Soumyadeep answered on Apr 09 2021
CASE STUDY: NAB DATA BREACH
Author Name
Student ID
Name of the University
Email
Table of Contents
Overview
Common Security Issues an Auditor Needs to Investigate
NAB’s Response to the Data Breach
Information Security Measures NAB Should Adopt
Role of Cloud Computing in Information Security
References
Overview
The National Australia Bank (NAB), the fourth largest bank in Australia, spent 26 July 2019 contacting almost 13,000 customers to inform them of a data breach. Customers provide personal information whenever they open an account or sign up for banking services. Without any consent or authorisation, the bank had uploaded the personal information of these customers to insecure servers of two data service providers. The uploaded information included names, contact details, dates of birth and government-issued identification numbers such as driver's licence numbers. When NAB's security team contacted the two companies, they were advised that the information had been deleted within two hours of being uploaded. NAB's Chief Data Officer, Glenda Crisp, has said that the bank takes full responsibility for the incident, but she has also insisted that it was not a cybersecurity issue. In her view, NAB's data security policies were breached by human error, but customers' account credentials were not exposed because the bank's systems remained secure. NAB, one of the "Big Four" lenders, has reported the incident to regulators, including the Office of the Australian Information Commissioner, and has assured customers that the uploaded information has not been further copied or disclosed. The data breach happened just a week after Ross McEwan, who revolutionised the Royal Bank of Scotland, was hired as NAB's new CEO to restore customer trust after the negative revelations of the public inquiry into the financial sector.
NAB's data security and privacy policy states that it may disclose personal information to third parties such as authorised representatives of the NAB Group, credit reporting bodies, insurance, investment, superannuation and managed funds organisations, medical professionals, medical facilities or health, real estate agents, valuers and insurers, brokers, other financial institutions, debt collectors, fraud reporting agencies and detection service providers, loyalty program partners, rating agencies, parties related to the Reserve Bank of Australia, payments systems organisations, mailing houses, telemarketing agencies and media organisations, and in some other instances where the customer has provided consent. Nowhere does it mention that personal information can be disclosed to data service providers, so the upload was a clear breach of NAB's own privacy policy. The breach also demonstrates that no matter how many technical controls are implemented, their value can be entirely negated by human error. This is why accidents caused by human error, and insider threats generally, are a major concern, especially in financial institutions such as banks, which handle both personal information and sensitive personal information.
Common Security Issues an Auditor Needs to Investigate
An auditor will need to investigate the following issues, with reference to the guidelines for information security risk management in ISO/IEC 27005:2018 and the Australian Government Information Security Manual published by the Australian Cyber Security Centre (ACSC).
1. Availability of a well-documented security policy, and whether IT assets and IT-related policies are covered by it. Current level of GDPR compliance and compliance gaps. Clarity of language and mention of customer consent.
2. PC, LAN, MAN and WAN security; physical security as it relates to information security; handling of confidential information and security incidents. Patch management policies, evaluating the average time taken to implement a patch after its release and the frequency of updates. Coverage of patches for IoT devices.
3. Security of email, application programming interfaces (APIs), passwords and password policy, operating systems, databases and servers, firewalls, etc. Device encryption standards covering mobile phones and laptops. Implementation of multi-factor authentication, etc. Only websites required for business needs should be allowed.
4. Access management policies and controls, with user access privileges granted according to defined business needs and business cases. Amendment of access roles to accommodate changes of personnel. Classification of data as per the confidentiality policy. Data retention policy, destruction of data, etc.
5. Third-party contracts and Service Level Agreements, adequacy of information security clauses and compliance efforts. Third-party regulatory requirements and the effectiveness of management in communicating regulatory requirements to all related business parties, including third-party vendors.
6. Continuous training on data protection and information security policies, with strict adherence required of all employees and training records audited. Blocking of...
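An added example, not part of the case study or of NAB's own systems: a pre-disclosure check in Python that applies the privacy-policy recipient list quoted in the Overview together with the consent and data-classification points from audit items 1 and 4, so that an upload like the one described is stopped before it happens. The category names, field names and sample transfers are assumed for illustration.

```python
# Added example, not part of the original case study: a pre-disclosure check
# built on the recipient categories quoted above; all names and samples are constructed.
from dataclasses import dataclass

# Third-party categories the quoted policy permits (abbreviated list).
PERMITTED_RECIPIENTS = frozenset({
    "authorised representative", "credit reporting body", "insurer",
    "medical professional", "real estate agent", "valuer", "broker",
    "other financial institution", "debt collector", "fraud reporting agency",
    "loyalty program partner", "rating agency", "payments system organisation",
    "mailing house", "telemarketing agency", "media organisation",
})
# Fields an auditor would classify as sensitive personal information.
SENSITIVE_FIELDS = frozenset({"date_of_birth", "driver_licence_number", "passport_number"})

@dataclass(frozen=True)
class Transfer:
    recipient_category: str
    fields: frozenset
    customer_consent: bool  # explicit consent for this specific disclosure
    records: int

def review_transfer(t: Transfer) -> list:
    """Audit findings for one proposed disclosure; an empty list means no issue."""
    findings = []
    if t.recipient_category not in PERMITTED_RECIPIENTS and not t.customer_consent:
        findings.append("recipient not a permitted category and no customer consent")
    sensitive = sorted(t.fields & SENSITIVE_FIELDS)
    if sensitive:
        findings.append("sensitive fields included: " + ", ".join(sensitive))
    return findings

def decide(t: Transfer) -> str:
    """block = policy breach; escalate = permitted but needs sign-off; allow = proceed."""
    findings = review_transfer(t)
    if any("not a permitted category" in f for f in findings):
        return "block"
    return "escalate" if findings else "allow"

# Constructed sample: the first transfer mirrors the incident described above.
SAMPLE_TRANSFERS = [
    Transfer("data service provider", frozenset({"name", "contact_details",
             "date_of_birth", "driver_licence_number"}), False, 13000),
    Transfer("credit reporting body", frozenset({"name", "contact_details"}), False, 500),
    Transfer("insurer", frozenset({"name", "date_of_birth"}), False, 20),
]
```

Running `decide` over each entry of `SAMPLE_TRANSFERS` blocks the first upload, allows the second and escalates the third for sign-off because it carries a sensitive field to a permitted recipient.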