Week 2 assignment – operational security
Scenario: There was a surge of attacks on banks where the attackers were targeting card processing in Eastern Europe. Having penetrated the bank’s infrastructure, criminals obtained access to card processing systems and transferred funds from multiple accounts. They also disabled antifraud systems that would ordinarily notify the bank of fraudulent transactions. Simultaneously, their accomplices were withdrawing cash from ATMs in another country.
The bank’s infrastructure contained the following:
The company runs open-source database, e-mail, and web servers. Employees can access the network via desktop computers that are available in the main office or by using their personal devices. The main office uses the Wired Equivalent Privacy (WEP) protocol to secure its wireless network. When training at the main office, volunteers access the Internet via the wireless network. Passwords are not required to be changed, and some employees have been using the same access credentials since joining the organization. Although the employee handbook includes a policy on acceptable use and password maintenance, these policies have never been enforced and have not been updated in years. The employee handbook also states the organization’s security goal to maintain the confidentiality, integrity, and accessibility of the customer data.
Identify at least 2 federal regulations that were violated and 2 industry-standard frameworks that address protecting PII. For each, explain how it covers what a bank is required to do to remain in compliance, and support your claims with examples from the case study.