix problems before they affect operations.
Reason: Proactive problem-solving reduces downtime and guarantees that clients receive financial services continuously.

Scalability and Flexibility

Benefit: Integration with Other Systems
Description: Provides an integrated strategy for network administration and security by integrating easily with existing security tools and IT management systems.
Reason: Builds a unified and compatible system that improves the overall efficacy of the bank's IT infrastructure.

Benefit: Adaptability to Changes
Description: Network monitoring systems can evolve with the bank and adjust to new requirements in terms of business operations or network design.
Reason: Supports the bank's growth objectives and ensures that network monitoring remains effective as the network changes.

Efficient Incident Response

Benefit: Forensic Analysis
Description: Stores network data so that security issues can be investigated and understood through forensic analysis, providing post-event assessment and improvement.
Reason: Increases the bank's capacity to draw lessons from incidents and reinforce defenses against potential threats.

Benefit: Real-Time Alerts
Description: Alerts users in real time to potentially dangerous actions and security incidents, allowing for quick incident response and mitigation.
Reason: Shortens the time it takes to respond to incidents, reducing possible harm and speeding up recovery.

Enhanced Customer Experience

Benefit: Faster Issue Resolution
Description: Customer service interruptions are reduced when network problems are promptly identified and fixed.
Reason: Makes certain that financial services are always available and operating at peak efficiency, which improves the client experience.

Benefit: Reliable Services
Description: Guarantees the effectiveness and reliability of mobile and online banking services, giving users a smooth and safe banking experience.
Reason: Keeps up high levels of client satisfaction and loyalty by providing trustworthy and consistent banking services.

In conclusion, by implementing network monitoring tools, METROPOLIS CAPITAL
Bank may improve security, performance, compliance, and overall operational efficiency
in a variety of ways. These solutions enhance the bank's objectives of maintaining strict
service and security standards by facilitating proactive management, prompt incident
response, cost savings, scalability, and an improved client experience.

Here are some examples of widely used network monitoring systems:

• PRTG Network Monitor: A commercial network monitoring system from
Paessler that offers comprehensive network health, usage, and availability
monitoring. It provides numerous reporting options and dashboards that may be
customized.
• SolarWinds Network Performance Monitor (NPM): A commercial
network monitoring system that provides thorough reporting, fault monitoring,
and deep insights into network performance. It offers a feature-rich
UI that is easy to use.
• Wireshark: An open-source network protocol analyzer
that offers thorough network traffic examination. Even though it is not a
complete network monitoring system, it is a useful tool for in-depth
troubleshooting and analysis of network traffic.
• WhatsUp Gold: Ipswitch's commercial network monitoring product provides
real-time network mapping, monitoring, and alerting. It is popular for
its wide feature set and simplicity of use.
• Nagios: A free and open-source program for network monitoring that offers
thorough tracking of network hardware, software, and services. It is recognized for
having an effective notification and alerting system.

The many advantages and benefits that these network monitoring systems provide can
assist METROPOLIS CAPITAL Bank in preserving the functionality, security, and well-
being of its network infrastructure. The requirements, financial constraints, and current IT
infrastructure of the bank all influence the tool selection.

2 Activity 02

2.1 The Impact of Incorrect Configuration of Firewalls and VPNs on
METROPOLIS CAPITAL Bank

2.2 What is a Firewall?

A firewall is a hardware or software network security component that monitors and regulates
incoming and outgoing network traffic according to pre-established security rules. To stop
unwanted access and cyber risks, its main goal is to provide a barrier between a trusted
internal network and untrusted external networks, such as the Internet. Firewalls can be
deployed as software, hardware, or a mix of the two.

2.2.1 Incorrect Configuration of Firewalls on METROPOLIS CAPITAL Bank

Firewall configuration is a crucial component of network security for METROPOLIS CAPITAL
Bank, as for all financial institutions. A strong firewall setup is necessary for the
bank's several branches, ATMs, and data centers to protect critical data and ensure
smooth operations. On the other hand, misconfigured or inaccurate firewall setups can
result in serious security flaws, interruptions to business operations, regulatory
non-compliance, and reputational harm. The possible effects of such misconfigurations
are described in this section, highlighting how crucial careful firewall
settings are to safeguarding the bank's data, infrastructure, and customers.

Security Vulnerabilities:

• Unauthorized Access: Inadequate or incorrectly set firewall controls may allow
unauthorized access to confidential network segments. This may result in
data breaches, which give attackers access to private client information,
financial information, and corporate secrets.
• Open Ports and Services: Needlessly open ports or exposed weak services give
attackers a way in. These weaknesses provide an opening for
attackers to enter the network and escalate their privileges.

Regulatory Non-Compliance:

• Audit Failures: Inadequate configurations might lead to failures in
security evaluations and compliance inspections. This harms the bank's
standing with regulators and clients and calls for expensive remediation
work.
• Data Protection Violations: Inadequate configuration of network security
measures may lead to failure to adhere to data protection standards, such as
GDPR and PCI DSS. Regulatory non-compliance can result in costly
penalties, legal consequences, and increased regulatory monitoring.

Operational Disruptions:

• Network Downtime: Inadequate firewall rules have the potential to obstruct
valid traffic, leading to network disturbances or outages. Consumers are unable
to use online banking services and employees are unable to access critical
systems, which results in operational inefficiencies and dissatisfied
consumers.
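The three misconfiguration classes above (an exposed service, a catch-all allow with no default deny, and a rule that blocks legitimate traffic) can all be caught by a simple rule-set audit. The following Python script is an added example, not part of the original assignment or the bank's real policy: it audits a simplified, constructed rule list with hypothetical zone names (external, dmz, branch, core) and an assumed list of high-risk ports, and shows the weak rule set beside a hardened one.

```python
"""Added example (not from the original assignment): an audit of a
simplified firewall rule set that flags the misconfiguration classes
discussed above. The rule format, zone names and the list of high-risk
ports are assumptions made for this demo, not the bank's real policy.
"""

ANY = "any"
# Services that should never be reachable from the untrusted zone
# (assumption: remote administration and database/file-sharing ports).
HIGH_RISK_PORTS = {21, 22, 23, 135, 139, 445, 1433, 3306, 3389}
UNTRUSTED_ZONE = "external"


def rule(action, src, dst, dport=ANY, proto=ANY):
    """Build one rule; rules are evaluated top-down, first match wins."""
    return {"action": action, "src": src, "dst": dst, "dport": dport, "proto": proto}


def covers(earlier, later):
    """True when every packet `later` would match is already matched by
    `earlier`, so `later` can never take effect (it is shadowed)."""
    return all(earlier[f] == ANY or earlier[f] == later[f]
               for f in ("src", "dst", "dport", "proto"))


def audit(rules):
    """Return (rule_index, code, message) findings for a rule list."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and r["src"] == ANY and r["dst"] == ANY and r["dport"] == ANY:
            findings.append((i, "PERMIT_ANY", "allow-any rule bypasses all filtering"))
        if r["action"] == "allow" and r["src"] == UNTRUSTED_ZONE and (
                r["dport"] == ANY or r["dport"] in HIGH_RISK_PORTS):
            findings.append((i, "EXPOSED_SERVICE",
                             f"port {r['dport']} on {r['dst']} reachable from {UNTRUSTED_ZONE}"))
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, r):
                findings.append((i, "SHADOWED",
                                 f"never matched: rule {j} ({earlier['action']}) already covers it"))
                break
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY
            and last["dst"] == ANY and last["dport"] == ANY):
        findings.append((len(rules), "NO_DEFAULT_DENY",
                         "rule set does not end with an explicit deny-any"))
    return findings


# Constructed rule sets. The weak one shows each misconfiguration class:
# an exposed service, a deny that shadows the branch-to-core HTTPS rule
# (the "network downtime" case), a catch-all allow, and no default deny.
WEAK_RULES = [
    rule("allow", "external", "dmz", 3389, "tcp"),
    rule("deny", "branch", "core"),
    rule("allow", "branch", "core", 443, "tcp"),
    rule("allow", ANY, ANY),
]

HARDENED_RULES = [
    rule("allow", "branch", "core", 443, "tcp"),
    rule("allow", "external", "dmz", 443, "tcp"),
    rule("deny", ANY, ANY),
]

if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rs) or 'no findings'}")
```

The shadowing check is the one most often missed in manual reviews: the branch-to-core HTTPS allow in the weak set looks correct on its own, but the broader deny placed above it means the rule never fires, which is exactly how an outage of a legitimate service arises from a configuration change. Real firewalls match on address ranges and port ranges rather than single zone names, so a production checker would replace the equality tests in covers() with subset tests.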

Reputational Damage:

• Brand Image: Frequent service interruptions or widely reported security
issues might harm the bank's reputation. Long-term effects of a damaged
reputation might include a diminished market position, lost alliances, and
difficulty acquiring customers.
• Customer Trust: Customer trust might be damaged by security breaches or
service interruptions brought on by incorrect setups. Consumers expect
reliable services and the protection of their sensitive data from their financial
institutions. Any setback in these domains may result in lost business and
negative publicity.

At METROPOLIS CAPITAL Bank, improper firewall setup can have serious
consequences, including operational interruptions, regulatory non-compliance, and
reputational harm in addition to security concerns. Maintaining the security,
effectiveness, and reliability of the bank depends on making sure that these crucial
network components are configured correctly and are continuously monitored.

2.2.2 What is a VPN?

A virtual private network, or VPN, is a technique that establishes a safe, encrypted
connection over a less secure network, like the Internet. It enables users to safely access a
private network and its resources from a distance, as if they were physically linked
to the local area network (LAN) of the private network. VPNs are often utilized to protect
sensitive data transfer across open networks and to give workers who work from home or
on the go safe remote access.

2.2.3 Incorrect Configuration of VPN and Using third-party VPNs on
METROPOLIS CAPITAL Bank

Impacts of Incorrect VPN Configuration:

• Increased Risk of Data Breaches: Data breaches can result from insecure
VPN setups, which allow hackers to intercept or alter sent data. This puts
sensitive information's security and integrity at risk, which might cost
METROPOLIS CAPITAL Bank money and harm the bank's image.
• Compliance Issues: There may be penalties and legal consequences for
violating VPN security best practices and regulatory obligations (such as
GDPR and PCI DSS). Strong VPN settings are required by regulatory
organizations for financial institutions such as METROPOLIS CAPITAL
Bank to guarantee the safe processing and transfer of sensitive data.
• Security Vulnerabilities: The bank may be vulnerable to security flaws
including inadequate encryption technologies or inappropriate authentication
techniques due to misconfigured VPN settings. This makes private company
information, sensitive financial data, and consumer information vulnerable to
illegal access or interception by bad parties.
• Operational Disruptions: VPNs that are improperly configured may cause
frequent disconnections, slow connection speeds, or trouble accessing
important services and apps. Because they depend on VPN connections to do
their work efficiently, remote workers' productivity is impacted, which
influences overall corporate operations.
• Operational Costs: For the bank, fixing VPN misconfigurations and dealing
with the subsequent security problems may be quite expensive. These costs,
which affect the bank's overall financial stability and operational
effectiveness, include those associated with IT troubleshooting, security
remediation initiatives, regulatory fines, and even lawsuit fees.
• Customer Trust and Reputation: Data breaches and other VPN-related
security problems, along with service outages, may reduce customers' trust in
the bank's capacity to protect their financial information. Consumers expect
that their financial institutions will adhere to strict guidelines for data security
and dependability. Any compromise in these areas runs the risk of alienating
customers and even costing the bank business.

Impacts of Using Third-Party VPNs:

• Security Vulnerabilities: Third-party VPN providers' security procedures
may fall short of the exacting requirements set by financial institutions. The
bank's data may be subject to illegal access if a third-party VPN provider has
lax security protocols or suffers a breach, which might result in data theft and the
loss of private information.
• Data Breaches: By using a third-party VPN, there are more opportunities for
data to be intercepted or viewed by unauthorized parties. Confidential
financial and customer information may be exposed in a data breach caused by
a third-party provider's inadequate infrastructure security or network
penetration.
• Vendor Lock-In: Vendor lock-in could result from an excessive reliance on a
single third-party VPN service provider. This might result in higher expenses
and a greater reliance on the technology and support services of the supplier,
as well as prevent the bank's ability to change providers or adjust to evolving
security requirements.
• Data Sovereignty: When employing third-party VPN providers, data
sovereignty issues come up, particularly if the provider's servers are spread
across nations with disparate data protection regulations. The bank is
responsible for making sure the supplier adheres to local data protection laws
and that private information isn't moved to countries where privacy laws are
less stringent.
• Transparency and Accountability: Third-party VPN providers may
be opaque about their incident response procedures and security measures.
The bank might not have complete access to the provider's handling of
security concerns or data breaches, which makes it challenging to accurately
identify and reduce risks.

• Trust and Control Issues: The bank's ability to manage its data
security decreases when it outsources VPN services to outside parties.
The bank must trust the third-party provider to put strong
security measures in place and keep them up to date. The operational
integrity and security posture of the bank may be immediately
impacted by any supplier failure or breach.

METROPOLIS CAPITAL Bank's security and operational effectiveness depend heavily
on the proper setup of VPNs as well as the cautious selection and control of third-party
VPN providers. By addressing these risks with thorough service level agreements (SLAs),
ongoing monitoring, and frequent audits, the bank can safeguard its data and guarantee
that it is complying with regulatory standards.
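Both halves of section 2.2.3, the incorrect-configuration impacts (weak encryption, inappropriate authentication) and the third-party concerns (data sovereignty, lack of transparency), come down to checks that can be run against each VPN profile the bank operates. The Python script below is an added example, not part of the original assignment: it evaluates three constructed, hypothetical profiles against an assumed policy (the approved cipher list, the deprecated protocol list, the single allowed server region and the fixed reference date are all assumptions chosen for the demo).

```python
"""Added example (not from the original assignment): a policy check over
constructed remote-access VPN profiles. It covers the misconfiguration
classes discussed above (deprecated protocols, weak ciphers, weak or
shared-secret authentication, expired certificates, split tunnelling)
and, for third-party operated services, the data sovereignty and
transparency concerns. Profile fields, the approved cipher list, the
allowed region and the reference date are assumptions for the demo.
"""
from datetime import date, timedelta

APPROVED_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
DEPRECATED_PROTOCOLS = {"PPTP", "SSLv3", "TLSv1.0", "TLSv1.1"}
ALLOWED_REGIONS = {"LK"}          # assumption: data may only transit Sri Lankan servers
CERT_WARN_DAYS = 30
TODAY = date(2024, 6, 1)          # fixed reference date so results are reproducible


def check_profile(p, today=TODAY):
    """Return a list of finding codes for one VPN profile (empty = compliant)."""
    findings = []
    if p["protocol"] in DEPRECATED_PROTOCOLS:
        findings.append("WEAK_PROTOCOL")
    if p["cipher"] not in APPROVED_CIPHERS:
        findings.append("WEAK_CIPHER")
    if p["auth"] == "password" and not p["mfa"]:
        findings.append("NO_MFA")               # password alone is phishable
    if p["auth"] == "psk":
        findings.append("SHARED_SECRET_AUTH")   # no per-user identity to audit
    if p["cert_expiry"] < today:
        findings.append("EXPIRED_CERT")
    elif (p["cert_expiry"] - today).days < CERT_WARN_DAYS:
        findings.append("CERT_EXPIRING_SOON")
    if p["split_tunnel"]:
        findings.append("SPLIT_TUNNEL")         # traffic leaves the encrypted path
    if p["operator"] == "third-party":
        foreign = set(p["server_regions"]) - ALLOWED_REGIONS
        if foreign:
            findings.append("DATA_SOVEREIGNTY:" + ",".join(sorted(foreign)))
        if not p["audit_rights"]:
            findings.append("NO_AUDIT_RIGHTS")  # no contractual visibility into incidents
    return findings


def check_all(profiles, today=TODAY):
    """Map each profile name to its findings."""
    return {p["name"]: check_profile(p, today) for p in profiles}


# Constructed profiles (hypothetical names and settings).
PROFILES = [
    {"name": "exec-byod", "protocol": "IKEv2", "cipher": "AES-256-GCM",
     "auth": "certificate", "mfa": True, "cert_expiry": date(2025, 12, 31),
     "split_tunnel": False, "operator": "bank", "server_regions": ["LK"],
     "audit_rights": True},
    {"name": "hr-legacy", "protocol": "PPTP", "cipher": "RC4",
     "auth": "password", "mfa": False, "cert_expiry": date(2024, 1, 1),
     "split_tunnel": True, "operator": "bank", "server_regions": ["LK"],
     "audit_rights": True},
    {"name": "vendor-support", "protocol": "TLSv1.2", "cipher": "AES-128-GCM",
     "auth": "password", "mfa": True, "cert_expiry": TODAY + timedelta(days=10),
     "split_tunnel": False, "operator": "third-party",
     "server_regions": ["LK", "SG"], "audit_rights": False},
]

if __name__ == "__main__":
    for name, findings in check_all(PROFILES).items():
        print(f"{name}: {findings or 'compliant'}")
```

The bank-operated profile that uses certificates and a modern cipher passes cleanly; the legacy profile accumulates every configuration finding at once, which is typical of a profile nobody has reviewed since it was created; and the vendor profile is technically sound but fails on the contractual points the section raises, a server outside the allowed region and no audit rights. Running such a check on a schedule, alongside the SLAs and audits mentioned above, turns those contractual requirements into something that can be verified rather than assumed.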

2.3 Assessing IT Security Risks for Employees of METROPOLIS CAPITAL Bank

At METROPOLIS CAPITAL Bank, remote workers are exposed to several IT security
concerns, such as social engineering attacks, network weaknesses, and the possibility of
sensitive data being exposed. These hazards result from connecting to the bank's systems
from insecure locations, which can also lead to inconsistent application of security controls.
These issues must be resolved to safeguard the bank's assets, secure client information,
and ensure regulatory compliance. The primary risks include:

• Phishing Attacks: When working remotely, employees can become more
vulnerable to social engineering or phishing emails, which might result in
unauthorized access to confidential information.
• Device Theft or Loss: The danger of unauthorized access to the bank's
systems and data is caused by the loss or theft of laptops, cell phones, and
other devices utilized for remote work.
• Data Leakages: Data breaches may result from employees accidentally
sharing private information over unprotected networks or cloud services.
• Malware and Ransomware: If remote equipment is not kept up to date and
properly protected, it may be more vulnerable to ransomware and malware
assaults.

• Unsecured Wi-Fi Networks: Making a connection to a poorly protected
public or home network exposes private data to the risk of being captured by
hostile parties.
• Lack of Security Awareness: Workers may be ignorant of security best
practices or the unique dangers connected to working remotely.
• Inadequate Endpoint Security: Because they may not have firewalls,
antivirus software, or encryption, remote devices are more vulnerable to
assaults.
• Insider Threats: Workers with access to sensitive information may
purposefully or unintentionally abuse their powers, which might result in
security issues.

2.3.1 Proposing a “Secure Remote Working Environment”

METROPOLIS CAPITAL Bank may put these precautions into practice to mitigate these
dangers and provide a secure environment for working remotely:

Technical Measures

• Multi-Factor Authentication (MFA): Add a layer of protection to the bank's
systems and apps by implementing multi-factor authentication (MFA) for all
remote access.
• VPN Usage: Make sure that every remote worker has a secure, appropriately
set-up virtual private network (VPN) to encrypt their internet traffic and
safeguard data transfers between their devices and the bank's network.
• Data Loss Prevention (DLP): Use DLP solutions to oversee and manage the
transmission of private information and stop it from being shared or leaked
without authorization.
• Endpoint Security Solutions: Install complete endpoint security solutions,
such as firewalls, encryption software, antivirus, and anti-malware programs,
on all remote devices.

• Access Controls: Make sure workers only have access to the information and
systems they require for their jobs by enforcing strict access restrictions based
on the principle of least privilege.
• Regular Software Updates and Patching: To guard against known
vulnerabilities, make sure that all remote devices and apps are frequently
updated and patched.
• Mobile Device Management (MDM): Manage, keep an eye on, and
safeguard employee mobile devices used for remote work by utilizing MDM
solutions.

Administrative Measures

• Remote Work Policies: Create and implement thorough policies for remote
work that include permitted usage, security specifications, and worker
obligations.
• Secure Backup Solutions: To make sure that important data is often backed
up and can be restored in the event of data loss or ransomware attacks, use
secure backup solutions.
• Security Awareness Training: Employees should get frequent training on
security best practices, phishing awareness, and the unique dangers of working
remotely.
• Regular Security Audits: Perform routine security audits and evaluations of
remote work settings to find and fix any vulnerabilities.
• Incident Response Plan: Provide a clear incident response plan that remote
workers can follow in the event of a security breach or other suspicious
activity.

Physical Measures

• Work Environment: Give staff members tips on how to set up a safe
and secure workspace at home, such as using privacy screens and
secure home offices.
• Device Security: Encourage staff members to use physical security
measures like laptop cable locks and safe storage for unused
equipment.

METROPOLIS CAPITAL Bank may greatly improve the security of its remote working
environment by putting in place a mix of administrative, technical, and physical
precautions. This comprehensive approach will support the preservation of regulatory
compliance, protect sensitive data, and ensure the continued confidence and contentment
of the bank's stakeholders and clients.

2.4 Discussing how implementing a static IP, NAT, and DMZ in a network can
improve network security for Metropolis Capital Bank and benefit both the
bank and Clients.

I. Static IP
An IP address that is fixed and doesn't change over time is known as a static
IP address. For financial organizations like METROPOLIS CAPITAL Bank to
provide uninterrupted services and secure remote access, this guarantees
continuous and dependable network connections.

Improving Network Security:

• Ease of Remote Access: Static IP addresses make setting up VPNs for
remote access easier. For example, remote workers can connect to the
bank's network through a VPN by using the VPN server's static IP, which
guarantees a consistent and secure connection. This is essential for
preserving productivity and guaranteeing safe lines of communication.

• Enhanced Network Performance and Reliability: Reliable
connections may be maintained with the use of static IPs. For instance,
static IP addresses might be allocated to the bank's servers that host
online banking apps. This increases the operational stability of the
bank by ensuring the continuous availability of services like online
banking and transaction processing.
• Improved Security: Improved security measures are made possible by
static IPs. Static IPs allow firewalls to be set more efficiently by
limiting traffic to known IP addresses. To mitigate the danger of illegal
access, the bank's internal systems can be configured to only accept
connections from the static IP addresses allocated to the branch offices.

Example: Customers and staff will continue to get uninterrupted service since
the bank's core servers, which handle financial operations, will always be
available via the use of static IPs.

Benefits for the Bank and Clients:

• Secure Transactions: Customers can feel more confident about the
security and stability of their transactions knowing that the bank's
online services are located on static IPs. Security certificates and
encryption algorithms that protect client data can be linked to static IP
addresses.
• Consistent Service Access: Customers who use online banking
services gain from static IPs' reliable and steady connection. This
improves user experience and lowers the likelihood of service
interruptions.

II. NAT (Network Address Translation)

Network address translation (NAT) is a technique for remapping one IP address
space into another by altering the network address information in the IP
headers of packets while they pass through a traffic routing device. By hiding
internal IP addresses from outside parties, NAT improves the use of IP
addresses and provides an extra degree of protection.

Improving Network Security:

• Enhanced Security: NAT adds an extra degree of protection by hiding
internal IP addresses from outside networks. For example, Network Address
Translation (NAT) makes sure that the internal IP addresses of the bank's
systems are hidden when customers use online banking services, which makes
it more difficult for hackers to target certain devices.
• IP Address Conservation: With NAT, the bank can use a single public IP
address on a private network to connect to many devices. This is especially
helpful for the internal network of the bank, where a lot of devices require
internet connectivity. In addition to managing the network effectively, it
preserves the finite supply of public IP addresses.
• Simplified Network Management: By permitting private IP address schemes
inside, NAT can make network management easier. Without having to worry
about IP conflicts or address exhaustion, this flexibility enables the IT staff to
operate the network more effectively.

Example: By using NAT, the bank can assign private IP addresses to internal
devices and use a single public IP for its internet gateway. By keeping the
underlying network structure hidden from the public, this configuration
improves security and preserves IP addresses.
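
A small simulation of the gateway in the example above, added here as an
illustration and not part of the assignment: many private hosts share one
public address through a translation table, and inbound packets that no
internal host asked for are dropped. All addresses and ports are constructed
(RFC 5737 documentation ranges), and the reply check (the peer must match the
original destination) is an assumed restricted-NAT behaviour.

```python
"""Port-based NAT simulation (added example; addresses constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the bank's single public gateway address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Rewrites outbound packets so they appear to come from the public IP and
    reverses the rewrite for matching replies.  Nothing outside ever sees a
    10.x address, which is the hiding effect described in the text."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private_ip, private_port, peer_ip, peer_port) -> public port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (private_ip, private_port, peer_ip, peer_port)
        self._inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> internet: allocate (or reuse) a public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: forward only replies to an existing mapping.
        Returns None (drop) for anything unsolicited or from a different peer."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self._inbound.get(pkt.dst_port)
        if mapping is None:
            return None                       # nobody inside asked for this
        private_ip, private_port, peer_ip, peer_port = mapping
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None                       # assumed restricted-NAT check
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

    def active_mappings(self) -> int:
        return len(self._inbound)


if __name__ == "__main__":
    gw = NatGateway(PUBLIC_IP)
    # Two internal hosts (constructed 10.x addresses) both use source port 51000.
    out_a = gw.outbound(Packet("10.0.5.23", 51000, "198.51.100.7", 443))
    out_b = gw.outbound(Packet("10.0.5.24", 51000, "198.51.100.7", 443))
    print("outbound A:", out_a)   # src 203.0.113.10:40000
    print("outbound B:", out_b)   # src 203.0.113.10:40001
    print("reply to A :", gw.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, 40000)))
    print("unsolicited:", gw.inbound(Packet("192.0.2.50", 12345, PUBLIC_IP, 40002)))
```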

Benefits for the Bank and Clients

• Stable and Secure Services: With NAT in place, clients experience fewer IP
address conflicts, which guarantees a more reliable and consistent service
while using online banking functions.
• Protected Transactions: NAT helps clients by adding an extra layer of
protection that makes it more difficult for attackers to link the client's
connections to internal bank systems. This ensures safer data exchanges and
online transactions.

III. DMZ (Demilitarized Zone)

A demilitarized zone (DMZ) is a physical or logical subnet that separates an
internal local area network (LAN) from external untrusted networks, typically
the internet. A DMZ improves security and manages access to critical internal
systems by separating public-facing services from the internal network.

Improving Network Security:

• Segmentation of Services: The DMZ makes it possible to divide
services according to security requirements. Less sensitive public
services are separated in the DMZ, while critical internal services are
protected by further firewalls.
• Enhanced Security: The bank can protect its internal network from
direct internet exposure by placing public-facing servers (such as mail
servers and web servers) in the DMZ. An attacker cannot access the
internal network directly if they hack a server located in the
demilitarized zone.
• Controlled Access: While protecting the internal network, the DMZ
enables restricted access for external users to the bank's services.
Servers for online banking, for instance, can be located in the DMZ to
handle client requests without placing the internal network at risk.

Example: The bank can use the DMZ for its online banking interface.
Customers can access their accounts and conduct transactions safely
thanks to this configuration, which also protects the internal banking
systems from any online threats.
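
The three-zone layout above (internet, DMZ, internal) together with the
static-IP allowlist for branch offices from part I, as an added first-match
packet-filter model rather than the bank's actual firewall configuration. The
zone ranges, the branch addresses, the database port 5432 and the VPN port
1194 are constructed placeholders.

```python
"""Zone-based first-match filter: DMZ segmentation plus static-IP allowlist.
Added example with constructed addresses; not a real firewall rule set."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed address plan.  Anything outside these ranges is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),        # public-facing web / mail servers
    "internal": ip_network("10.0.0.0/8"),     # core banking, databases, staff LAN
}
# Constructed static IPs of the branch offices (part I: only known fixed
# addresses may reach internal systems from outside).
BRANCH_STATIC_IPS: FrozenSet[IPv4Address] = frozenset(
    {ip_address("198.51.100.10"), ip_address("198.51.100.11")}
)


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]                   # None matches any port
    action: str                               # "allow" or "deny"
    src_ips: Optional[FrozenSet[IPv4Address]] = None   # extra source allowlist

    def matches(self, src: IPv4Address, src_zone: str, dst_zone: str, port: int) -> bool:
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.dst_port is not None and self.dst_port != port:
            return False
        return self.src_ips is None or src in self.src_ips


# First match wins; anything not listed is dropped (default deny).
POLICY: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),                           # customers -> online banking front end
    Rule("internet", "internal", 1194, "allow", BRANCH_STATIC_IPS),  # branch VPN from static IPs only
    Rule("dmz", "internal", 5432, "allow"),                          # web tier -> its database port only
    Rule("internal", "dmz", None, "allow"),                          # admins manage the DMZ from inside
    Rule("internal", "internet", None, "allow"),                     # outbound staff traffic (via NAT)
]


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return "allow" or "deny" for one connection attempt."""
    src = ip_address(src_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src, src_zone, dst_zone, dst_port):
            return rule.action
    return "deny"


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.10", 443),    # customer -> web server: allow
        ("203.0.113.5", "10.1.1.1", 443),      # internet -> internal: deny
        ("192.0.2.10", "10.2.0.5", 5432),      # DMZ web -> internal DB: allow
        ("192.0.2.10", "10.2.0.5", 22),        # compromised DMZ host -> SSH inside: deny
        ("198.51.100.10", "10.0.0.1", 1194),   # branch static IP -> VPN: allow
        ("203.0.113.5", "10.0.0.1", 1194),     # unknown IP -> VPN: deny
    ]
    for src, dst, port in checks:
        print(f"{src:>14} -> {dst}:{port:<5} {decide(src, dst, port)}")
```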

Benefits for the Bank and Clients:

• Improved Trust: Customer trust increases when the bank uses security
measures like a DMZ. Customers may rest easy knowing that the bank takes
the security of their data seriously, which is essential to maintaining
business.
• Secure Access to Services: The DMZ offers improved protection for
customers using services like online banking and customer care portals.
This guarantees safe and dependable interactions between them and the
bank's services for the public.

3 Activity 03

3.1 Review Risk Assessment Procedures for METROPOLIS CAPITAL Bank

3.1.1 Importance of Risk Assessment

A successful risk management plan must include risk assessment. A comprehensive risk
evaluation procedure has several significant benefits for METROPOLIS CAPITAL Bank,
which runs a huge network of branches and ATMs and offers a wide range of financial
services:

Prioritization of Risks
Risk assessment helps prioritize the biggest dangers to the bank by analyzing the
possibility and effect of various risks. By addressing the highest-risk areas first, this
prioritizing guarantees that resources are spent efficiently, maximizing the usage of staff,
money, and time.

Identification of Vulnerabilities
The risk assessment process assists in locating weak points in the bank's IT infrastructure,
including core banking platforms, ATM systems, branch networks, and data centers. By
anticipating possible gaps, the bank may take appropriate measures to close them
before malicious actors take advantage of them.

Protection of Customer Data
Since the bank deals with sensitive client information, data protection is of the highest
priority. By identifying possible risks to data security, risk assessment helps banks
preserve consumer trust by putting strong security measures in place to guard against data
breaches and cyberattacks.

Compliance with Regulations
METROPOLIS CAPITAL Bank is bound by several laws and guidelines, including those
imposed by the Central Bank and global norms such as ISO 31000. Regular risk
assessments help maintain the bank's reputation and help prevent legal fines by
ensuring compliance with these rules.

Improved Decision Making
A comprehensive risk assessment procedure gives management important insights into
the security environment. Leaders may make well-informed decisions by using this
information to select the most effective plans of action and investments to strengthen the
bank's security posture.

Stakeholder Confidence
The bank's dedication to security appears in the regular risk assessments and the
application of efficient risk management techniques. Customers, staff members,
regulators, and investors will all feel more confident in the bank's capacity to protect their
interests as a result of this commitment.

Business Continuity
The continuation of banking operations is helped by the identification and mitigation of
risks. Even in the case of adverse events, the bank can preserve service availability and
dependability by anticipating such disruptions and having backup measures ready.

3.1.2 Review Risk Assessment Procedures

1. Identification of Assets and Threats

Assets:
• Data Centers:
o Primary Data Center: Located in Colombo.
o Secondary Data Center: Located in Galle.
o High-Performance Servers: Hosted on the fourth floor of the Head
Office in Kollupitiya.
• ATM Network:
o There are 500 ATMs on the island.
o Connectivity to key financial systems is essential for activities to run
smoothly.

• Customer Data:
o Customers' financial and personal information
o Extremely sensitive and in need of strong security measures.

• Branch Infrastructure:
o More than 100 locations across Sri Lanka.
o Branch connectivity is dependent on MPLS and VPN services being
provided via ISP lines.

• Core Banking Systems:
o The center of all financial activities, including mobile and internet
banking.
o Situated at the data centers and head office.

Threats:
• Natural Disasters:
o Data centers and branch offices are among the physical infrastructure
that might be harmed by earthquakes and floods.

• Cyber-Attacks:
o Malware and Ransomware: Can disrupt banking operations and
compromise data integrity.
o Distributed Denial-of-Service (DDoS) Attacks: Can overwhelm
systems, causing downtime.
o Phishing and Social Engineering: Aim to gain unauthorized access by
targeting employees.

• Equipment Failure:
o Power Outages: If backup power systems are not used appropriately,
they can result in downtime and data loss.

o Hardware problems: ATMs, servers, and network equipment can all
malfunction and cause operations to be disrupted.

• Insider Threats:
o Accidental Breaches: Employees may unintentionally jeopardize
security by being careless or unaware.
o Malicious Insiders: Employees or contractors who have access to
private information or systems may deliberately harm.

2. Vulnerability Assessment

Regular Scanning:

• Automated Tools:
Weekly or monthly scan schedules are necessary to ensure that the most recent
vulnerabilities are found. Maintaining an updated security posture is made easier by
routinely scanning the network, servers, and endpoints with a vulnerability
assessment (VA) scanning tool. To enable effective and efficient mitigation
efforts, the vulnerabilities found by these scans should be ranked in order of
impact, severity, and exploitability.

• Patch Management:
It is essential to update and patch all installed software regularly to minimize
known vulnerabilities. In addition, maintaining track of each program version and
patch level guarantees that the whole software inventory is regularly secured from
threats and kept up to date.

Penetration Testing:
• Internal Testing:
Internal penetration testing can be used to detect organizational vulnerabilities and
simulate attacks. Crucial systems including ATM networks, data centers, and core
banking should all be included in this testing to ensure a thorough evaluation of
any possible security flaws.

• External Testing:
External testing should be performed annually, and again after significant changes
to the IT system. Employing independent security experts to carry out penetration
testing and offer unbiased insights into the organization's security defenses will
ensure an objective assessment of security posture.

3. Risk Analysis
Qualitative and Quantitative Analysis:
• Qualitative Analysis:
Rely on the knowledge and experience of IT security professionals to
assess the nature and potential consequences of the discovered dangers. To
fully analyze and prepare for prospective threats, develop risk scenarios
for different risks to comprehend the potential effects on operations.

• Quantitative Analysis:
Support the qualitative view with quantitative analysis based on historical
data and trends to deliver data-driven insights. Employ statistical and
financial models to ascertain the probability and financial impact of risks;
this provides an extensive and precise evaluation of possible hazards and
their effects.

Risk Matrix:

• Development:
Group threats into four categories: low, medium, high, and critical. Sort
each risk according to its likelihood and potential impact. The risk matrix's
designated axes, "Likelihood" and "Impact," offer a methodical way to
rank and classify hazards.

• Usage:
Provide stakeholders with a clear visual picture of the risk environment the
organization is facing. Using the risk matrix, prioritize the risks and
concentrate mitigation efforts on the most urgent ones, so that resources
are deployed effectively against the biggest concerns.
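
A risk register scored with the Likelihood x Impact matrix described above,
added as an example and not part of the assignment: each risk gets one of the
four categories (low, medium, high, critical) from the qualitative scores, and
the quantitative view adds an expected annual loss (probability x financial
impact). The threat names echo section 3.1.2, but every score, probability,
loss figure and the thresholds between categories are constructed assumptions.

```python
"""Risk register scored with the Likelihood x Impact matrix (low/medium/high/
critical) plus an expected-annual-loss figure for the quantitative view.
Added example; threat names follow section 3.1.2, all scores are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

LEVELS = ("low", "medium", "high", "critical")


def matrix_rating(likelihood: int, impact: int) -> str:
    """Place a 1-5 likelihood and 1-5 impact into one of the four categories.
    The thresholds on the product are an assumption of this example."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    score = likelihood * impact
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1 rare .. 5 almost certain (qualitative)
    impact: int                # 1 negligible .. 5 severe (qualitative)
    annual_probability: float  # quantitative: chance of at least one event per year
    loss_per_event: float      # quantitative: estimated loss per event (constructed units)

    @property
    def rating(self) -> str:
        return matrix_rating(self.likelihood, self.impact)

    @property
    def expected_annual_loss(self) -> float:
        # probability x financial impact: the usual expected-loss product
        return self.annual_probability * self.loss_per_event


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order by matrix category first, then by expected annual loss, so the
    register shows a mitigation order rather than just a label per risk."""
    return sorted(
        risks,
        key=lambda r: (LEVELS.index(r.rating), r.expected_annual_loss),
        reverse=True,
    )


def render_matrix() -> List[str]:
    """5x5 grid (rows = likelihood 5..1, columns = impact 1..5) for stakeholders."""
    rows = ["L\\I " + " ".join(f"{i:>8}" for i in range(1, 6))]
    for likelihood in range(5, 0, -1):
        cells = " ".join(f"{matrix_rating(likelihood, i):>8}" for i in range(1, 6))
        rows.append(f"{likelihood:>3} " + cells)
    return rows


# Constructed register echoing the threats listed in section 3.1.2.
REGISTER: List[Risk] = [
    Risk("Ransomware on core banking hosts", 4, 5, 0.15, 400.0),
    Risk("DDoS against online banking", 4, 3, 0.60, 25.0),
    Risk("Phishing of branch staff", 5, 3, 0.90, 10.0),
    Risk("Flooding at secondary data centre", 2, 4, 0.05, 120.0),
    Risk("Power outage with failed backup power", 2, 3, 0.10, 8.0),
    Risk("Malicious insider with privileged access", 2, 5, 0.05, 200.0),
]


if __name__ == "__main__":
    print("\n".join(render_matrix()))
    print()
    for r in prioritise(REGISTER):
        print(f"{r.rating:>8}  EAL={r.expected_annual_loss:7.2f}  {r.name}")
```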

4. Risk Treatment

Mitigation:
• Physical Security:
Install physical access controls, such as biometric scanners and key card
systems. Maintain constant CCTV surveillance in high-risk areas like data
centers, ATMs, and branch offices to improve security oversight and prevent
unwanted entry.

• Security Controls:
To closely monitor and regulate the use of privileged accounts, implement a
strong Privileged Access Management (PAM) system. To identify and respond
to endpoint threats proactively, introduce Endpoint Detection and Response
(EDR) systems. Set up and implement firewalls to stop unwanted users from
accessing the network. To improve overall cybersecurity posture and defend
against typical online assaults like SQL injection and cross-site scripting,
make use of Web Application Firewalls (WAF).

Transfer:

• Insurance
Physical assets like buildings and machinery are protected against hazards like
natural catastrophes by property insurance. Purchasing cyber insurance
policies provides complete risk coverage for both digital and physical assets,
guarding against monetary damages resulting from cyber events.

• Contractual Agreements:
Create service level agreements (SLAs) to guarantee that vendors meet
security and performance requirements. Incorporate risk-sharing provisions
into vendor agreements with IT service providers to efficiently balance
obligations and reduce risks.

• Avoidance
Eliminate risks that exceed the company's risk tolerance. Investigate safer
substitutes or different approaches to remove the hazard altogether.

• Acceptance
Accept risks that fall within the bank's tolerance and record each accepted
risk along with its justification. Monitoring these risks guarantees openness
and well-informed choices in risk management procedures.

5. Monitoring and Review

• Continuous Monitoring:
o Network Monitoring Systems:
METROPOLIS CAPITAL Bank uses cutting-edge technology for network
monitoring and continuous surveillance. Anomaly detection technologies
help to quickly identify security events. Alerts ensure quick reaction and
mitigation by quickly informing IT security of any irregularities.

o Security Information and Event Management (SIEM):
Integrate Security Information and Event Management (SIEM) systems to
collect, examine, and correlate security data from various sources
to improve response capabilities. With this integration, you can quickly
resolve issues by having full visibility and actionable insights.

• Regular Audits:
o Internal Audits:
METROPOLIS CAPITAL Bank should regularly carry out internal security
audits to assess the measures already in place and guarantee ongoing security
efficacy. Full compliance with regulatory requirements, industry standards, and
company rules is necessary. In-depth audit reports that emphasize conclusions
and offer suggestions for continued improvement have to be produced.

3.1 Mandatory Data Protection Laws and Procedures

Overview of Data Protection Laws
Legislative frameworks known as data protection laws are intended to secure people's
private information and guarantee that corporations use their data responsibly. The
following significant data protection regulations may be relevant to the bank:

➢ General Data Protection Regulation (GDPR):
GDPR, which is enforced in the EU and EEA, sets stringent guidelines for
processing personal data. These guidelines apply even if a bank operates outside
of these countries but manages the data of EU and EEA residents.

➢ Personal Data Protection Act (PDPA):
Because banks operating in Sri Lanka are close to Singapore, the Personal Data
Protection Act (PDPA), which was implemented there, governs the gathering, use,
disclosure, and protection of personal data.

➢ Payment Card Industry Data Security Standard (PCI DSS):
Mandatory for organizations handling payment card data, PCI DSS ensures secure
handling and protection of cardholder information.

➢ Financial Sector Data Protection Guidelines:
These regulations, which are specific to financial institutions, address security
controls, breach reporting, and customer data protection. Regulators such as the
Central Bank of Sri Lanka have mandated these measures.

According to these regulations, METROPOLIS CAPITAL Bank must have policies in
place that support people's rights over their data, minimize data gathering, provide strong
data security procedures, and quickly identify data breaches. Maintaining confidence,
avoiding fines, and safeguarding consumer data all depend on compliance.

3.1.3 Application of Data Protection Laws to METROPOLIS CAPITAL Bank

To preserve client data and maintain legal compliance, METROPOLIS CAPITAL Bank
must successfully implement regulatory standards into its daily operations. These statutes
are applied as follows:

General Data Protection Regulation (GDPR):
Regardless of where the company managing the data is based, the GDPR establishes strict
standards for the processing and protection of personal data of persons inside the
EU/EEA. This means that METROPOLIS CAPITAL Bank must comply with GDPR if it
handles personal data belonging to people who live in these areas. Strong security
measures need to be put in place by the bank, such as getting explicit permission before
processing data, guaranteeing data accuracy, and protecting the rights of data subjects,
such as the ability to view, correct, and erase their data. These steps are essential for
maintaining GDPR compliance and building trust among consumers in the EU and EEA.

Personal Data Protection Act (PDPA):
As a financial organization, METROPOLIS CAPITAL Bank is regulated by the Personal
Data Protection Act (PDPA), which controls the collection, use, and preservation of
personal data in Sri Lanka. Adhering to the PDPA's principles of consent, purpose
limitation, and data minimization is necessary. To prevent unauthorized access,
modification, disclosure, or destruction of personal data, the bank must put in place
the necessary security measures. METROPOLIS CAPITAL Bank adheres to PDPA regulations
to secure client data and fulfill its legal duties regarding data handling procedures.

Payment Card Industry Data Security Standard (PCI DSS):
The Payment Card Industry Data Security Standard (PCI DSS), which specifies strict
security criteria for companies that conduct card transactions, must be followed while
handling payment card information. METROPOLIS CAPITAL Bank is required to have
strong security measures in place and keep them up to date, such as network monitoring,
regular vulnerability assessments, strict access limits, and encryption of cardholder data.
Following PCI DSS guidelines is crucial to safeguarding cardholder data against fraud,
theft, and unauthorized access, guaranteeing safe financial transactions, and maintaining
consumer and payment card provider confidence.

Financial Sector Data Protection Guidelines:
Financial companies are the target audience for certain data privacy standards established
by regulatory organizations such as the Central Bank of Sri Lanka. METROPOLIS
CAPITAL Bank must abide by these regulations, which cover data retention rules,
security measures, and procedures for reporting security breaches. These policies are
intended to improve financial sector data security, reduce the risks of data breaches, and
guarantee quick action and reporting in the case of a security incident. The bank shows
that it is committed to protecting the confidentiality and integrity of sensitive financial
information by following these rules.

Data Security Measures:
To guard against unauthorized access and data breaches and ensure the security and
confidentiality of client information, METROPOLIS CAPITAL Bank uses encryption,
limitations on access, staff training, and routine security assessments.

Data Subject Rights:
By creating transparent procedures for accessing, updating, and erasing personal data
upon request, ensuring compliance with privacy rules, and protecting individuals' rights
over their information, the bank supports the rights of data subjects.

Data Breach Response:
METROPOLIS CAPITAL Bank keeps an extensive data breach response method up to
date to quickly identify, evaluate, and address breaches. It involves ensuring compliance,
reducing the effect of events on data security, and promptly informing impacted parties
and regulatory agencies.

By putting these data protection laws into practice and following them, METROPOLIS
CAPITAL Bank can improve its overall data protection posture in addition to complying
with legal requirements. By putting a high priority on data security and privacy, the bank
builds stronger relationships with its customers, reduces the danger of data breaches, and
supports a safe and stable financial environment.

3.2 ISO 31000 Risk Management Methodology

Explanation:
ISO 31000 defines risk as the effect of uncertainty on objectives. The standard
emphasizes a comprehensive and methodical approach to risk management that
integrates easily into the organization's broader governance and management
structure. The approach may be used for any kind of risk, including IT,
operational, financial, and strategic risks.

Key principles of ISO 31000:

o Transparent Communication: Ensuring that there is open and honest
communication about risks and how they are managed across the
company.
o Risk Management Framework: Putting in place an organized,
methodical framework for risk management that is in line with the
objectives and environment of the company.
o Customization: Customizing the risk management procedure to the
particular requirements of the company, taking into account variables like
scale, complexity, and risk tolerance.
o Continuous Improvement: To adjust to new risks and changing
conditions, the risk management framework should be reviewed and
improved regularly.

o Integration: Including risk management into all levels of the
organization's decision-making, procedures, and culture.

The following are the main steps of the ISO 31000 risk management methodology:

• Risk Identification: Identifying potential threats, such as cyber threats,
vulnerabilities, and operational risks, that may influence the organization's
IT security.

• Risk Assessment: Assessing the risks that have been discovered according to their
probability and possible influence on data and IT systems. Prioritizing risks in this
manner requires qualitative as well as quantitative evaluation.

• Risk Treatment: Creating and implementing risk treatment strategies to reduce,
transfer, avoid, or accept risks, according to the organization's risk appetite and
tolerance levels.

• Monitoring and Review: Continuously watching and analyzing how well risk
mitigation and treatment strategies are working. This covers routine evaluations,
audits, and changes to the risk management framework.

3.2.1 Application of ISO 31000 Risk Management Methodology In IT Security

Within the framework of IT security, ISO 31000 offers a methodical way to efficiently
handle cybersecurity risks:

• Risk Identification in IT Security: Recognizing and evaluating specific IT
risks, such as those posing a risk to the availability, confidentiality, and
integrity of data. This covers weaknesses in apps, networks, and infrastructure.
• Risk Assessment and Analysis: Assessing and prioritizing IT risks according
to their possible influence on information assets and business processes using
techniques including risk scoring, threat modeling, and vulnerability
assessments.

• Risk Treatment Strategies: Creating IT security guidelines, protocols, and
protections to reduce threats that have been discovered. This could include
putting in place operational (like incident response plans and access
restrictions), technological (like firewalls and encryption), and managerial
(like risk awareness training and governance frameworks) controls.

• Continuous Improvement: Assessing and upgrading IT security protocols
regularly to take into account new threats, developments in technology, and
adjustments to corporate procedures. This ensures the organization's continued
resistance to changing cyber threats.

Using the ISO 31000 risk management approach, businesses may improve their capacity
to detect, evaluate, and handle IT security threats efficiently. It promotes a proactive
approach to cybersecurity by making sure that risks are controlled in an organized,
methodical way to safeguard vital resources and preserve business continuity.

3.3 How IT Security Audit Impacts On An Organizational Security

While an IT security audit is essential for evaluating how well security measures are
working, it can have both positive and negative effects on corporate security.
The potential effects are examined below:

Positive Impacts:
1 Compliance Verification
Audits ensure adherence to internal data protection policies and legal obligations
such as GDPR and PCI DSS. By doing this verification, fines are avoided,
reputations are protected, and stakeholder faith in strong security measures is
increased.

2 Improvement in Security Awareness
Training programs that improve staff knowledge of IT security guidelines and best
practices are part of audits. This lowers insider risks, increases adherence to
security procedures, and promotes a watchful corporate security culture.

3 Identification of Vulnerabilities
System, network, and application vulnerabilities are found through IT security
audits, allowing for proactive remediation before exploitation. Organizations can
strengthen their security posture against possible cyberattacks by rapidly fixing
flaws.

4 Enhanced Incident Response Preparedness
The auditing process improves incident response strategies and helps organizations
identify, address, and quickly recover from cyber incidents. This preparedness reduces
the potential harm, disruption of operations, and financial impact resulting from
cybersecurity attacks.

Challenging Impacts:
5 Discovery of Systemic Issues
IT audits often reveal structural problems with the governance structure or IT
infrastructure that call for significant corrective action. To effectively address
these problems, it may be necessary to make intricate and expensive adjustments
to IT systems and procedures. This will call for careful planning and budget
allocation.

6 Reputation and Stakeholder Perception
The reputation of a business can be severely impacted by the public release of
audit results or security vulnerabilities found during audits. Significant security
flaws or breaches can result in a loss of consumer confidence, bad press, and
reputational harm, which highlights the importance of strong security protocols
and proactive risk management techniques.
7 Resource Intensiveness
Completing thorough IT security audits requires significant time, manpower, and
financial commitment. This allocation may take focus away from strategic objectives and
day-to-day operations, which might affect the organization's overall productivity and
operational efficiency.

8 Potential Disruption
Comprehensive audits have the potential to temporarily interrupt regular IT
operations, especially if they involve invasive evaluations or penetration testing.
Business continuity and service delivery are put at risk by these interruptions,
which emphasizes the necessity of careful planning and proactive mitigation
techniques to reduce downtime and operational damage.

3.4 Recommending how IT security can be aligned with organizational Policy

For corporate assets to be fully protected and risks to be successfully mitigated, IT
security must be aligned with organizational policy. Here are some key recommendations
for reaching alignment:

• Risk Assessment and Management

To identify and rank the cyber-security threats that could affect the bank, conduct
frequent risk assessments. Integrate these findings into the IT security strategy so that
resources are allocated efficiently and critical threats are addressed swiftly.

• Policy Development and Review

Start by creating thorough and well-defined IT security policies that are in line with
industry standards, legal requirements, and organizational objectives. Review and update
these policies regularly to address new risks and changes in how the organization operates.

• Employee Awareness and Training

Inform employees about IT security guidelines, protocols, and their obligations for
upholding security norms. Frequent training sessions ensure that staff members understand
the importance of following company standards and help develop a culture of security
awareness.

• Incident Response and Business Continuity

Create and maintain business continuity and incident response plans that are consistent
with IT security policies. Test and update these plans routinely so that they address new
threats and minimize disruption to business operations in the event of a security incident.

• Third-party and Vendor Management

Include IT security provisions in contracts with vendors and other third parties. To reduce
the risks connected with outsourcing IT services and data management, make sure that
suppliers follow organizational security rules and standards.

• Executive Leadership and Governance

Provide specific governance guidelines for IT security projects and secure the support of
senior leadership. Make certain that top management takes an active part in setting the
organization's security goals, assigning resources, and promoting a security-conscious
culture.

• Compliance Monitoring and Reporting

Establish mechanisms for monitoring compliance with industry standards, legal obligations,
and IT security policies. Conduct routine evaluations and audits to assess compliance and
pinpoint areas in need of improvement. Create reporting channels that give senior
management and stakeholders visibility.

These recommendations can help METROPOLIS CAPITAL Bank align its IT security practices
with organizational policy, improving the overall security posture, lowering risks, and
ensuring adherence to industry standards and legal requirements.

3.5 How Misalignment of IT organizational policies impact security

A mismatch between organizational policies and IT security can have a major effect on an
organization's security. Important security consequences of misalignment include the
following:

Inconsistent Security Posture: Different departments or systems may apply security
measures inconsistently if IT policies are not in line with company objectives. This may
lead to gaps or overlaps in protection, leaving vital assets open to cyber-attacks.

Higher Risk Exposure: Misalignment frequently means that security priorities and risk
management techniques are not clearly defined. As a result, sensitive information, systems,
and infrastructure may not be sufficiently protected against dangers such as malware
attacks, data breaches, and insider threats.

Compliance Difficulties: IT policies that do not adequately reflect industry standards and
legal obligations may lead to non-compliance. Customers and partners who demand adherence
to data protection standards lose faith in the company when it fails to comply, and the
company is exposed to legal penalties and fines.

Administrative Inefficiency: Resource allocation and IT operations may become inefficient
due to inconsistent policies. The effectiveness of security as a whole may be compromised if
funds are diverted from important areas or spent on unnecessary or outdated security
measures.

Staff Conduct and Awareness: Employees may not fully understand their roles and
duties in ensuring security when policies are unclear or poorly expressed. This may lead
to inadvertent security events brought on by mistakes made by people or by ignorance of
security best practices.

Effect on Incident Response: If policies are not aligned, incident response activities may
be disorganized or delayed. Insufficient protocols may make it more difficult to identify,
contain, and resolve security events promptly, which might worsen their effects on company
operations.

Organizations should make sure that IT security policies are routinely evaluated and
modified to comply with changing industry standards, legal requirements, and business
objectives to reduce these risks. Establishing a strong security culture throughout the firm
requires clear policy communication, comprehensive training programs, and persistent
enforcement. Through better alignment of IT policies with organizational objectives,
firms may strengthen their defenses against cyber-attacks and better safeguard their vital
resources.

4 Activity 04

4.1 Designing a Suitable Security Policy to Prevent Misuse and Exploitations in line with
METROPOLIS CAPITAL Bank.

4.1.1 Organizational Security Policy Components

METROPOLIS CAPITAL Bank's Security Policy

Purpose:
• Ensure the availability, confidentiality, and integrity of information resources.
• Lower risks and reduce the effect of security breaches.

Scope:
• Addresses data security, network infrastructure, access restrictions, staff
duties, and physical security.
• Concerns all workers, independent contractors, and outside suppliers.

Objective:
• Prevent the bank's IT systems and data from being misused or exploited.
• Set out the security duties of all workers, contractors, and outside vendors.

Key Components:
• Access Controls: establish and manage user privileges and data and system
access.
• Incident Response: Define processes for recognizing, handling, and getting
past security-related incidents.
• Data Protection: Establish policies in place to protect confidential information.
• Employee Responsibilities: Train employees about security risks and their
contributions to security maintenance.
Commitment:
• Regularly assess potential risks and enhance security procedures.
• Exhibit commitment to security, legal compliance, and customer confidence.

4.1.2 Policy Statement

We at METROPOLIS CAPITAL Bank are dedicated to ensuring that our information assets remain
available, confidential, and intact. Our security strategy creates a thorough structure that
guards our networks, systems, data, and assets against threats, illegal access, and
breaches. This policy outlines the duties of all workers, contractors, and outside vendors
concerning protecting confidential data and maintaining a secure work environment. We are
committed to minimizing the effects of security events or disruptions to maintain
operational continuity, and we place a high priority on preventing the unauthorized
disclosure, theft, or manipulation of data. We aim to maintain our clients' trust, adhere to
legal obligations, and continuously assess and improve our security procedures by promoting
a security-aware culture through ongoing training and adherence to strict security measures.

We must align the security policy with the operational and legal criteria of
METROPOLIS CAPITAL Bank to create and execute an appropriate security program.
The objective of this policy is to stop the bank's IT systems and data from being abused or
exploited. The organizational policy tools used in the thorough security policy design
below were specially created to meet the unique requirements of METROPOLIS
CAPITAL Bank.

1. Access Control Policy

Objective:
METROPOLIS CAPITAL Bank's Access Control Policy aims to ensure that only authorized
personnel can access the bank's systems and sensitive data. Enforcing it is essential to
maintaining the confidentiality, integrity, and availability of critical assets.

Policy:
To accomplish this goal, METROPOLIS CAPITAL Bank relies on several critical procedures.
First, all users accessing the bank's systems must authenticate with multi-factor
authentication (MFA), which requires two or more independent verification factors and so
provides protection beyond passwords alone.

Secondly, Role-Based Access Control (RBAC) is used to assign access rights
based on job roles and responsibilities, ensuring that users have access to only the
resources required for their tasks.

Thirdly, access controls are regularly reviewed and revised to stay in line with
changing job roles and security requirements.

Lastly, Privileged Access Management (PAM) tools are used to manage and
monitor privileged accounts, utilizing the principle of least privilege to limit
access rights to the minimum required for performing jobs.

Justification:
These controls are justified by their ability to prevent unauthorized access to sensitive
information. MFA provides an additional layer of protection against credential theft and
illegal access attempts. By ensuring that users hold only the access rights appropriate to
their roles, RBAC lowers the likelihood of unauthorized access leading to data breaches.
PAM tools reduce the risk of insider threats and unauthorized system modifications by
monitoring and managing privileged accounts. Taken together, these measures improve the
bank's security posture by protecting critical systems and data while upholding regulatory
compliance and customer trust.
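
The RBAC, least-privilege and periodic-review rules above can be made concrete in code. The
following Python script is an added example written for this page; it is not part of the
bank's policy or of the original assignment. Roles map to the permissions they need, the
authorization check consults only those permissions, and an access review flags the three
things a reviewer looks for: direct grants outside a user's role (privilege creep), roles
that no longer map to a definition, and access not re-certified within the review window.
The roles, permissions, user accounts and the 90-day review interval are constructed
assumptions.

```python
"""RBAC authorisation and a least-privilege access review.

Added example, not from the original assignment. The roles, permissions,
users and the 90-day review window are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Role -> the permissions that role legitimately needs (constructed).
ROLE_PERMISSIONS = {
    "teller": {"accounts:read", "transactions:create"},
    "branch_manager": {"accounts:read", "transactions:create",
                       "transactions:approve"},
    "it_admin": {"servers:login", "servers:configure"},
    "auditor": {"accounts:read", "logs:read"},
}

REVIEW_INTERVAL_DAYS = 90  # assumed policy value for periodic access review


@dataclass
class User:
    name: str
    roles: set
    # Permissions granted directly, bypassing RBAC: the usual source of
    # privilege creep and what the access review must surface.
    direct_grants: set = field(default_factory=set)
    last_reviewed: date = date(2000, 1, 1)


def role_permissions(user):
    """Permissions implied by the user's roles only."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user):
    """Everything the user can actually do: role-derived plus direct grants."""
    return role_permissions(user) | user.direct_grants


def is_authorized(user, permission):
    """Authorization decision: deny unless the permission is held."""
    return permission in effective_permissions(user)


def access_review(users, today, max_age_days=REVIEW_INTERVAL_DAYS):
    """Return (user, finding, detail) tuples for least-privilege violations.

    - excess_grant: direct grants beyond what the user's roles require
    - unknown_role: a role with no definition (cannot be reasoned about)
    - stale_review: access not re-certified within the review window
    """
    findings = []
    for user in users:
        excess = user.direct_grants - role_permissions(user)
        if excess:
            findings.append((user.name, "excess_grant", sorted(excess)))
        unknown = user.roles - set(ROLE_PERMISSIONS)
        if unknown:
            findings.append((user.name, "unknown_role", sorted(unknown)))
        age = (today - user.last_reviewed).days
        if age > max_age_days:
            findings.append((user.name, "stale_review", age))
    return findings


# Constructed sample population and review date.
REVIEW_DATE = date(2024, 7, 1)
SAMPLE_USERS = [
    User("alice", {"teller"}, last_reviewed=date(2024, 6, 1)),
    # dave was a teller who was given approval rights "temporarily".
    User("dave", {"teller"}, {"transactions:approve"},
         last_reviewed=date(2024, 6, 1)),
    # erin's role was renamed; the old name no longer maps to anything.
    User("erin", {"ops_admin"}, last_reviewed=date(2023, 12, 1)),
]

if __name__ == "__main__":
    print(is_authorized(SAMPLE_USERS[0], "transactions:approve"))  # False
    for finding in access_review(SAMPLE_USERS, REVIEW_DATE):
        print(finding)
```

The point of separating role_permissions from effective_permissions is that the
authorization decision and the audit can disagree: dave is authorized to approve
transactions today, yet the review reports that approval right as an excess grant because
no role of his requires it. That gap is exactly what the "regularly reviewed and revised"
clause of the policy is meant to close.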

2. Data Protection Policy

Objective:
The objective of METROPOLIS CAPITAL Bank's data protection policy is to
protect the bank's data from unauthorized access, alteration, or destruction while
maintaining the assets' confidentiality, integrity, and availability.

Policy:
The bank takes strong action to accomplish this goal. First, robust encryption
standards are used to secure sensitive data while it is in transit and at rest. This
procedure makes sure that data is protected and unreadable even if it is intercepted
or accessed maliciously.

Another crucial element is data classification, which groups information according to how
sensitive it is. This classification lets the bank apply suitable security measures, such as
monitoring and access limitations, to each group. The policy also specifies how long data
must be retained and how sensitive data is securely disposed of.

The bank lowers the risk of data breaches and ensures compliance with legal
requirements by setting clear standards on how long data should be maintained
and how it should be securely disposed of when no longer needed.

Justification:
These policies' comprehensive approach to data protection serves as justification.
While the classification of data ensures that the proper security measures are taken
based on the sensitivity of the information, encryption protects data from
unauthorized access and maintains its secrecy. In addition to protecting data
throughout its lifecycle, defined retention periods and safe disposal techniques
ensure compliance with legal and regulatory requirements for data privacy and
protection. By putting these measures in place, METROPOLIS CAPITAL Bank
improves its capacity to protect confidential information, maintain client
confidence, and reduce the danger of data breaches.

3. Incident Response Policy


Objective:
The aim of METROPOLIS CAPITAL Bank's incident response policy is to
minimize the negative effects of security incidents on business operations
and consumer trust by ensuring a prompt and efficient response.

Policy:
To accomplish this objective, the bank sets up an Incident Response Team
(IRT) with defined roles and responsibilities for handling security
incidents. This specialized team is essential for quickly containing
incidents, minimizing damage, and returning to regular operations.
Moreover, the bank puts in place strong protocols for incident reporting,
documentation, and management, which ensure that all incidents are
reported on time, fully documented, and handled following established
procedures.
In addition, post-incident reviews are carried out to analyze the root
causes of the incident and look for areas of improvement. This proactive
approach enables the bank to implement corrective measures quickly,
improving its overall incident response capability.

Justification:
Because it helps METROPOLIS CAPITAL Bank to efficiently control and
minimize the impact of security events, this policy framework is crucial. The
bank may minimize service disruption, secure sensitive data, and maintain
customer trust by setting up a dedicated incident response team (IRT) and
putting up established incident response protocols. By the identification of
vulnerabilities and enhancement of incident handling procedures, the post-
event analysis reinforces the bank's security posture and ensures ongoing
progress in its reaction to new and emerging cyber threats.

4. BYOD and Remote Work Policy

Objective:
The purpose of METROPOLIS CAPITAL Bank's BYOD and Remote Work Policy is to enable
remote work arrangements and securely manage personal devices while maintaining the
integrity of the bank's systems and data.

Policy:
The policy requires strict device security measures to accomplish this goal.
Antivirus software, device encryption, and secure setups are required for any
personal devices used for work. By doing this, it is made sure that devices that
connect to the bank's systems are safe from malware and unwanted access.
Furthermore, the usage of Multi-Factor Authentication (MFA) for remote
access and Virtual Private Networks (VPNs) is required to ensure safe
communication. By securing data transfer and verifying user identities, these
security measures reduce the possibility of unwanted access.

Justification:
Implementing this policy is critical as it enables METROPOLIS CAPITAL Bank
to maintain robust security measures while accommodating remote work and
BYOD practices. By mandating device security, secure connectivity, and data
access restrictions, the bank mitigates potential risks associated with remote
access and personal devices. This proactive approach enhances overall security
posture, safeguarding sensitive data against cyber threats and ensuring compliance
with regulatory requirements in a BYOD environment.

5. Network Security Policy
Objective:
METROPOLIS CAPITAL Bank's Network Security Policy aims to protect the
network infrastructure of the bank from online threats and unauthorized
access, ensuring the availability and integrity of vital systems and data.

Policy:
To accomplish that objective, the policy lists some crucial actions. It first
requires strict VPN and firewall management procedures. Strict access control
restrictions are enforced by firewalls, obstructing unwanted attempts to
penetrate the network perimeter. VPNs, or virtual private networks, are used to
create safe, encrypted connections for remote access, ensuring that
information sent over public networks is protected from interception.

Second, the policy requires the installation of intrusion detection and prevention
systems (IDPS). These systems monitor network traffic continuously to detect unwanted
access attempts and suspicious activity. By quickly recognizing and addressing possible
threats, IDPS helps preserve the integrity of the network infrastructure and prevent
security breaches.
The policy also highlights network segmentation as an essential strategy.
Splitting the network into separate parts allows for the isolation of critical
systems and data from less secure locations. By limiting the effect of security
incidents and unauthorized access attempts, this segmentation reduces the
possibility that cyber attackers may move laterally within the network.

Justification:
The bank's network defensive systems are reinforced, and potential attack
routes are reduced by putting these measures into action, improving the overall
security stance. Only authorized users can access the network thanks to the
proactive administration of firewalls and VPNs, and IDPS offers real-time
threat detection and response capabilities. By isolating essential resources and
restricting possible breaches, network segmentation further reduces risk. When
combined, these strategies reduce the possibility of cyberattacks and illegal
access, protecting the bank's network infrastructure and ensuring business
continuity.
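
The segmentation and firewall rules described above can be reasoned about before they are
pushed to a device. The following Python script is an added example written for this page;
it is not part of the original assignment or of any product the bank uses. It models the
bank's segments as address ranges, evaluates flows against an ordered, first-match rule set
with default deny between segments (so a compromised workstation cannot reach the database
directly, only the application tier can), and flags rules that an earlier, broader rule
shadows, a common cause of a policy quietly meaning something other than intended. The
segment addresses, ports, rules and sample flows are constructed assumptions, and traffic
within a single segment is assumed to be unfiltered at this layer.

```python
"""Network segmentation policy check: first-match rules, default deny.

Added example, not from the original assignment. Segments, ports, rules and
sample flows are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segment plan: critical systems isolated from user networks.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),      # staff workstations
    "dmz": ipaddress.ip_network("10.20.0.0/24"),         # web/app front end
    "core_bank": ipaddress.ip_network("10.30.0.0/24"),   # databases, core banking
    "remote_vpn": ipaddress.ip_network("10.40.0.0/24"),  # VPN address pool
}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment name
    dst: str              # destination segment name
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"


# Ordered rules; the first match wins, and unmatched traffic is denied.
RULES = [
    Rule("office", "dmz", 443, "allow"),         # staff -> web front end
    Rule("dmz", "core_bank", 5432, "allow"),     # app tier -> database only
    Rule("remote_vpn", "office", 443, "allow"),  # VPN users -> intranet
    Rule("office", "core_bank", None, "deny"),   # explicit: no direct path
]


def segment_of(ip):
    """Name of the segment containing ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, dport, rules=RULES):
    """Decide a flow: returns (action, matched_rule). Default is deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", None          # unknown address space is never trusted
    if src == dst:
        return "allow", None         # intra-segment traffic not filtered here
    for rule in rules:
        if (rule.src == src and rule.dst == dst
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule
    return "deny", None              # default deny between segments


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers them.

    A specific deny placed after a broad allow (or the reverse) is a classic
    misconfiguration that silently widens or narrows the intended policy.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src == rule.src and earlier.dst == rule.dst
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                shadowed.append(rule)
                break
    return shadowed


if __name__ == "__main__":
    # A compromised workstation trying to reach the database directly.
    print(evaluate("10.10.5.5", "10.30.0.10", 5432)[0])   # deny
    # The sanctioned path through the application tier.
    print(evaluate("10.20.0.3", "10.30.0.10", 5432)[0])   # allow
    print(shadowed_rules(RULES))                           # []
```

Run it against a proposed rule change before deployment: if a flow that should be blocked
evaluates to allow, or shadowed_rules reports the new rule, the change contradicts the
segmentation the policy calls for. The default-deny return at the end of evaluate is the
part that matters most; a rule set that reaches it for VPN users trying to touch core_bank
is behaving as intended.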

6. Vendor Management Policy


Objective:
The objective of METROPOLIS CAPITAL Bank's Vendor Management Policy is to
efficiently handle the risks related to using outside vendors.

Policy:
It involves carrying out thorough risk assessments for every vendor with access to the
bank's systems and information. To ensure that vendor contracts adhere to the bank's
security rules, the policy requires that contracts contain specific security criteria. It
also requires routine audits to check vendor security procedures.

Justification:
This strategy reduces potential risks by imposing strict security requirements
when interacting with third-party vendors. By ensuring that suppliers follow
the bank's security guidelines, confidential data is protected, and operational
integrity is upheld.

7. Security Awareness and Training Policy


Objective:
The objective of METROPOLIS CAPITAL Bank's Security Awareness and
Training Policy is to raise staff members' knowledge of security best practices
and their roles in protecting the bank's assets.

Policy:
It involves educating all employees on cybersecurity procedures through
required security awareness training sessions. Regular phishing simulations
are also required by the policy to assist staff members in identifying and
successfully blocking phishing attacks. Employee acknowledgment of
awareness and adherence to security policies is also necessary.

Justification:
This strategy encourages employees to adopt a security-conscious mindset, which
reduces the possibility of insider attacks and human error. By supplying staff with
the necessary knowledge and skills through training and simulations, the bank
decreases its vulnerability to cyber-attacks and strengthens its overall security
posture.

4.2 Evaluating and justifying the suitability of the tools used in an organizational
policy to meet business needs.

The METROPOLIS CAPITAL Bank's organizational policies and tools are essential for
combating resource misuse and exploitation. These instruments assist in the efficient
implementation and enforcement of security rules. The following are the main
instruments and their justifications and explanations:

Tool: Multi-Factor Authentication (MFA)
Objective: Enhance user authentication processes.
Description: To access a resource, such as an application or an online account, MFA requires
users to supply two or more verification factors.
Justification: Provides additional protection, ensuring that compromised credentials alone are
not enough to grant access, and reduces the possibility of unauthorized access.

Tool: Privileged Access Management (PAM)
Objective: Manage and monitor privileged accounts.
Description: PAM tools enforce the least-privilege principle, track user activity, and regulate
and monitor privileged users' access to vital systems and data.
Justification: Ensures that even high-level access is handled responsibly and that any
suspicious behavior is tracked, preventing exploitation of privileged accounts.

Tool: Encryption Tools
Objective: Protect data confidentiality and integrity.
Description: Sensitive information is protected by encryption, which renders it unreadable both
in transit and at rest (during transmission and storage).
Justification: Ensures that data is unreadable and useless even if it is intercepted or viewed
without permission.

Tool: Role-Based Access Control (RBAC)
Objective: Restrict system access to authorized users.
Description: RBAC assigns rights to individuals according to their positions within the company,
so that employees have access to just the data and tools required for their job duties.
Justification: Restricts access to systems and sensitive data so that workers can reach only
what their jobs require, lowering the danger of insider threats and data breaches.

Tool: Firewall and VPN Solutions
Objective: Control and secure network traffic.
Description: Firewalls use pre-established security rules to filter network traffic entering
and leaving the system, while VPNs provide secure, encrypted connections for remote access.
Justification: Enforces the network perimeter so that only permitted traffic crosses it, and
protects remote sessions carried over public networks from interception.

Tool: Intrusion Detection and Prevention Systems (IDPS)
Objective: Detect and prevent malicious activities.
Description: IDPS technologies monitor network and system activity for malicious behavior and
policy breaches, and can take preventative measures such as blocking or alerting.
Justification: Offers real-time threat monitoring and protection, assisting in the early
detection and mitigation of attacks before they have a significant negative impact.

Tool: Data Loss Prevention (DLP) Tools
Objective: Prevent unauthorized data transfer.
Description: DLP solutions monitor and regulate data transfers so that sensitive information
cannot be sent outside the company network.
Justification: Ensures that private information belonging to the bank is not accidentally or
intentionally disclosed.

Tool: Web Application Firewall (WAF)
Objective: Protect web applications from attacks.
Description: WAFs guard against typical vulnerabilities such as SQL injection and cross-site
scripting (XSS) by filtering and monitoring HTTP traffic to and from a web application.
Justification: Blocks harmful traffic to protect online applications, which are frequently the
target of attackers.

Tool: Endpoint Detection and Response (EDR)
Objective: Monitor and protect endpoints.
Description: EDR solutions continuously monitor endpoints, including PCs, laptops, and mobile
devices, and respond to threats detected on them.
Justification: Ensures the security of any device linked to the network, guarding against
endpoint-based threats.

Tool: Secure Email Gateway
Objective: Protect against email-based threats.
Description: Emails are filtered through secure email gateways to remove spam, phishing
attempts, and harmful content.
Justification: Prevents email-based attacks, which are a popular way for phishing and malware
to spread.

Tool: Security Information and Event Management (SIEM)
Objective: Provide real-time analysis of security alerts.
Description: SIEM systems gather and analyze log data from several sources, providing
centralized monitoring and incident response capabilities.
Justification: Facilitates quick identification and mitigation of security issues by enabling
proactive threat detection and response.

4.3 Identifying the stakeholders of METROPOLIS CAPITAL Bank who are subject to its
security policy.

The operations and security protocols of METROPOLIS CAPITAL Bank are subject to
the influence and impact of its stakeholders. Meeting their demands, guaranteeing
strategy alignment, and improving overall security all depend on their positions being
understood. Successful stakeholder management is essential to the bank's performance as
well as adherence to audit recommendations and security regulations.

Stakeholder: Board of Directors
Description: A group of people chosen to represent shareholders. They are in charge of the
bank's overall direction, strategy, and governance.
Role: Verify legal compliance, approve security guidelines, and supervise major projects.

Stakeholder: Executive Management
Description: Senior officials overseeing the strategic planning and operations of the bank,
such as the CEO and department heads.
Role: Manage day-to-day operations, distribute resources, enforce security protocols, and
carry out the strategic direction established by the Board.

Stakeholder: Chief Information Security Officer (CISO)
Description: An executive in charge of data and information security at the bank.
Role: Create and carry out an information security program, control security threats, and
protect data assets.

Stakeholder: IT Department
Description: A group of experts in charge of managing the bank's IT systems, apps, and
infrastructure.
Role: Assure the availability, integrity, and confidentiality of data, put security measures
in place, and handle IT emergencies.

Stakeholder: Compliance Department
Description: A division in charge of making sure the bank complies with both internal and
external rules.
Role: Coordinate with auditors, incorporate regulatory requirements into security
strategies, and ensure compliance.

Stakeholder: Internal Audit Team
Description: A distinct team that evaluates the governance, risk management, and control
performance of the bank.
Role: Perform internal audits, evaluate the efficacy of the controls, pinpoint any
shortcomings, and provide improvement recommendations.

Stakeholder: Human Resources (HR)
Description: A division in charge of hiring, training, development, and employee relations
management.
Role: Oversee staff compliance, provide security training, and enforce security standards.

Stakeholder: Employees
Description: Individuals who work for the bank in a variety of capacities.
Role: Observe security procedures, take part in educational initiatives, and report any
suspicious behavior.

Stakeholder: Third-Party Vendors
Description: Other organizations that supply the bank with goods and services.
Role: Observe the security guidelines set out by the bank, assist with audits, and make sure
their actions don't jeopardize the security of the institution.

Stakeholder: Customers
Description: People or entities that make use of the bank's goods and services.
Role: Observe security procedures, protect account details, and report any security issues.

4.3.1 Describing the Roles of Stakeholders in Building Security Audit Recommendations

i. Board of Directors
Role:
The Board of Directors approves the bank's security policies and audit recommendations
and exercises strategic oversight over them. They ensure the security protocols comply with
both the regulatory requirements and the bank's overarching strategic goals. Major security
initiatives and audit results are reviewed and approved by the Board, which also makes sure
that sufficient resources are set aside for their execution.

ii. Executive Management
Role:
The task of converting the strategic instructions of the Board into workable
plans falls to Executive Management. They make sure that audit suggestions
are implemented into the bank's operations and supervise the application of
security rules. They provide the required resources, make sure departments
follow the audit's recommendations and strengthen security postures.

iii. Chief Information Security Officer (CISO)
Role:
The information security program of the bank is developed and implemented under the
direction of the CISO. They organize security audits, address audit conclusions, and create
strategies for corrective measures. To implement security controls, the CISO coordinates
with various departments and makes sure that security measures are continuously monitored
and improved.

iv. IT Department
Role:
During security audits, the IT Department offers support and technical knowledge. They
implement and maintain technical controls such as firewalls, intrusion detection systems,
and encryption. The IT department is in charge of fixing any technological flaws found
during audits and making sure the bank's IT infrastructure runs securely.

v. Compliance Department
Role:
The Compliance Department ensures that audit recommendations and security procedures
abide by legal standards. They help the bank understand regulatory standards and
incorporate them into its security procedures. In addition, they work with auditors to
guarantee that the bank's procedures adhere to both internal and external compliance
guidelines.

vi. Internal Audit Team
Role:
Independent evaluations of the bank's governance, risk management, and
control procedures are carried out by the Internal Audit Team. They record
audit results and offer feasible recommendations for enhancement. They
ensure the effectiveness of security safeguards and rapid remediation of
vulnerabilities.

vii. Human Resources (HR)
Role:
HR makes sure staff members follow security guidelines and take part in required training
courses. They support security awareness and training programs, which contribute to the
development of a culture that values security. Additionally, HR oversees the onboarding
and offboarding procedures to ensure that access rules are correctly upheld.

viii. Employees
Role:
Employees must follow security guidelines and take part in security awareness
training. They are essential in identifying and reporting suspicious activity or
security problems. Workers are crucial in putting security procedures into
place and serve as the first line of defense against security risks.

ix. Third-Party Vendors
Role:
Vendors must comply with the bank's legally specified security requirements.
They ensure that their procedures will not compromise the security of the bank
and supply the required documentation and access for security audits. Vendors
are also responsible for implementing corrective actions based on audit
recommendations.

x. Customers
Role:
Clients must be informed of and comply with the bank's security procedures,
which include creating strong passwords and reporting unusual activity. By
following secure banking procedures, they contribute to protecting their
account information and strengthening the bank's overall security posture.

4.4 Disaster Recovery Plan for METROPOLIS CAPITAL Bank

4.4.1 Importance of Disaster Recovery Plan

For businesses like METROPOLIS CAPITAL Bank, having a strong disaster recovery
plan is essential to maintaining operations and reducing downtime from natural disasters,
cyberattacks, or equipment malfunctions. This kind of strategy seeks to minimize
downtime and financial losses by quickly restoring vital systems and operations.
Additionally, it strengthens data security protocols, protecting customer information in
times of emergency. Comprehensive emergency plans are also necessary for regulatory
compliance in the financial sector, as they show the bank's dedication to maintaining legal
requirements and preserving client confidence. At the end of the day, a well-thought-out
disaster recovery plan helps METROPOLIS CAPITAL Bank respond to delays, protect
its operations, and continue providing services to its customers.

4.4.2 Main Components of Disaster Recovery Plan (DRP)

A comprehensive Disaster Recovery Plan (DRP) is essential for METROPOLIS
CAPITAL Bank to ensure data integrity and business continuity throughout its vast
network and activities. The following are the essential elements of their DRP that have to
be present:

• Risk Assessment and Business Impact Analysis
o Business Impact Analysis (BIA): Evaluate how these risks could
affect customer service, data integrity, and important company
operations.
o Risk Identification: Determine any potential risks to the bank's
operations, such as cyberattacks, catastrophic events, and operational
errors.

• Backup and Recovery Strategy
o Backup Testing: To ensure the efficacy and dependability of backup
and restoration processes, test them regularly.
o Data Backup Procedures: To guarantee data availability and integrity,
regularly create backups of vital data from primary and secondary data
centers.
o Backup Storage: To protect against loss or physical damage to primary
sites, store backups in safe off-site locations.

• Disaster Response Plan
o Resource Mobilization: Determine the manpower, tools, and outside
assistance required for disaster response and recovery.
o Emergency Response Procedures: Specify how disasters should be
responded to right away, including how to activate rescue workers and
follow communication procedures.
o Incident Notification: In the case of a disaster, establish protocols for
alerting relevant parties, such as staff members, clients, and law
enforcement.

• IT Infrastructure Recovery
o Restoration of Hardware and Software: Keep track of any essential
hardware and software, together with licensing information and
configuration parameters, that are required for restoration.
o Establish acceptable downtime and data loss thresholds for vital IT
systems and services through Recovery Time Objectives (RTO) and
Recovery Point Objectives (RPO).
o Alternative IT Infrastructure: Have backup plans in place in case the
main systems are breached. These plans should include cloud services
or activation of a parallel data center as a means of restoring IT
services.
• Communication and Coordination
o Internal Communication Plan: Set up procedures and lines of
communication to alert staff members in the event of an emergency.
o External Communication Plan: To preserve transparency and
confidence, specify communication tactics for clients, suppliers, and
authorities.

o Coordination with External Partners: To guarantee an integrated and
prompt restoration of services, coordinate recovery activities with
outside vendors and service providers.

• Training and Testing
o Tabletop Exercises: Run through potential crisis scenarios to gauge the
DRP's efficacy, spot any holes, and improve protocols in light of
acquired knowledge.
o Training Programs: Hold regular training sessions for staff members to
familiarize them with DRP protocols and their responsibilities in the
event of a disaster.

• Documentation and Maintenance
o Audit and Compliance: To make sure DRP complies with industry best
practices, legal regulations, and ISO standards, conduct regular audits.
o DRP Documentation: Record every facet of the DRP, such as contacts,
protocols, and workflows for recovery.
o DRP Maintenance: Review and update the DRP regularly to take into
account modifications to business practices, technology, and legal
requirements.

4.4.3 Justifications and reasons for decisions and options used.

| DRP Component | Justification |
|---|---|
| Risk Assessment and Business Impact Analysis | Regular risk assessments and BIAs, conducted in line with ISO 31000, prioritize vulnerabilities and maintain regulatory compliance across branches, ATMs, and online services. |
| Backup and Recovery | Cloud backups sustain banking operations across primary and secondary data centers, meet regulatory requirements, and ensure data availability during site outages. |
| Disaster Response | Defined roles and procedures based on NIST SP 800-61 enable rapid incident handling, preserving operational stability and client confidence during emergencies affecting banking operations. |
| IT Infrastructure | Inventoried hardware, vendor contracts, and rapid recovery against well-defined RTOs and RPOs keep downtime low and banking services reliable. |
| Communication | Automated tools and designated spokespersons deliver timely information, preserving operational confidence and transparent communication with stakeholders during interruptions. |
| Training and Testing | Regular training sessions and exercises boost staff readiness by confirming response skills and refining DRP protocols, increasing resistance to possible attacks. |
| Documentation | Current DRP documentation and evaluations incorporate new risks and regulatory changes, ensuring compliance and resilience by aligning IT security measures with business goals. |

In conclusion, METROPOLIS CAPITAL Bank may successfully reduce risks, preserve
operational continuity, and improve overall resilience against potential disasters or
interruptions by putting its comprehensive Disaster Recovery Plan (DRP) into practice. It
ensures unaltered service delivery and regulatory compliance throughout its vast network
of branches, ATMs, and online platforms while protecting vital banking services and
bolstering stakeholder confidence.

4.5 Metropolis Capital Bank’s Disaster Recovery Plan

4.5.1 Information Technology Statement of Intent

In its Information Technology (IT) Statement of Intent, METROPOLIS CAPITAL Bank
pledges to maintain an efficient and robust IT infrastructure. The bank understands how
important a role technology plays in its operations and how important it is to protect the
integrity, confidentiality, and availability of its information assets. The bank's
commitment to implementing best practices, complying with the relevant laws, and
consistently enhancing its IT systems and procedures is reflected in the Statement of
Intent.

4.5.2 Policy Statement

The creation of an extensive IT disaster recovery plan (DRP) that covers all crucial and
important infrastructure components, systems, and networks is emphasized in Metropolis
Capital Bank's policy statement. The precise DRP needs will be determined through a
comprehensive risk assessment. The efficacy of the approach will be checked regularly in
a simulated setting. All employees will also get training about the DRP and their
responsibilities within it. The DRP will be updated to reflect any changes in the market,
ensuring that the bank's requirements and industry best practices are consistently met.

4.5.3 Objectives of Metropolis Capital Bank’s Disaster Recovery Plan

Primary Objective:
Creating, testing, and documenting a well-organized disaster recovery plan is
the main objective. This strategy needs to be thorough and strong to ensure
that the business can recover from any crisis with the least amount of
downtime and loss of services or data.

Ensuring all employees understand their duties:
In the case of a crisis, each employee has to understand their tasks and
responsibilities. To make sure they can carry out the plan properly and efficiently
when needed, regular instruction and exercises are required.

Considering implications for other company sites:
The dependencies across various corporate sites should be taken into consideration
in disaster recovery planning. The strategy must make sure that recovery activities
are coordinated amongst all sites and that a crisis at one place does not negatively
impact operations at other locations.

Adhering to operational policies within planned activities:
The company's current operating policies and its disaster recovery plan need to
align. This ensures that all operations during a disaster follow internal and
regulatory rules and that recovery efforts do not clash with routine
processes.

Ensuring cost-effective contingency arrangements:
The strategy should include affordable disaster recovery arrangements. To ensure
that financial resources are spent appropriately, this entails assessing different
recovery alternatives and choosing solutions that offer the optimum balance
between cost and efficacy.

Ensuring disaster recovery capabilities for key customers, vendors, and others:
The strategy ought to take into account the requirements and expectations of
important clients, suppliers, and other stakeholders. This entails keeping lines of
communication open, making sure vital services continue, and working with
outside partners to help each other's recovery efforts.

4.5.4 Key Personnel Contact Info

| Name | Title | Work | Alternate | Mobile | Home | Email | Alternate Email |
|---|---|---|---|---|---|---|---|
| Ruwan Fernando | IT Director | 0714555555 | 0718555555 | 0756965965 | 0112456568 | [email protected] | [email protected] |
| Sasanka Sandaruwan | Network Manager | 0718555555 | 0719555555 | 0756964964 | 0112456562 | [email protected] | [email protected] |
| Thushara Jayawardana | CISO (Chief Information Security Officer) | 0712555555 | 0712555555 | 0756744964 | 0117456562 | [email protected] | [email protected] |
| Damitha Peris | Database Admin | 0712558855 | 0712554755 | 0756746564 | 0117452362 | [email protected] | [email protected] |
| Yohan Gunasekara | Firewall vendor contact person | 0712778855 | 0712554445 | 0716742564 | 0117454462 | [email protected] | [email protected] |
| Duminda Senanayak | IT Support Lead | 0712551255 | 0712522755 | 0756746464 | 0374523624 | [email protected] | [email protected] |
| Gopinadan | Data Center Manager | 0712448855 | 0712444755 | 0756744564 | 0117444362 | [email protected] | [email protected] |
| Ravi Murugadas | HR Manager | 0712559655 | 0712555655 | 0756733564 | 0117452362 | [email protected] | [email protected] |

4.5.5 Notification Calling Tree

4.5.6 External Contact

| Name | Work | Mobile | Home | Email |
|---|---|---|---|---|
| Tulin Mark (Property Manager) | 0745858656 | 0758488486 | 0112123654 | [email protected] |
| Lalith Mudali (Central Bank) | 0745888656 | 0758445486 | 0114444654 | [email protected] |
| Mark Samuel (Telecom Carrier) | 0745548556 | 0758485586 | 0112124454 | [email protected] |
| Jude Perera (Server Supplier) | 0748518656 | 0751488486 | 0112993654 | [email protected] |
| Saroja (Legal Advisor) | 0745852356 | 0758488445 | 0112123678 | [email protected] |
| Dimuth Wasalage (Janashakthi Insurance) | 0745842656 | 0759688486 | 0112175354 | [email protected] |

4.5.7 External Contacts Calling Tree

4.5.8 Plan Overview

4.5.8.1 Plan Updating

Whenever there is an alteration to the IT infrastructure or business procedures,
METROPOLIS CAPITAL Bank's Disaster Recovery Plan (DRP) has to be reviewed,
updated, and extensively tested. The IT Director will manage this update process
through defined change control processes. This ensures that any changes are
carefully considered and included in the DRP, preserving its usefulness and
relevance.

4.5.8.2 Plan Documentation Storage
The DRP will be safely maintained in physical copy and digital format. To
maintain confidentiality, digital copies will be encrypted and kept on secure
servers that are accessible only to authorized personnel. Hard copies shall be
maintained for senior management and members of the Disaster Recovery (DR)
team in safe, easily accessible areas. This ensures that in the event of a digital
system failure, the plan may still be accessed, enabling the DRP to be executed
without any problems.
4.5.8.3 Backup Strategy
METROPOLIS CAPITAL Bank has a strong backup plan with a recovery site that is
completely replicated. This configuration ensures minimum disruption during an incident
by enabling rapid switching between the backup site and the live site for critical business
functions. Real-time data synchronization is used to maintain the mirrored site, protecting
the bank's operations and clients by ensuring that vital business processes may continue
with the least amount of disruption and data loss.

4.5.9 Risk Management

The possible disruptive risks that might affect METROPOLIS CAPITAL Bank's regular
business operations are listed in the section that follows. Every possible environmental
catastrophe or disaster has been evaluated for likelihood and impact, with particular
attention to the probable degree of business interruption. A brief overview of possible
outcomes and corrective measures is provided in the table.

| Potential Disaster | Probability Rating | Impact Rating | Brief Description of Potential Consequences & Remedial Actions |
|---|---|---|---|
| Flood | 3 | 4 | All important equipment is located on the first floor. Water pumps and sandbags are available to secure the area. |
| Fire | 3 | 4 | Primary computer centers are equipped with an FM200 suppression system. All floors have smoke and fire detectors. Routine maintenance inspections and fire drills are carried out. |
| Tornado | 5 | 3 | Storm shelters and structural reinforcements are in place. Emergency response strategies are evaluated every year. |
| Act of Sabotage | 3 | 2 | Enhanced cyber and physical security measures are in place. Employee background checks and recurring security audits are conducted. |
| Loss of Communications Network Services | 4 | 2 | Two T1 cables with different routes enter the building. Robust voice network architecture and WAN redundancy are used. Backup communication routes are established. |
| Electrical Storms | 5 | 3 | Crucial equipment is fitted with lightning arresters and surge protectors. Regular inspections are performed. |
| Act of Terrorism | 3 | 1 | Security measures include regular security exercises and reinforced building construction. Emergency evacuation plans are revised often. |
| Electrical Power Failure | 4 | 2 | The auto-standby generator and redundant UPS array are remotely monitored around the clock and tested once a week. The UPSs are also observed remotely. |

Probability: 1=Very High, 5=Very Low. Impact: 1=Total destruction, 5=Minor annoyance.

4.5.10 Emergency

4.5.10.1 Alert, Escalation, and Plan Invocation

Key Trigger Issues:
The Disaster Recovery Plan (DRP) is activated when certain trigger conditions
seriously impair the bank's operations. These include:
• Flooding of the Premises: Severe flooding affecting the accessibility and
infrastructure of the bank's facilities.
• Complete Communication Failure: All internal and external communication
is impossible due to a total breakdown of the communication systems.
• Total Loss of Power: An extended power outage that impacts vital systems and
operations, even with UPS and generator backups in use, qualifies as a total
loss.

When any of these triggers is detected, the DRP is invoked to reduce the impact
and restore operations. The trigger conditions are continually verified.

4.5.10.2 Assembly Points

Primary Assembly Point:

The designated primary assembly point is at the far end of the main parking lot. This
spot was chosen because it is close to the building yet still far enough away to be safe
from any hazards.

Alternate Assembly Point:

The corporate parking lot across the street serves as an alternate assembly location if the
primary assembly place is dangerous or unavailable. This guarantees that workers will
have a place to congregate in case of an emergency that is both accessible and safe.

Page 99 of 125
Karan Hasintharan | Security | Assignment
4.5.10.3 Activation of Emergency Response Team (ERT)
The Emergency Response Team (ERT) is essential to the immediate reaction to an
emergency. When a major disruption is detected, the ERT carries out the following:

• Notification and Allocation: The ERT makes certain that every worker is
informed of the emergency. It assigns tasks to team members, making sure
that everyone is aware of their obligations and what to do in case of an
emergency.
• Immediate Response: The ERT members respond to the situation as soon as
possible and quickly analyze the impact of the disaster.
• Assessment and Decision: After assessing the extent of the damage, they
determine which DRP components need to be triggered, depending on the
nature and severity of the disaster.

4.5.10.4 Disaster Recovery Team (DRT)

The DRP's implementation and business operations restoration fall within the authority of
the Disaster Recovery Team (DRT). Among their duties are:

• Recovering to Business as Usual: Depending on the severity of the disaster and
the success of the recovery efforts, the DRT seeks to recover and restore regular
business activities in 8 to 24 hours.

• Establishing Emergency Service Facilities: To assist critical activities, the DRT
establishes emergency service facilities within two hours of the incident.

• Restoring Vital Services: To reduce downtime, the team prioritizes the most
important tasks and attempts to restore vital business services within four hours.

METROPOLIS CAPITAL ensures an organized and effective reaction to disasters,
reducing the impact on operations and speeding up the recovery process, by having
well-defined emergency processes and duties.
4.5.11 DR Procedures for Management

The names and phone numbers of every employee in each department will be kept in hard
copy by the management team. Furthermore, if the company's headquarters facility is
destroyed, rendered inoperable, or rendered useless, the management team members will
have a hard copy of the company's disaster recovery and business continuity plans on file
in their homes.

4.5.12 Contact with Employees

To address the crisis or tragedy and the company's immediate plans, designated
workers will make calls to other employees, with managers acting as the focal point
for their respective divisions. Workers are recommended to contact the employee's
emergency contact to alert them of the disaster if they are unable to reach the staff
member on their call list.

4.5.13 Backup Staff

The selected backup staff member will handle notification responsibilities if management
or an employee assigned to speak with other employees is unable or unavailable.

4.5.14 Recorded Messages / Updates

Staff members can contact a toll-free hotline included in the DRP wallet card to get the
most recent information on the crisis and the organization's response. Information on the
disaster's nature, assembly locations, and updates on the start of work will all be included
in the announcements.

4.5.15 Alternate Recovery Facilities / Hot Site

If it becomes essential, SunGard's hot site will be initiated, and managers will be notified
either by recorded messages or direct conversations. For the first twenty-four hours, only
members of the disaster recovery team will staff the hot site; additional staff members
will join as needed.

4.5.16 Personnel and Family Notification

It will be important to promptly tell the employee's immediate family members if the
event has led to a scenario that would worry the employee's family, such as the
hospitalization of wounded parties.

4.5.17 Media

Media Contact
Assigned Staff:
After a disaster, certain staff members are in charge of handling media
relations. To ensure accurate and consistent information transmission, they
will follow pre-approved rules in their operations. These recommendations
aim to effectively manage every aspect of communications following a
tragedy.
Media Strategies
• Avoiding Adverse Publicity:
The bank will work to minimize any harm to its image by managing the story
and giving the media accurate, brief, and clear information.

• Taking Advantage of Opportunities for Useful Publicity:
To improve its reputation, the bank will seek chances to emphasize its
strengths, which include the durability of its operations, community support,
and the efficiency of its disaster response.

• Providing Clear Answers to Basic Questions:
The media team will be prepared to address the following fundamental
questions:
o What happened?: A clear-cut, factual account of what transpired.
o How did it take place?: An account of the events that preceded the incident.
o How are you going to handle that?: Information on the bank's prompt
reaction and planned preventative measures.

Media Team
Selected personnel who have received training and authorization to interact with the
media will make up the media team. Based on their responsibilities and level of
experience managing crisis communications and public relations, the particular members
will be determined.
Media Team Members:
• Nilanka De Silva, Communications Manager: Oversees the media strategy
and coordinates the team.
• Dilhani, PR Specialist: Manages press releases and media inquiries.
• Nadeeshani, Senior Executive: Provides executive-level insights and
reassurances to the media.

Rules for Dealing with Media

• Exclusive Media Team Contact:
Direct communication with the media is only allowed for those assigned to the
media team. This policy ensures that every correspondence is regulated,
uniform, and compliant with the authorized message plan of the bank.
• Referral Protocol:
When a media representative calls or visits an employee, they must direct
them to the media team. This procedure guards against unlawful disclosures
and maintains the accuracy of the data made available to the public.

4.5.18 Insurance

METROPOLIS CAPITAL Bank has created many crucial insurance policies as part of its
comprehensive disaster recovery and business continuity plans. The purpose of these
plans is to offer help and financial protection in the case of different disruptive situations.
The principal insurance policies in force consist of:

• Errors and Omissions Insurance:
The bank is protected by this policy against allegations of recklessness or poor
performance. It pays for the expense of legal defense as well as any
settlements or awards brought about by errors in judgment or performance by
professionals.

• Directors & Officers Liability Insurance:
The bank's directors and executives are protected by this policy from lawsuits
alleging misconduct in their managerial roles, which might result in personal
damages. The expense of legal defense is also covered.

• Business Interruption Insurance:
This insurance guarantees financial stability during recovery periods by
paying the bank for lost income and covering operational expenditures if an
event halts commercial activities.

• General Liability Insurance:
This policy protects against a variety of typical business dangers and
covers claims of property damage or physical harm for which the bank
may be held accountable.

Emergency Insurance Contact Information:

| Name | Work | Mobile | Home | Email |
|---|---|---|---|---|
| Dimuth Wasalage (Janashakthi Insurance) | 0745842656 | 0759688486 | 0112175354 | [email protected] |

4.5.19 Financial and Legal Issues

Financial Assessment
Immediately after a disaster, the Emergency Response Team (ERT) is required to do an
initial financial impact assessment. The purpose of this assessment is to put a number on
the incident's direct and indirect financial effects. Important components of the evaluation
must comprise:

• Cash Loss: Take inventory of any actual money that could have been taken or
lost during the event.
• Revenue Loss: Calculate the amount of money lost as a result of halted
company activities. This computation aids in preparing for recovery and
understanding the current financial gap.
• Loss of Financial Documents: Assess the degree of missing or destroyed
financial documents, including contracts, invoices, and receipts, which are
essential for continuing business operations and legal compliance.
• Theft of Check Books, Credit Cards, Etc.: Look into any instances when
financial instruments were taken or lost, since they may indicate fraudulent
activity or financial losses.

Financial Requirements
METROPOLIS CAPITAL Bank's urgent financial demands must be met to maintain
operations during the recovery stage. Important things to think about are:

• Upcoming Payments: Identify upcoming financial obligations, such as
payroll taxes, Social Security contributions, and tax payments. Make sure these
obligations are fulfilled to prevent additional issues.
• Temporary Borrowing Capability: Assess whether short-term borrowing
alternatives are required to meet pressing needs and whether they are available.
• Company Credit Cards: Verify whether company credit cards are available
to pay for the goods and services required for the recovery process. This
helps control ongoing operating costs as the organization recovers.
• Cash Flow Position: Evaluate the bank's cash flow condition to make sure it can
pay its short-term debts.

4.5.20 Legal Actions

After a disaster, the ERT and the legal department work together to assess any possible
legal repercussions. Important activities consist of:

• Regulatory Compliance: Make sure that all measures implemented both during
and following the disaster adhere to applicable legal requirements. This might
entail assisting with any investigations and reporting the occurrence to the
relevant regulatory authorities.

• Claims Evaluation: Determine whether the bank may be the subject of legal
claims made by or against it because of the incident. This involves assessing
liabilities resulting from client complaints, legal penalties, or contractual duties.

• Situation Impact Review: Examine the situation in detail to find out whether
there are any legal ramifications, including any possible infractions of regulations.

4.5.21 DRP Exercising

Regular exercises and testing are necessary to make sure the Disaster Recovery Plan
(DRP) is working properly. Through these exercises, the functioning of the plan will be
confirmed, any flaws or gaps will be found, and everyone involved will be made aware of
their duties and responsibilities in the event of a crisis.

Objectives of DRP Exercising

• Maintain Compliance: Make sure the DRP complies with legal requirements and
industry standards.
• Accelerate Response Time: Boost the disaster recovery process's effectiveness
and quickness.
• Find Weaknesses and Gaps: Look for any problems or weaknesses in the DRP
that require attention.
• Employee Training: Make certain that every staff member is aware of their
obligations in the case of an emergency.
• Validate the DRP: Make sure the DRP can be carried out as intended and is
effective.

4.5.22 Disaster Recovery Plan for Remote Connectivity

| Component | Disaster Scenario | Impact Assessment | Recovery Procedures | Estimated Recovery Time | Contacts |
|---|---|---|---|---|---|
| Guest Wi-Fi Hotspot | ISP link failure | No guest Wi-Fi access | Switch to backup ISP link, monitor for stability. | 4 hours | IT Support Team, Network Administrator |
| Firewall Configuration | Malware breach via employee Wi-Fi hotspot | Potential data breach | Activate firewall emergency rules, and isolate affected devices. | 3 hours | IT Security Team, Network Administrator |
| VPN Services | Primary VPN server failure | Loss of remote access for employees | Activate backup VPN servers, and reconfigure VPN settings if the primary fails. | 2 hours | IT Network Team, VPN Service Provider |
| Endpoint Security | Phishing attacks compromising endpoint devices | Risk of data leakage | Quarantine affected devices, and initiate remote wipe if necessary. | 2 hours | IT Security Team, Endpoint Security Provider |
| Backup Internet Link | Physical damage to primary ISP infrastructure | Complete loss of internet access | Coordinate with ISP for repairs, and switch to an alternative backup link. | 6 hours | IT Network Team, ISP Support |

4.5.23 Disaster Recovery Plan for Local Area Network (LAN)

| Component | Disaster Scenario | Impact Assessment | Recovery Procedures | Estimated Recovery Time | Contacts |
|---|---|---|---|---|---|
| Router Configuration | Router misconfiguration leading to network segmentation | Isolation of LAN segments, loss of external connectivity | Restore router configuration from backup, and verify routing tables. | 2 hours | IT Network Team |
| LAN Security | Security breach resulting in unauthorized access | Potential data breach, network compromise | Activate security incident response, and isolate affected systems. | 3 hours | IT Security Team |
| Core Switches | Core switch hardware failure | Complete loss of LAN connectivity | Activate backup core switches, and restore configurations. | 4 hours | IT Network Team |
| DNS and DHCP Servers | DNS or DHCP server outage | Network devices unable to resolve hostnames or obtain IP addresses | Restart services, and restore configurations from backups. | 2 hours | IT Network Team |

4.5.24 Disaster Recovery Plan for Wide Area Network (WAN)

| Component | Disaster Scenario | Impact Assessment | Recovery Procedures | Estimated Recovery Time | Contacts |
|---|---|---|---|---|---|
| ATM Connectivity | ATM communication network failure | Inability to process transactions, customer service impact | Re-route ATM traffic, and restore connectivity. | 4 hours | ATM Operations Manager, IT Support |
| WAN Links | Primary ISP link failure | Loss of connectivity to branches, ATMs, and datacenters | Switch to backup ISP link, coordinate with ISP for resolution. | 4 hours | IT Network Team, ISP Support |
| MPLS Network | MPLS provider outage | Segregation of branch connectivity, potential service disruption | Activate backup MPLS routes, and monitor for stability. | 6 hours | IT Network Team, MPLS Provider |
| Datacenter Connectivity | Datacenter network equipment failure | Potential loss of redundancy, impact on disaster recovery capabilities | Engage backup links, and restore connections. | 4 hours | Datacenter IT Team, IT Network Team |

4.5.25 Disaster Recovery Plan for Data Center (Example)

Component | Disaster Scenario | Impact Assessment | Recovery Procedures | Estimated Recovery Time | Contacts
--------- | ----------------- | ----------------- | ------------------- | ----------------------- | --------
Data Center Location | Natural disasters (e.g., earthquakes, floods) | Physical damage to the facility, loss of infrastructure | Activate operations at the secondary data center, and restore backups. | 24-72 hours | Data Center Manager, Facilities Team
Network Connectivity | ISP outage, MPLS network failure | Loss of connectivity to branches, ATMs, and remote sites | Activate backup connections, and coordinate with providers. | 4-8 hours | IT Network Team, ISP Support
Data Backup and Recovery | Data corruption or loss | Inability to recover critical data | Restore data from backups, and verify integrity. | 4-24 hours | Backup Admin Team, IT Support
Security Systems | A security breach or physical intrusion | Risk of unauthorized access, data breach | Activate security protocols, and review CCTV footage. | 1-4 hours | Security Team, Facilities Team
Hardware Infrastructure | Equipment failure due to power outage or malfunction | Service disruption, potential data loss | Replace or repair hardware, and restore from backups if necessary. | 4-12 hours | IT Infrastructure Team, Vendor Support
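The "restore data from backups, and verify integrity" step in the Data Backup and Recovery row is the one that fails silently: a restore that completes without errors can still contain a corrupted file, a missing file, or a stray file that was never part of the backup. The following Python script is an added example, not part of the original assignment or of any bank's tooling. It records a SHA-256 manifest of the backup set at backup time and checks a restored copy against that manifest, classifying every file as ok, corrupted, missing or unexpected. The file names and contents are constructed sample data, not METROPOLIS CAPITAL Bank data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # read files in 64 KiB chunks so large backup sets need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(tree):
    """Return {relative POSIX path: sha256} for every regular file under `tree`."""
    root = Path(tree)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest, path):
    """Persist the manifest as JSON. Keep this file apart from the backup media it describes."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_restore(restored_tree, manifest):
    """Compare a restored tree against the manifest captured at backup time.

    Returns a dict of sorted lists: ok (hash matches), corrupted (hash differs),
    missing (in manifest but not restored) and unexpected (restored but not in manifest).
    """
    actual = build_manifest(restored_tree)
    report = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    return report


def demo():
    """Constructed scenario: back up three sample files, verify a clean restore, then
    verify a damaged restore with one corrupted file, one lost file and one stray file."""
    sample = {  # constructed sample data, not real bank data
        "db/core.sql": b"CREATE TABLE accounts (id INT PRIMARY KEY);\n",
        "db/ledger.sql": b"INSERT INTO accounts VALUES (1);\n",
        "config/router.cfg": b"hostname core-rtr-01\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        for rel, data in sample.items():
            target = backup / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest_path = Path(tmp, "manifest.json")
        write_manifest(build_manifest(backup), manifest_path)
        manifest = load_manifest(manifest_path)

        restore = Path(tmp, "restore")
        shutil.copytree(backup, restore)
        clean = verify_restore(restore, manifest)

        # Simulate damage during restore: one byte changed, one file lost, one stray file added.
        ledger = restore / "db/ledger.sql"
        ledger.write_bytes(ledger.read_bytes().replace(b"(1)", b"(2)"))
        (restore / "config/router.cfg").unlink()
        (restore / "db/stray.tmp").write_bytes(b"leftover\n")
        damaged = verify_restore(restore, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest on separate media (or sign it) so that whatever corrupts the backup cannot also rewrite the manifest; a clean report from the verification is the evidence to record in the Disaster Recovery Event Recording Form before the restore is declared complete, and any entry in the corrupted or missing lists means the recovery time estimate in the table above has not yet been met.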

4.5.26 Damage Assessment Form (Example)

Key Business Process | Affected | Extent of Damage | Description of Problem
-------------------- | -------- | ---------------- | ----------------------
Customer Service | Yes | Low | Reduced service capacity due to network disruption
Core Banking Operations | Yes | High | Servers down, data corruption
Data Backup and Recovery | Yes | High | Backup systems offline, unable to restore data
ATM Transaction Processing | Yes | Medium | Connectivity issues, unable to process transactions
Internal Communications | Yes | Medium | Email and internal network services unavailable

4.5.27 Disaster Recovery Event Recording Form (Example)

Activity Undertaken | Date and Time | Outcome | Follow-On Action | DR Team | Time Required
------------------- | ------------- | ------- | ---------------- | ------- | -------------
DRP Activation | 2024/07/13 | DR plan initiated; teams notified | Assigned roles and responsibilities | DR Team, IT Management | 30 minutes
Initial Incident Response | 2024/07/14 | Identified server failure due to power outage | Activated backup power supply | IT Operations, Facilities | 1 hour
Communication Establishment | 2024/07/15 | Internal and external communication channels restored | Tested communication protocols | Communications Team, IT Support | 2 hours
Network Restoration | 2024/07/16 | Connectivity restored to branches and ATMs | Verified network stability | Network Team, ISP Support | 6 hours

4.5.28 Mobilization of Disaster Recovery Team Members (Example)

Name of Team Member | Role | Contact Details | Response Start Date Required | Contacted On (Time / Date) | By Whom
------------------- | ---- | --------------- | ---------------------------- | -------------------------- | -------
Thushara | Security Officer | 0715858585 | Immediately | 2021/07/15 |
Damitha | Backup Administrator | 0755885883 | Immediately | 2021/07/15 |
Sasanka | IT Manager | 0712985756 | Immediately | 2021/07/15 |
Tulin | Network Engineer | 0714545466 | Immediately | 2021/07/15 |

4.5.29 Communication Coordination Form (Example)

Groups of Persons or Organizations Affected by Disruption | Persons Selected To Coordinate Communications | Name | Position | Contact Details
--------------------------------------------------------- | --------------------------------------------- | ---- | -------- | ---------------
Customers | Customer Service Manager | Kushi | Customer Service Manager | 0715888888
Media | Communications Manager | Shanaka | Communications Manager | 0714568568
Management & Staff | HR Manager | Aravind | HR Manager | 0712565565
Suppliers | Procurement Officer | Indrajith | Procurement Officer | 0760555515
Stakeholders | Public Relations Officer | Mark | Public Relations Officer | 0745235232

4.5.30 Presentation Slides
