Creating Policies for Systems and Web Services
You have been hired as a security consultant to develop policies that document the minimum security requirements for Regional Bank covering its financial system and customer-facing online web service.
Part 1: Regional Bank Financial Software System (RBFSS)
Regional Bank has an accounting system that tracks its revenue, accounts receivable, accounts payable, and employee payroll.
Write a 2- to 3-page security policy for RBFSS in which you describe:
- Access control-based user roles for each component (accounts receivable, accounts payable, employee payroll)
- Password requirements and protection
- Password protected screen savers
- Data encryption at rest
Annotate each security control with at least one Critical Security Control (CSC) from the Center for Internet Security (CIS).
Part 2: Regional Bank Financial Software System (RBFSS)
Regional Bank has an online web-based service for its customers that allows for online banking.
Write a 1- to 2-page security policy for the RBFSS web-based online banking system that includes a brief description of the following security controls:
- Authentication method for customers to log in
- Encryption of data in transit
- Web browser security
- Deployment of anti-malware software
Annotate each security control with at least one Critical Security Control (CSC) from the Center for Internet Security (CIS).
Annotate at least one OWASP Top 10 security risk that could be associated with each of the security controls above.