Security

The document outlines the internal verification process for assessment decisions related to the BTEC Higher National Diploma in Computing, specifically focusing on Unit 05: Security. It includes guidelines for assessment criteria, feedback mechanisms, and a detailed assignment brief for students, emphasizing the importance of IT security measures for METROPOLIS CAPITAL Bank. Additionally, it covers various activities related to assessing risks, describing IT security solutions, and managing organizational security, along with grading rubrics and submission requirements.

Uploaded by

maha1176jega

SECURITY

S.Piravaksan
Higher Nationals
Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title: BTEC Higher National Diploma in Computing
Assessor: V.Sulojan
Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: Providing a suitable security solution for METROPOLIS CAPITAL Bank
Student’s name: Sivaneswaran Piravaksan
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction
INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match those shown in the assignment brief? Y/N

Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N

Has the work been assessed accurately? Y/N

Is the feedback to the student:
Give details:
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N

Does the assessment decision need amending? Y/N
Assessor signature: Date:
Internal Verifier signature: Date:
Programme Leader signature (if required): Date:

Confirm action completed
Remedial action taken
Give details:

Assessor signature: Date:
Internal Verifier signature: Date:
Programme Leader signature (if required): Date:
Higher Nationals - Summative Assignment Feedback Form

Student Name/ID: Sivaneswaran Piravaksan/E187238
Unit Title: Unit 05: Security
Assignment Number: 1
Assessor: Mr.V.Sulojan
Submission Date: 2024.02.04
Date Received 1st submission: 2024.02.04
Re-submission Date:
Date Received 2nd submission:
Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descriptors: P1 P2 M1 D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descriptors: P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descriptors: P5 P6 M3 M4 D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descriptors: P7 P8 M5 D3

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:


* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have been agreed at the assessment board.
Pearson
Higher Nationals in
Computing
Unit 5: Security
General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use previous page as your cover
sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom, right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and should be in the style of Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and Page Number on each
page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory information. eg: Figures,
tables of comparison etc. Adding text boxes in the body except for the before mentioned compulsory information will result
in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing) for
an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete
an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using HARVARD referencing system
to avoid plagiarism. You must provide both in-text citation and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to a REFERRAL
or at worst you could be expelled from the course.
Student Declaration

I hereby declare that I know what plagiarism entails, namely to use another’s work and to present it as my
own without attributing the sources in the correct way. I further understand what it means to copy another’s
work.

1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments
for this program.
4. I declare therefore that all work presented by me for every aspect of my program, will be my own,
and where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding agreement
between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached
to the attached.

Student’s Signature (Provide E-mail ID): E187238@esoft.academy
Date (Provide Submission Date): 2024.02.04
Assignment Brief
Student Name/ID Number: Sivaneswaran Piravaksan/E187238
Unit Number and Title: Unit 5- Security
Academic Year: 2022/23
Unit Tutor: Mr.V.Sulojan
Assignment Title: METROPOLIS CAPITAL Bank
Issue Date: 2024.01.01
Submission Date: 2024.02.04
IV Name & Date:

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:

LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Assignment Brief and Guidance:


METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It
operates over 100 branches and 500 ATM machines across the island as well as 8 Branches overseas. To
provide their services, METROPOLIS CAPITAL Bank has a primary datacenter located in Colombo and
a Secondary datacenter located in Galle. Each branch and ATM must have connectivity to the core
banking system to be able to operate normally. In order to establish the connectivity between datacenters,
branches and ATM machines, each location has a single ISP link. This link provides VPN services
between branches, ATMs and datacenters as well as MPLS services for the bank and it establishes
connectivity between datacenters, ATMs, and branches.

METROPOLIS CAPITAL Bank's Head Office is a 5-story building in Kollupitiya, with the Ground Floor
allocated for Customer Services, the First Floor for HR, the Second Floor for Meeting Rooms and
Senior Executive Staff, the Third Floor for the Technical Support Team, and the Fourth Floor hosting
High Performance Servers running core banking systems. The Fifth Floor is occupied by outside
companies that are not related to METROPOLIS CAPITAL Bank. In addition, METROPOLIS CAPITAL Bank
provides many services to customers, including online and mobile banking facilities. Therefore,
their core banking system must communicate with several outside systems, and all communication
between outside systems, datacenters and the Head Office is protected by a single firewall.
METROPOLIS CAPITAL Bank has also recently implemented a bring your own device (BYOD) concept for
Senior Executive Staff and HR Departments and, to facilitate this, they are providing employee WiFi
as well as a guest WiFi Hotspot.

The bank has signed agreements, AMCs, contracts and NDAs with several local and foreign IT service
vendors. Some local vendors provide services and support to foreign companies. METROPOLIS CAPITAL
Bank's Technical Support Team is a local third-party vendor, contracted by METROPOLIS CAPITAL Bank
and managed by their Supply Chain Management Officer. The Technical Support Team provides onsite and
remote support for their customers.

METROPOLIS CAPITAL Bank strictly follows the rules and regulations enforced by the government and
the Central Bank. Therefore, they have obtained the ISO 31000:2009 certification. In addition to
this, the datacenters, branches, ATMs and HQ are covered by CCTV with 24x7 monitoring. Other
security functions, such as VA scanning, internal auditing, and security operations, are carried out
by the bank's employees. They have purchased a VA scanning tool, a Privileged access management
(PAM) system, an Endpoint detection and response (EDR) system, a Data loss prevention (DLP) tool, a
Web application firewall (WAF) and a Secure mail gateway, which are managed by the Technical Support
Team.

It has been reported that an emergency is likely to occur where a work from home situation may be
initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security
Analyst to recommend and implement a suitable security solution to facilitate this situation.

Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL
Bank may face under its current status and evaluate a range of physical and virtual security measures
that can be employed to ensure the integrity of organizational IT security. You also need to analyze
the benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank, with
valid reasons, in order to minimize the security risks identified and enhance organizational security.

Activity 02
2.1 Discuss how an incorrect/improper configuration of network infrastructure such as firewall and VPN
could impact METROPOLIS CAPITAL Bank. Assess IT security risks that may be faced by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can provide its employees with a
“Secure remote working environment”.

2.2 Discuss how the following technologies would benefit METROPOLIS CAPITAL Bank and its clients to
increase network performance. (Support your answer with suitable illustrations.)
i) Static IP
ii) NAT
iii) DMZ

Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its clients.
Explain the mandatory data protection laws and procedures which will be applied to data storage solutions
provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management
methodology" and summarize the ISO 31000 risk management methodology and its application in IT
security. Analyze possible impacts to organizational security resulting from an IT security audit.
Recommend how IT security can be aligned with organizational policy, detailing the security impact of any
misalignment.

Activity 04
4.1 Design and implement a suitable security policy to prevent misuse and exploitation in line with
METROPOLIS CAPITAL Bank, using the organizational policy tools for the given scenario,
while evaluating and justifying the suitability of the tools used in an organizational policy to meet
business needs. Identify the stakeholders who are subject to the METROPOLIS CAPITAL Bank and
describe the role of these stakeholders to build security audit recommendations for the organization.

4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to
guarantee maximum reliability to their clients. (Student must develop a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes of time including justifications and reasons for
decisions and options used).

Grading Rubric

Grading Criteria Achieved Feedback

LO1 Assess risks to IT security

P1 Discuss types of security risks to organizations.
P2 Assess organizational security procedures.
M1 Analyze the benefits of implementing network monitoring systems with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can be employed to ensure the integrity of organizational IT security.

LO2 Describe IT security solutions

P3 Discuss the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.
P4 Discuss, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.

LO3 Review mechanisms to control organizational IT Security

P5 Review risk assessment procedures in an organization.
P6 Explain data protection processes and regulations as applicable to an organization.
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Analyze possible impacts to organizational security resulting from an IT security audit.
D2 Recommend how IT security can be aligned with organizational Policy, detailing the security impact of any misalignment.

LO4 Manage organizational security

P7 Design a suitable security policy for an organization, including the main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in implementing security audits.
M5 Justify the security plan developed giving reasons for the elements selected.
D3 Evaluate the suitability of the tools used in an organizational policy to meet business needs
HIGHER NATIONAL DIPLOMA IN
SOFTWARE ENGINEERING

Table of contents

Table of figures
Table of tables
ACKNOWLEDGEMENT
IT security
Network security
Differences between IT security and Network security
Importance of network security
Types of network security
The benefits of implementing network security measures for METROPOLIS CAPITAL Bank
Introduction to METROPOLIS CAPITAL Bank
Internet of Things (IoT)
The benefits of implementing IoT in Data Centers
Activity 01
Threat
Vulnerability
Difference between vulnerability and security risks
Security risk
Types of Security Risks of METROPOLIS CAPITAL bank and its impact
Physical risks
Internal Physical Risks
External Physical Risks
Man made Physical Risks
Virtual risks
Types of virtual security risks
Conclusion

S.Piravaksan SECURITY ID: RE63300 12 | P a g e


Security procedure
Organizational security procedures
Organizational security procedures for METROPOLIS CAPITAL Bank
Network monitoring system
Benefits of network monitoring system
Importance of network monitoring system
Suggested security procedures for the METROPOLIS CAPITAL Bank
Benefits of using Network Monitoring Systems for METROPOLIS CAPITAL Bank
Justification
Physical and virtual security measures for IT security at METROPOLIS CAPITAL Banks
Activity 02
Firewall
Importance of firewall
Types of firewall
Benefits of using firewalls
Firewall configuration
The impact of firewall misconfiguration on Network Security
VPN (Virtual Private Network)
Types of VPN
The impact of VPN misconfiguration in METROPOLIS CAPITAL Bank
Conclusion
Trusted network
DMZ (Demilitarized Zone) Network
Benefits of DMZ network
Examples of DMZ (Demilitarized Zone) network
Static IP
Benefits of Static IP

Implementation of Static IP for METROPOLIS CAPITAL Bank
Network Address Translation (NAT)
Benefits of Network Address Translation
Examples of NAT
Implementing Network Address Translation (NAT) for METROPOLIS CAPITAL Bank
Conclusion
Evaluation of identified physical and virtual risks of METROPOLIS CAPITAL bank
Risk management process
Step 01: Identify the risk
Step 02: Analyze the risk
Step 03: Evaluate the risk
Step 04: Treat the risk
Step 05: Monitor and review the risk
Conclusion
Activity 03
Risk assessment
Benefits of Risk assessment
Risk Assessment Procedure report for METROPOLIS CAPITAL Bank
Responsibilities of core team members
Assets identification of METROPOLIS CAPITAL BANK
Risk classification of METROPOLIS CAPITAL BANK
Risk matrix
Risk rating description
Risk register tables for identified risks
Conclusion
Data protection and regulations in IT security
Data protection and regulation at METROPOLIS CAPITAL bank

Data Protection Act
Data Protection Act (DPA) 1998
Principles of Data Protection Act (DPA) 1998
Conclusion
IT Security Audit
Importance of IT security audit for METROPOLIS CAPITAL Bank
Impacts of IT security audit on METROPOLIS CAPITAL Bank
Conclusion
The ISO 31000 Risk management framework
Application of ISO 31000 risk management methodology in METROPOLIS CAPITAL Bank for effective risk reduction
Conclusion
Organizational security
Potential impacts to organizational security for METROPOLIS CAPITAL Bank
Conclusion
Organizational policy
The importance of organizational policies in METROPOLIS CAPITAL Bank
The benefits of well-defined organizational policies
Impacts of misaligned organizational policy on IT security in METROPOLIS CAPITAL Bank
Conclusion
Activity 04
Security policy
Introduction
Purpose
Scope
Objectives
Security Policies for METROPOLIS CAPITAL Bank

Conclusion
Organizational policy tools
Benefits of using organizational policy tools
Network security tools for METROPOLIS CAPITAL Bank network protection
Password security tools for METROPOLIS CAPITAL Bank password protection
Database security tools for METROPOLIS CAPITAL Bank
Web application security tools for METROPOLIS CAPITAL Bank
Encryption security tools for METROPOLIS CAPITAL Bank
Email security tools for METROPOLIS CAPITAL Bank
Network monitoring security tools for METROPOLIS CAPITAL Bank
Video surveillance security tools for METROPOLIS CAPITAL Bank
Incident response security tools for METROPOLIS CAPITAL Bank
User authentication tools for METROPOLIS CAPITAL Bank
Conclusion
Presentation of METROPOLIS CAPITAL Bank’s Disaster Recovery Plan
Stakeholder
Types of stakeholders
Internal stakeholders of METROPOLIS CAPITAL Bank and their roles and descriptions
External stakeholders
Conclusion
References
Figure Reference


Table of figures
Figure 1: Internet of Things (IoT)
Figure 2: Equation for risk
Figure 3: Firewall
Figure 4: Packet filtering firewalls
Figure 5: Stateful inspection firewalls
Figure 6: Proxy firewalls
Figure 7: A next-generation firewall
Figure 8: Virtual firewalls.
Figure 9: Hardware firewalls
Figure 10: VPN
Figure 11: DMZ (Demilitarized Zone) Network
Figure 12: Static IP
Figure 13: Network Address Translation (NAT)
Figure 14: Risk management process
Figure 15: Risk assessment process
Figure 16: Risk Assessment Procedure report for METROPOLIS CAPITAL Bank
Figure 17: Risk matrix.
Figure 18: Data Protection Act (DPA) 1998.
Figure 19: Process of ISO 31000 Risk Management Standard
Figure 20: Security policy for Metropolis Capital Bank
Figure 21: Slide 1
Figure 22: Slide 2
Figure 23: Slide 3
Figure 24: Slide 4
Figure 25: Slide 5
Figure 26: Slide 6
Figure 27: Slide 7
Figure 28: Slide 8
Figure 29: Slide 9
Figure 30: Slide 10
Figure 31: Slide 11
Figure 32: Slide 12
Figure 33: Slide 13


Figure 34: Slide 14
Figure 35: Slide 15
Figure 36: Slide 16
Figure 37: Slide 17
Figure 38: Slide 18
Figure 39: Slide 19
Figure 40: Slide 20
Figure 41: Slide 21
Figure 42: Slide 22
Figure 43: Slide 23
Figure 44: Slide 24
Figure 45: Slide 25


Table of tables
Table 1: Types of Security Risks of METROPOLIS CAPITAL bank and Its Impact.
Table 2: Physical and virtual security measures for IT security at METROPOLIS CAPITAL Banks
Table 4: Evaluation of Identified Physical and Virtual Risks of METROPOLIS CAPITAL bank.
Table 5: Identify the risk.
Table 6: Analyze the risk.
Table 7: Evaluate the risk.
Table 8: Risk Assessment Procedure
Table 9: Responsibilities of Core Team Members.
Table 10: Internal Assets
Table 11: External Assets
Table 12: Risk classification.
Table 13: Risk rating description.
Table 14: Risk Register table for phishing
Table 15: Risk Register table for social engineering attack
Table 16: Risk Register table for malware attack
Table 17: Risk Register table for SQL injection
Table 18: Risk Register table for DoS attack
Table 19: Risk Register table for insider threats
Table 20: Risk Register table for ransomware
Table 21: Risk Register table for human errors
Table 22: Risk Register table for natural disasters
Table 23: Risk Register table for physical security breaches
Table 24: Network security tools for METROPOLIS CAPITAL Bank network protection
Table 25: Password security tools for METROPOLIS CAPITAL Bank password protection
Table 26: Database security tools for METROPOLIS CAPITAL Bank
Table 27: Web application security tools for METROPOLIS CAPITAL Bank
Table 28: Encryption security tools for METROPOLIS CAPITAL Bank
Table 29: Email security tools for METROPOLIS CAPITAL Bank
Table 30: Network Monitoring Security Tools for METROPOLIS CAPITAL Bank


Table 31: Video surveillance security tools for METROPOLIS CAPITAL Bank
Table 32: Incident Response Security Tools for METROPOLIS CAPITAL Bank
Table 33: User Authentication tools for METROPOLIS CAPITAL Bank
Table 34: Internal stakeholders of METROPOLIS CAPITAL Bank and their roles and descriptions
Table 35: External Stakeholders of METROPOLIS CAPITAL Bank and Their Roles


ACKNOWLEDGEMENT
I would like to express my deepest appreciation to all those who provided me with the
possibility to complete this assignment. I would like to sincerely express my gratitude to
my lecturer Mr.V.Sulojan for his suggestions and cooperation to complete my
assignment. It has taken so much effort and time to complete the assigned work. Without
his support the assignment wouldn’t have been completed. Also, I would like to express
my thanks to our Programme coordinator Mr.S.Premnath for his valuable suggestion and
guidance. My special thanks should go to Mr.Gajanan Balasubramaniam, branch manager
E-soft Metro Campus, Jaffna. His guidance and advice also helped me to complete my
assignment successfully. Finally, I would also like to take this opportunity to thank my
friends & family members, without them this assignment couldn’t have been completed in
a short duration.
Thank you.
Piravaksan Sivaneswaran
Esoft Metro Campus – Jaffna.


IT security
IT security is the overarching term used to describe the collective strategies, methods,
solutions, and tools used to protect the confidentiality, integrity and availability of the
organization’s data and digital assets. A comprehensive IT security strategy leverages a
combination of advanced technologies and human resources to prevent, detect and
remediate a variety of cyber threats and cyberattacks. It will include protection for all
hardware systems, software applications and endpoints, as well as the network itself and its
various components, such as physical or cloud-based data centers (Crowdstrike.com, 2021)
Network security
Network security encompasses all the steps taken to protect the integrity of a computer
network and the data within it. Network security is important because it keeps sensitive
data safe from cyber-attacks and ensures the network is usable and trustworthy. Successful
network security strategies employ multiple security solutions to protect users and
organizations from malware and cyber-attacks, like distributed denial of service.
A network is composed of interconnected devices, such as computers, servers, and wireless
networks. Many of these devices are susceptible to potential attackers. Network security
involves the use of a variety of software and hardware tools on a network or as software as
a service. Security becomes more important as networks grow more complex, and
enterprises rely more on their networks and data to conduct business. Security methods
must evolve as threat actors create new attack methods on these increasingly complex
networks.
No matter the specific method or enterprise security strategy, security is usually framed as
everyone's responsibility because every user on the network represents a possible
vulnerability in that network (Barney, 2023)


Differences between IT security and Network security


IT security and network security are two important concepts in the field of information
security. While there is some overlap between the two, they are distinct concepts with
different focuses and objectives. IT security refers to the protection of all types of
information technology assets, such as computers, servers, databases, and software, from
unauthorized access, use, disclosure, disruption, modification, or destruction. It includes a
wide range of practices and technologies, such as access control, encryption, antivirus
software, firewalls, intrusion detection and prevention systems, and security audits. On the
other hand, network security focuses specifically on the protection of computer networks,
including both wired and wireless networks, from various threats and attacks. It includes
a variety of practices and technologies, such as firewalls, virtual private networks (VPNs),
network segmentation, intrusion detection and prevention systems, and network monitoring
and analysis tools. The main difference between IT security and network security is their
scope and focus. While IT security is concerned with protecting all types of IT assets,
network security is specifically focused on protecting computer networks.
Importance of network security
In today's digital era, where technology is heavily relied upon by businesses and individuals
to communicate, store, and transmit sensitive information, network security is considered
of paramount importance. Unauthorized access, data theft, and other malicious activities
that can compromise the integrity and confidentiality of information are prevented by
network security. A robust network security framework, which includes measures such as
firewalls, intrusion detection and prevention systems, encryption, and access controls, is
employed. Effective network security not only protects data but also ensures business
continuity, enhances customer trust, and prevents legal and financial liabilities that can
arise from data breaches.


Types of network security


There are several types of network security measures that can be implemented to protect
against cyber threats and ensure the confidentiality, integrity, and availability of data.
Firewall
Firewall is a network security device that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. It acts as a barrier between a trusted
internal network and an untrusted external network, such as the Internet.
Access control
It is a method of limiting who has access to a particular network or system. This can be
achieved using passwords, biometric authentication, and other methods of user verification.
Anti-virus and antimalware
Antivirus and antimalware are software designed to detect, remove, or prevent viruses and
malware, such as Trojan horses, ransomware, and spyware, from infecting a computer and,
consequently, a network (Techtarget.com, 2022)
VPN (Virtual Private Network)
It creates a secure, encrypted connection between two devices or networks over the Internet.
It provides remote users with secure access to an organization's network resources.
Cloud security
Cloud providers often sell add-on cloud security tools that provide security capabilities in
their cloud. The cloud provider manages the security of its overall infrastructure and offers
tools for the user to protect their instances within the overall cloud infrastructure. For
example, Amazon Web Services provides security groups that control the incoming and
outgoing traffic associated with an application or resource (Techtarget.com, 2022)
Encryption
It is the process of converting data into an unreadable format that can only be deciphered
with a key. It is commonly used to secure sensitive data, such as passwords and financial
information, during transmission over a network.
Multifactor authentication (MFA)
MFA is an easy-to-employ and increasingly popular network security solution that requires
two or more factors to verify a user's identity. An example of this is Google Authenticator,
an app which generates unique security codes that a user enters alongside their password
to verify their identity (Techtarget.com, 2022)
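The codes such an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not part of the original assignment, showing how a server can compute and verify them alongside the password check. The function names, the demo secret and the replay guard are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed enrollment secret (base32, the form shown to authenticator apps).
# It decodes to the ASCII key used by the RFC 6238 test vectors, so results are checkable.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 shared secret, tolerating spaces, lower case and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, submitted, unix_time, last_counter=-1, step=30, digits=6, window=1):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts +/- `window` steps to tolerate clock drift, and rejects any code whose
    counter is not newer than `last_counter`, so an observed code cannot be reused.
    """
    now = int(unix_time) // step
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(key, counter, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


def login(password_ok, key, submitted_code, unix_time, last_counter=-1):
    """Both factors must pass. Returns (granted, last_counter to store for this user)."""
    if not password_ok:
        return False, last_counter
    counter = verify_totp(key, submitted_code, unix_time, last_counter)
    if counter is None:
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    granted, last = login(True, key, code, now)
    print("code:", code, "granted:", granted)
    print("same code replayed:", login(True, key, code, now, last)[0])
```

Storing the last accepted counter per user is what makes each code single-use; without it, a code stays valid for the whole drift window.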


The benefits of implementing network security measures for METROPOLIS CAPITAL Bank
By putting network security measures in place, Metropolis Capital Bank can gain a
variety of benefits. The bank, which has more than 100 branches and 500 ATMs, handles
a sizable amount of sensitive consumer information. Unauthorized access and data theft
can be prevented by implementing security measures such as VPN and MPLS services,
which can ensure the confidentiality and integrity of this data. In addition to protecting
customer information, network security measures can also prevent cyberattacks such as
malware, phishing, and denial-of-service attacks.
The bank's adoption of a BYOD concept for Senior Executive Staff and HR departments
increases the risk of security breaches due to unsecured devices. This risk can be reduced
by providing a secure network for these devices, which can be achieved by implementing
security solutions such as employee and guest WiFi hotspots.
Several local and foreign IT service vendors have signed agreements with Metropolis
Capital bank. The risk of security breaches through third-party access can be reduced by
implementing network security measures that ensure these vendors adhere to the bank's
security standards and protocols.
Metropolis Capital bank has obtained ISO 31000:2009 certification, demonstrating its
commitment to risk management and security. The Network Security Analyst has
recommended implementing a suitable security solution for a potential work from home
situation. Following this recommendation can strengthen the bank's security posture and
help ensure business continuity.


Introduction to METROPOLIS CAPITAL Bank


METROPOLIS CAPITAL Bank is a leading private banking service provider in Sri Lanka.
The bank operates over 100 branches and 500 ATM machines, with a primary datacenter
located in Colombo and a secondary datacenter located in Galle. Each location has a single
ISP link that provides VPN and MPLS services. The bank's head office is a 5-story building
in Kollupitiya, with each floor allocated for different purposes. The bank provides online
and mobile banking facilities and has implemented a bring your own device (BYOD)
concept for Senior Executive Staff and HR departments, providing employee and guest
WiFi hotspots.

The bank has signed agreements with several local and foreign IT service vendors.
METROPOLIS CAPITAL Bank follows strict rules and regulations enforced by the
government and has obtained ISO 31000:2009 certification. They have implemented
several security measures, including CCTV coverage and 24x7 monitoring, VA scanning,
internal auditing, and security operation. The bank has purchased various security tools,
which are managed by the Technical Support Team.


Internet of Things (IoT)


IoT stands for Internet of Things. It refers to the interconnectedness of physical devices,
such as appliances and vehicles, that are embedded with software, sensors, and connectivity
which enables these objects to connect and exchange data. This technology allows for the
collection and sharing of data from a vast network of devices, creating opportunities for
more efficient and automated systems.

Internet of Things (IoT) is the networking of physical objects that contain electronics
embedded within their architecture to communicate and sense interactions amongst each
other or with respect to the external environment. In the upcoming years, IoT-based
technology will offer advanced levels of services and practically change the way people
lead their daily lives. Advancements in medicine, power, gene therapies, agriculture, smart
cities, and smart homes are just a few of the categorical examples where IoT is strongly
established. IoT is a network of interconnected computing devices which are embedded in
everyday objects, enabling them to send and receive data. Over 9 billion ‘Things’ (physical
objects) are currently connected to the Internet. Soon, this number is expected
to rise to a whopping 20 billion (Geeksforgeeks.org, 2018).

Figure 1:Internet of Things (IoT)


The benefits of implementing IoT in Data Centers


Implementing the Internet of Things in a data center brings significant value and benefits
to the overall operations and management of the facility. IoT enables enhanced monitoring
and control of important infrastructure components, such as power distribution units,
cooling systems, and environmental sensors. By collecting real-time data from these
devices, data center operators can gain better insights into their performance, identify
potential issues or anomalies, and take proactive measures to optimize efficiency and
reduce risks.

IoT integration enables the implementation of predictive maintenance strategies. By
analyzing data from IoT-enabled devices, data center operators can identify patterns and
trends that indicate potential equipment failures or performance degradation. This allows
for timely maintenance and replacement of components, reducing downtime and
minimizing the impact on operations. Another advantage of IoT in data centers is improved
resource allocation. By leveraging IoT devices and sensors, operators can monitor and
optimize the utilization of power, cooling, and space resources. This leads to energy
savings, lower operating costs, and a more sustainable and environmentally friendly data
center infrastructure.

IoT can enhance physical security in data centers. IoT devices, such as surveillance
cameras, access control systems, and motion sensors, can be interconnected to provide
comprehensive monitoring and security coverage. Real-time alerts and notifications can be
sent to operators in case of unauthorized access attempts or security breaches, allowing for
immediate response and mitigation.


Activity 01
Threat
Security Threat means any threat or series of connected threats to intentionally attack
Network Systems for the purpose of demanding money, including virtual, digital, and
electronic currency, securities, or other property of value from an Insured; provided,
however, that Security Threat shall not include any such threat made by any governmental
entity or public authority (Lawinsider.com, n.d.)
Vulnerability
A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized
access to a computer system. After exploiting a vulnerability, an attacker can run
malicious code, install malware, and even steal sensitive data.
Vulnerabilities can be exploited by a variety of methods, including SQL injection, buffer
overflows, cross-site scripting (XSS), and open-source exploit kits that look for known
vulnerabilities and security weaknesses in web applications.
Many vulnerabilities impact popular software, placing the many customers using the
software at a heightened risk of data breach, or supply chain attack. Such zero-day
exploits are registered by MITRE as Common Vulnerabilities and Exposures (CVE) entries (Tunggal, 2022).
Difference between vulnerability and security risks
Vulnerability refers to a weakness or flaw in a system, process, or technology that could be
exploited by an attacker to compromise its security. It could be due to outdated software,
misconfiguration, or design flaws. Security risk, on the other hand, is the potential for a
threat or event to exploit vulnerabilities and cause harm or damage to an organization or
system. Security risks could include data breaches, cyber-attacks, physical theft, or natural
disasters. Vulnerability is a weakness or flaw that could be exploited, while security risk is
the potential harm that could result from exploiting that vulnerability.


Security risk
Potential threats to confidentiality, integrity, and availability of information or systems are
referred to as security risks. These risks can arise from various sources such as human
error, malicious attacks, and natural disasters. Consequences of security breaches can
include financial loss, reputational damage, system downtime, and data theft. Cyberattacks,
which are becoming more sophisticated and widespread, are a significant security risk that
can take various forms, such as malware, phishing, ransomware, and denial-of-service
attacks. Successful cyberattacks can result in the compromise of critical systems and
infrastructure, as well as sensitive data theft or destruction.
Security risks may also arise due to human error when employees are not adequately trained
or do not follow established security procedures. Natural disasters such as fires, floods, or
earthquakes can pose a severe security risk by causing physical damage to data centers,
servers, and other critical infrastructure, resulting in data loss and system downtime. To
reduce security risks, a comprehensive security strategy must be implemented by
organizations that includes regular security audits, employee training, and the use of
security technologies such as firewalls, antivirus software, and intrusion detection systems.
Organizations must ensure they stay up to date with the latest security threats and best
practices to ensure they are well-prepared to defend against potential attacks.

Figure 2:Equation for risk


Types of Security Risks of METROPOLIS CAPITAL bank and its impact


| Risks | Description | Possible impact |
|---|---|---|
| Phishing attacks | Fake emails or messages that appear to be from a trusted source, often including a link to a fake website or a malicious attachment. | Unauthorized access to accounts or data, financial loss, reputational damage. |
| Social engineering attacks | Attempts to manipulate people into revealing sensitive information, such as passwords or account details, through deception or psychological manipulation. | Unauthorized access to accounts or data, financial loss, reputational damage. |
| Malware attacks | Malicious software that can be used to steal information, damage systems, or enable unauthorized access. | Unauthorized access to accounts or data, damage to systems, financial loss. |
| Human errors | This is used to describe an unintentional choice or behavior. Violations are conscious attempts not to commit a purposeful misdemeanor. Even the most experienced and skilled individual may be impacted. | Insiders with malicious intent can gain access to network information and leak it, causing damage to devices and infrastructure. Devices become vulnerable because of ignorance, negligence, and mistakes, which leads to equipment damage. Employees leave with incomplete work without making it obvious. |
| SQL Injection | SQL injection is one of the most popular methods for web hacking; it enables an attacker to take control of the final database after modifying or deleting data. | An attacker could add their own malicious SQL instructions to access the enterprise database if an application fails to properly sanitize SQL statements, which is a security risk. Through webpage input, the attacker inserts malicious code into SQL statements. |
| Physical security breaches | Unauthorized access to physical facilities, such as data centers or ATMs. | Theft of assets, damage to systems, financial loss. |
| Natural Disaster | These adverse events include lightning, floods, and earthquakes. | This has the potential to derail a bank's well-planned plans and expectations. It is possible that supply chains will be disrupted. It is possible that employees won't be able to get to work. |
| Denial of Service attacks | Attempts to overwhelm a system or network with traffic to make it unavailable to users. | Disruption of services, financial loss, reputational damage. |
| Insider threats | Malicious or negligent actions taken by employees or contractors, either intentionally or accidentally. | Unauthorized access to accounts or data, damage to systems, financial loss, reputational damage. |
| Ransomware | Malware that encrypts data and demands payment in exchange for the decryption key. | Financial loss, reputational damage, legal penalties, data theft or corruption. |
Table 1:Types of Security Risks of METROPOLIS CAPITAL bank and Its Impact.
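The SQL injection row of Table 1 describes input that ends up inside an SQL statement. The following added example, which is not part of the original assignment, contrasts a query built by string concatenation with a parameterized one on an in-memory SQLite database. The `accounts` table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def open_demo_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 1200), ("bob", 560), ("O'Neil", 90)],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Weak form: the input is pasted into the SQL text, so quotes in it change the query."""
    query = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened form: the driver passes the input as data, never as SQL text."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def compare(owner):
    """Run both lookups on a fresh database and return (vulnerable_result, safe_result)."""
    conn = open_demo_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, owner)
        except sqlite3.Error as exc:
            vulnerable = f"error: {type(exc).__name__}"
        return vulnerable, lookup_parameterized(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name, a name containing an apostrophe, and input that closes the
    # string literal and appends an always-true condition.
    for value in ["alice", "O'Neil", "x' OR '1'='1"]:
        vulnerable, safe = compare(value)
        print(repr(value))
        print("  concatenated :", vulnerable)
        print("  parameterized:", safe)
```

The concatenated query returns every account for the third input and fails outright on the legitimate name `O'Neil`, while the parameterized query treats both as plain values.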


To increase the security of the Bank, it is now necessary to evaluate the risks that have been
found, classify them into physical and virtual security threats, and recommend the security
measures to be put into place. Before that, it is necessary to understand what physical
security risk and virtual security risk mean.

Physical risks
Physical risks in security refer to potential dangers that can arise from physical sources
such as unauthorized access, theft, vandalism, and natural disasters. In today's world, where
security threats are becoming more complex and sophisticated, it is essential to address
physical risks in addition to digital threats. Effective physical security measures can protect
an organization's assets, employees, and clients by ensuring the physical safety and
integrity of the premises, equipment, and information. This requires identifying potential
risks, implementing preventative measures, and having a response plan in place to reduce
the impact of any incidents.
Classification of physical risk
Internal Physical Risks
Internal physical risks refer to the potential hazards that can arise from within a system,
device, or object. For example, if a machine is not properly maintained or regularly
inspected, it could malfunction and cause injury to the user or those nearby. Internal
physical risks can also arise from the materials used in a product or system, such as toxic
chemicals or flammable substances that can cause harm if they leak or ignite.
External Physical Risks
External physical risks, on the other hand, refer to the potential hazards that come from
outside of a system or object. Examples of external physical risks include natural disasters
like earthquakes, hurricanes, or tornadoes that can damage buildings and infrastructure and
harm people. Other external physical risks include fires, explosions, and accidents caused
by human error or negligence.
Man-made Physical Risks
Man-made physical risks are hazards that arise from human activities. These can include
intentional or accidental actions that cause harm to people, property, or the environment.
Examples of man-made physical risks include acts of terrorism, industrial accidents, or
transportation mishaps. They can be caused by individuals, organizations, or entire societies,
and can have long-lasting effects on the environment and people's health and well-being.


Virtual risks
Virtual risks in IT security refer to potential threats that exist in the digital realm, such as
malware, phishing scams, and hacking attempts. These risks can lead to the compromise of
sensitive information, financial loss, and reputational damage for individuals and
organizations alike. Virtual risks can also manifest in the form of identity theft and data
breaches, which can have severe consequences for affected individuals. It is important to
implement robust security measures and stay informed about emerging threats to protect
against virtual risks in IT security.
Types of virtual security risks
Ransomware - A type of malware that encrypts data on a victim's computer or server
and demands payment in exchange for the decryption key. Ransomware attacks can result
in significant financial losses and can also cause damage to a company's reputation.
Denial of Service (DoS) attacks - DoS attacks are designed to overwhelm a network or
server with a flood of traffic, rendering it inaccessible to legitimate users. This can cause a
loss of revenue, downtime, and damage to a company's reputation.
Password attacks - Password attacks involve an attacker trying to gain access to a system
by guessing or cracking a password. These attacks can be carried out manually or with the
use of automated tools and can be successful if weak or commonly used passwords are in
place.
Insider threats - Insider threats occur when a trusted individual, such as an employee or
contractor, uses their access to a system to steal or compromise sensitive data. Insider
threats can be intentional or accidental and can be caused by negligence or malice.
Malware - Malicious software that is designed to infiltrate and damage
computers, servers, and other digital devices. Malware can be spread through email
attachments, infected websites, and other means, and can cause data loss, theft, or
destruction.


Conclusion
Both physical and virtual risks pose significant threats to the security and stability of banks
and their operations. Physical risks encompass potential dangers arising from unauthorized
access, theft, vandalism, and natural disasters. It is important for banks to address these
risks by implementing robust physical security measures, conducting regular inspections,
and having comprehensive response plans in place. Internal physical risks can emerge from
within the bank's infrastructure, such as equipment malfunctions or hazardous materials.
Banks must prioritize regular maintenance, adhere to safety protocols, and ensure the use
of safe materials to reduce internal physical risks.
External physical risks, such as natural disasters, fires, accidents, or acts of terrorism, can
have a detrimental impact on bank operations. To minimize these risks, banks should invest
in preventive measures such as building security systems, fire safety protocols, and
well-defined emergency response plans. Man-made physical risks, arising from human
activities, necessitate constant vigilance and the implementation of rigorous security
protocols. Banks must promote a culture of safety, employ surveillance systems, and
conduct regular employee training to reduce the potential harm caused by intentional acts
of violence, industrial accidents, or transportation incidents.
Virtual risks pose significant challenges for banks. These risks include cyberattacks,
malware, phishing scams, ransomware, and denial of service attacks. Banks must adopt
stringent cybersecurity measures, such as firewalls, encryption, robust antivirus software,
and continuous employee training to safeguard sensitive information and systems.
Ransomware attacks, denial of service attacks, password attacks, and insider threats are all
examples of virtual risks that require proactive measures to protect against unauthorized
access and data breaches. The prevalence of malware underscores the importance of
ongoing monitoring, regular software updates, and user awareness to prevent the infiltration
of banking systems and networks.


Security procedure
A security procedure is a set sequence of necessary activities that performs a specific
security task or function. Procedures are normally designed as a series of steps to be
followed as a consistent and repetitive approach or cycle to accomplish a result. Once
implemented, security procedures provide a set of established actions for conducting the
security affairs of the organization, which will facilitate training, process auditing, and
process improvement. Procedures provide a starting point for implementing the consistency
needed to decrease variation in security processes, which increases control of security
within the organization. Decreasing variation is also a good way to eliminate waste,
improve quality, and increase performance within the security department
(Sciencedirect.com, 2018).
Organizational security procedures
Organizational security procedures are a set of policies and practices designed to protect an
organization's assets, including its physical property, information, and personnel. These
procedures help ensure only authorized personnel have access to sensitive information, and
that physical and digital assets are protected from theft, fraud, and other security threats.
Organizational security procedures may include measures such as access control, physical
security, network security, data encryption, and employee training. By following these
procedures, organizations can help protect against security breaches, data loss, and other
threats that could harm the organization's reputation and financial stability.
Organizational security procedures for METROPOLIS CAPITAL Bank
As a financial institution, a bank holds sensitive information about its customers, including
their account numbers, balances, and transaction histories. It is essential that this
information is kept confidential and only accessed by authorized personnel. To protect
against unauthorized access, banks have strict security procedures in place. These
procedures include physical security measures, such as locked doors and security
cameras, as well as digital security measures, such as firewalls and encryption. Banks often have
policies in place to ensure that employees are trained in security procedures and understand
the importance of keeping sensitive information confidential. By following these
procedures, banks can help protect their customers' assets and maintain their reputation as
a trustworthy financial institution.


Network monitoring system


A network monitoring system is a software application or hardware device that is used to
monitor and manage a computer network. It provides real-time monitoring of network
performance and alerts network administrators to any issues or potential problems. It can
detect and help troubleshoot problems such as slow network speeds and security breaches. It
can also provide detailed reports on network traffic, device performance, and other key
metrics.

Benefits of network monitoring system


• Early detection of issues - The system can detect network issues, failures, and
bottlenecks before they become critical. This can help prevent downtime and
improve network availability.
• Improved network performance - With real-time monitoring and analysis,
network administrators can identify and resolve performance issues quickly,
leading to improved network performance and user experience.
• Enhanced security - Network monitoring systems can detect and alert
administrators of potential security breaches, such as unauthorized access attempts
or malware infections.
• Increased productivity - By identifying and resolving network issues quickly,
network monitoring systems can minimize network downtime, leading to increased
productivity for employees.
• Better planning - Network monitoring systems provide valuable data and insights
into network usage patterns, which can help administrators plan for future network
upgrades and expansions.
Importance of network monitoring system
The importance of a network monitoring system lies in its ability to detect and alert network
administrators of any potential issues or threats in real-time, allowing for prompt action to
be taken. With a network monitoring system in place, the network can be monitored and
managed remotely, without the need for constant manual checks. This results in increased
efficiency and productivity, as well as improved network security. The significance of a
network monitoring system cannot be overstated, as it ensures the smooth and uninterrupted
operation of a network and minimizes downtime and potential losses.


Suggested security procedures for the METROPOLIS CAPITAL Bank


The purpose of security procedures is to protect an organization's assets, including physical
property, information, and personnel, from theft, fraud, and other security threats. These
procedures help ensure that only authorized personnel have access to sensitive information,
and that physical and digital assets are protected. Organizations may help defend against
security breaches, data loss, and other dangers that could impact their brand and financial
stability by following security protocols.
Implement a Virtual Private Network (VPN) solution
The bank should implement a VPN solution that allows remote employees to securely
access the bank's resources and systems from their home network. VPN solutions should
use strong encryption and authentication methods to protect against unauthorized access
and data breaches.
Enforce multi-factor authentication
It is recommended that MFA be enforced for all remote employees accessing the bank's
resources and systems through the VPN to add an extra layer of security and ensure only
authorized users can access sensitive information and systems.
Monitor remote access
Remote access to the bank's systems and resources should be monitored to detect any
suspicious activity or unauthorized access. This can be accomplished by employing a
Security Information and Event Management system that analyzes log data from various
sources and generates alerts when suspicious activity is detected.
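One way the monitoring described above could work, as an added example that is not part of the original assignment: a small Python correlator that reads VPN authentication events and alerts on repeated failures followed by a success, and on one source failing against many accounts. The log format, user names, addresses and thresholds are assumptions constructed for illustration, and events are assumed to arrive in time order.

```python
"""SIEM-style correlation over VPN authentication events (constructed sample data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical key=value format (not a real product's output).
# Addresses are from the RFC 5737 documentation ranges; user names are invented.
SAMPLE_LOG = """\
2024-03-04T02:10:01Z vpn-gw1 auth result=FAIL user=k.fernando src=203.0.113.50
2024-03-04T02:10:09Z vpn-gw1 auth result=FAIL user=k.fernando src=203.0.113.50
2024-03-04T02:10:17Z vpn-gw1 auth result=FAIL user=k.fernando src=203.0.113.50
2024-03-04T02:10:26Z vpn-gw1 auth result=FAIL user=k.fernando src=203.0.113.50
2024-03-04T02:10:40Z vpn-gw1 auth result=OK user=k.fernando src=203.0.113.50
2024-03-04T08:58:10Z vpn-gw1 auth result=OK user=n.silva src=198.51.100.23
2024-03-04T09:02:00Z vpn-gw1 auth result=FAIL user=a.perera src=192.0.2.77
2024-03-04T09:02:03Z vpn-gw1 auth result=FAIL user=n.silva src=192.0.2.77
2024-03-04T09:02:06Z vpn-gw1 auth result=FAIL user=k.fernando src=192.0.2.77
2024-03-04T09:02:09Z vpn-gw1 auth result=FAIL user=r.dias src=192.0.2.77
2024-03-04T09:15:30Z vpn-gw1 auth result=FAIL user=r.dias src=198.51.100.40
2024-03-04T09:15:55Z vpn-gw1 auth result=OK user=r.dias src=198.51.100.40
this line is damaged and cannot be parsed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, result, user, source IP), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["result"], m["user"], m["src"]


def detect(lines, window=timedelta(minutes=5), guess_threshold=4, spray_threshold=4):
    """Correlate events and return (alerts, number of unparsed lines)."""
    fails_by_pair = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    fails_by_src = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    already_sprayed = set()             # sources already reported, to avoid repeat alerts
    alerts, unparsed = [], 0

    for line in lines:
        if not line.strip():
            continue
        event = parse(line)
        if event is None:
            unparsed += 1               # count rather than silently drop bad input
            continue
        ts, result, user, src = event

        # Forget failures that are older than the correlation window.
        pair = fails_by_pair[(user, src)]
        while pair and ts - pair[0] > window:
            pair.popleft()
        recent = fails_by_src[src]
        while recent and ts - recent[0][0] > window:
            recent.popleft()

        if result == "FAIL":
            pair.append(ts)
            recent.append((ts, user))
            users = {u for _, u in recent}
            # One source failing against many different accounts.
            if len(users) >= spray_threshold and src not in already_sprayed:
                already_sprayed.add(src)
                alerts.append(("MANY_ACCOUNTS_ONE_SOURCE", src, tuple(sorted(users))))
        else:
            # A success right after a burst of failures for the same user and source.
            if len(pair) >= guess_threshold:
                alerts.append(("FAILURES_THEN_SUCCESS", src, (user,)))
            pair.clear()
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("unparsed lines:", skipped)
```

A single failure followed by a success (the r.dias events in the sample) stays below the threshold and raises no alert, which keeps ordinary typing mistakes out of the alert queue.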
Conduct regular vulnerability assessments
The bank should conduct regular vulnerability assessments to identify and reduce any
vulnerabilities in its systems and applications. This can be done through a VA scanning
tool that scans the network for vulnerabilities and generates reports on the findings.
Monitor BYOD devices
It is recommended that all BYOD devices used by employees be monitored by the bank to
ensure compliance with the bank's security policies. This can be achieved using a Mobile
Device Management solution, which enables employee devices to be managed and secured
remotely by the bank.


Limit access to sensitive data


The bank should limit access to sensitive data only to those employees who need it to
perform their job duties. This can be done using Role-Based Access Control policies.
Regularly update and patch systems
The bank should regularly update and patch its systems and applications to address any
known vulnerabilities, using automated patch management tools.
Encrypt sensitive data
The bank should encrypt sensitive data both at rest and in transit to prevent unauthorized
access. This can be done with strong encryption algorithms.
Provide security awareness training
Security awareness training should be provided to all bank employees who will be working
from home. This will help them identify and avoid potential security threats such as
phishing scams, malware attacks, and social engineering attacks.
The benefits of using network monitoring systems for METROPOLIS CAPITAL Bank
Network monitoring systems are essential for any organization that relies on network
connectivity and communication for its operations. METROPOLIS CAPITAL Bank, being
a leading private banking service provider, must prioritize network monitoring to maintain
its high level of service delivery and data security. Implementing network monitoring
systems brings several benefits.
Network monitoring provides a comprehensive view of the network infrastructure. This view helps identify
potential issues that could impact the network's performance and security. Network
monitoring systems can detect and alert IT teams of any anomalies or suspicious activity,
allowing them to take timely corrective action. By monitoring network traffic, the bank can
identify patterns of usage, understand application performance, and optimize network
performance. Network monitoring systems enable proactive maintenance. Network
monitoring can identify potential issues before they become serious and cause significant
disruptions. IT teams can monitor devices and applications for specific issues, such as
performance, availability, and utilization, and act before any outage or downtime occurs.
This proactive approach reduces network downtime and ensures continuous availability of
important services.
Network monitoring systems also aid in security compliance. With regulations such as ISO
31000:2009, METROPOLIS CAPITAL Bank must adhere to strict security measures. Network
monitoring can provide visibility into network activity, identifying potential vulnerabilities and
malicious activity. This monitoring helps the bank maintain compliance with security
standards and provides evidence of due diligence in security management. Network monitoring
also provides insights into network usage and traffic patterns. This information can help the bank
understand its customers' behavior and preferences, optimize service delivery, and develop
new products and services. By analyzing network usage data, the bank can identify trends,
patterns, and anomalies and use these insights to make informed decisions. Network
monitoring systems can assist in capacity planning. By analyzing network performance
data, IT teams can determine the network's current capacity and predict future capacity
requirements. This allows the bank to allocate resources efficiently and plan for future
network expansions or upgrades.
Systems for network monitoring can help with network troubleshooting. The time it takes
to resolve network issues is decreased when IT personnel have access to extensive
information about network activities. To make it simpler to troubleshoot recurring
problems, network monitoring can also provide historical data regarding network behavior.
Monitoring the network can aid in the prevention and identification of cyber-attacks, which
have become increasingly prevalent. By detecting any suspicious activities or security
breaches, network monitoring systems enable IT teams to respond rapidly, reducing the
impact and preventing the exposure of sensitive data.

Justification
Network monitoring systems are important for METROPOLIS CAPITAL Bank to
maintain its high level of service delivery, ensure data security, comply with regulatory
requirements, optimize network performance, and identify network issues proactively.
With network monitoring, banks can gain insights into network traffic, usage patterns,
and potential security vulnerabilities. This information can aid in capacity planning,
service optimization, and developing new products and services. Network monitoring
scans help reduce network downtime and improve response time to network issues,
minimizing their impact on business operations. At a time when cyber threats are on the
rise, network monitoring systems are essential for METROPOLIS CAPITAL Bank to
protect its sensitive data from being compromised.


Physical and virtual security measures for IT security at METROPOLIS CAPITAL Bank

Table 2: Physical and virtual security measures for IT security at METROPOLIS CAPITAL Bank

Risk: Phishing attacks
Security Measures:
• Conduct regular phishing awareness training for employees to recognize and report phishing attempts.
• Implement email filters and spam detection systems to minimize the risk of phishing attacks.
• Establish incident response procedures to address phishing incidents and reduce potential damages.
Related Security Policies:
• Phishing awareness and prevention policy
• Email security and anti-spam policy
• Security incident response and management policy

Risk: Social engineering attacks
Security Measures:
• Provide security awareness training to employees to educate them about social engineering tactics.
• Implement strict access controls and authentication mechanisms to prevent unauthorized access.
• Develop and enforce policies that prohibit the sharing of sensitive information with unauthorized individuals.
Related Security Policies:
• Social engineering awareness and prevention policy
• Access control and user management policy
• Information sharing and disclosure policy

Risk: Malware attacks
Security Measures:
• Implement robust antivirus and anti-malware solutions across all systems and endpoints.
• Regularly update and patch software and systems to protect against known vulnerabilities.
• Conduct regular security awareness training to educate employees about the risks of downloading and executing unknown files.
Related Security Policies:
• Malware protection and prevention policy
• Patch management policy
• Security awareness and training policy

Risk: Human errors
Security Measures:
• Provide comprehensive training to employees on information security best practices.
• Implement strong access controls and user management processes to minimize the risk of human errors.
• Establish procedures for reporting and addressing human errors promptly.
Related Security Policies:
• Information security awareness and training policy
• Access control and user management policy
• Incident reporting and management policy

Risk: SQL Injection
Security Measures:
• Conduct regular code reviews and vulnerability assessments to identify and reduce SQL injection vulnerabilities.
• Implement input validation and parameterized queries to prevent SQL injection attacks.
• Regularly update and patch web applications and database systems to protect against known vulnerabilities.
Related Security Policies:
• Secure coding and code review policy
• Web application security policy
• Patch management policy

Risk: Physical security breaches
Security Measures:
• Implement physical access controls, such as surveillance cameras, access cards, and security guards.
• Conduct regular security assessments and risk evaluations of physical infrastructure and premises.
• Establish emergency response and evacuation procedures in the event of a physical security incident.
Related Security Policies:
• Physical security policy
• Physical security risk assessment policy
• Emergency response and evacuation policy

Risk: Natural Disaster
Security Measures:
• Develop a comprehensive business continuity and disaster recovery plan to ensure continuity of operations.
• Regularly back up critical data and store it in secure off-site locations.
• Implement appropriate physical safeguards to protect infrastructure from natural disasters.
Related Security Policies:
• Business continuity and disaster recovery policy
• Data backup and storage policy
• Physical security policy

Risk: Denial of Service attacks
Security Measures:
• Implement network security measures, such as firewalls and intrusion detection systems, to detect and prevent denial of service attacks.
• Regularly monitor network traffic and system logs to identify and reduce potential denial of service attacks.
• Utilize content delivery networks (CDNs) or load balancing solutions to distribute traffic and reduce the impact of denial-of-service attacks.
Related Security Policies:
• Network security policy
• Security monitoring and incident response policy
• Traffic management and load balancing policy

Risk: Insider threats
Security Measures:
• Implement role-based access controls to limit access privileges based on job responsibilities.
• Monitor and audit user activities to detect any suspicious behavior or unauthorized access.
• Conduct regular security awareness training to educate employees about insider threats and their prevention.
Related Security Policies:
• User access management policy
• User activity monitoring and auditing policy
• Insider threat awareness and prevention policy

Risk: Ransomware
Security Measures:
• Implement robust backup and recovery mechanisms to ensure data can be restored in case of a ransomware attack.
• Deploy and regularly update anti-malware solutions to detect and block ransomware infections.
• Train employees on safe email and internet practices to prevent the introduction of ransomware through phishing or malicious websites.
Related Security Policies:
• Backup and recovery policy
• Malware protection and prevention policy
• Security awareness and training policy


Conclusion
The table presents a comprehensive overview of various risks, suggested security measures,
and related security policies to address threats such as phishing attacks, social engineering,
malware attacks, human errors, SQL injection, physical security breaches, natural disasters,
denial of service attacks, insider threats, and ransomware. To reduce the risks associated
with these threats, organizations like METROPOLIS CAPITAL Bank should prioritize
security measures such as regular security awareness training, implementing robust access
controls and authentication mechanisms, deploying antivirus and anti-malware solutions,
conducting vulnerability assessments, and establishing incident response procedures.
Security policies such as phishing awareness and prevention, access control and user
management, malware protection and prevention, and physical security policies play a key
role in ensuring the integrity and security of the organization's systems and data. By
adopting and implementing these security measures and policies, organizations can
significantly reduce the likelihood and impact of security breaches and protect sensitive
information from unauthorized access, data breaches, and other potential security incidents.
It is important to regularly review and update these measures and policies to stay ahead of
evolving threats and maintain a strong security posture.


Activity 02
Firewall
A firewall is a network security device that prevents unauthorized access to a network. It
inspects incoming and outgoing traffic using a set of security rules to identify and block
threats. It can be physical hardware, digital software, software as a service (SaaS) or a
virtual private cloud. Firewalls are used in both personal and enterprise settings, and many
devices, including Mac, Windows, and Linux computers, come with a built-in firewall.
Firewalls are widely considered an essential component of network security (Yasar, 2023).

Figure 3: Firewall.

Importance of firewall
The importance of firewalls in modern cybersecurity cannot be overstated, and they play a
key role in securing networks against various cyber threats. A firewall is a software- or
hardware-based system used to monitor and control incoming and outgoing network traffic
based on predefined security rules. By acting as a barrier between a secure internal network
and the internet, it blocks unauthorized access and protects sensitive data from hackers and
other malicious actors. Firewalls are particularly important for
organizations that handle sensitive information such as financial institutions, healthcare
providers, and government agencies, where they can prevent unauthorized access to
customer data, financial records, and other confidential information. By filtering out
unwanted traffic and allowing only authorized traffic through, the risk of a cyber-attack can
be significantly reduced, and protection against malware, viruses, and other types of cyber
threats can be achieved.


Types of firewall
Packet filtering firewalls
As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls create
a checkpoint at a traffic router or switch. The firewall performs a simple check of the data
packets coming through the router, inspecting information such as the destination and
origination IP address, packet type, port number, and other surface-level details without
opening the packet to examine its contents. It then drops the packet if it does not pass
the inspection (Dosal, 2019).

Figure 4: Packet filtering firewalls

Stateful inspection firewalls


These firewalls are an enhancement of packet filtering firewalls. In addition to examining
individual packets, stateful inspection firewalls maintain a record of the state of each
connection passing through the firewall. This allows the firewall to understand the context
of the traffic and make more informed decisions about whether to allow or deny traffic.
Stateful inspection firewalls can be more effective at blocking attacks that exploit
vulnerabilities in the way packets are sequenced.

Figure 5: Stateful inspection firewalls
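The difference between the two firewall types described above, shown as an added example that is not part of the original assignment: the same constructed traffic is judged by a stateless packet filter and by a filter that keeps a connection table. The policy (inside hosts may open outbound connections to port 443 only), the simplified TCP flags and all addresses are assumptions made for illustration.

```python
"""Stateless packet filter vs. stateful inspection on the same constructed traffic."""
from dataclasses import dataclass

ALLOWED_OUT_PORT = 443  # assumed policy: inside hosts may open HTTPS connections only


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = inside -> internet, "in" = internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # simplified TCP flags: "SYN", "SYN-ACK" or "ACK"


def stateless_filter(pkt):
    """Judge each packet by its own header fields only."""
    if pkt.direction == "out":
        return "ALLOW" if pkt.dport == ALLOWED_OUT_PORT else "DROP"
    # Replies must get back in, so the rule has to trust "source port 443, not a bare SYN".
    if pkt.sport == ALLOWED_OUT_PORT and pkt.flags != "SYN":
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Track connections opened from inside; admit inbound packets only if they fit one."""

    def __init__(self):
        self.connections = {}  # (inside ip, inside port, outside ip, outside port) -> state

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.dport != ALLOWED_OUT_PORT:
                return "DROP"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.connections[key] = "SYN_SENT"
                return "ALLOW"
            return "ALLOW" if key in self.connections else "DROP"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.connections.get(key)
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.connections[key] = "ESTABLISHED"
            return "ALLOW"
        if state == "ESTABLISHED" and pkt.flags == "ACK":
            return "ALLOW"
        return "DROP"  # no matching connection, or packet out of sequence


# Constructed traffic; 10.0.0.15 is the inside host, the others are documentation addresses.
TRAFFIC = [
    Packet("out", "10.0.0.15", 51000, "198.51.100.10", 443, "SYN"),      # handshake step 1
    Packet("in", "198.51.100.10", 443, "10.0.0.15", 51000, "SYN-ACK"),   # handshake step 2
    Packet("out", "10.0.0.15", 51000, "198.51.100.10", 443, "ACK"),      # handshake step 3
    Packet("in", "198.51.100.10", 443, "10.0.0.15", 51000, "ACK"),       # reply data
    Packet("in", "203.0.113.9", 443, "10.0.0.15", 51000, "ACK"),         # no such connection
    Packet("out", "10.0.0.15", 51002, "198.51.100.10", 443, "SYN"),      # second connection
    Packet("in", "198.51.100.10", 443, "10.0.0.15", 51002, "ACK"),       # ACK before SYN-ACK
    Packet("in", "203.0.113.9", 443, "10.0.0.15", 22, "SYN"),            # inbound connection
]


def compare(traffic):
    """Return one (stateless verdict, stateful verdict) pair per packet."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(verdicts, pkt)
```

The fifth and seventh packets are where the two filters disagree: both carry acceptable header fields, but neither fits the recorded state of a connection, so only the stateful filter drops them.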


Proxy firewall
A proxy firewall acts as an intermediary between the client and server, and it can examine each
packet in greater detail than a packet filtering or stateful inspection firewall. Additional security
capabilities that proxy firewalls can offer include content filtering and application-level
filtering, which can help defend against risks including malware, phishing, and data leaks.
However, proxy firewalls can introduce additional latency and may not be as fast as other types of
firewalls.

Figure 6: Proxy firewalls

A next-generation firewall
A next-generation firewall (NGFW) belongs to the third generation of firewall technology,
designed to address advanced security threats at the application level through intelligent,
context-aware security features. An NGFW combines traditional firewall capabilities like
packet filtering and stateful inspection with others to make better decisions about what
traffic to allow. A next-generation firewall can filter packets based on applications and
inspect the data contained in packets (rather than just their IP headers). It operates at up to
layer 7 (the application layer) in the OSI model, whereas previous firewall technology
operated only up to layer 4 (the transport layer). Attacks that take place at layers 4–7 of the
OSI model are increasing, making this an important capability (Vmware.com, 2021).

Figure 7: A next-generation firewall


Virtual firewalls
Virtual firewalls are software-based firewalls that can be deployed on virtual machines or
in the cloud. They can be easily deployed and managed and can be scaled up or down as
needed. Virtual firewalls can provide the same level of protection as hardware firewalls,
but they may not be as performant in high traffic environments.

Figure 8: Virtual firewalls.

Hardware firewalls
Hardware firewalls are physical devices that are installed between the network and the
internet. They can be customized to meet an organization's needs and are made to offer high levels of security
and performance. Although hardware firewalls can cost more than other kinds of firewalls,
they provide the best levels of security and performance for business networks.

Figure 9: Hardware firewalls


Benefits of using firewalls


• Firewalls provide protection against unauthorized access and cyber-attacks.
• They can help prevent data breaches by controlling access to sensitive information.
• Firewalls can block malicious traffic, such as viruses, malware, and phishing
attempts.
• They can help to filter out unwanted traffic, such as spam emails and pop-up ads,
which can improve network performance.
• Firewalls can be configured to allow access to specific applications and services
while blocking others, which can improve network security.
• They can be used to monitor network traffic and detect suspicious activity, such as
attempted intrusions or data theft.
• Firewalls can help to enforce company policies and regulatory compliance, such as
preventing the use of unauthorized software or blocking access to inappropriate
websites.
• Firewalls can help secure wireless networks and protect them against unauthorized
access.
• Firewalls can help to prevent denial of service attacks by blocking traffic from
known attackers.
• They can be used to create virtual private networks, which provide secure remote
access to the network.
Firewall configuration
Firewalls are a core component of an enterprise security strategy. Firewalls can protect
against cyber-attacks, data exfiltration, and other threats by monitoring network traffic and
blocking suspected malicious traffic. One of the main ways that firewalls determine
whether to permit or block a connection is based on a set of predefined rules or policies.
These rules may specify that traffic to a particular IP address or port should be permitted
or blocked. Firewall configuration is the process of setting up these rules and configuring
other security settings on a firewall (Checkpoint.com, 2022).


Firewall misconfiguration
Firewall misconfiguration is a common security issue that can have a significant impact on an organization's
network security. A misconfigured firewall can allow unauthorized users to access sensitive
data or systems, which can lead to data breaches, financial losses, and other problems.
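How a misconfiguration of this kind can be found by an automated check, as an added example that is not part of the original assignment: a Python audit of a first-match rule list that flags an allow-everything rule, a management port open to any source, and rules that can never match because an earlier rule covers them. The rule names, addresses and ports are hypothetical and constructed for illustration; they are not the bank's configuration.

```python
"""Audit a first-match firewall rule list for permissive and shadowed rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_PORTS = {22, 3389}  # SSH and RDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # None means any port


def rule(name, action, src, dst, port=None):
    """Build a Rule from CIDR strings."""
    return Rule(name, action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


# Hypothetical rule list, evaluated top to bottom; the first matching rule wins.
RULES = [
    rule("allow-web", "allow", "0.0.0.0/0", "10.10.1.0/24", 443),
    rule("allow-admin-ssh", "allow", "0.0.0.0/0", "10.10.2.0/24", 22),
    rule("temp-allow-all", "allow", "0.0.0.0/0", "0.0.0.0/0"),   # left over from testing
    rule("block-db-from-branch", "deny", "10.20.0.0/16", "10.10.3.0/24", 1433),
    rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def covers(earlier, later):
    """True if every packet matching `later` would already match `earlier`."""
    return (
        later.src.subnet_of(earlier.src)
        and later.dst.subnet_of(earlier.dst)
        and (earlier.port is None or earlier.port == later.port)
    )


def audit(rules):
    """Return (rule name, finding) pairs in rule order."""
    findings = []
    for index, current in enumerate(rules):
        if current.action == "allow" and current.src == ANY:
            if current.dst == ANY and current.port is None:
                findings.append((current.name, "ANY_ANY_ALLOW"))
            if current.port in MGMT_PORTS:
                findings.append((current.name, "MGMT_PORT_OPEN_TO_ANY"))
        for earlier in rules[:index]:
            if covers(earlier, current):
                # Different action: the later rule's intent is silently overridden.
                kind = "SHADOWED_BY" if earlier.action != current.action else "REDUNDANT_WITH"
                findings.append((current.name, f"{kind}:{earlier.name}"))
                break
    return findings


def first_match(rules, src, dst, port):
    """Evaluate one connection attempt the way the firewall would."""
    source, dest = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for current in rules:
        if source in current.src and dest in current.dst and current.port in (None, port):
            return current.action, current.name
    return "deny", "implicit-default"


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
    # The branch-to-database connection the deny rule was written to stop:
    print(first_match(RULES, "10.20.5.9", "10.10.3.7", 1433))
```

With the leftover rule in place, the branch-to-database connection is allowed even though a deny rule for it exists further down; removing `temp-allow-all` makes that deny rule and the default deny effective again.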
The impact of firewall misconfiguration on Network Security
The impact of misconfigured firewalls in METROPOLIS CAPITAL Bank can be significant and
pose serious risks to the security and integrity of the bank's network infrastructure and
sensitive data. Misconfigured firewalls can lead to various detrimental consequences, both
internally and externally. Internally, misconfigured firewalls can result in unauthorized
access to the bank's internal network and systems. This can potentially allow malicious
actors to enter sensitive areas of the bank's infrastructure, such as the primary and secondary
data centers or the head office in Kollupitiya. Once inside, these attackers can exploit
vulnerabilities, launch attacks, or compromise critical systems, leading to disruptions in
banking operations, loss of confidential information, and potential financial losses.
Misconfigured firewalls can cause internal communication issues within the bank's
network. Improper configurations may inadvertently block legitimate network traffic or
disrupt essential services, affecting the bank's day-to-day operations. This can result in
reduced productivity, delayed transactions, and dissatisfied customers.
Externally, misconfigured firewalls can create security vulnerabilities that enable
unauthorized access from external sources. Hackers are constantly scanning for weak
points in network defenses, and a misconfigured firewall can serve as an open invitation
for them to exploit. Once attackers breach the network perimeter, they can potentially steal
sensitive customer data, compromise online banking systems, or launch targeted attacks
against the bank's infrastructure or customers. Misconfigured firewalls can also have
compliance implications for METROPOLIS CAPITAL Bank. As a financial institution,
the bank is subject to strict regulations and industry standards, such as ISO 31000:2009.
Compliance with these regulations is important to maintain the trust of customers and
regulators.
To reduce the impact of misconfigured firewalls, METROPOLIS CAPITAL Bank should
establish robust firewall configuration management practices. This includes regular audits,
updates, and monitoring to ensure firewalls are properly configured, up to date with the
latest security patches, and aligned with the bank's security policies. The Network Security
Analyst should play a key role in identifying and rectifying any misconfigurations
promptly. The bank should invest in comprehensive firewall management tools and
technologies that can automate configuration checks, detect vulnerabilities, and provide
real-time alerts for potential misconfigurations. Regular training and awareness programs
should also be conducted for network administrators and IT staff to ensure they have the
necessary skills and knowledge to configure firewalls correctly.
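The automated configuration check described above can be illustrated with an auditor for a first-match rule base. This is an added example, not code from the original assignment or from any firewall product; the `Rule` format, the rule names and the documentation-range addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = "0.0.0.0/0"
ANY_PORTS = range(0, 65536)
ADMIN_PORTS = (22, 23, 3389)  # SSH, Telnet, RDP


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule format: the first matching rule decides the packet."""
    name: str
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: range  # destination ports covered by the rule


def is_any(rule):
    return rule.src == ANY_NET and rule.dst == ANY_NET and rule.ports == ANY_PORTS


def decide(rules, src, dst, port):
    """Return (action, rule name) of the first rule matching the packet."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and port in rule.ports):
            return rule.action, rule.name
    return "no-match", None


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports.start <= inner.ports.start
            and inner.ports.stop <= outer.ports.stop)


def audit(rules):
    """Flag over-permissive, shadowed and redundant rules, and a missing default deny."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit" and is_any(rule):
            findings.append((rule.name, "permit any-any"))
        elif (rule.action == "permit" and rule.src == ANY_NET
              and any(p in rule.ports for p in ADMIN_PORTS)):
            findings.append((rule.name, "management port open to any source"))
        # An earlier rule that matches everything this rule matches wins first,
        # so this rule can never take effect.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, f"{kind} by {earlier.name}"))
                break
    if not rules or rules[-1].action != "deny" or not is_any(rules[-1]):
        findings.append(("<end of rule base>", "no explicit default deny"))
    return findings


# Constructed rule bases using RFC 5737 documentation addresses.
MISCONFIGURED = [
    Rule("allow-web", "permit", ANY_NET, "203.0.113.10/32", range(443, 444)),
    Rule("allow-ssh-anywhere", "permit", ANY_NET, "203.0.113.0/24", range(22, 23)),
    Rule("block-branch-ssh", "deny", "198.51.100.0/24", "203.0.113.10/32", range(22, 23)),
    Rule("temp-debug", "permit", ANY_NET, ANY_NET, ANY_PORTS),
]
HARDENED = [
    Rule("allow-web", "permit", ANY_NET, "203.0.113.10/32", range(443, 444)),
    Rule("allow-ssh-admins", "permit", "192.0.2.0/28", "203.0.113.0/24", range(22, 23)),
    Rule("default-deny", "deny", ANY_NET, ANY_NET, ANY_PORTS),
]

if __name__ == "__main__":
    for name, issue in audit(MISCONFIGURED):
        print(f"{name}: {issue}")
    # The deny rule is shadowed, so the branch subnet still reaches SSH.
    print(decide(MISCONFIGURED, "198.51.100.7", "203.0.113.10", 22))
    print(audit(HARDENED))
```

The shadowed deny rule is the instructive case: it looks protective when the rule base is read, yet `decide` shows the traffic is still permitted by the broader rule above it.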
VPN (Virtual Private Network)
A Virtual Private Network (VPN) adds security and anonymity for users when they connect to
web-based services and sites. A VPN hides the user’s actual public IP address and “tunnels”
traffic between the user’s device and the remote server. Most users sign up for a VPN
service for online anonymity to avoid being tracked, and they often use public Wi-Fi where
increased risks threaten the safety of their data (Proofpoint.com, 2021).

Figure 10: VPN

Types of VPN
Remote access VPN
This type of VPN allows individual users to connect to a private network securely over the
internet. It enables remote workers or travelers to access resources and services on their
organization's network as if they were directly connected to it.

Site to site VPN
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in
large companies. Companies or organizations with branch offices in different locations
use a Site-to-Site VPN to connect the network of one office location to the network at another
office location (Pankaj, 2019).
• Intranet based VPN: When several offices of the same company are connected
using the Site-to-Site VPN type, it is called an Intranet based VPN.
• Extranet based VPN: When companies use the Site-to-Site VPN type to connect to the
office of another company, it is called an Extranet based VPN.
Cloud VPN
Cloud VPNs leverage cloud infrastructure to establish secure connections between users
and cloud-based services. It allows organizations to connect their on-premises network to
cloud resources securely, ensuring secure access to cloud-based applications and services.
Client based VPN
These VPNs require users to install client software on their devices, such as laptops or
smartphones, to establish a secure connection to a VPN server. It provides individual users
with encrypted access to the internet, making it useful for maintaining privacy and security
on public Wi-Fi networks.
OpenVPN
OpenVPN is an open-source software application that uses SSL and is highly configurable
and secure. It creates a secure and encrypted connection between two computers by
encapsulating the data packets being sent between them. OpenVPN can be used to access
internal resources such as email, file servers, or databases. It is supported on a wide range
of operating systems and devices and can be easily configured to work with various
network configurations and security settings. It is considered one of the most secure VPN
protocols as it uses the industry standard SSL/TLS encryption protocols, and it offers
advanced features such as two-factor authentication and a kill switch (Pankaj, 2019).
MPLS VPN
Multiprotocol Label Switching (MPLS) VPNs are typically used by businesses to connect
multiple locations securely. MPLS technology creates virtual private networks over
existing network infrastructure, providing secure and reliable communication between
different sites.


The impact of VPN misconfiguration in METROPOLIS CAPITAL Bank


The impact of a misconfigured VPN in METROPOLIS CAPITAL Bank can be significant
and pose several risks to the security and operations of the organization. When a VPN is
misconfigured, it means that the settings and parameters of the VPN are improperly set,
leading to vulnerabilities and potential breaches in the bank's network infrastructure. A
misconfigured VPN can result in unauthorized access to the bank's internal network. Since
the VPN is used to establish a secure connection between remote devices and the bank's
network, any misconfiguration can create loopholes that can be exploited by malicious actors.
Unauthorized individuals may gain access to sensitive data and internal systems,
potentially leading to data breaches, financial fraud, and reputational damage.
A misconfigured VPN can also lead to network disruptions and downtime. If VPN settings are
not properly optimized, this can cause connectivity issues, slow performance, and frequent
disconnections. This can severely impact the bank's day-to-day operations, online banking
services, and employee productivity. Unreliable VPN connections can lead to frustrated
customers and financial losses. A misconfigured VPN can compromise the integrity and
confidentiality of data transmitted through the network. Without proper configuration,
encryption protocols may not be correctly implemented, leaving sensitive information
vulnerable to interception and eavesdropping. This can result in exposure of customer
financial data, login credentials, and other confidential information. It can also hinder the
bank's ability to comply with regulatory requirements and industry standards. METROPOLIS
CAPITAL Bank, being a leading private banking service provider, is subject to strict rules
and regulations enforced by the government.
A misconfigured VPN in METROPOLIS CAPITAL Bank can also create a gateway for
potential malware infections and other malicious activities. If the VPN is not properly
configured, it may not have adequate security measures in place to detect and prevent
malware from entering the bank's network. This can result in the spread of malware to
internal systems and devices, compromising the integrity of sensitive information and
causing operational disruptions. A misconfigured VPN can also make it difficult for the bank's
IT team to detect and respond to security incidents effectively, as the misconfiguration may
hinder the monitoring and logging capabilities of the VPN infrastructure.


Conclusion
The importance of firewalls and VPNs in the network security infrastructure of financial
institutions lies in the provision of indispensable protection and privacy for both the
organization and its clients. Firewalls are utilized as a safeguard between internal banking
networks and external networks, with incoming and outgoing network traffic vigilantly
monitored and controlled based on predetermined security rules. This guards against
unauthorized access, malicious attacks, and the propagation of malware, significantly
enhancing the overall security posture of the banking network. Two primary types of
firewalls exist: network-based firewalls, filtering traffic at the network level, and
host-based firewalls, providing individual device protection. By strategically deploying
firewalls, stringent access control policies can be enforced, suspicious activities swiftly
detected and blocked, and the confidentiality of sensitive financial data ensured.
VPNs offer a paramount level of security and privacy for remote access and communication
over public networks, such as the internet. Through the establishment of an encrypted
tunnel between the user's device and the bank's VPN server, transmitted data is safeguarded
from interception and unauthorized access. The benefits of VPNs within the banking sector
are manifold, including heightened privacy, anonymity, and the ability to circumvent
geographical restrictions. Particularly essential for remote banking operations and
accessing corporate resources, VPNs enable secure connections to the bank's network from
any location, guaranteeing the confidentiality and integrity of important financial
information.
Significant risks to network security within the banking sector can arise from
misconfigurations of firewalls and VPNs. Vulnerabilities can inadvertently be exposed due
to insufficient firewall rules or misaligned VPN configurations, potentially enabling
unauthorized access, or compromising valuable assets. Misconfigurations may stem from
human errors, inadequate testing, or a failure to update configurations as the network
evolves. To reduce the impact of misconfigurations, stringent change management
protocols should be established, regular audits and reviews of firewall and VPN
configurations conducted, and continuous monitoring and maintenance ensured by banks.


Trusted network
The concept of a trusted network is based on the principle of granting only the minimum level
of access required to perform a function, thereby minimizing the risk of unauthorized
access or data breaches by restricting the potential attack surface. A computer network that
has been designed and configured as a trusted network provides a high level of security
and reliability for its users: data is transmitted and processed in a secure and
trusted manner, and access to network resources is tightly controlled.
The technologies listed below help organizations create a reliable network:
DMZ (Demilitarized Zone) Network
A DMZ or demilitarized zone is a perimeter network that protects and adds an extra layer
of security to an organization’s internal local-area network from untrusted traffic. The end
goal of a demilitarized zone network is to allow an organization to access untrusted
networks, such as the internet, while ensuring its private network or LAN remains secure.
Organizations typically store external-facing services and resources, as well as servers for
the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, Voice over
Internet Protocol (VoIP), and web servers, in the DMZ (Fortinet.com, 2023).
These servers and resources are isolated and given limited access to the LAN to ensure they
can be accessed via the internet, but the internal LAN cannot. As a result, a DMZ approach
makes it more difficult for a hacker to gain direct access to an organization’s data and
internal servers via the internet. A company can minimize the vulnerabilities of its Local
Area Network, creating an environment safe from threats while also ensuring employees
can communicate efficiently and share information directly via a safe connection.
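The zone separation described above can be verified against firewall logs. This added example (not part of the original assignment) classifies each allowed flow by zone and reports the ones that break DMZ isolation; the address ranges, port lists, the single DMZ-to-LAN pinhole and the log format are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed addressing plan, constructed for this example.
ZONES = {"dmz": ip_network("10.10.0.0/24"), "lan": ip_network("10.20.0.0/16")}

# Permitted destination ports per (source zone, destination zone); None = any port.
# Zone pairs that are absent (such as internet -> lan) are never permitted.
ALLOWED = {
    ("internet", "dmz"): {25, 53, 80, 443},
    ("dmz", "internet"): {25, 53, 80, 443},
    ("lan", "dmz"): None,
    ("lan", "internet"): None,
}

# The DMZ's limited access to the LAN: exact (source, destination, port) pinholes.
PINHOLES = {("10.10.0.20", "10.20.5.10", 5432)}

LINE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed firewall log lines.
SAMPLE_LOG = """\
2024-01-10T09:00:01 action=ALLOW src=198.51.100.23 dst=10.10.0.20 dport=443
2024-01-10T09:00:02 action=ALLOW src=10.10.0.20 dst=10.20.5.10 dport=5432
2024-01-10T09:00:07 action=ALLOW src=10.10.0.20 dst=10.20.5.10 dport=22
2024-01-10T09:00:09 action=ALLOW src=198.51.100.23 dst=10.20.5.10 dport=3389
2024-01-10T09:00:11 action=DENY src=198.51.100.99 dst=10.20.7.7 dport=445
2024-01-10T09:00:15 action=ALLOW src=10.20.3.4 dst=10.10.0.25 dport=8080
"""


def zone_of(addr):
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def policy_allows(src, dst, port):
    """Apply the DMZ policy: the internet reaches the DMZ only, the DMZ reaches the LAN by pinhole only."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True  # intra-zone traffic does not cross the perimeter
    if (src_zone, dst_zone) == ("dmz", "lan"):
        return (src, dst, port) in PINHOLES
    if (src_zone, dst_zone) not in ALLOWED:
        return False
    ports = ALLOWED[(src_zone, dst_zone)]
    return ports is None or port in ports


def find_violations(log_text):
    """Return flows the firewall allowed although the DMZ policy forbids them."""
    violations = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        action, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if action == "ALLOW" and not policy_allows(src, dst, port):
            violations.append((zone_of(src), zone_of(dst), src, dst, port))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("policy violation:", v)
```

Any violation reported here points to a firewall rule that is wider than the DMZ design intends, which is the misconfiguration case discussed earlier.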

Figure 11: DMZ (Demilitarized Zone) Network.


Benefits of DMZ network


Reducing the attack surface
By placing public-facing servers in a DMZ, the attack surface for an organization is
reduced. This means that there are fewer opportunities for attackers to find and exploit
vulnerabilities.
Better compliance
A DMZ network can help organizations comply with industry regulations and standards by
providing a secure and isolated network for publicly accessible servers.
Segmentation of Network Resources
By placing publicly accessible services and resources in the DMZ network, an organization
can segment their network resources and limit the attack surface. This makes it easier to
control access to resources and track network activity.
Improved Security
A DMZ network provides an additional layer of security between the internet and the
internal network. By isolating publicly accessible services and resources in the DMZ
network, the risk of an attacker gaining access to sensitive data and systems on the internal
network is greatly reduced.
Simplified Management
A DMZ network can simplify the management of network resources by separating publicly
accessible services and resources from internal network resources. This makes it easier to
manage security policies and configurations, reducing the risk of configuration errors.
Improved performance
By segregating publicly accessible servers into a separate network, traffic can be routed
more efficiently. This can reduce congestion and improve the performance of the internal
network.


Implementing a DMZ (Demilitarized Zone) Network for METROPOLIS CAPITAL Bank
METROPOLIS CAPITAL Bank recognizes the importance of securing its network
infrastructure and protecting sensitive customer data from potential cyber threats. To
achieve this, the bank has implemented a DMZ network architecture as part of its
comprehensive security strategy. The DMZ network at METROPOLIS CAPITAL Bank
serves as an isolated zone that separates the public-facing services from the internal
network resources, such as the core banking system and high-performance servers running
the bank's critical operations. This architectural setup provides an added layer of defense
against unauthorized access, data breaches, and other security risks.
By deploying a DMZ network, the bank ensures that all incoming and outgoing traffic
passes through a controlled security checkpoint. This allows the bank to carefully monitor
and filter network traffic, reducing the risks associated with external threats. The DMZ
network enables secure communication between external systems, such as online banking
platforms, mobile applications, and outside vendors, and the bank's internal systems. This
controlled communication flow prevents direct access to sensitive data and resources,
limiting the possible impact of any security incidents. Within the DMZ network, the bank
employs various security measures to ensure the integrity and confidentiality of data.
The DMZ network facilitates the secure implementation of additional services, such as
employee WiFi and guest WiFi hotspots. With proper network segmentation and access
controls, METROPOLIS CAPITAL Bank can provide connectivity for BYOD (Bring Your
Own Device) devices without compromising the security of their internal network or
customer data. The implementation of a DMZ network aligns with the bank's commitment
to adhering to industry best practices and regulatory requirements. By segregating network
resources, controlling access, and implementing robust security measures, METROPOLIS
CAPITAL Bank enhances its overall security posture, safeguarding customer information,
and maintaining the trust of its clients.


Examples of DMZ (Demilitarized Zone) network


Home networks
A DMZ can also be useful in a home network in which computers and other devices are
connected to the internet using a broadband router and configured into a LAN. Some home
routers include a DMZ host feature. This can be contrasted with the DMZ subnetwork used
in organizations with many more devices than would be found in a home. The DMZ host
feature designates one device on the home network to function outside of the firewall,
where it acts as the DMZ while the rest of the home network lies inside the firewall. In
some cases, a gaming console is chosen to be the DMZ host so that the firewall doesn't
interfere with gaming. Also, the console is a good candidate for a DMZ host because it
likely holds less sensitive information than a personal computer (Lutkevich, 2021).
Small businesses
Small businesses often use DMZs to host web servers, email servers, and other essential
services. This helps to protect the business's internal network from attack and allows the
business to provide its services to customers without compromising its security.
Large enterprises
Large enterprises often have complex networks with multiple DMZs. This helps to segment
the network and protect different parts of the network from each other. For example, a large
enterprise might have a DMZ for web servers, a DMZ for email servers, and a DMZ for
file sharing servers.


Static IP
In the world of networking and internet security, a critical role is played by Static IP
addresses. A permanent, unchanging address is assigned to a computer or device on a
network, which is known as a static IP address. Unlike dynamic IP addresses, which are
subject to periodic changes, static IP addresses remain the same throughout the lifetime of
the device or network. The value of static IP addresses lies in their ability to secure network
resources and prevent unauthorized access. In this assignment, the importance of static IP
addresses in network security, how they are assigned, and how they can be used to enhance
the security of the organization's network will be explored.

Figure 12: Static IP

Benefits of Static IP
Improved quality of service
With a static IP address, it's possible to set up quality of service policies that prioritize
certain types of traffic over others. This is particularly important for businesses that use
video conferencing or other real-time applications that require a high-quality connection.
More stable connections
Disruptions in network connections can be caused by dynamic IP addresses when they
change. By using a static IP address, these disruptions can be avoided, and a more stable
connection can be maintained.
Better security
A static IP address can improve security by enabling better access control. With a static IP
address, it's easier to set up firewalls and access control policies to restrict access to specific
devices or networks. This can help prevent unauthorized access and protect sensitive data.


Easy remote access


Static IP addresses make remote access to devices or networks much easier. This is because
the static IP address remains the same, so it's always easy to connect to the device or
network from a remote location. This is particularly important for businesses that need to
access their network remotely.
Easier tracking
In the event of a security breach, a static IP address can make it easier to track down the
source of the attack. This is because the IP address provides a unique identifier that can be
used to trace the origin of malicious activity.
Better website hosting
A static IP address is essential for hosting a website. This is because a website requires a
fixed address so that it can be accessed by visitors. With a static IP address, visitors can
always find the website at the same address, making it easy to maintain and manage.
Examples of Static IP
Network printer - A network printer may be assigned a static IP address so that users can
consistently send print jobs to the printer without needing to search for its IP address each
time.
Security cameras - In a surveillance system, each security camera can have a static IP
address. This ensures that the cameras can be accessed and monitored consistently without
the need to reconfigure IP addresses.
Web server - A web server hosting a website or web application typically has a static IP
address. This allows users to access the website reliably using a consistent IP address.
Network gateway or router - The network gateway or router that connects a local network
to the internet often has a static IP address. This allows devices within the network to
connect to the internet and for external devices to reach the network consistently.


Implementation of Static IP for METROPOLIS CAPITAL Bank


METROPOLIS CAPITAL Bank has implemented the use of Static IP addresses as part of
its network infrastructure to ensure reliable and secure connectivity between its various
locations, including datacenters, branches, and ATMs. This implementation offers several
advantages for the bank. Static IP addresses provide stable and consistent connectivity,
ensuring important systems such as core banking servers and communication channels can
be accessed reliably. Each location is assigned a specific Static IP address, enabling
consistent communication and connectivity between these endpoints.
The use of Static IP addresses enhances the bank's network security. It allows for the
implementation of stringent firewall rules and access controls, ensuring that only
authorized devices and networks can connect to the bank's systems. This contributes to a
secure network infrastructure, protecting sensitive data and reducing potential security
threats. Static IP addresses facilitate seamless remote access to the bank's systems.
Authorized employees, including the Technical Support Team and senior executives, can
securely connect to the network from outside locations, enabling efficient remote
troubleshooting and system administration when required.
The implementation of Static IP addresses also simplifies network management for the
bank's IT team. With fixed addresses, network devices and services can be easily identified
and managed, streamlining network monitoring and troubleshooting processes. The use of
Static IP addresses improves overall security and compliance. It enables better tracking and
monitoring of network activity, enhancing the bank's ability to detect and respond to
potential security threats promptly. This adherence to security practices aligns with the
bank's commitment to comply with government regulations, including those imposed by
the Central Bank.


Network Address Translation (NAT)


Network Address Translation (NAT) conserves IP addresses by enabling private IP
networks using unregistered IP addresses to go online. Before NAT forwards packets
between the networks it connects, it translates the private internal network addresses into
legal, globally unique addresses.
NAT configurations can reveal just one IP address for an entire network to the outside
world as part of this capability, effectively hiding the entire internal network and providing
additional security. Network address translation is typically implemented in remote-access
environments, as it offers the dual functions of address conservation and enhanced security
(Avinetworks.com, 2023).

Figure 13: Network Address Translation (NAT)

Benefits of Network Address Translation


Increased Network Performance
NAT can also improve network performance by reducing the amount of traffic that needs
to be transmitted over the internet. With NAT, only a single IP address is visible to the
outside world, which reduces the number of packets that need to be transmitted over the
internet. This can result in faster network speeds, especially when there are many devices
on the network.
Efficient Use of IP Addresses
NAT is also beneficial for conserving IP addresses. With NAT, multiple devices can share
a single public IP address, which reduces the number of IP addresses that an organization
needs to purchase from its internet service provider. This can result in cost savings,
especially for large organizations with many devices on their network.


Simplified Network Management


NAT can simplify network management by allowing an organization to use private IP
addresses for its internal network. This eliminates the need to configure unique IP addresses
for every device on the network, which can be time-consuming and error-prone. With NAT,
devices on the internal network can use private IP addresses, while the NAT device translates
these addresses to the public IP address used on the internet.
Improved Network Security
One of the primary benefits of NAT is improved network security. By using NAT, an
organization can hide its internal network from the public internet, which makes it harder
for hackers to target the network. NAT also provides a level of protection against Denial-
of-Service attacks, as it can limit the number of connections that can be established to a
particular IP address.
Compatibility with IPv4
NAT is an effective solution for organizations that still use IPv4 addressing, as it allows
them to use private IP addresses internally and translates them to public IP addresses for
communication over the internet. This is especially important as the world transitions to
IPv6 addressing, as many devices and applications are not yet compatible with IPv6.
Customizable Access Control
NAT allows an organization to customize access control for devices on its internal network by
blocking or allowing specific types of traffic based on IP address, port number, or protocol.
This can provide an additional layer of security against attacks and unauthorized access to
the network.
Examples of NAT
Dynamic NAT - Dynamic NAT allows multiple private IP addresses to be translated to a
smaller pool of public IP addresses. The translation is done dynamically based on the
availability of public IP addresses from the pool. It enables several devices in a private
network to share a limited number of public IP addresses. When a device from the private
network initiates communication with the internet, a temporary mapping is created between
its private IP address and an available public IP address from the pool.

Twice NAT - In certain scenarios, it may be necessary to perform NAT on both the source
and destination IP addresses. This is known as Twice NAT or Bidirectional NAT. It allows
for more complex translation scenarios, such as mapping between different private and
public IP address ranges or modifying specific IP addresses for security or compatibility
reasons.

Static NAT - In this form of NAT, a one-to-one mapping is established between a private
IP address and a public IP address. It is commonly used when an organization wants to
expose specific internal servers, such as a web server or an email server, to the public
internet. The private IP address is translated to a corresponding public IP address, allowing
external users to access the services provided by the internal server.

Overload NAT (PAT) - Port Address Translation (PAT) is a variant of dynamic NAT
where multiple private IP addresses are translated to a single public IP address by using
different source port numbers. PAT keeps track of the source port number along with the
private IP address to maintain uniqueness in the translation process. It allows many devices
within a private network to access the internet using a single public IP address. Incoming
responses are then correctly routed back to the respective devices based on the port number.
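The PAT behaviour described above (one public address, uniqueness kept by source port, replies routed back by port) can be shown with a translation table. This is an added example, not from the original assignment or any router's implementation; the class, the addresses, the small port pool and the choice to allocate one public port per flow and accept replies only from that flow's peer are assumptions, and real NAT devices differ in their mapping and filtering behaviour.

```python
class PortAddressTranslator:
    """Hypothetical PAT device: many private hosts behind one public IP address."""

    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self._free = list(port_pool)  # public source ports still available
        self._out = {}                # flow -> public port
        self._in = {}                 # public port -> flow

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate an outgoing packet; create the mapping on first use."""
        flow = (priv_ip, priv_port, dst_ip, dst_port)
        if flow not in self._out:
            if not self._free:
                raise RuntimeError("PAT port pool exhausted")
            public_port = self._free.pop(0)
            self._out[flow] = public_port
            self._in[public_port] = flow
        return (self.public_ip, self._out[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, public_port):
        """Route a reply to its private host, or return None to drop the packet."""
        flow = self._in.get(public_port)
        if flow is None:
            return None               # unsolicited: no mapping exists
        priv_ip, priv_port, dst_ip, dst_port = flow
        if (src_ip, src_port) != (dst_ip, dst_port):
            return None               # not the peer this mapping was opened for
        return (priv_ip, priv_port)

    def release(self, priv_ip, priv_port, dst_ip, dst_port):
        """Remove a finished flow and return its port to the pool."""
        flow = (priv_ip, priv_port, dst_ip, dst_port)
        public_port = self._out.pop(flow, None)
        if public_port is not None:
            del self._in[public_port]
            self._free.append(public_port)


def demo():
    """Run a constructed scenario with a two-port pool and return the observations."""
    pat = PortAddressTranslator("203.0.113.5", range(40000, 40002))
    results = {}
    # Two private hosts use the same source port towards the same server.
    results["host_a"] = pat.outbound("192.168.1.10", 51000, "198.51.100.80", 443)
    results["host_b"] = pat.outbound("192.168.1.11", 51000, "198.51.100.80", 443)
    # The server's reply to public port 40001 reaches host B only.
    results["reply"] = pat.inbound("198.51.100.80", 443, 40001)
    # Packets from another peer or to an unmapped port are dropped.
    results["wrong_peer"] = pat.inbound("198.51.100.99", 443, 40001)
    results["unmapped"] = pat.inbound("198.51.100.80", 443, 40005)
    # A third flow finds the pool empty until an existing flow is released.
    try:
        pat.outbound("192.168.1.12", 51000, "198.51.100.80", 443)
        results["exhausted"] = False
    except RuntimeError:
        results["exhausted"] = True
    pat.release("192.168.1.10", 51000, "198.51.100.80", 443)
    results["after_release"] = pat.outbound("192.168.1.12", 51000, "198.51.100.80", 443)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```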

Implementing Network Address Translation (NAT) for METROPOLIS CAPITAL Bank
METROPOLIS CAPITAL Bank, a leading private banking service provider in Sri Lanka,
has implemented Network Address Translation (NAT) as a key component of their
network infrastructure. NAT allows the bank to efficiently manage and control the flow of
network traffic between their various locations, ensuring secure and seamless connectivity.
NAT is important for enabling communication between different network segments within
the bank's infrastructure, including their primary and secondary datacenters, branches,
ATM machines, and the Head Office. With over 100 branches, 500 ATM machines, and
multiple overseas branches, establishing connectivity and ensuring the smooth operation of
the core banking system is of utmost importance.
By employing NAT, each location, whether it's a branch, ATM, or datacenter, can have a
single ISP link that provides VPN services and MPLS connectivity. NAT allows for the
translation of private IP addresses used within the bank's internal network into public IP
addresses for communication with external systems and the internet. This translation
process ensures that all communication is routed securely and efficiently while preserving
the integrity and confidentiality of the bank's network. NAT implementation enhances the
bank's security posture by acting as a barrier between the external network and the internal
systems. It effectively hides the internal IP addresses, making it more challenging for
potential attackers to identify and target specific resources within the network. NAT,
combined with the bank's existing firewall protection, adds an extra layer of security to
safeguard sensitive customer data and major banking operations. NAT enables effective
management of IP address allocation and conservation. With a large network infrastructure
spread across different locations, it is essential to optimize the use of available IP addresses.
NAT allows the bank to utilize private IP addresses internally while utilizing a limited pool
of public IP addresses for external communication.
The implementation of NAT aligns with METROPOLIS CAPITAL Bank's commitment to
complying with government regulations and Central Bank requirements. It helps ensure the
secure and reliable operation of their core banking systems, facilitating seamless
connectivity between various locations while protecting sensitive information.
Conclusion
Understanding NAT, Static IP, and DMZ is considered important for network
administrators and IT professionals responsible for network management and security. The
significance lies in the fact that NAT allows a single IP address to be shared among multiple
devices, thereby concealing the internal network from external entities, and providing
security. Attacks and unauthorized access can be prevented through this mechanism. Static
IP addresses, on the other hand, play a key role for devices that require consistent
connectivity, such as servers and routers, by ensuring easy access and identification,
thereby assisting in network administration and troubleshooting. Similarly, DMZ acts as a
buffer zone between an organization's internal network and the internet, thereby preventing
direct access from external networks. By placing publicly accessible servers in the DMZ,
these servers can be isolated from the internal network, minimizing the impact of any
security breaches. By having a comprehensive understanding of these concepts, robust
security measures can be implemented by network administrators and IT professionals,
leading to efficient network management. NAT can be utilized to add an additional layer
of protection, static IP addresses can be assigned to critical devices, and DMZ can be
employed to segregate and secure publicly accessible servers. With this knowledge, secure
network architectures can be designed, access controls can be established, and network
traffic can be effectively monitored. Through the implementation of these measures,
organizations can safeguard their network assets, ensure reliable connectivity, and uphold
the confidentiality and integrity of their data.

S.Piravaksan SECURITY ID:RE63300 66 | P a g e


HIGHER NATIONAL DIPLOMA IN
SOFTWARE ENGINEERING.

Evaluation of identified physical and virtual risks of METROPOLIS CAPITAL bank

Table 3:Evaluation of Identified Physical and Virtual Risks of METROPOLIS CAPITAL bank.

Likelihood (L): the probability of happening (rated 1 to 10 score)
Severity (S): Low, Moderate, High

| Risk description | Risk type | Impacts | Likelihood (L) | Severity (S) |
|---|---|---|---|---|
| Phishing attacks: Fake emails or messages that appear to be from a trusted source, often including a link to a fake website or a malicious attachment. | Virtual risk | Unauthorized access to accounts or data, financial loss, reputational damage. | 6 | |
| Social engineering attacks: Attempts to manipulate people into revealing sensitive information, such as passwords or account details, through deception or psychological manipulation. | Virtual risk | Unauthorized access to accounts or data, financial loss, reputational damage. | 7 | |
| Malware attacks: Malicious software that can be used to steal information, damage systems, or enable unauthorized access. | Virtual risk | Unauthorized access to accounts or data, damage to systems, financial loss. | 8 | |
| SQL Injection: One of the most popular web hacking methods, which enables an attacker to take control of the back-end database after modifying or deleting data. Through webpage input, the attacker inserts malicious code into SQL statements. | Virtual risk | An attacker could add their own malicious SQL instructions to access the enterprise database if an application fails to properly sanitize SQL statements, which is a security risk. | 4 | |
| Denial of Service attacks: Attempts to overwhelm a system or network with traffic to make it unavailable to users. | Virtual risk | Disruption of services, financial loss, reputational damage. | 7 | |
| Insider threats: Malicious or negligent actions taken by employees or contractors, either intentionally or accidentally. | Virtual risk | Unauthorized access to accounts or data, damage to systems, financial loss, reputational damage. | 6 | |
| Ransomware: Malware that encrypts data and demands payment in exchange for the decryption key. | Virtual risk | Financial loss, reputational damage, legal penalties, data theft or corruption. | 5 | |
| Human errors: This is used to describe an unintentional choice or behavior. Violations are conscious attempts not to commit a purposeful misdemeanor. Even the most experienced and skilled individual may be impacted. Employees leave with incomplete work without making it obvious. | Physical risk | Insiders with malicious intent can gain access to network information and leak it, causing damage to devices and infrastructure. Devices become vulnerable because of ignorance, negligence, and mistakes, which leads to equipment damage. | 3 | |
| Natural disaster: These adverse events include lightning, floods, and earthquakes. | Physical risk | This has the potential to derail a bank's well-planned plans and expectations. It is possible that supply chains will be disrupted. It is possible that employees won't be able to get to work. | 4 | |
| Physical security breaches: Unauthorized access to physical facilities, such as data centers or ATMs. | Physical risk | Theft of assets, damage to systems, financial loss. | 5 | |


Risk management process


Risk management is the process of identifying, assessing, and controlling threats to an
organization's capital and earnings. These risks stem from a variety of sources, including
financial uncertainties, legal liabilities, technology issues, strategic management errors,
accidents, and natural disasters. A successful risk management program helps an
organization consider the full range of risks it faces. Risk management also examines the
relationship between risks and the cascading impact they could have on an organization's
strategic goals (Linda, 2021).

Figure 14:Risk management process.

The steps in the risk management process are listed below:


• Identify the risk.
• Analyze the risk.
• Evaluate the risk.
• Treat the risk.
• Monitor and review the risk.


Step 01: Identify the risk


In the risk management process of a bank, the initial stage involves recognizing the
potential risks that the institution may pose to its operational environment. It is essential to
thoroughly identify these risk factors. In a manual context, these risks are documented and
referred to manually. If the bank utilizes a risk management solution, all this information
can be directly inputted into the system. The benefit of this approach is that these risks
become accessible to every staff member in the bank who has system access. Instead of
relying on email requests to obtain this important information, anyone interested in
reviewing the identified risks can easily access the information stored in the risk
management system.

Table 4:Identify the risk.

| Risk No | Risk |
|---|---|
| 01 | Phishing attacks |
| 02 | Social engineering attack |
| 03 | Malware attacks |
| 04 | SQL injection |
| 05 | DoS attacks |
| 06 | Insider threats |
| 07 | Ransomware |
| 08 | Human errors |
| 09 | Natural disaster |
| 10 | Physical security breaches |


Step 02: Analyze the risk


Once a risk is identified in a bank, it is important to conduct a comprehensive analysis. The
objective is to determine the nature and purpose of the risk. Understanding the correlation
between the risk and various factors within the bank is vital. Evaluating the severity and
potential impact of the risk on business operations is key. While some risks may only cause
minor inconveniences during the analysis phase, there are others that, if realized, could
potentially bring the entire bank to a halt. In the manual risk management context, this
analysis needs to be performed manually. When implementing a risk management solution,
a fundamental step is to map the identified risks to relevant documents, policies,
procedures, and business processes. This mapping process holds significant importance in
the overall risk management framework.

| Risk No | Risk | Risk type | Likelihood | Impact |
|---|---|---|---|---|
| 01 | Phishing attacks | Virtual risk | Low | High |
| 02 | Social engineering attack | Virtual risk | High | High |
| 03 | Malware attacks | Virtual risk | High | High |
| 04 | SQL injection | Virtual risk | Low | Medium |
| 05 | DoS attacks | Virtual risk | High | High |
| 06 | Insider threats | Virtual risk | Medium | Medium |
| 07 | Ransomware | Virtual risk | Low | High |
| 08 | Human errors | Physical risk | Low | Low |
| 09 | Natural disaster | Physical risk | Low | Medium |
| 10 | Physical security breaches | Physical risk | Low | High |

Table 5:Analyze the risk.


Step 03: Evaluate the risk


Risks need to be categorized and prioritized in the context of a bank's risk management
approach. It is common for risk management solutions within the banking industry to
classify risks based on their severity. Often, the potential inconvenience caused by certain
risks is underestimated, while the risk of experiencing catastrophic losses is overestimated.
Accurately ranking risks is important as it provides the bank with a comprehensive
understanding of the risk landscape across the entire organization. While the bank may
encounter numerous low-level risks, they may not require immediate management
intervention. Conversely, a single high-rated risk could demand immediate attention and
intervention.

Table 6:Evaluate the risk.

| Risk No | Risk | Likelihood | Impact | Risk level | Ranking |
|---|---|---|---|---|---|
| 01 | Phishing attacks | Low | High | High | R4 |
| 02 | Social engineering attack | High | High | Extreme | R3 |
| 03 | Malware attacks | High | High | Extreme | R2 |
| 04 | SQL injection | Low | Medium | Medium | R5 |
| 05 | DoS attacks | High | High | Extreme | R1 |
| 06 | Insider threats | Medium | Medium | Medium | R7 |
| 07 | Ransomware | Low | High | Medium | R6 |
| 08 | Human errors | Low | Low | Low | R10 |
| 09 | Natural disaster | Low | Medium | Low | R9 |
| 10 | Physical security breaches | Low | High | Medium | R8 |
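
The check below is an added example, not part of the original report: it reviews a register such as Table 6 to confirm that each likelihood/impact pair maps to a single risk level and that the ranking never places a lower level above a higher one. The rows are transcribed from Table 6; the function names and the level ordering (Low < Medium < High < Extreme) are assumptions made for the example.

```python
"""Consistency checks for a likelihood/impact risk register (added example)."""
from collections import defaultdict

# Rows transcribed from Table 6:
# (risk no, risk, likelihood, impact, risk level, ranking)
REGISTER = [
    ("01", "Phishing attacks", "Low", "High", "High", 4),
    ("02", "Social engineering attack", "High", "High", "Extreme", 3),
    ("03", "Malware attacks", "High", "High", "Extreme", 2),
    ("04", "SQL injection", "Low", "Medium", "Medium", 5),
    ("05", "DoS attacks", "High", "High", "Extreme", 1),
    ("06", "Insider threats", "Medium", "Medium", "Medium", 7),
    ("07", "Ransomware", "Low", "High", "Medium", 6),
    ("08", "Human errors", "Low", "Low", "Low", 10),
    ("09", "Natural disaster", "Low", "Medium", "Low", 9),
    ("10", "Physical security breaches", "Low", "High", "Medium", 8),
]

# Assumed ordering of the risk levels, lowest to highest.
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}
RATINGS = {"Low", "Medium", "High"}


def invalid_rows(register):
    """Risk numbers whose ratings fall outside the allowed vocabulary."""
    bad = []
    for no, _risk, likelihood, impact, level, _rank in register:
        if (likelihood not in RATINGS or impact not in RATINGS
                or level not in LEVEL_ORDER):
            bad.append(no)
    return bad


def inconsistent_pairs(register):
    """Map each (likelihood, impact) pair that was given more than one
    risk level to {level: [risk numbers]}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for no, _risk, likelihood, impact, level, _rank in register:
        grouped[(likelihood, impact)][level].append(no)
    return {pair: dict(levels)
            for pair, levels in grouped.items() if len(levels) > 1}


def rank_violations(register):
    """Pairs (ranked_above, ranked_below) where the risk ranked above
    has a lower risk level than the one ranked below it."""
    ordered = sorted(register, key=lambda row: row[5])
    violations = []
    for i, upper in enumerate(ordered):
        for lower in ordered[i + 1:]:
            if LEVEL_ORDER[upper[4]] < LEVEL_ORDER[lower[4]]:
                violations.append((upper[0], lower[0]))
    return violations


def ranks_are_complete(register):
    """True when the rankings are exactly 1..N with no gaps or duplicates."""
    ranks = sorted(row[5] for row in register)
    return ranks == list(range(1, len(register) + 1))


if __name__ == "__main__":
    print("invalid rows:", invalid_rows(REGISTER))
    print("ranks complete:", ranks_are_complete(REGISTER))
    print("rank violations:", rank_violations(REGISTER))
    for pair, levels in inconsistent_pairs(REGISTER).items():
        print("pair", pair, "rated as", levels)
```

Run on the Table 6 rows, the ranking check passes, while the pair check reports that Low/High and Low/Medium each carry two different risk levels; findings like these are reconciled against the risk matrix before the register is signed off.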


Step 04: Treat the risk


In a banking environment, it is important to eliminate or control every risk to the greatest
extent possible. This is achieved by engaging with subject matter experts who specialize in
the specific risks involved. In a traditional manual setting, this entails coordinating with
each stakeholder, organizing meetings to facilitate discussions and address concerns.
Within a comprehensive risk management system tailored for banks, notifications can be
internally disseminated to all relevant stakeholders. Risk discussions and potential
solutions can be conducted within the bank, allowing top management to closely monitor
recommended measures and system enhancements. By utilizing the risk management
solution, stakeholders can receive direct updates, eliminating the need for individual
communication and streamlining the flow of information.

Step 05: Monitor and review the risk


In a banking setting, it is important to acknowledge that complete elimination of all risks
is not feasible. Under manual systems, vigilant staff members are responsible for
monitoring and reducing risks. These professionals diligently ensure that all risk factors are
closely observed. The bank employs a risk management system to comprehensively
monitor the entire risk landscape of the institution. Any changes in factors or risks are
promptly communicated to all relevant stakeholders. The use of computer systems is
advantageous as they are more adept at continuously monitoring risks compared to
individuals. Effective risk monitoring also contributes to maintaining the bank's business
continuity.
Conclusion
Implementing a tailored risk management system in the banking industry brings numerous
benefits for effectively handling risks. It improves the recognition process by thoroughly
identifying potential risks and making them easily accessible to staff members.
Comprehensive risk analysis enables proactive decision-making by understanding the
nature and impact of risks. Categorizing and prioritizing risks offers a holistic view,
allowing appropriate resource allocation. Engaging subject matter experts and facilitating
internal discussions streamline collaboration and timely risk mitigation. Effective risk
monitoring and management contribute to maintaining stability, continuity, and resilience
within the bank, ensuring its ability to tackle challenges head-on.


Activity 03
Risk assessment
A risk assessment is a systematic process performed by a competent person which involves
identifying, analyzing, and controlling hazards and risks present in a situation or a place.
This decision-making tool aims to determine which measures should be put in place to
eliminate or control those risks, as well as specify which of them should be prioritized
according to the level of likeliness and impact they have on the business.
Risk assessment is one of the major components of a risk analysis. Risk analysis is a process
with multiple steps that intends to identify and analyze all the potential risks and issues that
are detrimental to the business. This is an ongoing process that gets updated when
necessary. These concepts are interconnected and can be used individually (Andales, 2017).

Figure 15:Risk assessment process

Benefits of Risk assessment


Improved decision-making - Risk assessments can provide organizations with the
information they need to make informed decisions about risk management. This can help
to ensure that resources are allocated effectively and that risks are managed in a cost-
effective manner.
Improved reputation - Risk assessments can help organizations to improve their
reputation by demonstrating that they are taking steps to manage risks. This can be
important for organizations that operate in regulated industries or that rely on public trust.


Cost and resource optimization - By identifying and addressing risks early on,
organizations can prevent or reduce potential financial losses, damage, or disruption. Risk
assessment helps in identifying cost-effective risk management strategies and optimizing
resource allocation. It enables organizations to allocate resources more efficiently, focusing
on areas of highest risk and maximizing the effectiveness of risk mitigation measures.
Risk mitigation and control - The primary purpose of risk assessment is to identify
potential risks and develop appropriate risk mitigation strategies. By understanding the
risks and their potential impacts, organizations can implement control measures and
preventive actions to minimize or eliminate the likelihood and impact of those risks. This
proactive approach helps in reducing vulnerabilities, enhancing security, and protecting the
organization's assets, reputation, and operations.
Increased awareness of risks - Risk assessments can help organizations to identify and
understand the risks that they face. This can help to improve decision-making and to ensure
that appropriate controls are in place to reduce risks.
Risk Identification - Conducting a risk assessment helps in identifying and recognizing
potential risks that could affect an organization's objectives or projects. It allows
organizations to proactively identify and understand the various risks they face, both
internally and externally. This enables them to develop strategies and plans to reduce or
manage those risks effectively.
Increased strategic planning - Risk assessments can help to identify and reduce risks that
could impact the organization's strategic goals. This can help to ensure that the organization
is making informed decisions about its future.


Risk Assessment Procedure report for METROPOLIS CAPITAL Bank

Figure 16:Risk Assessment Procedure report for METROPOLIS CAPITAL Bank


METROPOLIS CAPITAL BANK

Date: 2024.01.15
Version: MCB000999
Author: Sivaneswaran Piravaksan
Email: piravaksan@gmail.com
Description: Risk management procedure for METROPOLIS CAPITAL BANK
Purpose: The purpose is to assess risks, reduce or minimize them through the implementation of control measures as needed, and ensure the safety of operations at METROPOLIS CAPITAL Bank while appropriately protecting all individuals involved from potential risks.
Standard and guidance: METROPOLIS CAPITAL Bank adopts the ISO 31000 standards from the International Organization for Standardization (ISO) to establish customized guidelines for effectively managing and controlling the risks faced by the bank. These guidelines are tailored to the specific needs and operations of the bank, ensuring a comprehensive approach to risk management in line with ISO 31000 standards.
Law/Act: Information Security Management Act, Protection Act and Data Protection Act.
Objective: METROPOLIS CAPITAL Bank utilizes a comprehensive risk assessment procedure to proactively identify potential risks and predict project outcomes. The procedure involves assessing the probability and impact of identified risks, followed by strategic planning to manage those risks before they materialize. Effective responses are then implemented to minimize any negative consequences associated with identified hazards. The bank continuously measures the effectiveness of projects against identified vulnerabilities to ensure optimal risk management. Ongoing monitoring is conducted to track activities that may potentially trigger adverse events.
Core team members:
▪ Security Administrator: Mr.S.Piravaksan
▪ Project Manager: Mr.L.Abibarman
▪ Risk Officer: Miss.K.Kamshaa
▪ Executive Officer: Miss.S.Kupenthini
▪ Project Sponsor: Miss.A.Shalini

Table 7:Risk Assessment Procedure.

Responsibilities of core team members


Role: Project manager
Responsibilities:
The project manager at METROPOLIS CAPITAL Bank assumes responsibility for the complete project lifecycle.
▪ Identifying risks associated with the project.
▪ Evaluating the identified risks.
▪ Formulating strategies to reduce the identified risks.
▪ Procuring necessary risk management measures.
▪ Executing risk management activities as per the plan.
▪ Collaborating with project team members and subject matter experts.
▪ Providing updates on prior risk management efforts.
▪ Ensuring successful execution of risk management tasks.

Role: Risk officer
Responsibilities:
▪ The risk officer at METROPOLIS CAPITAL Bank is responsible for overseeing all specifics of risk management within the organization.
▪ Conduct thorough assessments to identify and analyze potential risks.
▪ Evaluate the severity of each risk by considering its potential impact.
▪ Conduct audits of processes and procedures to ensure compliance and identify areas of improvement.
▪ Develop effective risk management controls and systems to reduce identified risks.
▪ Devise strategies to eliminate or minimize potential risks.
▪ Create contingency plans for crisis situations to ensure preparedness.
▪ Review existing policies and procedures to identify any weaknesses and make necessary updates.
▪ Prepare comprehensive reports on risk assessments and management strategies.
▪ Present recommendations to senior management and stakeholders.
▪ Provide support during the implementation of risk management measures.

Role: Executive officer
Responsibilities:
▪ The executive officer at METROPOLIS CAPITAL Bank has the responsibility of overseeing the risk management process and ensuring its continuous improvement.
▪ This includes allocating resources to support risk management activities within the bank.
▪ The executive officer evaluates the effectiveness of risk management policies and procedures implemented by the bank.
▪ They establish the guiding principles and overall framework for the risk management process at METROPOLIS CAPITAL Bank.

Role: Project sponsor
Responsibilities:
▪ The primary responsibility of the project sponsor at METROPOLIS CAPITAL Bank is to assess and endorse the project's investment aligned with the bank's strategic objectives.
▪ The project sponsor ensures that the project manager effectively delivers the anticipated benefits of the project.
▪ The project sponsor holds overall accountability for the project's performance.
▪ The project sponsor appoints the project manager and team.
▪ The project sponsor defines success criteria for the project.
▪ The project sponsor ensures the successful completion of the risk assessment project.

Table 8:Responsibilities of Core Team Members.


Assets identification of METROPOLIS CAPITAL BANK


Table 9:Internal Assets

| Internal Assets | Description |
|---|---|
| Physical Assets | These include the bank's buildings, branches, offices, and other physical infrastructure. |
| Human Resources | The bank's employees, their skills, expertise, and knowledge are valuable internal assets. This includes executives, managers, tellers, loan officers, and other staff members. |
| Intellectual Property | It includes patents, trademarks, copyrights, and other intellectual assets owned by the bank, such as proprietary software or algorithms developed in-house. |
| Financial Resources | Internal financial assets refer to the bank's capital, reserves, and funds held for various purposes, such as liquidity management and investment. |
| Information Technology (IT) Infrastructure | It includes the bank's servers, computer systems, networks, data centers, and other technological resources used to support banking operations. |

Table 10:External Assets

| External Assets | Description |
|---|---|
| Customer Deposits | Deposits made by customers in various accounts, such as savings accounts, current accounts, and fixed deposits, are important external assets for a bank. |
| Brand Reputation | The bank's reputation and brand value in the market are external intangible assets that can have an important impact on customer trust, loyalty, and market perception. |
| Partnerships and Alliances | Collaborations with other financial institutions, fintech companies, or strategic partners can be considered as external assets that contribute to the bank's overall value. |
| Investments | It refers to the bank's holdings in securities, bonds, stocks, and other financial instruments. |
| Loan Portfolios | The loans extended to individuals, businesses, and other entities form a major part of a bank's external assets. |


Risk classification of METROPOLIS CAPITAL BANK


Physical risks:
▪ Human errors
▪ Natural disaster
▪ Physical security breaches

Virtual risks:
▪ Phishing
▪ Social engineering attacks
▪ Malware attacks
▪ SQL injection
▪ DoS attacks
▪ Insider threats
▪ Ransomware

Table 11:Risk classification.

Risk matrix

Figure 17:Risk matrix.


Risk rating description


Table 12:Risk rating description.

| Risk level | Description |
|---|---|
| Extreme | Immediate cessation of operations is necessary until appropriate controls are implemented to reduce the risk effectively. |
| High | Risk mitigation measures must be implemented to decrease the risks to an acceptable level by following the hierarchy of controls. |
| Medium | Evaluate the risk assessment and implement control measures to reduce the risk to an acceptable level, following the hierarchy of controls. |
| Low | Reduce risks by implementing regular procedures and conducting ongoing monitoring. |

Risk register tables for identified risks


Table 13:Risk Register table for phishing

RISK NO: 01
Description: Phishing attacks
Category: Virtual risk
Likelihood: Low
Impact: High
Risk level: High
Responsibilities:
▪ It is important to conduct thorough scanning of emails to identify and reduce potential phishing threats.
▪ Ensure that client-side operating systems, software, and plug-ins are consistently updated to minimize vulnerabilities and enhance security.
▪ Implement and configure two-factor authentication measures to add an extra layer of security for accessing sensitive information and systems.
▪ Provide comprehensive training and education to bank personnel regarding the importance of security awareness.
Cost: Medium
Benefits: Medium


Table 14:Risk Register table for social engineering attack

RISK NO: 02
Description: Social engineering attack
Category: Virtual risk
Likelihood: High
Impact: High
Risk level: Extreme
Responsibilities:
▪ It is important to actively monitor and detect social engineering attacks, such as phishing or pretexting, by conducting thorough analysis of communication channels and user interactions.
▪ Ensure that client-side operating systems, software, and plug-ins are consistently updated to minimize vulnerabilities and strengthen defenses against social engineering attacks.
▪ Implement and set up two-factor authentication measures to add an additional layer of protection against social engineering attacks. This ensures that accessing sensitive information and systems requires multiple verification steps.
▪ Conduct comprehensive training and education programs to increase awareness among bank personnel about social engineering attacks. This includes educating them about common tactics, warning signs, and strategies to effectively identify and respond to social engineering threats.
Cost: Medium
Benefits: High


Table 15:Risk Register table for malware attack

RISK NO: 03
Description: Malware attack
Category: Virtual risk
Likelihood: High
Impact: High
Risk level: Extreme
Responsibilities:
▪ Installation of reliable anti-virus and anti-spyware software is essential.
▪ Utilize secure authentication methods for accessing systems.
▪ Limit the use of administrative accounts to only when necessary.
▪ Ensure software is regularly updated to maintain security.
▪ Implement strict access controls to restrict unauthorized system access.
▪ Deploy effective anti-spam and anti-virus software for email protection.
▪ METROPOLIS CAPITAL Bank may engage external security service providers to conduct vulnerability assessments, penetration testing, and security audits. These providers should be responsible for identifying potential vulnerabilities and recommending remediation measures to prevent malware attacks.
Cost: Medium
Benefits: High


Table 16:Risk Register table for SQL injection

RISK NO: 04
Description: SQL injection
Category: Virtual risk
Likelihood: Low
Impact: Medium
Risk level: Medium
Responsibilities:
▪ Regular monitoring of SQL statements is important to detect and prevent any abnormal or potentially malicious database activities within the systems of Metropolis Capital Bank.
▪ Proper control of privileges and access rights should be implemented to ensure that only authorized individuals have the necessary access to sensitive systems and data at the bank.
▪ The bank should prioritize the use of stored procedures within the database as a best practice for ensuring secure and efficient data manipulation.
▪ It is essential to enforce the use of prepared statements and parameterization techniques to enhance the security of database operations at Metropolis Capital Bank.
▪ To maintain a robust security posture, the bank should conduct regular auditing and penetration testing exercises to identify vulnerabilities and assess the effectiveness of existing security measures.
Cost: Medium
Benefits: High
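
The prepared-statement control listed in Table 16 can be seen in the added example below, which is not part of the original report: the same account lookup is written once by string concatenation and once with a bound parameter. It uses Python's built-in sqlite3 module as a stand-in for the bank's database; the table, column names, sample rows and inputs are all constructed for the illustration.

```python
"""String-built query beside its parameterized form (added example)."""
import sqlite3

# Constructed test input: text that changes the WHERE clause when it is
# pasted into the SQL string instead of being bound as a value.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """In-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 1200.0), ("bob", 85.5), ("carol", 40000.0), ("o'brien", 310.0)],
    )
    return conn


def lookup_concatenated(conn, owner):
    """Weak form: user input becomes part of the SQL text itself."""
    query = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened form: the SQL text is fixed and the input is bound as data."""
    query = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


def concatenated_fails(conn, owner):
    """True when the string-built query cannot even be parsed for this input."""
    try:
        lookup_concatenated(conn, owner)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The string-built query returns every account for the crafted input.
    print("concatenated :", lookup_concatenated(db, CRAFTED_INPUT))
    # The bound parameter is compared as a plain value and matches nothing.
    print("parameterized:", lookup_parameterized(db, CRAFTED_INPUT))
    # A legitimate name containing an apostrophe breaks the weak form
    # but is handled correctly by the parameterized one.
    print("apostrophe breaks concatenation:", concatenated_fails(db, "o'brien"))
    print("parameterized apostrophe lookup:", lookup_parameterized(db, "o'brien"))
```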


Table 17:Risk Register table for DoS attack

RISK NO: 05
Description: DoS attack
Category: Virtual risk
Likelihood: High
Impact: High
Risk level: Extreme
Responsibilities:
▪ Acquire a thorough understanding of the indicators and symptoms associated with denial-of-service attacks to enable early detection and swift response.
▪ Consider outsourcing DDoS protection services to specialized providers who can offer advanced and dedicated solutions tailored to the bank's specific needs.
▪ Develop a comprehensive plan to effectively address and reduce denial-of-service attacks.
▪ Enhance the resilience of the bank's network infrastructure to ensure its durability and ability to withstand potential attacks.
▪ Ensure the implementation and maintenance of proper online hygiene practices to minimize vulnerabilities and reduce the risk of attacks.
▪ Leverage anti-DDoS equipment and software to effectively protect the bank's network and reduce the impact of potential attacks.
Cost: Medium
Benefits: High


Table 18:Risk Register table for insider threats

RISK NO: 06
Description: Insider threats.
Category: Virtual risk
Likelihood: Medium
Impact: Medium
Risk level: Medium
Responsibilities:
▪ Develop a comprehensive plan to address insider threats.
▪ Enhance the resilience of the network against internal security breaches.
▪ Promote and enforce good cybersecurity practices among employees.
▪ Implement effective monitoring and detection systems for insider threats.
▪ Recognize and be familiar with indicators and warning signs of insider attacks.
▪ Consider outsourcing insider threat detection and mitigation capabilities.
▪ Conduct regular risk assessments to identify and evaluate the potential vulnerabilities and risks associated with insider threats. This includes reviewing and updating security controls and practices based on the assessment findings.
Cost: Medium
Benefits: High


Table 19:Risk Register table for ransomware

RISK NO: 07
Description: Ransomware
Category: Virtual risk
Likelihood: Low
Impact: High
Risk level: Medium
Responsibilities:
▪ Identify and assess the potential risks associated with ransomware attacks, considering the bank's systems, networks, and data as potential targets.
▪ Develop and implement robust cybersecurity policies and procedures to prevent, detect, and respond to ransomware attacks effectively.
▪ Regularly update and patch software, operating systems, and applications to address known vulnerabilities that can be exploited by ransomware.
▪ Implement strong access controls and authentication mechanisms to protect sensitive data and limit unauthorized access.
▪ Backup important data regularly and store backups in a secure and separate location. Test the integrity of backups periodically to ensure they can be successfully restored in the event of a ransomware attack.
▪ Establish an incident response plan specifically tailored to ransomware attacks. Define roles and responsibilities for incident response team members and establish communication channels and escalation procedures.
Cost: Medium
Benefits: High


Table 20:Risk Register table for human errors

RISK NO: 08
Description: Human errors
Category: Physical risk
Likelihood: Low
Impact: Low
Risk level: Low
Responsibilities:
▪ Ensure that all employees receive comprehensive training on their roles, responsibilities, and the bank's policies and procedures. Promote a culture of risk awareness and accountability throughout the organization.
▪ Establish clear lines of communication within the bank to facilitate the reporting of errors and near misses. Encourage employees to promptly report any incidents or potential risks they identify to the appropriate channels.
▪ Regularly monitor employee performance and provide constructive feedback to address any recurring errors or areas of concern. Implement performance management systems that recognize and reward good performance while addressing and remedying poor performance.
▪ Explore the use of technology and automation to minimize the potential for human errors. Implement appropriate software systems, controls, and validation mechanisms to reduce reliance on manual processes and reduce the risk of errors.
Cost: Low
Benefits: Medium


Table 21:Risk Register table for natural disasters

RISK NO: 09
Description: Natural disasters
Category: Physical risk
Likelihood: Low
Impact: Medium
Risk level: Low
Responsibilities:
▪ Develop a contingency plan for reducing the impact of natural disasters.
▪ Enhance the resilience of the network infrastructure against natural disasters.
▪ Ensure proper disaster preparedness and response protocols are in place.
▪ Employ appropriate disaster recovery and business continuity measures.
▪ Stay updated on the signs and indicators of potential natural disasters.
▪ Consider outsourcing disaster recovery and continuity services for added protection and expertise.
▪ Regularly review and update the disaster response plan based on lessons learned and industry best practices.
▪ Conduct drills and simulations to test the effectiveness of the disaster response plan.
▪ Collaborate with relevant authorities and agencies for disaster management and emergency response.
▪ Implement robust physical security measures to safeguard against damage from natural disasters.
Cost: Medium
Benefits: High


Table 22: Risk Register table for physical security breaches

RISK NO: 10
Description: Physical security breaches
Category: Physical risk
Likelihood: Low
Impact: High
Risk level: Medium
Responsibilities:
▪ Monitor and maintain the CCTV surveillance systems to
ensure proper coverage and functioning of cameras in
important areas.
▪ Develop and maintain an incident response plan that outlines
the step-by-step procedures to be followed in the event of a
physical security breach.
▪ Conduct regular physical security audits to identify and
address any gaps or vulnerabilities in the bank's physical
security measures.
▪ Stay updated with relevant regulations and industry standards
related to physical security in the banking sector.
▪ Provide comprehensive security awareness and training
programs to all employees, emphasizing the importance of
physical security and their roles in maintaining a secure
environment.
▪ Regularly inspect and maintain physical barriers, such as
fences, gates, doors, to prevent unauthorized access to
sensitive areas.
Cost: Medium
Benefits: High


Conclusion
The risk register holds significant importance within the comprehensive risk management
process of METROPOLIS CAPITAL Bank. Its main function lies in safeguarding the
sensitive data of clients throughout the entire lifespan of the bank's operations. To further
enhance its effectiveness, it is advisable to develop a well-defined plan that accurately
assesses the probability and impact factors of recurring risks. The risk register complements
other essential risk management procedures such as qualitative risk analysis, quantitative
risk analysis, risk response planning, and risk monitoring and control. By utilizing the risk
register judiciously, METROPOLIS CAPITAL Bank can efficiently manage and visualize
risks, thereby fortifying its risk management practices and ensuring the security of client
data.
Data protection and regulations in IT security
Data protection and regulations in IT security refer to the measures and legal frameworks
put in place to ensure the privacy, security, and appropriate use of personal and sensitive
data in information technology systems. These regulations aim to protect individuals' rights
and establish guidelines for organizations handling data, ensuring responsible data
practices, and reducing the risks associated with data breaches and misuse.

Data protection and regulation at METROPOLIS CAPITAL bank


Data Protection Act - METROPOLIS CAPITAL Bank adheres to the Data Protection Act,
which regulates how and when personal information can be obtained, used, and disclosed.
The bank is required to comply with the eight data protection principles outlined in the Act.
ISO 31000 - The bank has obtained ISO 31000:2009 certification, which provides
guidelines and principles for effective risk management. This certification demonstrates the
bank's commitment to identifying, assessing, and reducing risks related to data protection
and security.
Connectivity and Network Security - METROPOLIS CAPITAL Bank ensures secure
connectivity between its datacenters, branches, and ATMs through VPN and MPLS
services provided by its ISP. The bank employs a single firewall to protect communication
between the core banking system, outside systems, and the Head Office. The bank implements
security measures such as VA scanning, internal auditing, and 24x7 monitoring to
safeguard its network infrastructure.


Physical security - The bank's premises, including datacenters, branches, ATMs, and the
Head Office, are covered by CCTV surveillance and 24x7 monitoring. This helps ensure
the physical security of customer data and assets.
Vendor management - METROPOLIS CAPITAL Bank engages with various local and
foreign IT service vendors, with whom the bank has signed agreements, contracts, and
NDAs. The bank follows a robust vendor management process to ensure that third-party
vendors adhere to data protection requirements and maintain the security of customer
information.
Employee security practices - The bank has implemented a bring your own device
(BYOD) concept for Senior Executive Staff and HR departments, providing employee
WiFi and guest WiFi hotspot. To enhance security, the bank has employed a Privileged
Access Management (PAM) system, Endpoint Detection and Response (EDR) system,
Data Loss Prevention (DLP) tool, Web Application Firewall (WAF), and Secure Mail
Gateway. These security tools are managed by the bank's Technical Support Team.
Internal auditing - METROPOLIS CAPITAL Bank performs routine internal audits to
evaluate its security controls, processes, and adherence to policies and regulations. These
audits assess the efficiency of security measures, identify any shortcomings or
opportunities for enhancement, and ensure compliance with security standards.
Security operations - The bank's staff is accountable for security operations,
encompassing the monitoring of security systems, incident investigation, and response to
security alerts or breaches. These responsibilities encompass tasks like analyzing logs,
monitoring threat intelligence, managing incidents, and addressing vulnerabilities.
Privileged Access Management (PAM) System - METROPOLIS CAPITAL Bank has
deployed a PAM system to regulate and oversee privileged users’ access to vital systems
and sensitive data. This system guarantees that only authorized individuals possess elevated
privileges while maintaining a record of privileged actions for auditing purposes.
Data Loss Prevention (DLP) Tool - METROPOLIS CAPITAL Bank employs a Data Loss
Prevention tool to safeguard against unauthorized disclosure or loss of sensitive data. This
tool monitors data in various states (in motion, at rest, and in use) to detect and prevent data
breaches, including unauthorized transfers or inadvertent leaks of confidential information.
VA scanning - Vulnerability Assessment scanning is a process that helps identify and
assess vulnerabilities in a computer system, network, or application. It involves using
specialized tools and techniques to scan and analyze the target system for potential security
weaknesses. In the case of METROPOLIS CAPITAL Bank, VA scanning is an important
security measure implemented to ensure the protection of their systems and data.
Web Application Firewall (WAF) - The Web Application Firewall (WAF) is a security
tool used by METROPOLIS CAPITAL Bank to protect their web applications from various
cyber threats and attacks. WAF works by analyzing incoming web traffic and filtering out
potentially malicious requests or unauthorized access attempts.
Secure Mail Gateway (SMG) – It is a security solution designed to protect email
communications within an organization. It acts as a filter between the bank's internal email
system and the external network, such as the internet. The primary purpose of an SMG is
to prevent unauthorized access, malicious content, and potential threats from entering or
leaving the bank's email infrastructure.
Conclusion
METROPOLIS CAPITAL Bank takes data protection and security seriously by adhering
to various rules and regulations. They comply with the Data Protection Act and have
obtained ISO 31000:2009 certification, showcasing their commitment to effective risk
management. The bank implements robust connectivity and network security measures,
including VPN and MPLS services, firewalls, and regular vulnerability assessments.
Physical security is ensured through CCTV surveillance and 24x7 monitoring of their
premises. The bank also prioritizes vendor management, employee security practices,
internal auditing, and security operations. By deploying tools such as Privileged Access
Management, Data Loss Prevention, Web Application Firewall, and Secure Mail Gateway,
METROPOLIS CAPITAL Bank further enhances their data protection measures. Through
these comprehensive strategies, the bank aims to safeguard customer information and
maintain a secure banking environment.


Data Protection Act


The Data Protection Act is a law that was enacted to protect the privacy of individuals and
their personal information. It is designed to safeguard the way personal data is collected,
used, and stored by organizations. The Act sets out rules for how information should be
processed and gives individuals the right to access the personal data held about them. The
Act applies to both electronic and paper records and covers information such as name,
address, date of birth, and medical records. Organizations must comply with the Act or face
penalties, including fines and legal action. The Data Protection Act is an important piece
of legislation that helps to protect individuals' rights to privacy (Experian.co.uk, 2017).
Data Protection Act (DPA) 1998
The Data Protection Act 1998 ('the Act') regulates how and when information relating to
individuals may be obtained, used, and disclosed. The Act also allows individuals access
to personal data relating to them, to challenge misuse of it and to seek redress. Enforcement
of the Act is through the Information Commissioner ('the Commissioner').
The Act places a duty on any person or organization that holds personal information about
living individuals (personal data) on computer or in certain manual data systems (or has
such information processed on computer by others) to comply with the eight data protection
principles and to notify the Commissioner about the processing carried out. Failure to notify
is a criminal offence. However, there are several exemptions from the notification
requirement of the Act for individuals and organizations that make only limited use of
personal data. The Commissioner has produced a self-assessment guide to determine
whether notification is necessary.
Remedies for misuse of personal data include compensation if the individual has suffered
damage, rectification or destruction of inaccurate data and the right to request a review by
the Commissioner of whether the Act has been contravened (AVILA, 2007).

Figure 18: Data Protection Act (DPA) 1998.


Principles of the Data Protection Act (DPA) 1998


The Data Protection Act (DPA) of 1998 is legislation in the United Kingdom that governs
the processing of personal data and provides individuals with certain rights and protections.
It is based on several principles that guide the handling and protection of personal data.
Fair and lawful
Organizations must have legitimate grounds for collecting the data and it must not have a
negative effect on the person or be used in a way they wouldn’t expect. Organizations are
required to provide full transparency about how they wish to use the data, as well as ensure
their data is only used in ways customers would expect (Vinciworks.com, 2017).
Specific for its purpose
Personal data should only be collected and used for specific, lawful purposes. It should not
be further processed in a manner incompatible with the original purpose.
Data minimization
Organizations should only collect and process the personal data that is necessary for the
intended purpose. Data should be adequate, relevant, and not excessive.
Accuracy
Personal data should be accurate and kept up to date. Organizations have a responsibility
to take reasonable steps to ensure the accuracy of the data they hold.
Storage limitation
Personal data should not be kept for longer than necessary. It should be securely deleted or
disposed of when it is no longer needed for the purpose it was collected.
Integrity and confidentiality
Organizations must implement appropriate security measures to protect personal data from
unauthorized access, loss, or damage. They are responsible for ensuring the confidentiality,
integrity, and availability of the data.
Individual rights
The DPA grants individuals certain rights, including the right to access their personal data,
correct inaccuracies, request erasure, and prevent processing in certain circumstances.
Transfers outside the European Economic Area
If personal data is transferred to countries outside the EEA, organizations must ensure that
adequate protection is in place to safeguard the data.


Accountability
Organizations are accountable for their compliance with the DPA and must be able to
demonstrate their compliance through appropriate policies, procedures, and
documentation.
Conclusion
The Data Protection Act 1998 (DPA) in the United Kingdom regulates the collection, use, and
disclosure of personal data. It places obligations on organizations to comply with eight data
protection principles. These principles include ensuring that data collection is fair and
lawful, data is used for specific purposes, data is minimized to what is necessary, data is
accurate and up to date, data is not stored for longer than necessary, data is kept secure and
confidential, individuals have certain rights over their data, transfers of data outside the
European Economic Area have adequate protection, and organizations are accountable for
their compliance with the DPA. The DPA grants individuals the right to access their
personal data, request corrections, request erasure, and prevent processing in certain
circumstances. Organizations are required to implement appropriate security measures to
protect personal data and must have policies, procedures, and documentation in place to
demonstrate their compliance with the DPA. Enforcement of the DPA is overseen by the
Information Commissioner, who has the authority to investigate and act against
organizations that contravene the Act. Remedies for individuals who have suffered damage
or misuse of their personal data include compensation, rectification or destruction of
inaccurate data, and the right to seek a review by the Commissioner.
IT Security Audit
The overall IT infrastructure is subject to a review known as an IT security audit. There are
two methods by which an IT security audit can be conducted: a manual assessment or an
automated assessment. In a manual assessment, the IT security auditor conducts a
comprehensive check of the IT systems. The access to both the IT framework and IT
hardware is reviewed, and network and software vulnerabilities are sought out. On the other
hand, an automated assessment involves the system auditing itself. Changes to servers and
files are tracked, and software monitoring reports are kept up to date. The related data can
then be reviewed to stay updated on the system's health. Ideally, both audit assessments
should be incorporated into the IT security strategy. A manual review should be conducted
at least once a year, while the analysis of automated assessment reports should be
performed more frequently (Sepulveda, 2022).
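
The automated assessment described above, in which changes to files are tracked and the resulting reports are reviewed, can be illustrated with a file-integrity baseline. The Python code below is an added example, not part of the original report or of any tool the bank uses; the directory layout, file names and file contents are constructed for the demonstration, and POSIX permission bits are assumed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record hash, size and permission bits for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories, symlinks and special files are not hashed
        info = path.stat()
        state[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": info.st_size,
            "mode": oct(info.st_mode & 0o777),
        }
    return state


def save_baseline(state, baseline_path):
    """Write the snapshot as JSON; keep it outside the monitored tree."""
    with open(baseline_path, "w", encoding="utf-8") as handle:
        json.dump(state, handle, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    """Read a previously saved snapshot."""
    with open(baseline_path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Return audit findings: files added, removed, modified or re-permissioned."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            if baseline[name]["sha256"] != current[name]["sha256"]:
                report["modified"].append(name)
            if baseline[name]["mode"] != current[name]["mode"]:
                report["mode_changed"].append(name)
    return report


def demo():
    """Build a constructed config tree, baseline it, change it, and audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir) / "config"
        root.mkdir()
        (root / "firewall.rules").write_text("allow tcp 443\n")
        (root / "users.list").write_text("alice\nbob\n")
        (root / "backup.conf").write_text("schedule=daily\n")
        os.chmod(root / "backup.conf", 0o640)

        baseline_file = Path(workdir) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed changes that the next automated run should surface.
        (root / "firewall.rules").write_text("allow tcp 443\nallow tcp 23\n")
        (root / "users.list").unlink()
        (root / "new_service.conf").write_text("enabled=true\n")
        os.chmod(root / "backup.conf", 0o666)

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report produced by each run is the data a reviewer examines between the yearly manual audits; the baseline file itself needs the same protection as the files it describes.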


Importance of IT security audit for METROPOLIS CAPITAL Bank


IT security audits play a major role in ensuring the smooth and secure operations of
METROPOLIS CAPITAL Bank. With its status as a leading private banking service
provider, the bank is committed to upholding compliance with various government and
Central Bank regulations and standards. Conducting regular IT security audits is paramount
in ensuring that the bank's IT systems and practices align with these requirements, reducing
the risk of non-compliance and potential penalties. These audits enable the identification
and assessment of potential risks and vulnerabilities within the bank's IT infrastructure,
systems, and processes. By thoroughly examining security controls, access privileges,
network configurations, and data protection measures, the audit helps identify weaknesses
and gaps that could be exploited by cyber threats. This empowers the bank to take proactive
measures to reduce risks and strengthen its overall security posture.
The protection of customer data is of utmost importance to METROPOLIS CAPITAL
Bank. Given its handling of sensitive financial and personal information, conducting
regular IT security audits ensures the confidentiality, integrity, and availability of customer
data. Evaluating data protection measures, access controls, and encryption protocols allows
the bank to identify areas for improvement and implement necessary safeguards to protect
customer information from unauthorized access, breaches, and misuse. Maintaining
business continuity is an important facet of METROPOLIS CAPITAL Bank's operations.
IT security audits assess the bank's disaster recovery and business continuity plans,
evaluating the effectiveness of backup systems, redundancy measures, and incident
response protocols.
By identifying potential vulnerabilities that could disrupt important banking operations, the
audit enables the bank to enhance its resilience and ensure continuity of services in the face
of cyberattacks, natural disasters, or other disruptions. METROPOLIS CAPITAL Bank
relies on various local and foreign IT service vendors to support its operations. IT security
audits play a key role in evaluating the security practices and controls of these vendors,
ensuring they meet the bank's standards and comply with contractual obligations. Assessing
the security posture of third-party vendors is important to reduce the risk of data breaches,
supply chain attacks, or unauthorized access to the bank's systems through vendor
connections. IT security audits provide a mechanism for continuous improvement. By
regularly assessing the bank's IT security controls, policies, and procedures, the audit helps
identify areas for enhancement and ensures that security measures keep pace with evolving
cyber threats. It allows the bank to remain vigilant and proactive in addressing emerging
risks and adopting best practices to protect its systems, data, and customers.
Impacts of IT security audit on METROPOLIS CAPITAL Bank
An IT security audit for METROPOLIS CAPITAL Bank can have important impacts on
the organization, ensuring a robust and secure environment for its operations. The audit
will thoroughly assess the bank's systems, networks, and applications to identify any
vulnerabilities that may exist. This comprehensive examination helps uncover weaknesses
such as outdated software, inadequate security controls, or misconfigurations that could
potentially be exploited by malicious actors. Once vulnerabilities are identified, the bank
can take immediate steps to address them and minimize the risk of potential security
breaches. This may involve enhancing access controls, implementing stronger
authentication mechanisms, improving network segmentation, or upgrading encryption
protocols. By strengthening these security measures, METROPOLIS CAPITAL Bank can
better protect sensitive customer data and prevent unauthorized access.
The IT security audit verifies the bank's compliance with relevant regulations and standards,
such as ISO 31000, data protection laws, and industry-specific requirements. Compliance
is important for a financial institution like METROPOLIS CAPITAL Bank to avoid
penalties, legal issues, and reputational damage. The audit ensures that the bank is adhering
to the necessary regulatory requirements and industry best practices. In addition to
identifying vulnerabilities and ensuring compliance, the audit conducts a thorough risk
assessment of the bank's overall security posture. This assessment provides insights into
potential risks and their potential impact on operations.
By understanding these risks, METROPOLIS CAPITAL Bank can prioritize security
investments and allocate resources effectively to reduce identified risks. This proactive
approach enhances the bank's overall risk management capabilities and reduces the
likelihood of security incidents. The IT security audit also evaluates the bank's incident
response procedures and capabilities. It helps identify any gaps or weaknesses in the bank's
ability to detect, respond, and recover from security incidents. By addressing these gaps,
METROPOLIS CAPITAL Bank can enhance its incident response readiness, minimize the
impact of potential security breaches, and ensure business continuity. Conducting regular
IT security audits demonstrates METROPOLIS CAPITAL Bank's commitment to
protecting customer data and ensuring the confidentiality, integrity, and availability of its
services. This commitment enhances customer trust and confidence in the bank's ability to
safeguard their sensitive information. Ultimately, it leads to increased customer satisfaction
and loyalty. The findings and recommendations from the IT security audit serve as a
roadmap for implementing necessary security enhancements. METROPOLIS CAPITAL
Bank can establish a culture of continuous security monitoring and improvement based on
these insights. By continuously enhancing its security posture, the bank can stay ahead of
emerging threats and ensure a resilient IT infrastructure.
Conclusion
Conducting regular IT security audits is of paramount importance for METROPOLIS
CAPITAL Bank to ensure the smooth and secure functioning of its operations. These audits
not only help the bank comply with regulatory requirements but also identify and address
potential vulnerabilities and risks within its IT infrastructure. By proactively strengthening
security measures, verifying compliance, and enhancing risk management capabilities, the
bank can safeguard customer data, protect against cyber threats, and ensure business
continuity. The audits enable METROPOLIS CAPITAL Bank to foster customer trust and
loyalty by demonstrating its commitment to data protection and continuous improvement.
By implementing the recommendations from the audits and maintaining a vigilant approach
to emerging threats, the bank can establish a resilient IT environment that meets the highest
standards of security and confidentiality.
The ISO 31000 Risk management framework
ISO 31000 is a risk management standard published by the International Organization for
Standardization (ISO). It was first released in 2009, with the most recent edition (at the
time of writing) in 2018. It offers a collection of recommendations designed to help firms
streamline risk management. ISO 31000:2018 is a single standard within the broader family
of risk management standards known as ISO 31000. The risk management standards are all
intended to be applied extensively across diverse sectors, niches, and company types, to
give a best-practice framework and advice to all operations wanting to employ risk
management concepts.
There are two scopes associated with risk management. ISO 31000 describes them as:
A risk management framework - This provides the foundations and organizational
arrangements for designing, implementing, monitoring, and continually improving risk
management throughout the organization.


A risk management process - This is the set of management policies, procedures, and
practices that ensure effective risk management. Ideally, the risk management process is
guided by the risk management framework (Reciprocity.com, 2023).
ISO 31000’s risk management principles

• Identify risks.
• Evaluate the probability of an event tied to an identified risk occurring.
• Determine the severity of the problems caused by the event occurring.
Benefits of using ISO 31000
• Better ability to make decisions - ISO 31000 helps organizations identify and
assess risks, which can lead to better decision-making.
• Reduced costs - By taking steps to reduce the likelihood or impact of risks,
organizations can save money on insurance premiums, lost productivity, and other
costs.
• Better reputation - Organizations may enhance their standing with clients,
investors, and other stakeholders by showing that they take risk management
seriously.
• Increased compliance - Organizations can help to guarantee that they are following
pertinent rules and regulations by using the ISO 31000 risk management approach.
Application of ISO 31000 risk management methodology in METROPOLIS CAPITAL Bank for effective risk reduction
The application of ISO 31000 risk management methodology in METROPOLIS CAPITAL
Bank enables them to systematically identify, assess, and reduce risks associated with their
operations. ISO 31000 provides a comprehensive framework for effective risk
management, ensuring that the bank can proactively address potential threats and
vulnerabilities. In the context of METROPOLIS CAPITAL Bank, the application of ISO
31000 starts with establishing the context of the risk management process. This involves
defining objectives, scope, and constraints, as well as identifying stakeholders and their
interests. The bank considers its branches, datacenters, ATMs, and Head Office as critical
components of its operations and recognizes the need for connectivity and secure
communication channels between these locations. By setting the context, the bank can align
its risk management efforts with its strategic goals and ensure a holistic approach to risk
reduction.


The next step is to identify risks. METROPOLIS CAPITAL Bank considers various risks
arising from its operations, including IT security risks, operational risks, and financial risks.
They identify potential threats and vulnerabilities that could impact the confidentiality,
integrity, and availability of customer data, financial transactions, and overall business
operations. Risks associated with connectivity, outsourcing, third-party vendors, and
compliance are also taken into consideration. Once risks are identified, the bank conducts
risk analysis to evaluate the likelihood and potential impact of each risk. This analysis
involves assessing vulnerabilities, potential consequences, and the probability of
occurrence for each identified risk. The bank may use quantitative or qualitative analysis
techniques to effectively evaluate the risks and prioritize their reduction efforts.
Following risk analysis, the bank evaluates the significance of each risk by comparing them
against established criteria. This allows them to prioritize risks based on their potential
impact and likelihood. By prioritizing risks, METROPOLIS CAPITAL Bank can allocate
resources and implement appropriate risk treatment plans to reduce the most critical risks.
Risk treatment strategies may include risk avoidance, risk reduction through security
controls and safeguards, risk transfer through insurance or contractual agreements, or
acceptance of residual risks.
Risk management is an ongoing process that requires regular monitoring and review.
METROPOLIS CAPITAL Bank has implemented measures such as CCTV surveillance,
24x7 monitoring, and security functions like vulnerability assessment scanning, internal
auditing, and security operations. They have also invested in various security tools such as
a vulnerability scanning tool, Privileged Access Management system, Endpoint Detection
and Response system, Data Loss Prevention tool, Web Application Firewall, and Secure
Mail Gateway. These tools and practices help the bank monitor and detect possible risks,
respond to security incidents, and ensure the protection of sensitive data and systems.
By applying the ISO 31000 risk management methodology, METROPOLIS CAPITAL
Bank can effectively identify, assess, and reduce risks across its operations. Compliance
with ISO 31000 also demonstrates their commitment to following industry best practices
and meeting regulatory requirements enforced by the government and the Central Bank.


Figure 19: Process of ISO 31000 Risk Management Standard

Conclusion
The application of the ISO 31000 risk management methodology in METROPOLIS CAPITAL
Bank demonstrates their commitment to proactive risk identification, assessment, and
reduction. By following the framework provided by ISO 31000, the bank can establish a
comprehensive risk management process that aligns with its strategic goals and ensures the
protection of its critical components, such as branches, datacenters, ATMs, and Head
Office. The bank systematically identifies and evaluates various risks, including IT security
risks, operational risks, and financial risks, considering potential threats and vulnerabilities
that could affect customer data, financial transactions, and overall business operations.
Through risk analysis and significance evaluation, the bank prioritizes risks and
implements appropriate risk treatment strategies, aiming to reduce the most critical risks.
This includes measures such as implementing security controls, safeguards, and monitoring
systems, as well as investing in security tools and technologies to detect and respond to
possible risks. By adopting the ISO 31000 framework, METROPOLIS CAPITAL Bank
benefits from enhanced decision-making, reduced costs, improved reputation, and
increased compliance with relevant rules and regulations. The ongoing monitoring and
review processes, combined with comprehensive security measures, ensure that the bank
maintains a strong security posture and protects sensitive data and systems.


Organizational security
Organizational security involves implementing measures to protect assets, information,
personnel, and operations from threats and unauthorized access. It encompasses strategies,
policies, procedures, and technologies to ensure the confidentiality, integrity, and
availability of resources. This includes assessing risks and vulnerabilities, both physical
and digital, and implementing controls such as access control, video surveillance, and
cybersecurity measures. Security policies establish guidelines for access control, data
handling, incident response, and employee awareness. Technologies like firewalls,
encryption, and security monitoring systems are important for preventing and detecting
security incidents. Employee training programs promote security best practices and safe
online behavior. Compliance with laws, regulations, and industry standards is essential,
ensuring the organization meets security obligations and reduces legal and financial risks.
Potential impacts to organizational security for METROPOLIS CAPITAL Bank
METROPOLIS CAPITAL Bank faces various potential impacts on its organizational
security due to its operations, infrastructure, and services. The bank is susceptible to data
breaches due to the sensitive nature of banking data and the vast amount of customer
information it stores and processes. Unauthorized access to customer accounts and personal
and financial data could result in severe consequences.
Network disruptions pose a significant risk as the bank relies on a single ISP link for
connectivity between its datacenters, branches, and ATMs. Any interruption or
compromise of this link could lead to service disruptions, transaction delays, and customer
dissatisfaction. The bank must address the potential for insider threats, considering the
various employees, vendors, and contractors who have access to sensitive systems and data.
Malicious or negligent actions by insiders could result in unauthorized access, data
manipulation, or information leaks.
The bank faces the constant threat of cyberattacks. The concentration of security measures
around a single firewall protecting the core banking system and communication with
external systems makes it a potential target for cybercriminals. Sophisticated cyberattacks
like malware infections, phishing, or ransomware could compromise the bank's systems
and disrupt its services. The implementation of a bring your own device (BYOD) concept
for Senior Executive Staff and HR Departments introduces additional security risks. If not
properly managed, personal devices used for work purposes could introduce malware, data
leakage, or unauthorized access to the bank's network and sensitive information.

Supply chain risks also need to be considered as the bank relies on multiple local and
foreign IT service vendors. These vendors may have access to the bank's systems and data,
and any inadequacy in their security measures or breaches could indirectly impact the
bank's overall security posture. To reduce these possible impacts, the bank needs to
implement robust security measures. By proactively addressing these possible impacts,
METROPOLIS CAPITAL Bank can strengthen its organizational security and effectively
protect its customers' assets and information.
Conclusion
Maintaining a high level of organizational security is important for METROPOLIS
CAPITAL Bank to protect its assets, information, and operations. The bank faces potential
impacts such as data breaches, network disruptions, insider threats, cyberattacks, BYOD
risks, and supply chain vulnerabilities. To reduce these risks, the bank must implement
multi-layered security controls, conduct regular assessments, provide employee training
and awareness programs, enforce strong access controls, continuously monitor for threats,
and have effective incident response plans in place. Compliance with regulations and
standards, such as ISO 31000:2009, is also essential. By prioritizing organizational security
and implementing proactive measures, METROPOLIS CAPITAL Bank can safeguard its
customers' trust, minimize financial and reputational risks, and ensure the confidentiality,
integrity, and availability of its services and data.
Organizational policy
The organizational policy is a formal document that explains the organization's position on
compliance with rules, standards, and recommendations. Specific rights can be restricted
or allowed to organization members through organization policies. By default, permissions
for generating organization/personal groups and sharing or publishing documents are
granted to all organization users. Organization policies can be easily set by the super
administrator, who can select roles and specify policies accordingly. For example, if it is
desired that organization groups can only be created by the administrator, options can be
restricted accordingly (Assignmentpoint.com, 2021).

The importance of organizational policies in METROPOLIS CAPITAL Bank


Organizational policies are fundamental for the smooth functioning of any business,
including financial institutions such as METROPOLIS CAPITAL Bank. These policies
provide a set of guidelines and rules that govern behavior, practices, and expectations
within the organization. One of the primary reasons why organizational policies are
important for METROPOLIS CAPITAL Bank is to ensure compliance with applicable
laws, regulations, and industry standards. The bank operates under strict government and
Central Bank regulations, and adherence to these rules is vital for maintaining legal and
ethical operations. Organizational policies outline specific requirements and procedures
that must be followed, fostering a culture of compliance within the organization.
Policies play a key role in identifying, assessing, and reducing risks in METROPOLIS
CAPITAL Bank. They provide a framework for managing risks associated with various
aspects of the bank's operations, including information security, data protection, financial
transactions, and customer services. Clear policies enable the bank to effectively identify
potential risks and implement appropriate measures to decrease them. This ensures the
safeguarding of the bank's interests and the protection of its customers.
Promoting consistency and standardization in operations is another important feature of
organizational policies. In METROPOLIS CAPITAL Bank, policies ensure that all
branches, ATMs, and data centers operate in a standardized manner, adhering to uniform
practices and procedures. By reducing the likelihood of errors or misunderstandings, these
policies help maintain the quality and reliability of services provided to customers.
Organizational policies serve as a reference point for employees, providing clear guidance
on expected behavior, responsibilities, and processes. They outline acceptable practices, a
code of conduct, and ethical guidelines for employees to follow.
These policies help employees understand their roles, responsibilities, and the boundaries
within which they should operate, fostering professionalism and creating a positive work
environment. Maintaining robust security measures and reducing risks are important for
METROPOLIS CAPITAL Bank. Organizational policies play a key role in achieving this
objective by providing guidelines on information security practices, access controls, data
protection, and incident response.
By following these policies, the bank ensures the necessary security measures are in place
to protect sensitive customer data, prevent unauthorized access, and respond effectively to
security incidents. Policies form the basis for employee training and awareness programs
within METROPOLIS CAPITAL Bank. They help educate employees about their
responsibilities, the organization's values, and the expected standards of behavior. Regular
training sessions and communication regarding policies keep employees updated on best
practices, emerging risks, and changes in regulations. This fosters a culture of continuous
learning and improvement, further strengthening the organization. By establishing and
enforcing well-defined policies, the METROPOLIS CAPITAL Bank can operate
efficiently, protect customer interests, and uphold its reputation as a reliable and
trustworthy financial institution.
The benefits of well-defined organizational policies
Organizational policies are important for ensuring the smooth operation and security of
METROPOLIS CAPITAL Bank.
Consistency and standardization - Organizational policies provide a framework that
fosters consistent decision-making and actions across different departments and functions.
By standardizing procedures, practices, and behaviors, these policies ensure that everyone
within the organization follows the same guidelines, leading to a cohesive and synchronized
operation.
Compliance and risk management - Policies help organizations adhere to legal and
regulatory requirements. By establishing policies that align with industry standards and
obtaining certifications such as ISO 31000, institutions like METROPOLIS CAPITAL
Bank can demonstrate their commitment to risk management and compliance with
government and central bank regulations.
Security and information protection - Organizational policies define security measures
and protocols to safeguard sensitive information, data centers, branches, and other
important assets. Policies related to data protection, network security, access controls, and
incident response help reduce risks and protect against unauthorized access, breaches, or
data loss.
Employee guidance - Policies provide clear guidelines and expectations for employees,
outlining their roles, responsibilities, and behavior within the organization. They establish
rules regarding the acceptable use of resources, code of conduct, confidentiality
requirements, and compliance obligations. By providing clarity, policies promote a more
productive and ethical work environment.
Operational efficiency - Well-designed policies streamline processes and enhance
operational efficiency. By defining standardized procedures, organizations reduce errors,
avoid duplications, and improve overall productivity. Policies also aid in resource
allocation, decision-making, and risk assessment, facilitating effective resource
management and optimized operations.
Adaptability - Policies form a foundation for organizational adaptability and continuity.
They can be revised and updated to address changing business needs, emerging risks, and
technological advancements. Regular review and updates of policies ensure their relevance,
effectiveness, and alignment with the evolving landscape.
Well-defined organizational policies bring numerous benefits for METROPOLIS
CAPITAL Bank. These policies serve as the backbone of an organization's operations,
creating a safe, productive, and resilient environment.
Impacts of misaligned organizational policy on IT security in METROPOLIS
CAPITAL Bank
The misalignment of organizational policy on IT security in METROPOLIS CAPITAL
Bank can have serious consequences for the overall security posture of the bank. When
organizational policies and IT security practices are not aligned, it is important to
understand the possible impacts that can arise and take appropriate measures to reduce
them. One of the main impacts of misalignment is an increased vulnerability to cyber
threats. Gaps in security measures can be created, leaving the bank more susceptible to
cyber-attacks, data breaches, and other security incidents. Moreover, non-alignment with
IT security requirements can weaken the bank's compliance with regulatory obligations and
industry standards. This may result in legal and financial consequences, reputational
damage, and a loss of customer trust.
Misaligned policies can also hinder efficient risk management practices. Inadequate risk
assessments, improper resource allocation, and a failure to address emerging security
threats effectively can occur when policies are not aligned. This can result in the bank being
ill-prepared to reduce risks, increasing the likelihood of security incidents and their
potential impact. Data protection is of utmost importance for METROPOLIS CAPITAL
Bank, considering the sensitive customer information it handles. Misalignment of policies
can compromise data protection measures, such as encryption, access controls, and data
retention practices. This puts customer data at risk of unauthorized access, data breaches,
and possible financial losses for both the bank and its customers.
Effective incident response is essential to minimize the impact of security incidents.
However, misaligned policies can impair incident response efforts. Delays in detecting,
containing, and recovering from security incidents can occur, leading to prolonged
disruptions to banking operations and potential further compromise of customer data.
Misaligned policies can weaken employee awareness and training on IT security. Without
clear guidance and aligned policies, employees may have a diminished understanding of
their roles and responsibilities in maintaining IT security. This can result in a lack of
awareness, non-compliance with security practices, and an increased risk of insider threats.
To reduce these possible impacts, METROPOLIS CAPITAL Bank should prioritize
aligning its organizational policies with IT security requirements. Regular reviews and
updates of policies are essential to ensure they remain up to date and effective. Effective
communication of policies and their implications to employees is important to foster a
strong security culture within the organization. Comprehensive training programs should
be provided to employees to enhance their awareness and understanding of IT security
practices. This will enable them to actively contribute to maintaining a secure IT
environment and reduce risks effectively.
Conclusion
Organizational policies are important for the smooth functioning, compliance, and security
of METROPOLIS CAPITAL Bank. These policies ensure consistency, standardization,
and adherence to legal and regulatory requirements. Organizational policies help manage
risks, protect sensitive information, guide employee behavior, and enhance operational
efficiency. Misalignment of organizational policy on IT security can have severe
consequences, including increased vulnerability to cyber threats, weakened compliance,
compromised data protection, impaired incident response, and diminished employee
awareness. To reduce these impacts, the bank must prioritize aligning policies with IT
security requirements, regularly review and update policies, communicate effectively, and
provide comprehensive training to employees. By doing so, METROPOLIS CAPITAL
Bank can strengthen its security posture, maintain compliance, and safeguard its operations,
customer data, and reputation in an ever-evolving digital landscape.

Activity 04
Security policy
A security policy is a document that states in writing how a company plans to protect its
physical and information technology (IT) assets. Security policies are living documents that
are continuously updated and changing as technologies, vulnerabilities and security
requirements change. A company's security policy may include an acceptable use policy.
These describe how the company plans to educate its employees about protecting the
company's assets. They also include an explanation of how security measurements will be
carried out and enforced, and a procedure for evaluating the effectiveness of the policy to
ensure that necessary corrections are made (Ben, 2021).

Figure 20: Security policy for Metropolis Capital Bank

Introduction
This report presents a comprehensive security policy for METROPOLIS CAPITAL Bank,
a leading private banking service provider in Sri Lanka. As a trusted financial institution,
METROPOLIS CAPITAL Bank recognizes the importance of safeguarding its information
assets, ensuring the confidentiality, integrity, and availability of customer data, and
maintaining the trust of its clients and stakeholders.
Purpose
The purpose of this security policy is to outline the principles, guidelines, and procedures
that govern the bank's information security practices. It aims to provide a framework for
protecting important systems, networks, and sensitive data from unauthorized access,
disclosure, alteration, or destruction. This policy covers various aspects of security,
including physical security, network security, access control, data protection, incident
response, and employee responsibilities.
Scope
This security policy applies to all employees, contractors, third-party vendors, and any
other individuals who have access to METROPOLIS CAPITAL Bank's systems, networks,
and data. It encompasses the bank's datacenters, branches, ATMs, head office, and all other
locations where the bank conducts its operations.
Objectives
• Ensure privacy and confidentiality of customer information through measures
preventing unauthorized access, disclosure, or misuse.
• Maintain uninterrupted service delivery by implementing appropriate security
controls for important systems, networks, and services.
• Adhere to relevant regulatory requirements, including government and Central
Bank regulations, to ensure compliance.
• Identify, assess, and reduce cybersecurity risks through risk management practices
and control measures.
• Foster employee awareness, training, and adherence to security practices, given
employees' key role in organizational security.

Security Policies for METROPOLIS CAPITAL Bank


Password policy
Password policy is a set of guidelines and rules that govern the creation, usage, and
management of passwords within an organization or system. It is an essential component
of maintaining robust security and protecting sensitive information from unauthorized
access. A strong password policy helps prevent security breaches, data theft, and
unauthorized account access by enforcing stringent password requirements and promoting
good password management practices.
Disaster recovery policy
The disaster recovery plan policy establishes the framework and guidelines for developing
and implementing a comprehensive disaster recovery plan within an organization. It
outlines the objectives, scope, and responsibilities for all parties involved in the plan. The
policy covers key components such as risk assessment, business impact analysis, recovery
strategies, backup and restoration procedures, communication and notification protocols,
and regular testing and maintenance. It emphasizes the importance of business continuity,
data protection, and minimizing downtime in the event of a disaster or significant
disruption.
Information security policy
Information security policy is a comprehensive document that outlines the principles,
guidelines, and procedures for protecting an organization's information assets. It establishes
a framework for managing information security risks, safeguarding sensitive data, and
ensuring the confidentiality, integrity, and availability of information. The policy covers
areas such as access control, data classification and handling, incident response, encryption,
physical security, employee responsibilities, and compliance with relevant laws and
regulations. It provides clear direction to employees and stakeholders on their roles and
responsibilities in maintaining information security within the organization.
Physical access policy
The physical access policy governs the guidelines and procedures for controlling and
managing physical access to the organization's facilities. It includes measures such as
access control systems, visitor management, and surveillance to prevent unauthorized
entry, protect sensitive areas, and ensure the safety of personnel and assets. The policy
outlines the responsibilities of employees, contractors, and visitors in complying with
access control procedures and maintaining a secure environment.

BYOD (Bring Your Own Devices) policy


Bring Your Own Device (BYOD) policy is a set of guidelines and rules established by an
organization to govern the use of personal devices, such as smartphones, laptops, and
tablets, for work-related purposes. It outlines the rights, responsibilities, and security
measures related to employees using their own devices within the workplace.
Access Control Policy
Access control policy outlines the rules and procedures for granting, managing, and
revoking access privileges to an organization's information systems, data, and resources. It
defines the principles of least privilege and need-to-know, specifies authentication and
authorization mechanisms, and establishes guidelines for user account management. The
policy ensures that access rights are granted based on job roles and responsibilities,
regularly reviewed, and updated, and that access is revoked promptly upon termination or
change in job responsibilities.
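The review and revocation rules described in the access control policy can be checked automatically. The following is an added example, not part of the original report or of the bank's systems: it compares a constructed HR roster with a constructed account list and flags enabled accounts of terminated staff, entitlements beyond the owner's role (least privilege), and overdue reviews. The role catalogue, usernames, entitlement names and the 90-day review interval are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role catalogue (assumption): the entitlements each job role needs.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "hr_officer": {"hr_system:read", "hr_system:write"},
    "it_admin": {"core_banking:read", "firewall:admin", "directory:admin"},
}


@dataclass
class Employee:
    emp_id: str
    role: str
    active: bool  # False once HR records a termination


@dataclass
class Account:
    username: str
    emp_id: str
    enabled: bool
    entitlements: frozenset
    last_reviewed: date


def review_access(employees, accounts, today, max_review_age_days=90):
    """Return sorted (username, finding) tuples for accounts that break the policy."""
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account grants no access
        owner = by_id.get(acct.emp_id)
        if owner is None:
            findings.append((acct.username, "orphaned: no HR record for owner"))
            continue
        if not owner.active:
            findings.append((acct.username, "revoke: owner terminated, account still enabled"))
            continue
        # Least privilege: anything outside the role's catalogue entry is excess.
        allowed = ROLE_ENTITLEMENTS.get(owner.role, set())
        for extra in sorted(acct.entitlements - allowed):
            findings.append((acct.username, f"excess for role {owner.role}: {extra}"))
        if (today - acct.last_reviewed).days > max_review_age_days:
            findings.append((acct.username, "review overdue"))
    return sorted(findings)


# Constructed sample data, not taken from any real system.
SAMPLE_EMPLOYEES = [
    Employee("E1", "teller", True),
    Employee("E2", "hr_officer", True),   # moved from IT to HR
    Employee("E3", "it_admin", False),    # terminated
]
SAMPLE_ACCOUNTS = [
    Account("a.perera", "E1", True,
            frozenset({"core_banking:read", "core_banking:post_txn"}), date(2024, 5, 1)),
    Account("n.silva", "E2", True,
            frozenset({"hr_system:read", "hr_system:write", "firewall:admin"}),
            date(2024, 1, 10)),
    Account("k.fernando", "E3", True, frozenset({"firewall:admin"}), date(2024, 5, 20)),
    Account("svc_legacy", "E9", True, frozenset({"core_banking:read"}), date(2024, 5, 20)),
]


def run_sample():
    """Review the constructed sample as of a fixed date so the result is repeatable."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, date(2024, 6, 1))


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username}: {finding}")
```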
Firewall policy
Firewall Policy defines the guidelines and procedures for the configuration, management,
and monitoring of firewall systems within an organization. It describes the rules for
network traffic filtering, including inbound and outbound traffic, and specifies the criteria
for allowing or blocking specific protocols, ports, and IP addresses. The policy also
includes guidelines for regular firewall rule reviews, logging and alerting mechanisms, and
incident response procedures related to firewall security events.
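The regular firewall rule reviews called for above can be partly automated. The following is an added example, not part of the original report and not tied to any vendor's configuration syntax: it reviews an ordered, first-match rule list for allow rules open to any source on all ports, allow rules without logging, rules shadowed by an earlier rule, and a missing default deny. The rule format, rule names and addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive destination port range (low, high)
    log: bool


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    a_src, b_src = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    a_dst, b_dst = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    return (a.proto in ("any", b.proto)
            and b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def review_rules(rules):
    """Review an ordered, first-match rule list; return (rule name, finding) tuples."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow":
            any_src = ipaddress.ip_network(rule.src).prefixlen == 0
            if any_src and rule.ports == ANY_PORTS:
                findings.append((rule.name, "allows any source on all ports"))
            if not rule.log:
                findings.append((rule.name, "allow rule is not logged"))
        # A rule fully covered by an earlier rule can never match a packet.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((rule.name, f"shadowed by {earlier.name} ({kind})"))
                break
    # The last rule should drop everything that no earlier rule matched.
    default_deny = Rule("", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS, True)
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not covers(last, default_deny):
        findings.append(("<end of rule set>", "no explicit default deny"))
    return findings


# Constructed sample rule set using private address space.
SAMPLE_RULES = [
    Rule("allow-web-to-core", "allow", "tcp", "10.10.20.0/24", "10.10.1.10/32", (1521, 1521), True),
    Rule("deny-branch-to-core", "deny", "any", "10.10.0.0/16", "10.10.1.0/24", ANY_PORTS, True),
    Rule("allow-atm-to-core", "allow", "tcp", "10.10.30.0/24", "10.10.1.10/32", (8443, 8443), True),
    Rule("allow-vendor-support", "allow", "any", "0.0.0.0/0", "10.10.1.0/24", ANY_PORTS, False),
    Rule("default-deny", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS, True),
]


def run_sample():
    """Review the constructed sample rule set."""
    return review_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

In the sample, the ATM rule is placed after a broader deny and therefore never matches, which is the kind of ordering error a periodic review is meant to catch.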
Email policy
Email Policy sets forth guidelines for the appropriate use of email within an organization.
It indicates acceptable use, including restrictions on the transmission of sensitive or
confidential information. The policy may cover topics such as email account creation,
password security, and retention periods. It also addresses issues like email monitoring,
spam filtering, and the consequences of violating the policy. The goal is to ensure efficient,
secure, and professional email communication while protecting the organization's interests.
Wireless network policy
Wireless Network Policy defines the guidelines and procedures for the secure and
responsible use of wireless networks within an organization. It defines the rules and
requirements for configuring, accessing, and managing wireless networks to ensure data
confidentiality, integrity, and availability. The policy covers areas such as network
authentication, encryption standards, network monitoring, device registration, and
restrictions on unauthorized access points. It also addresses the protection of sensitive
information transmitted over wireless networks and establishes protocols for reporting
security incidents and managing wireless network vulnerabilities.
24 x 7 monitoring
The 24 x 7 monitoring Policy establishes the guidelines and procedures for continuous
monitoring of an organization's systems, networks, and critical assets. It outlines the
purpose, scope, and responsibilities of the monitoring process. The policy covers areas such
as event logging, intrusion detection, vulnerability scanning, and security incident
response. It emphasizes the importance of real-time monitoring, proactive threat detection,
and timely incident response to ensure the integrity, availability, and confidentiality of
information assets. The policy also addresses the retention and review of monitoring logs,
incident reporting, and the roles and responsibilities of personnel involved in the
monitoring process.
Endpoint security policy
The endpoint security policy describes the guidelines and procedures for securing endpoints, such as desktops, laptops,
mobile devices, and servers, within an organization's network. It establishes a framework
to protect endpoints from unauthorized access, malware, data breaches, and other security
threats. The policy covers areas such as device encryption, authentication mechanisms,
antivirus and anti-malware software, patch management, and removable media controls. It
also addresses employee responsibilities, incident response protocols, and regular endpoint
security assessments to ensure compliance and maintain a robust security posture.
Data security policy
Data security policy is a comprehensive document that establishes the guidelines and
procedures for protecting an organization's sensitive data. It outlines the principles,
responsibilities, and measures necessary to ensure the confidentiality, integrity, and
availability of data throughout its lifecycle. The policy covers areas such as data
classification, access controls, encryption, data handling and storage, data backup and
recovery, data retention, and disposal procedures. It also addresses employee
responsibilities, incident response protocols, and compliance with relevant laws,
regulations, and industry standards.

Conclusion
METROPOLIS CAPITAL Bank recognizes the importance of implementing robust
policies to ensure the security and protection of its critical assets and operations. The
Password Policy establishes strong password practices to prevent unauthorized access to
sensitive information. The Disaster Recovery Policy outlines procedures to minimize
disruptions and recover critical systems in the event of a disaster. The Information Security
Policy establishes guidelines for safeguarding data and maintaining confidentiality,
integrity, and availability. The BYOD Policy governs the secure use of personal devices
for work purposes. The Access Control Policy ensures appropriate access privileges to
protect sensitive resources. The Firewall Policy protects the organization's network from
unauthorized access and threats. The Email Policy governs the proper use of email to
maintain professional communication and data security.
The Wireless Network Policy ensures secure and responsible use of wireless networks. The
24/7 Monitoring Policy establishes continuous monitoring for proactive threat detection.
The Endpoint Security Policy safeguards endpoints from security risks. Data Security
Policy protects sensitive data throughout its lifecycle. METROPOLIS CAPITAL Bank
demonstrates a strong commitment to security and risk management through the
implementation of various measures. Routine internal audits ensure the evaluation of
security controls and compliance with policies and regulations. Security operations are
efficiently handled by the bank's staff, who monitor systems, investigate incidents, and
respond to security alerts.
By adhering to these policies, METROPOLIS CAPITAL Bank demonstrates its
commitment to maintaining a secure and resilient environment, safeguarding customer
information, and reducing risks to ensure the trust and confidence of its stakeholders.
Organizational policy tools
Organizational policy tools refer to the various methods, instruments, and approaches used
by an organization to establish, communicate, implement, and enforce its policies. These
tools are designed to guide the behavior and decision-making processes of individuals
within the organization, aligning them with the organization's goals, values, and regulatory
requirements.

Benefits of using organizational policy tools


Regulatory compliance - Policy tools help organizations comply with applicable laws,
regulations, and industry standards. By defining and communicating policies that align with
legal requirements, organizations can minimize legal and regulatory risks and demonstrate
their commitment to operating ethically and responsibly.

Risk management - Policies act as risk management tools by identifying potential risks
and outlining mitigation strategies. They help organizations proactively address risks and
establish controls to minimize the likelihood of incidents or adverse events. This, in turn,
protects the organization's reputation, financial stability, and overall well-being.

Clarity and communication - Policy tools enhance communication by clearly articulating
expectations, guidelines, and procedures to employees. They provide a shared
understanding of organizational values, objectives, and acceptable behavior, reducing
ambiguity and fostering a positive work environment.

Conflict resolution - Policies provide a framework for resolving conflicts and disputes
within the organization. When conflicts arise, employees can refer to policies to understand
the appropriate course of action, facilitating fair and objective resolutions.

Performance management and evaluation - Policies enable organizations to establish
performance criteria and evaluate employees based on adherence to policies and standards.
This promotes accountability, supports performance management processes, and facilitates
fair and consistent evaluations.

Continual improvement - Policy tools are not static; they can be reviewed and updated to
adapt to changing circumstances, emerging risks, and evolving business needs. Regularly
assessing and revising policies allows organizations to enhance their effectiveness, stay
current with industry best practices, and drive continual improvement.

Different types of tools used in an organizational policy


Network security tools for METROPOLIS CAPITAL Bank network protection
Table 23: Network security tools for METROPOLIS CAPITAL Bank network protection

| Network security tools | Description | Examples | How it helps the Bank |
|---|---|---|---|
| Firewall | A network security device that monitors and filters incoming and outgoing network traffic. | Cisco ASA, Palo Alto Networks Firewall | Prevents unauthorized access to the bank's network, protects against network-based attacks, and enforces security policies and controls. |
| Intrusion detection system | Detects and alerts on suspicious activities or potential threats within the network environment. | Snort, Suricata, IBM QRadar | Helps identify and respond to network-based threats such as hacking attempts, malware infections, and unauthorized access to sensitive data. |
| Virtual Private Network | Establishes secure remote connections over the public internet, ensuring encrypted data transmission. | OpenVPN, Cisco AnyConnect VPN | Enables secure remote access for bank employees and provides a secure connection for customers accessing online banking services from external networks. |
| Secure email gateway | Scans and filters incoming and outgoing emails for malicious attachments, spam, and phishing attempts. | Mimecast, Proofpoint, Symantec Email Security | Protects against email-based threats such as phishing attacks, malware distribution, and data leaks, safeguarding sensitive information and maintaining email security. |
| Network access control | Enforces security policies and controls user access to the network based on their credentials. | Cisco Identity Services Engine (ISE), Aruba ClearPass | Ensures that only authorized devices and users gain access to the bank's network, preventing unauthorized access and protecting against insider threats. |
| Vulnerability scanner | Identifies security vulnerabilities in network devices, applications, or systems for remediation. | Nessus, Qualys, OpenVAS | Identifies weaknesses or misconfigurations in the bank's network infrastructure, allowing timely patching and mitigation to protect against potential exploits. |

Password security tools for METROPOLIS CAPITAL Bank password protection


Table 24: Password security tools for METROPOLIS CAPITAL Bank password protection

| Password security tools | Description | Examples | How it helps the Bank |
|---|---|---|---|
| Password manager | A tool that securely stores and manages passwords, allowing users to generate strong, unique passwords and access them conveniently. | LastPass, Dashlane, KeePass | Simplifies password management for employees, encourages the use of strong passwords, reduces the risk of password-related security incidents and data breaches. |
| Two-Factor Authentication | Adds an extra layer of security by requiring users to provide an additional verification factor, such as a unique code or biometric information, in addition to their password. | Google Authenticator, Duo Security, RSA SecurID | Enhances login security by reducing the risk of unauthorized access even if passwords are compromised, providing an additional safeguard for sensitive data. |
| Password policy enforcer | A tool that enforces password policies, ensuring that users create strong passwords and regularly change them according to specified rules. | Microsoft Active Directory, Okta, One Identity | Maintains consistent password security standards across the organization, reduces the risk of weak or easily guessed passwords, and strengthens overall network security. |
| Password strength checker | Evaluates the strength of passwords by analyzing factors such as length, complexity, and resistance to common cracking methods. | zxcvbn, Password Checker API (Troy Hunt's service) | Helps users choose strong passwords by providing feedback on password strength and identifies potential vulnerabilities in the password selection process. |

Database security tools for METROPOLIS CAPITAL Bank


Table 25:Database security tools for METROPOLIS CAPITAL Bank

| Database security tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Database Encryption | Protects sensitive data by converting it into encrypted form, rendering it unreadable without the decryption key. | Microsoft SQL Server Transparent Data Encryption (TDE), Oracle Advanced Security | Safeguards sensitive data stored in the bank's databases, ensuring that even if the data is compromised, it remains encrypted and unusable to unauthorized individuals or attackers. |
| Database activity monitoring | Monitors and logs database activities to detect and alert on suspicious or unauthorized access or changes to data. | Imperva SecureSphere, IBM Guardium | Helps identify and respond to unauthorized access attempts, suspicious activities, and potential data breaches, providing real-time visibility into database activities. |
| Database Auditing | Captures and records detailed information about database activities, including user actions, data modifications, and access attempts. | Oracle Database Auditing, SQL Server Audit | Facilitates compliance with regulatory requirements, enables forensic investigations, and enhances accountability by providing an audit trail of database activities. |
| Database access controls | Manages and enforces granular access controls to restrict database access to authorized users and roles. | Oracle Database Vault, MySQL Access Control Policies | Ensures that only authorized individuals can access and modify data, reducing the risk of unauthorized changes or data breaches. |

Web application security tools for METROPOLIS CAPITAL Bank


Table 26:Web application security tools for METROPOLIS CAPITAL Bank

| Web application security tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Web application firewall | A security appliance or software that monitors and filters incoming and outgoing web application traffic, protecting against common web-based attacks. | ModSecurity, Imperva SecureSphere WAF | Reduces the risk of web-based attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF), enhancing overall application security. |
| Web application scanners | Automates the process of scanning and identifying security vulnerabilities in web applications. | Netsparker, Qualys Web Application Scanning (WAS) | Scans web applications for common vulnerabilities, such as injection attacks, insecure authentication, and sensitive data exposure, enabling timely remediation actions. |
| Secure code review | Manual or automated review of the source code to identify security vulnerabilities and coding best practices. | Secure Code Warrior, Veracode Static Analysis | Helps identify and fix security flaws, weaknesses, and insecure coding practices in the web application codebase, improving overall security posture. |
| Web session management | Ensures the secure management and handling of user sessions, including session authentication, tracking, and termination. | OWASP Session Management Cheat Sheet, Spring Session | Protects user sessions from session hijacking, session fixation, and other session-related attacks, maintaining the confidentiality and integrity of user interactions. |

Encryption security tools for METROPOLIS CAPITAL Bank
Table 27:Encryption security tools for METROPOLIS CAPITAL Bank

| Encryption security tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Full disk encryption | Encrypts entire storage devices, such as hard drives or SSDs, protecting data at rest from unauthorized access. | BitLocker, FileVault, VeraCrypt | Safeguards sensitive data stored on devices, preventing unauthorized access to data in the event of theft or loss. |
| Database encryption | Encrypts data within a database, protecting sensitive information from unauthorized access or disclosure. | Microsoft SQL Server Transparent Data Encryption (TDE), Oracle Advanced Security | Provides an additional layer of protection for sensitive customer data stored in databases, ensuring its confidentiality even if the database is compromised. |
| File transfer encryption | Encrypts files or data during transit between systems or parties, preventing unauthorized access or interception. | SFTP (Secure File Transfer Protocol), FTPS (FTP over SSL/TLS) | Secures the transfer of sensitive files or data to external systems, ensuring their confidentiality and integrity throughout the transfer process. |

Email security tools for METROPOLIS CAPITAL Bank
Table 28:Email security tools for METROPOLIS CAPITAL Bank

| Email security tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Spam filters | Filters incoming emails to identify and block unsolicited or malicious messages, such as spam or phishing attempts. | Proofpoint, Symantec Email Security, Barracuda | Reduces the risk of employees falling victim to phishing attacks, prevents the delivery of malicious content, and improves overall email hygiene. |
| Email encryption | Encrypts email messages and attachments to ensure the confidentiality and integrity of sensitive information during transit. | Mimecast Secure Email Gateway, ZixEncrypt | Protects the privacy of sensitive data shared via email, ensuring that only authorized recipients can access the encrypted content. |
| Email authentication | Implements protocols and techniques to verify the authenticity of incoming emails, reducing the risk of email spoofing or impersonation. | SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting, and Conformance) | Prevents email spoofing, strengthens email sender reputation, and reduces the risk of phishing and other email-based attacks targeting bank employees or customers. |

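The email authentication row above names SPF and DMARC as the controls against spoofing. The following added example (not part of the original report) audits published SPF and DMARC records for settings that leave a domain spoofable; the domain names, records and function names are constructed for illustration.

```python
"""Offline audit of SPF and DMARC TXT records for spoofing-friendly settings.

Added example: the domains and records below are constructed samples.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Return findings for one SPF record; None means nothing is published."""
    if record is None:
        return ["SPF: no record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, names, all_qualifier = [], [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        names.append(name)
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier
    if all_qualifier is None and "redirect" not in names:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: +all authorizes every host to send for the domain")
    elif all_qualifier == "?":
        findings.append("SPF: ?all gives unlisted senders a neutral result")
    # Lookups inside included records also count; only this record is visible here.
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    return findings


def audit_dmarc(record):
    """Return findings for the TXT record at _dmarc.<domain>; None means absent."""
    if record is None:
        return ["DMARC: no record published"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces the policy on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings


def audit_domains(records):
    """Map each domain to its combined SPF and DMARC findings."""
    return {
        domain: audit_spf(txt.get("spf")) + audit_dmarc(txt.get("dmarc"))
        for domain, txt in records.items()
    }


# Constructed sample records (reserved .example names, documentation IP range).
SAMPLE_RECORDS = {
    "bank.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    },
    "alerts.bank.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "legacy.bank.example": {"spf": "v=spf1 +all", "dmarc": None},
    "promo.bank.example": {
        "spf": "v=spf1 mx ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank.example",
    },
}

if __name__ == "__main__":
    for domain, findings in audit_domains(SAMPLE_RECORDS).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```
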
Network monitoring security tools for METROPOLIS CAPITAL Bank
Table 29:Network Monitoring Security Tools for METROPOLIS CAPITAL Bank

| Network monitoring security tool | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Intrusion Detection System (IDS) | Monitors network traffic and detects unauthorized or malicious activities by analyzing network packets. | Snort, Suricata, Cisco Firepower | Detects and alerts on suspicious network behavior, such as intrusion attempts, malware activity, or unauthorized access, allowing prompt response and mitigation of potential security incidents. |
| Intrusion Prevention System (IPS) | Like IDS, but also takes active measures to block or prevent detected intrusions or malicious activities. | Palo Alto Networks Next-Generation Firewall, Fortinet IPS | Provides real-time prevention and response capabilities by actively blocking malicious network traffic or connection attempts, preventing potential security breaches. |
| Network Traffic Analyzer | Captures and analyzes network traffic to provide insights into network usage, performance, and security. | Wireshark, SolarWinds Network Performance Monitor | Identifies network anomalies, potential security threats, and performance issues, enabling proactive monitoring, troubleshooting, and optimizing network infrastructure. |

Video surveillance security tools for METROPOLIS CAPITAL Bank
Table 30:Video surveillance security tools for METROPOLIS CAPITAL Bank

| Video surveillance tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| IP cameras | Network-connected cameras that capture and transmit video footage over an IP network. | Axis Communications, Hikvision, Dahua Technology | Provides high-quality video surveillance with advanced features such as high resolution, remote access, motion detection, and integration with other security systems. |
| Video Management System (VMS) | Software platform that manages and controls multiple IP cameras, allowing viewing, recording, and analysis of video footage. | Milestone XProtect, Genetec Security Center, Avigilon Control Center | Centralizes video management, enabling real-time monitoring, video playback, video analytics, and integration with access control and alarm systems for effective security management. |
| PTZ (Pan-Tilt-Zoom) Cameras | Cameras that can be remotely controlled to pan, tilt, and zoom, providing flexibility in monitoring different areas and focusing on specific points of interest. | Bosch PTZ cameras, Sony PTZ cameras | Offers increased situational awareness and the ability to closely monitor specific areas or objects, allowing security personnel to respond promptly to potential security threats or incidents. |

Incident response security tools for METROPOLIS CAPITAL Bank
Table 31:Incident Response Security Tools for METROPOLIS CAPITAL Bank

| Incident response security tools | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Forensic analysis tools | Analyzes and investigates security incidents, collecting and analyzing digital evidence from systems and networks to determine the root cause and impact of the incident. | EnCase Forensic, Volatility, Autopsy | Facilitates incident investigation and digital forensics, allowing banks to identify the cause of security incidents, gather evidence for legal purposes, and support incident response and post-incident analysis. |
| Communication and Collaboration Tools | Facilitates effective communication and collaboration among incident response team members during the incident response process. | Slack, Microsoft Teams, Atlassian Jira | Enables real-time communication, information sharing, task assignment, and collaboration among incident response team members, promoting efficient and coordinated incident response efforts. |
| Security Orchestration, Automation, and Response (SOAR) | Automates and streamlines incident response processes by integrating various security tools, orchestrating actions, and automating repetitive tasks. | Palo Alto Networks Cortex XSOAR, IBM Resilient, Splunk Phantom | Enables efficient incident response by automating incident triage, enrichment, and response actions, improving response time, and reducing the manual effort required during incident investigations and mitigation. |

User authentication tools for METROPOLIS CAPITAL Bank


Table 32:User Authentication tools for METROPOLIS CAPITAL Bank

| User authentication | Description | Examples | How it helps the Bank |
| --- | --- | --- | --- |
| Password-Based Authentication | The most common form of authentication that relies on a combination of a username and password. | Active Directory, LDAP, Okta, Microsoft Azure AD | Verifies user identity using unique usernames and passwords, ensuring authorized access to systems, applications, and sensitive data. |
| Two-Factor Authentication (2FA) | Requires users to provide two separate factors for authentication, such as a password and a one-time verification code. | Google Authenticator, Duo Security, RSA SecurID | Enhances security by adding an additional layer of authentication, reducing the risk of unauthorized access even if the password is compromised. |
| Multi-Factor Authentication (MFA) | Similar to 2FA, but allows the use of multiple factors, such as passwords, biometrics, hardware tokens, or mobile devices. | YubiKey, Microsoft Authenticator, Symantec VIP | Strengthens user authentication by combining multiple factors, providing increased assurance of user identity and reducing the risk of unauthorized access to sensitive systems and data. |

Conclusion
The tables above outline a comprehensive range of security tools and technologies that can
greatly enhance the security measures at METROPOLIS CAPITAL Bank. By
implementing these tools, the bank can establish a robust security infrastructure to
safeguard its network, databases, web applications, encryption, email communications,
video surveillance systems, incident response capabilities, and user authentication
processes. The adoption of network security tools such as intrusion detection and
prevention systems, network traffic analyzers, and DDoS protection mechanisms ensures
the integrity and availability of the bank's network resources, preventing unauthorized
access and reducing potential cyber threats. Utilization of encryption security tools
safeguards sensitive data from unauthorized disclosure, protecting both the bank and its
customers from data breaches and compliance violations.
The implementation of web application security tools, including web application firewalls,
vulnerability scanners, and secure coding practices, helps reduce the risk of web-based
attacks, such as SQL injections and cross-site scripting. This ensures the confidentiality,
integrity, and availability of online banking services and customer data, instilling trust and
confidence among users. Database security tools, such as database firewalls, access
controls, and database activity monitoring, safeguard main financial and customer
information stored in databases, reducing the risk of unauthorized access or data
manipulation. Video surveillance tools, including IP cameras, video management systems,
and video analytics, provide comprehensive monitoring and analysis of the bank's physical
premises, ensuring the safety of employees, customers, and assets. This enables proactive
threat detection, incident investigation, and preventive measures.
The incident response security tools, including SIEM, SOAR, and forensic analysis tools,
enable the bank to detect and respond swiftly to security incidents, minimizing the impact
and recovery time. By leveraging threat intelligence platforms, the bank can stay informed
about emerging threats and proactively adapt its security posture. User authentication tools
such as two-factor authentication, biometric authentication, and single sign-on enhance the
bank's access control mechanisms, ensuring that only authorized individuals can access
critical systems and data. This helps prevent unauthorized account access, protects against
identity theft, and strengthens the overall security posture. By prioritizing security
measures, the bank can instill trust and confidence among customers, maintain regulatory
compliance, and safeguard its reputation in the financial industry.

Presentation of METROPOLIS CAPITAL Bank’s Disaster Recovery Plan


METROPOLIS CAPITAL Bank’s Disaster Recovery Plan

Figure 21:Slide 1

In this presentation, I introduce myself and present the title of the slideshow.

Figure 22:Slide 2

The slide above displays the contents of the Disaster recovery plan presentation for
METROPOLIS CAPITAL Bank.

Figure 23:Slide 3

This presentation slide explains that disasters occur when there is a combination of risks,
encompassing both the likelihood of an event and its potential impact, along with
vulnerabilities. These risks can arise from natural, man-made, and technological hazards,
as well as other societal factors that influence vulnerability.

Figure 24:Slide 4

The presentation slide provides an overview of different types of natural disasters. It briefly
describes each disaster and its potential impact. By including tornadoes, tsunamis, floods,
and wildfires, the slide covers a range of natural disasters that can occur due to various
environmental factors. This content serves to create awareness about the different types of
natural disasters and their destructive consequences, highlighting the need for preparedness
and mitigation measures.

Figure 25:Slide 5

The presentation slide provides a concise overview of man-made disasters. It highlights the
various types of man-made disasters, including cyber-attacks, transportation accidents, oil
spills, and building collapses. This information is important because it emphasizes that
disasters can occur because of human actions, both accidental and intentional, and
demonstrates the need for preventive measures, safety protocols, and responsible practices
to reduce the risks associated with such events.

Figure 26:Slide 6

This presentation slide explains that a disaster recovery plan is important because it provides organizations
with a strategic roadmap to minimize the impact of unforeseen incidents, ensuring business
continuity and timely recovery. It emphasizes the importance of preparedness and
highlights the significance of having a well-defined plan in place.

Figure 27:Slide 7

The slide highlights several advantages of having a disaster recovery plan, encompassing
its diverse range of benefits. A disaster recovery plan is essential for businesses as it reduces
downtime, improves business continuity, meets regulatory requirements, and enhances
customer satisfaction. By having a plan in place, major systems and data can be restored
quickly, ensuring uninterrupted operations. Compliance with regulations instills trust in
stakeholders, while customer satisfaction is increased as they can rely on uninterrupted
services and data availability during disasters.

Figure 28:Slide 8

This presentation slide covered the main components of a Disaster Recovery Plan (DRP)
in a concise and informative manner. Each component, such as risk assessment, emergency
response, data backup, infrastructure recovery, and others, was justified because they
addressed critical aspects of disaster recovery. The inclusion of vendor and supplier
management, testing and training, communication, regulatory compliance, and plan
maintenance highlighted the comprehensive nature of the DRP to ensure effective
preparedness and response in the face of potential disasters.

Figure 29:Slide 9

This presentation slide provided a comprehensive risk assessment that thoroughly
identified potential threats and vulnerabilities to the bank. The evaluation of each risk
considered its potential impact on various features of the bank's operations, such as
financial, operational, reputational, and regulatory impacts. By prioritizing risks based on
their likelihood and potential consequences, the bank was able to allocate resources
effectively and address the most significant risks proactively.

Figure 30:Slide 10

This presentation slide included detailed emergency response procedures, defined roles and
responsibilities for key personnel, established communication protocols, and emphasized
the importance of incident reporting mechanisms. This content was justified as it aimed to
ensure immediate and effective response actions during disasters or disruptions, facilitate
coordinated efforts among team members, ensure timely and accurate information sharing,
and enable post-incident analysis for continuous improvement.

Figure 31:Slide 11

This presentation slide provided a comprehensive justification for implementing a robust
data backup strategy. It emphasized the importance of regular backups of important data to
minimize the risk of data loss. Storing backups in off-site locations ensured availability in
case of on-site failures or disasters. The establishment of efficient data restoration
procedures and tools aimed to minimize downtime and data loss during recovery. Regular
testing of the data recovery process verified its effectiveness, ensuring a reliable and
effective backup system.

Figure 32:Slide 12

This presentation slide provided a detailed plan for recovering the bank's IT
infrastructure, including servers, networks, databases, and other essential systems. It
defined recovery time objectives (RTOs) and recovery point objectives (RPOs) to
determine acceptable downtime and data loss thresholds. The inclusion of redundancy and
failover mechanisms ensured continuous availability of critical systems. Alternative site
arrangements such as hot sites, cold sites, or cloud-based solutions were proposed to resume
operations in the event of a physical site failure. The justification highlighted the
comprehensive approach taken to mitigate risks and minimize disruptions to the bank's
operations.
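Slides 11 and 12 call for regular backups, off-site copies, restore testing, and defined RTOs and RPOs. The added example below (not part of the original report) checks a backup log and restore drills against such targets; the system names, target values and log entries are constructed, since the report gives no figures.

```python
"""Check a backup log and restore drills against RPO and RTO targets.

Added example: the systems, targets and log entries are constructed samples.
"""
from datetime import datetime, timedelta


def at(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def worst_gap(copy_times, now):
    """Longest stretch without a new restorable copy, up to 'now'.

    A disaster at the end of that stretch loses that much data, so this is
    the value to compare with the RPO. Returns None when no copy exists.
    """
    points = sorted(copy_times)
    if not points:
        return None
    points.append(now)
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def check_objectives(objectives, backup_log, drills, now):
    """Return {system: [findings]} for every system that has objectives."""
    report = {}
    for system, goal in objectives.items():
        findings = []
        good = [(done, offsite) for name, done, ok, offsite in backup_log
                if name == system and ok]
        scenarios = (
            ("any copy", [done for done, _ in good]),
            # Losing the primary site leaves only the off-site copies.
            ("off-site copy", [done for done, offsite in good if offsite]),
        )
        for label, times in scenarios:
            gap = worst_gap(times, now)
            if gap is None:
                findings.append(f"RPO ({label}): no successful backup on record")
            elif gap > goal["rpo"]:
                findings.append(f"RPO ({label}): worst gap {gap} exceeds {goal['rpo']}")
        runs = [(when, took) for name, when, took in drills if name == system]
        if not runs:
            findings.append("RTO: no restore drill on record")
        else:
            took = max(runs)[1]  # duration of the most recent drill
            if took > goal["rto"]:
                findings.append(
                    f"RTO: last restore drill took {took}, objective is {goal['rto']}"
                )
        report[system] = findings
    return report


# Constructed targets: the report names RTO and RPO but states no values.
OBJECTIVES = {
    "core-banking-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=2)},
    "file-share": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
}

# Constructed log: (system, finished, succeeded, stored_offsite)
BACKUP_LOG = [
    ("core-banking-db", at("2024-03-01 00:00"), True, True),
    ("core-banking-db", at("2024-03-01 01:00"), True, False),
    ("core-banking-db", at("2024-03-01 02:00"), False, False),  # failed job
    ("core-banking-db", at("2024-03-01 03:00"), True, False),
    ("core-banking-db", at("2024-03-01 04:00"), True, True),
    ("file-share", at("2024-02-28 22:00"), True, True),
    ("file-share", at("2024-02-29 22:00"), True, True),
]

# Constructed restore drills: (system, date, time taken to restore)
RESTORE_DRILLS = [
    ("core-banking-db", at("2024-02-15 09:00"), timedelta(hours=1, minutes=30)),
    ("file-share", at("2024-02-10 09:00"), timedelta(hours=9)),
]

NOW = at("2024-03-01 04:30")

if __name__ == "__main__":
    for system, findings in check_objectives(
            OBJECTIVES, BACKUP_LOG, RESTORE_DRILLS, NOW).items():
        print(system, "meets objectives" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The single failed 02:00 job doubles the exposure for the database, and counting only off-site copies widens it to four hours, which a check of "did last night's backup run" would not reveal.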

Figure 33:Slide 13

This presentation slide focused on justifying the importance of implementing business
continuity procedures. It emphasized the need to identify critical business functions,
develop relocation strategies, ensure access to resources, and establish temporary
communication channels. This was done to ensure that operations could continue
seamlessly during a disaster, enabling effective coordination among employees and
stakeholders.

Figure 34:Slide 14

This presentation slide provided an overview of the key elements of vendor and supplier
management, focusing on assessing resilience and recovery capabilities, establishing
agreements for disaster recovery, maintaining communication and coordination, and
developing alternative sourcing strategies. This content was justified as it helped
organizations minimize the risks of disruptions caused by vendor or supplier failures,
ensuring business continuity, and reducing potential impacts on operations.

Figure 35:Slide 15

This presentation slide justified the need for regular testing and simulation exercises to
evaluate the effectiveness of the disaster recovery plan. By simulating various disaster
scenarios, the organization was able to assess its response and recovery capabilities.
Identifying areas for improvement and updating the plan based on lessons learned from
testing ensured that the plan remained robust. Providing training to employees on their roles
and responsibilities during a disaster enhanced overall preparedness.

Figure 36:Slide 16

The comprehensive communication plan addressed internal and external stakeholders by
providing clear channels of communication. Primary and alternate communication
channels were established for various scenarios, ensuring effective communication during
disruptions. Protocols were defined for communicating with employees, customers,
regulators, and the media, enabling timely and accurate information dissemination.
Spokespersons were designated, and guidelines were established for managing public
relations, promoting efficient crisis management, and maintaining a positive image.

Figure 37:Slide 17

The inclusion of regulatory and compliance considerations in the disaster recovery plan
was justified as it ensured adherence to industry regulations and legal requirements. By
staying informed about regulatory changes and updating the plan accordingly, the
organization demonstrated its commitment to compliance. Documenting compliance
measures and maintaining necessary records and documentation allowed for successful
audits and regulatory inspections.

Figure 38:Slide 18

The presented content emphasized the importance of regularly reviewing and updating the
disaster recovery plan to adapt to evolving technology, operations, and risks. Conducting
periodic drills and exercises ensured the plan's effectiveness, while audits identified any
gaps or areas for improvement. Continuous monitoring of emerging threats allowed for
timely adjustments to the plan, ensuring preparedness for potential disasters.

Figure 39:Slide 19

The slide highlights the four phases of a disaster recovery plan, which every organization
experiences at some point. Gaining knowledge about these phases enables organizations to
effectively prepare for and respond to crises. By making informed decisions, organizations
enhance their chances of survival and recovery after an unexpected event, increasing their
overall resilience.

Figure 40:Slide 20

In the mentioned slide, the focus was on the mitigation phase of the disaster recovery plan,
where the primary objective for the organization was to minimize vulnerability to the
impacts of disasters, including property damage, injuries, and loss of life. Mitigation is
important for minimizing the devastating consequences of disasters. By fortifying buildings
through updated building codes, implementing effective land use management strategies,
and strengthening public infrastructure, communities can enhance their resilience. These
proactive measures significantly reduce vulnerabilities, preventing injuries, loss of life, and
property damage. The content of the presentation slide highlights the importance of
mitigation in safeguarding communities and promoting their long-term sustainability.

Figure 41:Slide 21

The presentation slide focused on justifying the content of the preparedness phase for
potential disasters. The justification highlighted the importance of this phase in terms of
developing emergency response plans, conducting drills and exercises, stockpiling
necessary supplies, and training personnel. These proactive measures were essential in
ensuring an effective and efficient response to any future disaster situations that may arise.

Figure 42:Slide 22

The presentation slide provided a concise overview of the response phase during a disaster.
It highlighted the essential actions taken to safeguard lives and assets, including
evacuations, search and rescue missions, emergency medical aid, and the mobilization of
resources for relief operations. The content accurately portrayed the immediate measures
undertaken in response to a disaster, aiming to reduce the impact and provide necessary
support to affected communities.

Figure 43:Slide 23

The presentation slide included information on the recovery phase, which focused on the
actions taken after the immediate crisis had subsided. The justification for this content was
to emphasize the importance of restoring essential services, repairing infrastructure, and
aiding affected individuals and communities. By facilitating the return to normalcy, the
recovery phase aimed to address the aftermath of the crisis and support the affected areas
in their recovery process.

Figure 44:Slide 24

The justification for the content of the presentation slide is that it accurately summarized
the disaster recovery plan for METROPOLIS CAPITAL Bank. It outlined the bank's
comprehensive strategy, including risk identification, preventive measures, response and
recovery protocols. The emphasis on prioritizing essential services, infrastructure, and
customer support demonstrated the bank's commitment to minimizing disruptions and
ensuring continuity during unforeseen events. The slide effectively conveyed the bank's
dedication to safeguarding operations and serving customers in challenging circumstances.

Figure 45:Slide 25

The final slide of the presentation included a questionnaire for the audience and expressed
gratitude for their participation.

Stakeholder
A stakeholder is either an individual, group or organization that’s impacted by the outcome
of a project or a business venture. Stakeholders have an interest in the success of the project
and can be within or outside the organization that’s sponsoring the project. Stakeholders
are important because they can have a positive or negative influence on the project with
their decisions. There are also critical or key stakeholders, whose support is needed for the
project to exist (Landau, 2022).
Types of stakeholders
Internal stakeholders
Internal stakeholders, also called primary stakeholders, are entities with a direct interest or
influence in a company, as all the processes and results of the company's operations also
affect them. An example of internal stakeholders are employees of a company and its
owners or investors (Maddevs.io, 2022).
Internal stakeholders of METROPOLIS CAPITAL Bank and their roles and
descriptions
| Internal stakeholder | Role | Description |
| --- | --- | --- |
| Senior executive staff | Decision makers | Responsible for strategic decision-making and overall management of the bank. |
| HR department | Human resources | Manages employee-related matters, including recruitment, training, and performance evaluation. |
| Technical support team | IT support | Provides technical support for customers and manages IT infrastructure and systems. |
| Customer services | Frontline services | Handles customer inquiries, transactions, and issue resolution. |
| Supply chain management | Vendor management | Oversees contracts, agreements, and relationships with IT service vendors. |
| IT department | IT operations | Manages and maintains the bank's IT infrastructure, systems, and security measures. |
| Operations department | Banking operations | Handles day-to-day banking operations, including transactions, account management, and reconciliation. |
| Compliance department | Regulatory compliance | Ensures the bank's operations comply with government and Central Bank regulations. |
| Finance department | Financial management | Manages financial features of the bank, including budgeting, accounting, and financial reporting. |
| Security department | Physical and cybersecurity | Implements and monitors security measures to protect the bank's assets, data, and facilities. |

Table 33: Internal stakeholders of METROPOLIS CAPITAL Bank and their roles and descriptions

External stakeholders
External stakeholders are people or factors that operate outside of the internal affairs of the
business but still experience risk based on the business's performance. For example,
customers can be external stakeholders for any business. Because the customer experiences
risk based on the performance of the business, they fall under the category of external
stakeholder (Indeed.com, 2022).

| External stakeholder | Role | Description |
|---|---|---|
| Customers | Customers are individuals or entities who use the banking services provided by METROPOLIS CAPITAL Bank. | Customers engage with the bank to open accounts, perform financial transactions, access online and mobile banking, seek loans or credit facilities, and utilize other banking services. |
| Government authorities and regulators | Government authorities and regulators oversee the banking industry and enforce rules and regulations to ensure compliance and stability. | Government authorities and regulators, such as the Central Bank, set guidelines, monitor the bank's operations, and ensure adherence to legal and regulatory requirements. They safeguard the interests of customers and maintain the integrity of the financial system. |
| IT service vendors | IT service vendors are external companies that provide various technology-related services and support to METROPOLIS CAPITAL Bank. | IT service vendors offer services such as software development, infrastructure management, network connectivity, security solutions, and technical support. They help the bank maintain its IT systems, ensure smooth operations, and enhance cybersecurity measures. |
| Local and foreign business partners | Local and foreign business partners collaborate with METROPOLIS CAPITAL Bank for various business-related activities. | Business partners could include other financial institutions, vendors, suppliers, or service providers. They may offer joint ventures, partnerships, or specialized services to the bank, contributing to its overall operations and service delivery. |
| General public and shareholders | The public and shareholders have an interest in the bank's operations, reputation, and financial performance. | The public comprises potential customers, local communities, and society at large. Shareholders are individuals or entities who own shares in METROPOLIS CAPITAL Bank. Both stakeholders have an interest in the bank's success, corporate social responsibility initiatives, and financial stability. |
| Auditors and external consultants | Auditors and external consultants provide independent assessments, evaluations, and recommendations to ensure compliance and improve business practices. | Auditors conduct internal and external audits to assess the bank's financial statements, internal controls, and adherence to regulations. External consultants may be engaged for specialized advice on risk management, compliance, process improvement, or IT security. |
Table 34: External Stakeholders of METROPOLIS CAPITAL Bank and Their Roles

Conclusion
METROPOLIS CAPITAL Bank has a wide range of internal and external stakeholders that
play major roles in the bank's operations and success. Internal stakeholders, such as
employees and management, are responsible for providing banking services, ensuring
smooth operations, and maintaining the bank's reputation. External stakeholders contribute
to the bank's ecosystem by engaging in partnerships, regulatory oversight, and providing
essential services. Customers are an important external stakeholder group, as they utilize
the bank's services and drive its business. Government authorities and regulators enforce
rules and regulations, ensuring compliance and stability within the banking industry. IT
service vendors offer technology-related services and support, enabling the bank to
maintain its IT infrastructure and security. Local and foreign business partners collaborate
with METROPOLIS CAPITAL Bank for various business activities, expanding the bank's
reach and capabilities. The supply chain management officer manages vendor relationships
and contracts to ensure smooth operations and service delivery. The public and
shareholders have a vested interest in the bank's success, reputation, and financial
performance. Auditors and external consultants provide independent assessments and
guidance to improve compliance, business practices, and efficiency. By recognizing and
engaging with these internal and external stakeholders, METROPOLIS CAPITAL Bank
can foster strong relationships, enhance operational efficiency, and maintain compliance
with regulations.

