Security Assignment

The document outlines the security risks faced by banks, including both physical threats like robbery and cyber threats such as phishing and malware. It proposes a comprehensive Information Security Management System (ISMS) based on ISO/IEC 27001, detailing key elements such as risk assessment, access control, and incident response. By implementing these measures, banks can enhance their security posture and protect their operations and customer trust.

Uploaded by

jick alvin

Identify security risks and propose an information security management system


Case study: Banking System

NGWE BECKKY AWAH: SC24P103


TCHAKOUNTE GODWILL TCHAKOUNTE: SC24P106

Introduction

Banks are pivotal institutions in the global economy, facilitating financial transactions,
safeguarding assets, and providing credit. As they increasingly adopt digital technologies to
enhance services, they become more susceptible to cyber threats. Cybercriminals exploit
vulnerabilities in banking systems to commit fraud, steal sensitive data, and disrupt
operations, posing significant risks to both the institutions and their customers.

Components of a Modern Bank

Understanding the various components of a bank is essential to identify potential security
risks. These components can be categorized into physical and digital assets.

1. Physical Components

- Branch Offices: Physical locations where customers conduct transactions.
- Automated Teller Machines (ATMs): Machines that provide cash withdrawal and other services.
- Data Centers and Server Rooms: Facilities housing critical IT infrastructure.
- Vaults and Safe-Deposit Boxes: Vaults store large sums of money and valuable assets (jewelry, documents).
- Security and Surveillance Equipment: Banks use CCTV cameras, intrusion alarms, motion sensors, and badge-access controls to protect facilities.
- Employee Workstations: Computers and terminals used by bank staff.

2. Digital Components

- Core Banking Systems: Centralized platforms managing customer accounts and transactions.
- Online and Mobile Banking Platforms: Applications enabling customers to access banking services remotely.
- Payment Processing Systems: Infrastructure facilitating electronic transactions.
- Customer Relationship Management (CRM) Systems: Tools managing customer interactions and data.
- Authentication and Identity Systems: These verify users (both employees and customers) via usernames, passwords, tokens, or biometric scans.
- Email and Communication Systems: Channels for internal and external communication. Banks rely on telephone lines, internet connections, and private networks.
- Third-Party Services and Vendors: Banks often use external providers (cloud hosting, software as a service, payment processors, ATM networks). These third parties become extensions of the bank's system.
- Databases and Sensitive Data Stores: Customer personal and financial data are stored in databases.

Security Risks Associated with Bank Components

Each component of a bank faces specific security threats that can be broadly classified into
physical and cyber risks.

1. Physical Security Risks

- Robbery and Burglary: Bank branches and ATM sites can be attacked by armed robbers seeking cash or negotiable instruments. In branches, tellers and managers are targets. In transit (cash pickup/delivery), security vehicles can be ambushed.
- ATM Physical Attacks: Attackers exploit ATMs by tampering or by using force and explosives to break in. Some gangs specifically target service technicians to steal ATM cash cassettes.
- Vandalism and Sabotage: Angry customers or protestors might damage property. Disgruntled insiders could sabotage equipment. Alarms and tamper-evident seals help mitigate these.
- Building Management System Compromise: Modern bank buildings often have automated controls (for heating, ventilation, security locks). Attackers could compromise these if they are networked.
- Insider Threats: Employees or contractors might misuse physical access.
- System Failures: IT outages disrupting transactions.
- Counterfeit Currency: Banknotes must be kept secure against forgery.

2. Cybersecurity Risks

- Phishing Attacks: Attackers frequently use deceptive emails, texts, or calls to trick bank employees or customers into revealing credentials or personal information.
- Malware and Ransomware: Malicious software compromising systems or encrypting data for ransom.
- Distributed Denial of Service (DDoS) Attacks: In a DDoS attack, attackers flood a bank's online services (website, online banking portal) with fake traffic to overwhelm them. This makes the service unavailable to legitimate users.
- Data Breaches: Unauthorized access to confidential data.
- Credential Theft and Account Takeovers: Attackers use stolen or guessed passwords to log into systems. If employees reuse passwords across systems, one breach can lead to broader access.
- Man-in-the-Middle Attacks: Intercepting communications between parties to steal information.
- Advanced Persistent Threats (APTs): These are sophisticated, long-term attacks by well-funded groups. APTs often start with phishing or exploiting a vendor, then lie dormant, slowly creeping deeper into the bank's network to steal data or spy on transactions.
- SQL Injection: Exploiting vulnerabilities in database-backed applications to access or manipulate data.
- Zero-Day Exploits: Attacks targeting unknown vulnerabilities in software.
- Third-Party / Vendor Risks: Banks use many external providers (cloud platforms, payment gateways, IT support). If a supplier has weak security, attackers can pivot through them.
- Insider Cyber Threats: A disgruntled employee or contractor with network access can intentionally damage systems or exfiltrate data.
- Payment and Card Fraud: Digital theft of account data and payment credentials is common. Fraudsters may steal credit card data or compromise online payment interfaces. They can then make unauthorized transfers or purchases.
- Money Laundering: Banks must enforce strict Anti-Money Laundering policies.

Comprehensive Information Security Management System (ISMS) Proposal

To combat these risks, banks implement an Information Security Management System
(ISMS): a formal framework of policies, procedures, and controls that governs all aspects of
security. One widely used model is ISO/IEC 27001, an international standard for ISMS. ISO
27001 defines a risk-based, continuous-improvement process. It requires banks to
document their information security policy, identify critical assets, assess threats, and apply
safeguards.
Under an ISMS, a bank would carry out the following key elements:

1. Risk Assessment & Policies:

The bank catalogs assets (hardware, software, data, and people) and determines risk levels
for each. Management establishes clear security policies (acceptable use, data classification,
password rules) to guide employees. For banks, ISO 27001 specifically mandates
documented processes including a Statement of Applicability, Risk Treatment Plan, and
Incident Response Procedure to ensure readiness for security events.
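The asset catalog and risk-level determination described in this step, shown as an added example that is not part of the assignment. The assets, threat descriptions, likelihood and impact scores, and the risk appetite threshold are all constructed for illustration; the scoring follows the common 5x5 likelihood-times-impact matrix.

```python
# Added example, not part of the assignment: a minimal ISO/IEC 27001-style
# risk register. Asset values, threats, likelihoods and the risk appetite
# are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    category: str    # "physical" or "digital", as in the asset inventory
    impact: int      # 1 (negligible) .. 5 (severe) if compromised

@dataclass
class Threat:
    asset: str       # name of the asset this threat applies to
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)

def risk_score(likelihood, impact):
    """Classic 5x5 matrix: score = likelihood x impact, range 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

def risk_level(score):
    if score >= 15: return "Critical"
    if score >= 10: return "High"
    if score >= 5:  return "Medium"
    return "Low"

def treatment_plan(assets, threats, appetite=9):
    """Rank threats by score; anything above the risk appetite must be treated
    (mitigated or transferred), the rest may be accepted and reviewed next cycle."""
    impact = {a.name: a.impact for a in assets}
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, impact[t.asset])
        action = "treat" if score > appetite else "accept"
        rows.append((t.asset, t.description, score, risk_level(score), action))
    return sorted(rows, key=lambda r: r[2], reverse=True)

ASSETS = [Asset("core banking system", "digital", 5),
          Asset("ATM fleet", "physical", 3),
          Asset("employee workstations", "digital", 2)]
THREATS = [Threat("core banking system", "ransomware delivered by phishing", 3),
           Threat("ATM fleet", "physical attack on cash cassettes", 2),
           Threat("employee workstations", "credential theft", 4)]

if __name__ == "__main__":
    for row in treatment_plan(ASSETS, THREATS):
        print(row)
```

The sorted output is the seed of the Risk Treatment Plan: the ransomware scenario scores 15 (Critical) and exceeds the appetite, so it must be treated; the other two fall below it and can be accepted with periodic review.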

2. Access Control and Authentication:

Strict controls ensure only authorized users can access sensitive systems. This includes role-
based permissions, MFA for remote or admin access, and regular review of user rights.
Employee accounts are promptly disabled when staff leaves. Access logs are monitored for
anomalies.

3. Network and Infrastructure Security:

Firewalls, intrusion detection/prevention systems, and secure network architecture protect
the bank's networks. Unnecessary services are disabled, and all externally exposed systems
are hardened. Segmentation (keeping the core banking network separate from the public
internet) limits an attacker's lateral movement. Regular patch management keeps software
up to date against known exploits.

4. Data Protection and Encryption:

All sensitive data (customer records, account numbers, PINs) is encrypted both at rest and in
transit, using strong cryptographic protocols. Even if disks or database backups are stolen,
encryption renders the data unreadable. PCI DSS and similar regulations require strong
encryption for card data. As PECB recommends, banks should implement "strong encryption
for all sensitive data".

5. Physical Security Controls:

The ISMS includes physical safeguards: locked server rooms, surveillance cameras, mantraps,
and guards. Access to data centers and vaults is logged and restricted. Environmental
controls (smoke detectors, water sensors) protect against natural hazards. Backup
generators and off-site replicas ensure continuity if a primary site fails.

6. Personnel Security and Training:

Employees are often the first line of defense. Banks must conduct background checks on
staff with privileged access. Regular training and awareness programs teach workers to
recognize phishing, social engineering, and security policies. For example, staff should know
never to share login credentials or plug in unknown USB drives. Periodic drills (e.g. fake
phishing emails) help reinforce vigilance.
7. Vendor and Third-Party Management:

The ISMS covers relationships with outside vendors. Contracts and audits ensure that cloud
providers, software vendors, and ATM networks adhere to security requirements.
Penetration testing or compliance certifications (e.g. ISO 27001 or SOC reports) may be
required from key suppliers.

8. Incident Response and Business Continuity:

Banks must prepare for attacks. An Incident Response Plan defines how to detect, contain,
and remediate breaches. A dedicated response team (CSIRT) investigates incidents to
minimize impact. Separately, a Business Continuity/Disaster Recovery (BC/DR) plan ensures
that, if an outage or attack occurs, core banking services can quickly resume (e.g. by failing
over to a backup data center). The PECB guidance notes the importance of “fast response
approaches” and improving continuity capabilities. Regular exercises test these plans.

9. Monitoring, Logging, and Audits:

Continuous monitoring (using a SIEM system) collects logs from servers, network devices,
and applications to spot unusual activity. Audit logs are retained securely so forensic analysis
can be done after an incident. Periodic internal audits and external compliance audits (e.g.
regulatory IT examinations, PCI audits) verify that security controls are properly
implemented. ISO 27001’s cycle of “Plan–Do–Check–Act” ensures ongoing improvement,
requiring banks to “regularly monitor and review” controls and make enhancements.
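The access-log monitoring called for in step 2 (disabled accounts, MFA for admin access) and the SIEM-style detection of unusual activity in step 9, including the credential-theft pattern from the risk list, shown as an added example that is not part of the assignment. The log format, account names, roles, source addresses and thresholds are assumptions; the log lines are constructed.

```python
# Added example, not part of the assignment: three detection rules run over
# constructed authentication log lines, as a SIEM rule set would. Log format,
# account names, roles and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

DISABLED_ACCOUNTS = {"mwilson"}        # offboarded staff: must never log in
PRIVILEGED_ROLES = {"admin", "dba"}    # roles that require MFA on every login
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)

LOG_LINES = """\
2025-03-03T08:01:12 user=jdoe role=teller src=10.0.1.5 result=success mfa=yes
2025-03-03T08:03:40 user=mwilson role=teller src=10.0.1.9 result=success mfa=yes
2025-03-03T08:05:02 user=dbadmin role=dba src=203.0.113.7 result=success mfa=no
2025-03-03T09:10:00 user=asmith role=teller src=198.51.100.4 result=failure mfa=no
2025-03-03T09:10:07 user=asmith role=teller src=198.51.100.4 result=failure mfa=no
2025-03-03T09:10:15 user=asmith role=teller src=198.51.100.4 result=failure mfa=no
2025-03-03T09:10:21 user=asmith role=teller src=198.51.100.4 result=failure mfa=no
2025-03-03T09:10:30 user=asmith role=teller src=198.51.100.4 result=failure mfa=no
2025-03-03T09:10:44 user=asmith role=teller src=198.51.100.4 result=success mfa=yes
""".splitlines()

def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(lines):
    """Return (rule, user, src) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    for rec in map(parse, lines):
        key = (rec["user"], rec["src"])
        if rec["result"] != "success":
            failures[key].append(rec["ts"])
            continue
        if rec["user"] in DISABLED_ACCOUNTS:          # offboarding gap (step 2)
            alerts.append(("disabled-account-login", *key))
        if rec["role"] in PRIVILEGED_ROLES and rec["mfa"] != "yes":
            alerts.append(("privileged-login-without-mfa", *key))
        recent = [t for t in failures[key] if rec["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:             # guessing, then success
            alerts.append(("brute-force-then-success", *key))
        failures[key].clear()
    return alerts
```

Calling `detect(LOG_LINES)` yields three alerts: a login by an account that should have been disabled, a database administrator logging in without MFA, and a successful login preceded by five failures from the same source within ten minutes.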

10. Ongoing Governance:

Governance is crucial: the board and executive management must support the ISMS. Banks
typically appoint a Chief Information Security Officer (CISO) to lead the program. A security
committee might meet regularly to review risks. Performance metrics (like number of
phishing emails caught, system downtime, and audit findings) are tracked and reported
upward. The goal is to integrate security into the bank’s culture and operations.

11. Regulatory Compliance and Framework Alignment:

In finance, numerous regulations (e.g. PCI DSS for payment cards, GLBA/FFIEC guidelines in
the U.S., GDPR for personal data, etc.) impose security requirements. The ISMS framework
helps meet these: for instance, ISO 27001 and the U.S. NIST Cybersecurity Framework
provide best practices that align with regulatory mandates. Adhering to such frameworks
not only protects the bank, but also maintains customer trust and avoids hefty fines.

Conclusion

Banks face a variety of physical and cyber threats that can compromise their operations and
customer trust. Implementing a comprehensive ISMS tailored to the unique challenges of
the banking sector is crucial. By proactively managing risks, enforcing strict security
measures, and fostering a culture of security awareness, banks can safeguard their assets
and maintain the integrity of the financial system.
