Hi, I have attached the IS original document which I was working on; you will find the ISSP and EISP policy in that document. I want you to answer the question in the first file according to the IS original file.


Develop an effective enterprise information security policy (EISP) and issue-specific security policy (ISSP) for Flagstar Bank, as it recently encountered a PII data breach due to a vulnerable third-party file sharing application.

Table of Contents

Introduction

EISP of Flagstar

The background of Flagstar

The organizational structure

The structure of the information security office

The IT/IS infrastructure

1. Flagstar Bank's information security policies

2. Procedures

3. Programs

4. Control

5. Open issues

The ISSP of Flagstar

Federal, state, or local cybersecurity or computer laws and regulations, industrial standards

Access Control, Telecommunications and Network Security, Information Security Governance & Risk Management, Software Development Security

Investigations and Compliance

References

Appendix 1: Team Charter

Introduction

On January 22, 2021, US-based bank and mortgage lender Flagstar Bank disclosed that it had suffered a data breach after the Clop ransomware gang hacked its Accellion file transfer server in January of that year. In December, cybercriminals affiliated with the Clop ransomware gang began exploiting vulnerabilities in Accellion FTA, a product used by organizations to share sensitive files with people outside of their organization. On January 22, 2021, Accellion informed Flagstar that its platform had a vulnerability and that a breach had occurred. Flagstar permanently discontinued the use of the file-sharing system after being informed of the issue. Researchers found that the threat group who stole Flagstar's information from Accellion FTA was not using the December zero-day vulnerability, which had already been patched, but rather a new vulnerability that was discovered in January. After the data was stolen, Flagstar received a ransom note demanding payment in bitcoin, failing which the data would be released to the public.

Figure 1 - Example Accellion ransom note received by victims

Ransom demands associated with Accellion attacks have ranged as high as $10 million in bitcoin.

After Flagstar began notifying victims of the data breach, the Clop ransomware gang released screenshots of stolen data with a warning that it had stolen a lot more personal data.

The shared screenshots illustrate the types of sensitive customer and employee information stolen, including social security numbers, names, addresses, phone numbers, and tax records.

Figure 2 - Screenshots of Flagstar data shared on the Clop ransomware site

The ransomware gang has only shared a few screenshots of stolen data; as Flagstar is a bank and mortgage lender, it should be assumed that the threat actors stole further documents containing sensitive information.

Based on the numerous Accellion data leaks published by the Clop gang, they are behind all of these attacks and will continue to publish stolen data as victims disclose their attacks.

Unfortunately, this means we will likely see further data breaches associated with Accellion FTA hacks soon.

Flagstar's recent security breach was attributed to the exploitation of a vulnerability in Accellion, a partner of Flagstar that offers a secure file-sharing product called FTA. On December 23 of the previous year Accellion suffered a cyberattack, which it claimed to have remediated with a patch update; it notified its customers, added new fraud monitoring capabilities, and flagged attack anomalies. Accellion highlighted that FTA was 20-year-old software and that it had constantly encouraged its customers to upgrade to its newer software, which has a more robust security architecture.

EISP of Flagstar

The background of Flagstar

Flagstar is headquartered in Troy, Michigan and has branches in Ohio, Indiana, and Wisconsin. Flagstar Bank offers home loans and commercial and retail banking services across all states through a network of wholesale brokers and 87 retail physical offices. It is an NYSE-listed bank with over 1.1 million borrowers.

The business model of Flagstar is to maintain sustainable and predictable earnings and to thrive with minimal impact in a fluctuating interest-rate environment through its mix of businesses. When interest rates are low, business units such as mortgage originations, mortgage subservicing and warehouse lending compensate for the reduced net-interest margins; when interest rates are high, units such as commercial and consumer lending provide the offset. The vision and STAR values highlighted below guide them to serve their customers and employees through a set of principles and values.

Figure 3- Vision and STAR values of Flagstar from their website


The organizational structure

Layers of administration: tellers, supervisors, managers, financial managers, branch manager, salespersons, IT technicians, security officers, CISO, CEO.

Departments: Financial Department, IT Department, R&D Department, Credit Department, Corporate Banking, Risk Management Department, Audit & Inspection.

The relationship to the IS/IT department: different layers of administration work on different parts of the information systems and information technology. For example, all managers work with IT to increase sales and to prepare plans for submission to higher-ups (the CEO) for company growth; this can include new equipment (computers, machines, and other technology needed for banking). The IS department comprises employees such as IT technicians, security officers and the CISO, all of whom are responsible for keeping security and firewall protections up to date to help prevent attacks.

The structure of the information security office:

The infosec team is a centrally located team.

CISO - chief information security officer - responsible for developing and implementing an information security program (this includes the procedures and policies designed to protect enterprise communications from internal and external threats).

Information security managers - responsible for developing and managing information systems cyber security, including disaster recovery, database protection and software development.

Information security analysts - monitor the organization's networks for security breaches and investigate a violation when one occurs.

Information security staff - this includes IT technicians and IS officers (they monitor IT systems for threats to security, establish protocols for identifying and containing/removing threats, and keep antivirus software up to date).

The IT/IS infrastructure

The type of network (e.g., Internet, internal network, wireless): Flagstar Bank's environment involves a wide array of components, from employee laptops and desktops, software applications, customizable dashboards and self-service kiosks to the mobile app, which Flagstar also uses to approve transactions and gain visibility into financial status. Flagstar exports activity data directly into financial management software applications. The bank also has hosting networks, networking and cabling linking offices around the world, Internet of Things (IoT) devices, sophisticated enterprise tools and data centers.

The number of workstations: each branch has multiple workstations. These include around 3-4 for bank tellers, 1 or 2 for financial advisors/managers handling home and car loans, and the office of the branch manager. Salespersons, IT technicians and security officers each probably have a designated workstation at headquarters but also need a "mobile" workstation to work at each branch when needed. The CISO and CEO each have an office at headquarters.

The software platform (e.g., the operating system), major business applications, major database management systems and vendors of the technologies and the systems.

IT/IS use

Flagstar uses a third-party company called Accellion, which operates a file-sharing platform used by Flagstar (and other companies) to store sensitive information about customers and employees, such as social security numbers, phone numbers, and addresses. This helps Flagstar by giving the responsibility for this information to someone else, so that when a breach occurs they are not the party at fault. It is also an example of using outside resources to better the company.

Current information security services:

Protection of Information by Securing Networks

Policy

Information must be protected in accordance with its sensitivity, value and criticality by securing networks.

Commentary

This policy covers all the critical elements necessary for assuring the protection of Flagstar Bank's IT networks and systems. The policy is focused on defining, analyzing, and monitoring the security of the network. In particular, the policy addresses network security risk by scanning for vulnerabilities and keeping security applications such as firewalls, proxies and antivirus software up to date.

Protection of Information by Securing Applications

Policy

Information must be protected by securing applications during their whole development cycles.

Commentary

This policy is required to develop and maintain software, applications and add-on modules from time to time. Proper procedures, access controls and security requirements are addressed throughout the entire process. Application security is generally designed for risks that arise out of application-based vulnerabilities. Flagstar Bank's policy defines strategies to address risks associated with any application that could potentially be exploited, with all applications categorized according to how critical they are and how sensitive the data they contain is.

Information handling and usage

Policy

Information must be handled and used with proper caution and in accordance with applicable rules and regulations.

Commentary

This policy provides guidelines that Flagstar Bank follows to ensure secure information processing and handling. To protect information, this Flagstar Bank policy also advises customers and employees on how to handle assets carefully, such as shredding all unnecessary financial documents, retrieving incoming mail from the mailbox quickly, going paperless, and signing up for online statements, direct deposit, and bill pay.

Managing Risks

Policy

Activities must be set up that are aimed at lowering the level of cyber-attack risks and data breaches of Flagstar Bank.

Commentary

The policy ensures cyber-attack threats are thoroughly assessed, analyzed and monitored. For example, all risks within the scope of Flagstar Bank’s security are identified. The policy also outlines the concrete steps of how to minimize those risks, and how to continually monitor risk levels or new deficiencies or weaknesses that may rise to the surface over time.

Compliance Management

Policy

All the security related policies must be compliant with federal and state laws and regulations.

Commentary

This policy in Flagstar Bank identifies all legal requirements and outlines how these regulations should be followed so that Flagstar Bank is not penalized for any violations of federal and state laws. According to the policy, a legal team reaches out to IS technical teams to make sure all compliance-related policies are in alignment with what’s legally required.

Protecting Assets

Policy

The assets of Flagstar Bank must be protected by physical & environmental security elements from physical threats.

Commentary

The policy ensures the protection of Flagstar Bank's assets, including computers, facilities, media, people, and paper/physical data, from any damage. According to the policy, Flagstar Bank uses tools such as CCTV, fire extinguishers, water sprinklers, smoke detectors, physical locks, security guards, access control cards, etc.

Identity & Access Management

Policy

The identity of employees must be verified before access to critical systems and data within Flagstar Bank is granted.

Commentary

Flagstar maintains this policy in an organized way. According to the policy, employees are not authorized to access specific systems unless they have to work on those systems. Under the policy, identity verification can be a combination of many things, including name, age, employee ID number, biometric data or any other form of personally identifiable information (PII) that is deemed appropriate. This can be in addition to the usernames and passwords that personnel typically require in order to access systems and data.

Incident Management

Policy

Security-related incidents must be managed to limit the damage of a breach, as well as to reduce the risk of similar ones in the future.

Commentary

This policy in Flagstar Bank ensures security-related incidents are properly managed to mitigate damages after a breach or attack. The policy encompasses the required steps, such as incident detection & identification, triage & incident analysis, threat containment, incident resolution, root cause analysis, and incident reporting.

Disaster Recovery

Policy

Recovery strategies and tactics must be outlined that will meet disaster recovery goals.

Commentary

The disaster recovery policy helps deal with successful breaches or attacks and ensures business continuity of Flagstar Bank if any attacks occur. The policy outlines recovery procedures, call trees, action-triggering criteria, and the scope of action for each employee role to ensure the organization's systems and data are recovered as quickly as possible post-breach.

Training & Awareness

Policy

Training and awareness regarding information security standards, rules, and regulations must be established.

Commentary

This policy in Flagstar bank makes sure that training and awareness is provided periodically to its employees. According to the policy, awareness can be established through classroom sessions, online training and workshops. The policy also establishes employee incentive programs for following the standards, rules, and regulations.


1. Flagstar bank’s information security policies

Password Security Policy: Password protection and security is one of the highest priorities for Flagstar Bank. This policy establishes a standard for the creation of strong passwords and the protection of those passwords.

Internet & Intranet Security Policy: Systems and procedures have been developed to ensure that the internet is used only for business purposes, in a secure manner, without endangering the security of Flagstar Bank's network.

Information Security (IS) Incident Management Policy: The incident management policy maintained by Flagstar Bank ensures that when an incident occurs, the bank can respond quickly and effectively.

Backup & Recovery Policy: In order to safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for the backup of all business data, related application systems and operating system software on a scheduled basis and in a standardized manner across FB (Flagstar Bank).

Security Awareness Policies: All employees of FB, contractors and third-party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job function.

Data Security Policies: FB uses encryption, firewalls and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorized access or improper use.
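As an added illustration of the Password Security Policy above (example code written for this page, not Flagstar's own implementation), the following Python enforces a password-creation standard and protects stored passwords with a salted PBKDF2 hash. The minimum length, the three-character-class rule, the iteration count and the blocklist contents are assumed values: the page states that a standard exists but does not give its parameters.

```python
"""Added example (not Flagstar's or the assignment's code): enforce a password
creation standard and protect stored passwords with a salted PBKDF2 hash."""
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Assumed policy parameters: the page says a standard exists but gives no numbers.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
PBKDF2_ITERATIONS = 600_000
# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "flagstar2021", "welcome1", "letmein"}


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in BLOCKLIST:
        problems.append("appears on the blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; store this string, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3-Correct!"
    print(check_password_policy("Flagstar2021"))  # blocklisted
    record = hash_password(candidate)
    print(verify_password(candidate, record), verify_password("wrong", record))
```

The check runs at creation time, so a weak password is rejected before it is ever stored; the stored record carries its own salt and iteration count, which lets the iteration count be raised later without invalidating existing records.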

2. Procedures

Flagstar Bank built processes to identify cybersecurity threats and ensure that its data and customer privacy are well protected. These processes were built in partnership with Flagstar's Chief Risk Officer, Chief Information Officer, business unit leaders, and enterprise risk management team. Flagstar's Chief Information Security and Privacy Officer (CISO) regularly conducts a comprehensive evaluation and testing of the information security program. The results are shared with the Board of Directors.

In addition, the cybersecurity team conducts quarterly simulated phishing exercises and social engineering tests to make sure that employees and contractors are following policies and adhering to the proper standards. The CISO also conducts cybersecurity training for many of FB's community and nonprofit partners, and the bank joined the American Bankers Association.

3. Programs

Flagstar offers many programs- personal banking, mortgage loans, auto loans, business banking, checking and savings accounts, money market accounts, personal loans.

4. Control

Physical control

Flagstar Bank maintains a restriction of physical access. They use CCTV cameras and alarm systems to provide complete oversight of the building and critical areas. Software and hardware are designed to work in combination with electronic door locks and authorization guidelines.

Access control: access control means that only authorized people can access bank data, and only when they need the data for their work. Flagstar has set up a system to authenticate identity. They use biometrics and photo IDs to verify identity, and electronic devices such as fingerprint and face recognition to verify access authorization.
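The access-control description above (authorized people only, identity authenticated before access, access limited to what the job needs) can be expressed as a deny-by-default check. The following Python is an added example for this page, not Flagstar's system: the roles, resources and permissions are hypothetical, and the `mfa_verified` flag stands in for the biometric or photo-ID step the page mentions. Every decision is written to an audit trail, since denied attempts are what an analyst would want to review.

```python
"""Added example: deny-by-default, role-based authorization check with an
audit trail. Roles, resources and permissions below are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role-to-permission map; anything not listed here is never allowed.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "teller": {("customer_account", "read"), ("customer_account", "deposit")},
    "loan_officer": {("customer_account", "read"), ("loan_file", "read"),
                     ("loan_file", "write")},
    "security_analyst": {("security_log", "read")},
}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool  # second factor (biometric / photo-ID check) completed


@dataclass
class AuditLog:
    entries: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def record(self, user: str, resource: str, action: str, decision: str, reason: str) -> None:
        self.entries.append((user, resource, action, decision, reason))


def is_authorized(session: Session, resource: str, action: str, audit: AuditLog) -> bool:
    """Allow only when the session is fully authenticated and one of its roles
    grants (resource, action). Every decision, allow or deny, is logged."""
    if not session.mfa_verified:
        audit.record(session.user, resource, action, "deny", "second factor not verified")
        return False
    for role in sorted(session.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            audit.record(session.user, resource, action, "allow", f"granted by role {role}")
            return True
    audit.record(session.user, resource, action, "deny", "no assigned role grants this action")
    return False


def denied_attempts(audit: AuditLog, user: str) -> int:
    """Count denials for a user; a burst of these is a signal worth investigating."""
    return sum(1 for e in audit.entries if e[0] == user and e[3] == "deny")


if __name__ == "__main__":
    log = AuditLog()
    teller = Session("alice", {"teller"}, mfa_verified=True)
    print(is_authorized(teller, "customer_account", "read", log))   # True
    print(is_authorized(teller, "loan_file", "read", log))          # False
    print(denied_attempts(log, "alice"))                            # 1
```

Because the default branch returns False, adding a new resource or action requires someone to grant it explicitly; forgetting to do so produces a logged denial rather than silent access.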

5. Open issues

General issues

The banking industry has been exposed to a large number of cyber-attacks on privacy and security, such as fraud involving online payments, ATM machines, electronic cards, net banking transactions, etc. These are the general issues that Flagstar Bank faces.

Specific issue: Recently Flagstar Bank faced a data breach in March 2021 where hackers gained unauthorized access to customers' names, Social Security numbers and home addresses.

The ISSP of Flagstar

1. Statement of Purpose

a. Scope and applicability

i. Flagstar’s key points of information security revolve around the values of identifying users/threats, protecting sensitive customer information, detecting threats, responding to threats and recovery of information breached.

b. Definition of technology addressed

i. Flagstar states on its website that it regularly runs tests, such as simulated phishing exercises and social engineering tests, to make sure that employees and contractors are following proper procedures.

c. Responsibilities

i. CISO conducts comprehensive evaluations and tests on information security systems to make sure everything is running as it should. The responsibilities of the security policy are to protect employees but also the consumers who use Flagstar Bank.

2. Authorized users

a. User access

i. While all employees are expected to use bank devices and handle consumer information securely, it is the CISO, Chief Risk Officer, Chief Information Officer, business unit leaders and enterprise risk management team that make up upper management. When an attack occurs, they are the people who follow the policy guidelines up the chain of command to assess the threat and stop it.

ii. Not all employees have access to all information

b. Fair and responsible use

i. All employees handle sensitive information. It is their job to make sure that information is kept secure by checking for proper identification, account information, etc.

ii. Personal work should not be done on organization equipment, limiting the sites that are explored on the systems handling sensitive information.

c. Protection of privacy

i. When creating an account with the bank, the bank asks for a lot of personal information, including but not limited to:

1. Name

2. Address

3. Date of Birth

4. Social Security Number

5. A form of picture ID to have on file

ii. They then assign you account numbers. Once you have an account number, you can create online accounts which give the user complete access to their information. IT IS IMPERATIVE THAT THOSE SITES ARE KEPT SAFE in order to keep hackers from gaining access to thousands of people’s personal information.

iii. The bank states it has three lines of defense to keep private information secure:

1. First line of defense: this includes responsibilities such as identifying, managing, and mitigating risks associated with directly conducting business in the bank. It helps to implement and maintain processes and practices to ensure conformity with all applicable policies, laws and regulations.

2. Second line of defense: made up of the bank's independent risk management. These units assess, report, and escalate risks and issues independently of the first line and provide additional support when managing risks.

3. Third line of defense: consists of internal audit and loan review, whose responsibilities can include providing timely, relevant, independent, and objective enterprise-level perspectives regarding the effectiveness of governance, risk management, internal controls, and the quality of loan portfolios.

3. Prohibited users

a. Disruptive use or misuse

i. This area includes using computers for personal work, use of cell phones while helping customers, trying to access information that is unauthorized, and sharing information with others who are not authorized to access it.

ii. Cannot collect or store personal information about others

iii. Impersonating any person, business, entity, or IP address

iv. Altering, damaging, or deleting any materials or content provided by Flagstar

v. There is a full list on this web page (https://www.flagstar.com/legal-disclaimers/terms-of-use.html)

b. Criminal use

i. Allowing outside hackers into the systems, transferring money from accounts without permission from the account owner, allowing access to unauthorized users

c. Offensive or harassing materials

i. Sharing of sensitive information

d. Copyrighted, licensed, or other intellectual property

i. These can include the name “Flagstar”, the design of their website, any imaging or symbols they use to help identify the business

4. Systems management

a. Management of stored materials

i. All computers, routers, switches, wires, and any other equipment used are kept in a secure, safe place. The privacy statement discusses what information is collected and how it is used, and there are some things you can opt out of.

b. Employer monitoring

i. Each employee is required to complete security training and policy reviews annually. In 2020, 100% of employees completed this training.

c. Virus protection

i. As stated earlier, they run many tests on a regular basis to try and keep their networks as safe as possible

d. Physical security

i. Security guards are posted outside of banks, along with cameras. A lot of banks also have protective glass between consumers and tellers

e. Encryption

i. Information that could be harmful to the consumer if exposed is encrypted, especially when it is shared with other banks. Online accounts require a username and password to gain access, and two-step authentication has become more popular.

5. Violation of policy:

It is prohibited to float funds between accounts in order to cover withdrawals already made. The first violation is failure to follow the integrity, ethics and honesty measures that have been put in place in the institution; they are meant to maintain healthy relationships among employees and when handling clients from different backgrounds. The second violation is failure to report.

It is against the policy to make any false ATM deposits or to inflate ATM deposits in order to receive cash. Employees are expected to always record the accurate amounts of deposits received from a client. Employees are not allowed to view clients' account balances for non-business reasons that have not been authorized.

It is against the institution's policy to use the computer systems for personal work or to use a cellphone while handling customers. This is aimed at offering the most appropriate services to clients as per the set institutional policies. Violations also include giving criminals access to the system so that they can access clients' data without the consent of the account holder.

a. Procedures for reporting violations

Flagstar states that in case of any suspected fraud activity, the reporting process must begin immediately. The violation should first be reported through the Ethics point Hotline. The complaint can also be directed to the manager and in case the manager is involved, one can reach out to the higher levels of management. It can also be directed to the human resources business partner depending on the weight of the report. The reported issue can touch on various violations such as harassment, threats or any other activity that one might consider as a violation. Whistleblowers have also been considered whereby they can report the concerns anonymously through the Audit Committee of the Board of Directors.

b. Penalties for violations

Penalties for violations depend on their severity and are enforced under both the company's policies and government law on misconduct. Violations are punishable through financial penalties such as salary deductions or having to pay a certain amount of funds depending on the violation. If need be, law enforcement can also be involved depending on the situation at hand.


6. Policy review and modification

The policy review done in 2018 depended mainly on coordinated work by various groups and task forces. This is achieved through major consultation processes on the most effective steps the organization should take. A task force made up of technical experts from all member banks is involved in the process of new modifications. Decision making is also influenced by the public comments posted regarding the changes that should be made in the institution, whereby the team evaluates all possible solutions to a problem. Before a decision is made, non-members are also involved in the process through the biennial international conference of banking supervisors and the Financial Stability Institute.

The first review involves accountability, which begins at the lowest level of management. Segmentation of departments or phases in the institution means that each department is managed by a manager who must meet various set expectations. By narrowing down the management, the institution is in a position to handle potential risks at an early stage, before they affect operations across the entire institution.

a. Scheduled review of policy

The review of a policy depends on its effectiveness in meeting the set goal. If the policy ensures that all set goals and objectives in the institution have been met, the institution can wait longer before making changes to the policy. However, frequent assessments of whether the policy meets its goal can be carried out to determine its effectiveness in meeting the organization's objectives.



b. Procedures for modification

The first step is to acquire reviews from the employees. By involving them in making the necessary changes, the changes are easier to implement, as the employees own them. A team of experts should also be involved to assess the suggested changes and determine their impact on the organization's objectives. New policies must provide a solution to a problem facing the institution. The various stakeholders are then informed of the changes before implementation. In case of any concerns about the newly formed policies, a review should be made to ensure that all parties are content before implementation.

7. Limitations of liability

To limit its liabilities, the bank shall not assume the responsibility of a trustee; its main concern is to hold monies in escrow, where the money is invested until the escrow conditions are satisfied as per the terms and conditions herein. The bank shall not be held accountable for decisions made regarding the escrow or in case any party fails to comply with the set conditions. The bank will only be concerned with the terms and conditions set forth herein.

A limitation of liability controls the amount of damages that can be paid to a party. Flagstar sets the maximum limit permitted by law. This allows the bank to discourage any form of policy misconduct by both its clients and employees. The limitations should not go beyond what the law allows, so as to prevent lawsuits of the kind that have occurred previously in the institution.

a. Statements of liability

The Bank will be liable for gross negligence and willful misconduct that might result in losses for the client. However, the bank's level of performance will not be used to guarantee payment of damages incurred. In the case of damages related to misconduct or negligence, the amount to be paid will not be greater than the actual value of the damage. In the case of omissions or damages caused by a third party, the bank will not be held liable. It is also important to note that the service charges are not related to the value of the customer service offered.

b. Disclaimer

Under Section 229.58, the bank will deliver required information through the mail or the agreed method of receiving account information. The bank will make funds available to the client's bank within the duration set by the Expedited Funds Availability Act, meaning that the client will not be in a position to file a lawsuit provided the payment is made within that duration. The bank shall also pay interest on interest-bearing accounts from the day the bank receives the credit. Local and nonlocal checks can be withdrawn between the second and the fifth day as per the schedule set under Section 229.12.


Federal, state, or local cybersecurity or computer laws and regulations, industrial standards

California Consumer Privacy Act (“CCPA”): CCPA is applicable for California residents. The CCPA provides consumers with specific rights regarding their personal information.

Federal Privacy Act (1974): Establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Gramm-Leach-Bliley (GLB) Act (1999): The act controls the ways financial institutions handle the private information of individuals.

Consumer Financial Protection Bureau: The Consumer Financial Protection Bureau is a U.S. government agency that makes sure banks, lenders, and other financial companies treat customers fairly.


Federal and state laws and regulations that require all information to be kept private and secured.

Industry Standards

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is applicable for those organizations who accept credit card payments.

Access Control, Telecommunications and Network Security, Information Security Governance & Risk Management, Software Development Security

Software development security - applying development practices to security involves many processes, including developing, adding, and testing security features in applications to help protect against security vulnerabilities and threats.

This is important to the company because it is a constant work in progress to keep out hackers and attackers from private information of citizens and employees. Without the changing development of security measures, hackers could easily learn a system and access information. This is especially important in a bank setting, due to the information that could become available for attacks, such as bank accounts, fraud, theft of money in accounts, home addresses of customers, identity theft from social securities, and so much more.

Cryptography

Security Architecture and Design

Security Operations

Business Continuity & Disaster Recovery Planning

Legal, Regulations, Investigations and Compliance

There are many key roles involved in compliance and investigation of attacks when they happen. Some of those include having a responsible investigative authority, having a responsible investigator(s), and having legal counsel for when things go sideways.

Having responsible investigators is important because when attacks do happen, we want them taken seriously. This ensures that a thorough investigation is done so that changes can be made, software can be made stronger, and the risk of attack decreases. You also want an investigative authority (a person in charge) to oversee the investigation. This prepares them for future attacks and helps them learn better ways of handling situations. A company that believes it will never be attacked is a vulnerable one. In Flagstar's case, the information was hacked through the third-party vendor it used. Flagstar's action should be to reevaluate whether that vendor is "good enough" to keep, or whether it should restructure that part of its business plan. This is where legal counsel comes in. It is always a good idea for a large corporation to have good legal counsel for when things go wrong. If someone isn't doing their job correctly and efficiently, legal counsel can help you get out of a contract after a security breach.

Physical (Environmental) Security

-This would involve security guards around the premises and inside the building for each branch

-It would also include security cameras in and around the building, including the drive through, ATM, each teller station, the bank vault, all entrances and exits, and the parking lot.

System-specific Security Policy for Flagstar

Acceptable use of Internet policy

  1. Information Reliability - All information sources should be validated for reliability. Employees and partners must not rely on information received from external emails or unrecognized external Internet resources, in compliance with Enterprise Information Security Department policies. The identity of an individual or organization acting as an information source is validated using digital certificates issued by trusted third parties for verification of digital signatures.

  2. Downloading Software – All users must comply with the new software installation policies. Users should be vigilant when downloading data files, check them for viruses before use, and comply with copyright laws.

  3. Sending Security Parameters - Users must protect sensitive parameters and personally identifiable information such as credit card numbers, passwords, or account numbers, and ensure the data is protected with end-to-end encryption.

  4. International Transfer of Data - Movement of private or research data across international borders must comply with the laws of the countries between which the data exchange is happening, so that no laws are violated.

  5. Setting Up Extra Services – All network connections to third parties are prohibited unless the Enterprise Information Security team has approved the associated access controls for these connections. All electronic data exchange and electronic business system workflows must also be approved by both the Enterprise Information Security and Information Systems Departments.

  6. Information Security Reports – All recipients of information about system vulnerabilities must forward it only to the Enterprise Information Security Department, which determines the appropriate actions to be taken, and must not redistribute this information.

Network security policies

  1. Connection Approval Required – All network devices and connections to third-party systems or networks should be approved by the Enterprise Information Security Department and should comply with its security policy requirements.

  2. Personal Computer Connections – Employees must not connect their office computers/devices to open or third-party networks without prior authorization. Personal devices must not be used for official purposes unless approved by the Information Security manager.

  3. New Installations Compliance - Employees and vendors must comply with the new hardware or software installation policies and obtain written approval from the Director of the Office of Telecommunications.

  4. Firewall Requirement - All connections between internal networks and the Internet or other public networks must be protected by an approved firewall and have an approved access control system in place. All privileged permissions through this firewall or other approved access control system must be justified by a relevant business need and have defined access control standards documented and managed by the Enterprise Information Security Department.

Third party access control policy

a. Written approval requirement – Written approval is mandatory before any third party accesses internal systems. This includes partners, consultants, contractors, and others such as outsourcing partners.

b. Access restrictions requirement - Third parties should only have inbound connection privileges if they have an authorized and legitimate business need, and only for the approved time period required to accomplish the approved tasks. Any third-party access that requires more than 24 hours of access must be approved by the Enterprise Information Security Department.

c. Only public information should be posted - Information owners may share only public information in any directory, server, or other file/folder location that is accessible to unknown parties.

d. Third party security requirements – All third parties and partners must secure their own connected systems in compliance with the organization's security policy requirements. The organization should reserve the right to conduct unplanned audits and to immediately terminate access if the security measures in effect do not meet security requirements.

Encryption Policy

To protect information, it is important to enable encryption services. This includes encryption facilities to protect sensitive information discussed over cellular or mobile phones or during video conferences, or shared over network devices or over the Internet. Not just in transit: whenever confidential information is stored, it should be protected with similar encryption methods and authorization.

Key Selection – Most encryption methods require the user to input a seed or key for authorization. These keys must be protected against unauthorized disclosure, must follow the rules for creating strong passwords, and must resist being recovered (un-hashed) by attackers.

SQL injection prevention policies – Critical to Flagstar data breach

Managers, developers, and system and database administrators can implement several policies to minimize the probability of an attack or its impact:

  1. Develop web applications with parameterized queries and stored procedures that use typed and bound parameters in the database, in programming languages such as Java, .NET, or PHP.

  2. Keep systems up to date with the latest security patches from all partners. These systems include web servers, application components such as plug-ins, frameworks, and libraries, and database servers.

  3. Apply the principle of least privilege when provisioning user and account access to the SQL database. Grant only the SELECT, INSERT, UPDATE, or DELETE privileges that are needed, and never grant system administrator privileges to any external account.

  4. Prevent the use of shared database accounts for websites and applications.

  5. Validate all user input against its expected metadata, not just the data itself.

  6. Configure appropriate error reporting and handling on the web server so that errors are not sent to the client browser, which prevents attackers from leveraging verbose error messages for SQL injection.
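The following is an added example, not code from the original document or from Flagstar, that shows policy items 1, 5 and 6 side by side in Python with the standard sqlite3 module: a lookup that concatenates user input into the SQL text, the same lookup with a bound parameter, and a request handler that validates the input format and hides database errors from the client. The accounts table, the usernames and the probe value are constructed for the demo; the same binding approach applies to the Java, .NET and PHP database drivers the policy names.

```python
import re
import sqlite3

# Constructed sample data for the demo; not Flagstar's schema or records.
SAMPLE_ACCOUNTS = [
    ("alice", "ACC-1001", 2500.00),
    ("bob", "ACC-1002", 120.50),
    ("carol", "ACC-1003", 9900.00),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Anti-pattern: the user's value is concatenated into the SQL text, so a value
    containing quotes and SQL keywords changes the query the database executes."""
    sql = "SELECT username, account_no FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Policy item 1: the value is passed as a bound parameter. The driver hands it
    to the database as data, never as SQL, so a crafted value is just an unknown name."""
    sql = "SELECT username, account_no FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Policy item 5: validate the shape of the input (allowed characters and length),
# not only that a value is present. The format is an assumption for this demo.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def handle_request(conn, username):
    """Policy items 5 and 6 together: reject input that does not match the expected
    format, run only the parameterized query, and never return database error text
    to the client (the exception detail belongs in a server-side log instead)."""
    if not USERNAME_RE.fullmatch(username):
        return ("error", "request could not be processed")
    try:
        rows = lookup_parameterized(conn, username)
    except sqlite3.Error:
        return ("error", "request could not be processed")
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology value used only to show the difference
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, probe)), "rows")
    print(handle_request(db, probe))
```

Running the block shows the concatenated query returning every account for the probe value while the parameterized query returns none; the handler rejects the probe before it reaches the database at all. Input validation and parameter binding are kept as separate layers on purpose, so that a gap in one does not remove the other.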

Remediation policy – Critical to Flagstar Breach

It is critical to take immediate action and address any confirmed incident involving SQL injection vulnerabilities, as when the breach first happened in December last year:

  1. Notify the security personnel responsible for coordinating full remediation under the Information Security Policy

  2. Investigate the reported potentially vulnerable web servers, applications, and resources with stakeholders

  3. Review web server, application, and database logs to identify the vulnerability and its source

  4. Develop a recovery plan to remediate the SQL injection vulnerabilities and apply patch updates to prevent future attacks
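As an added example for step 3 of the remediation policy (not part of the original document and not a Flagstar tool), the Python script below reviews web server access log lines for the request patterns that SQL injection attempts leave behind, URL-decodes each request URI before matching, and summarizes the suspicious requests by source address so an investigator can see where they came from. The log lines are constructed for the demo in the common log format, with addresses from documentation ranges; the indicator patterns are an assumption and would be tuned to the application being investigated.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (common log format). Not Flagstar's logs; the
# addresses are from documentation ranges and the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2020:10:15:01 +0000] "GET /account?user=alice HTTP/1.1" 200 512
203.0.113.7 - - [03/Dec/2020:10:15:03 +0000] "GET /account?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
198.51.100.4 - - [03/Dec/2020:10:16:10 +0000] "GET /search?q=mortgage+rates HTTP/1.1" 200 2048
203.0.113.7 - - [03/Dec/2020:10:16:12 +0000] "GET /account?user=alice%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 311
198.51.100.4 - - [03/Dec/2020:10:17:00 +0000] "GET /account?user=bob HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators of SQL injection attempts, matched against the URL-decoded URI.
# These are illustrative; a real review would use the application's own signatures.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d", re.I),             # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"--\s*$|;\s*--|/\*.*?\*/"),                # SQL comment sequences
]


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Payloads arrive URL-encoded, so decode before matching.
    entry["decoded_uri"] = unquote_plus(entry["uri"])
    return entry


def is_sqli(decoded_uri):
    """True if the decoded URI contains any of the injection indicators."""
    return any(p.search(decoded_uri) for p in SQLI_PATTERNS)


def review_log(text):
    """Return (suspicious entries, Counter of source IPs) for a log given as text."""
    hits = [e for e in (parse_line(ln) for ln in text.splitlines())
            if e is not None and is_sqli(e["decoded_uri"])]
    return hits, Counter(e["ip"] for e in hits)


if __name__ == "__main__":
    hits, sources = review_log(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["status"]} {e["decoded_uri"]}')
    print("suspicious requests per source:", dict(sources))
```

In the constructed log the two flagged requests both come from one address, and the second of them produced a 500 response, which is the kind of correlation between a suspicious request and a server error that step 3 is looking for. The same parse-decode-match structure extends to application and database logs by swapping the line regex and the indicator list.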

