Bank Enterprise Information Security Policy (EISP)
The organization that we will use is a small community bank. This type of organization was selected because everyone in the course should have some familiarity with banks, a community bank has a smaller scope, the banking industry has regulatory requirements to follow, and public trust in banking is very important. (Maryland SECU is an example of this type of bank.)
Here are some technical parameters of the Bank of Bowie.
· Headquarters is located in Bowie, MD
· Headquarters building has corporate offices and a branch on the lower level
· Two branch offices are located in Bowie and Laurel
· Each of the three branches employees the following staff
o Branch Manager
o Branch Security Officer
o Six Tellers
o Two Loan Officers
· Corporate Headquarters employs the following staff
o Officers and Directors
§ Chairman/CEO/President/Director
§ Vice-President/Secretary/Director
§ Financial Officer/Treasurer
§ Assistant Treasurer
§ Six Directors – Corporate Strategy, Branch Oversight, Personnel Oversight, Regulatory Implementation, Customer Focus, Policy/Standards/Processes
§ Chief Compliance Officer
o Employees
§ Head Loan Officer
§ Senior Loan Administrator
§ Two Loan Processors
§ Escrow Processor
§ Eight Customer Service Representatives
§ Internal Auditor
§ Compliance Officer
§ Two Human Resources Personnel
§ Five Information Technology Personnel
· Bank Offerings
o Savings and Checking Accounts
o Loans
o Deposit Products such as IRAs
o Online Banking
Information Technology Landscape
· Primary corporate databases are maintained at the Headquarters and a backup location
· Data is replicated routinely from the branches to the Headquarters
· Headquarters and branch personnel use desktops for their day-to-day activities
· Software consists of a number of standard applications, e.g., Office, and customized banking applications
· The Bank of Bowie website provides static information about the bank
· Electronic banking activities are outsourced to other providers
· Data is archived by a third-party provider
· Data protection mechanisms include encryption, digital signatures, access control firewalls, and other measures
Vision/Mission
Bank of Bowie is built on weeks of dedication to the community, Bank of Bowie will “continue in our rich tradition of providing impeccable customer service within a community environment.”
[1]
Regulation
We will simplify the government regulations for this activity. You must account for federal requirements for the following.
· All financial transactions must have integrity.
· All financial transactions must be audited and audit data must be retained for a period of six years.
· Social Security Numbers must be kept confidential.
· Customers must have access to their accounts at least every 48 hours.
· Interest rates and other loan terms and conditions must be clearly disclosed to customers.
Submission One – Policies
Bank of Bowie requires a set of policies to guide their efforts.
Write an Enterprise Information Security Policy for the Bank of Bowie. See Page 148, Table 4-1 for an example. Make certain the policy includes what the information security needs are and not how to achieve them. Include the five federal requirements and three additional requirements based on market competitors (local banks – such as MECU, SECU, PointBreeze Credit Union, 1st Mariner Bank, Rosedale Federal Savings and Loan). Please detail the mission, vision, and values to support the justification for the “information security needs”.
Create an Issue-specific security policy (ISSP) on a relevant topic of your choosing. It can be for internal system users or for customers or services provided to customers.
Create a system specific policy that addresses audit logs and backup of the audit logs. Make certain that it is compliant with the laws indicated in the background.
Each policy document should be well organized per the outlines presented in the text or another reference. Each policy should be between 2 and 4 pages and it will be graded based on its completeness in addressing the topic, not on its length. Finally, it should follow all of the guidelines for each policy type in the text.
.
Enterprise Information Security Policy
Mission, Vision, and Values
Section 1: Purpose
Section 2: Policy Definitions
Policy 1: XXXX
Policy 2: XXXX
Policy 3: XXXX
Policy 4: XXXX
Policy 5: XXXX
Policy 6: XXXX
Section 3: Necessity
Section 4: Roles and Responsibilities
Section 5: External Standards and Guidelines
Issue-Specific Security Policy
Section 1: XXXX
Section 2: XXXX
Section 3: XXXX
Section 3: XXXX
Section 4: Violation of Policy (Example)
If any policy listed in this document is violated in any way as defined by the institution, an investigation into the violation/s will be thorough, and repercussions will be swiftly administered. Penalties will be based on the severity of the violation, and can range from a verbal warning to expulsion from the company and/or legal prosecution. All employees and related associates of the Bank of Bowie are required to report any suspected violation of policy to their superior, or to the anonymous hotline, which can be reached by calling 1-800-555-5555. Any person making a report of a suspected policy violation will in no way be penalized for their report.
Section 5: XXXX
Section 6: XXXX
System Specific Security Policy
· Branches
· Corporate Headquarters
References Used for Enterprise Information Security Policy:
References Used for Issue-Specific Security Policy:
References Used for System Specific Security Policy