
QUESTION


Questions:

1. Identify stakeholders impacted by the bank's operations and explicitly consider and document their interests. (10%)

2. Consider the role of each actor in the scenario and apply the ACS Code of Professional Conduct (https://www.acs.org.au/content/dam/acs/rules-and-regulations/Code-of-ProfessionalConduct_v2.1.pdf) to analyse their decisions and associated actions, with a focus on the first four points in the ACS Code. (40%)

3. Analyse the security controls that were originally implemented and describe the potential role of each control in preventing the cyberattack that occurred. (30%)

4. Research alternative ethical frameworks and contrast with the ACS Code of Professional Conduct in the context of the case study. (20%)

Scenario:

Sam is the Chief Information Security Officer (CISO) for the multinational finance corporation BroadBank Pty Ltd. Like all financial institutions, BroadBank relies on employees having timely access to detailed customer data to facilitate common banking services such as transactional banking and loans. This is particularly integral for staff who travel between sites and to customer premises. For example, in order for the bank to live up to its recent promise of 'home loan approvals within 30 seconds', staff need access to all customer records remotely when completing applications with customers offsite. It is these types of innovations that have allowed BroadBank to expand its presence and grow its market share.

Chris, the CEO of BroadBank, hired a consultant to review the efficiency of his staff and the systems they use when facilitating customer transactions such as loans and insurance applications. The consultant provided a report to the executive group highlighting potential inefficiencies, primarily due to current cybersecurity practices. The CEO is very pleased with the report and confident that implementation of the findings will substantially improve the profit position of the bank. Security is not a major consideration for the executive team as BroadBank has not experienced a security breach in recent history.

The current system allows staff to remotely access customer records for those customers assigned to the individual staff member via a company-issued and controlled laptop. Remote network access is via a Virtual Private Network (VPN) tunnel, established using an inbuilt mobile broadband modem, and the USB ports on the laptop are disabled. Smartcards are used as part of two-factor authentication for the VPN and user passwords must be re-entered every time a privileged operation is requested. The laptops use application whitelisting which prevents employees from running 'useful' 'financial' tools they have found online, and from general web surfing. Users report that software updates are inhibiting their use of the laptop after hours. Staff are also required to attend quarterly security awareness training seminars to provide updates on the latest threats and security best practices. They report little value in attending these seminars when they could instead be signing up new customers and earning commission.

When reviewing the consultant's report in detail, Sam finds that it recommends most of these security controls be removed in order to enhance staff productivity. For example, USB devices can be used to provide customers with PDF documents relevant to the service on the spot, useful software found by staff could improve efficiency and staff don't see any practical benefit from the installation of software updates. The report also recommends that staff be allowed to use their own personal devices, such as phones and tablets, to access the bank's systems.

Sam realises that her next performance evaluation will be dependent on her ability to address the issues identified in the consultant's report and improve efficiencies. This performance evaluation will directly determine whether or not Sam receives her year-end bonus. Sam has only been in the role for six months and the security controls were all put in place by her predecessor.

Sam tasks Alex, a cybersecurity engineer, with implementing the findings of the report as a matter of urgency. Alex has also recently joined the company and is, of course, concerned with making a good impression during his probation period. Alex considers whether he should discuss the potential changes with Sam or the CEO. He believes that the changes being proposed are highly risky; however, he is concerned that if he questions the task that he has been assigned by Sam, he will be dismissed. He convinces himself that most security breaches only have minor effects and there wouldn't be any great loss for the company if the BroadBank system was breached, and he proceeds to implement the changes as requested.

Sam receives her 20% bonus. Alex passes through his probation period without any incident. There is a marginal increase in employee productivity and BroadBank's profits continue to increase steadily. The CEO is particularly pleased with the changes and his decision to dismiss the previous CISO (who insisted that the current security controls be maintained) and commission the consultant's report. The outcomes reaffirm his decision to hire Sam who, unlike other security professionals he has met, wasn't overly paranoid and obsessed with potential security threats.

15 days after the security controls are removed, at 2:37am, BroadBank's computer systems suffer a total outage. Overnight payments are not completed, and staff are unable to restore services when they are called into work. The bank's systems remain inaccessible for several days, during which time it is not possible for customers to withdraw or deposit funds or complete any other transaction. After the most recent backups of critical systems are restored, a forensic investigation begins. The forensic practitioners soon determine that the outage was caused by a compromise and that the attackers had completed numerous actions before their final action which caused the system outage. The source of the compromise was malware, inadvertently installed by a staff member on their laptop, which was able to compromise the Bank's key systems once it had breached the perimeter security defences via the VPN tunnel, and utilised stolen credentials now that two-factor authentication was disabled. They had successfully transferred funds from numerous customer accounts overseas and taken complete copies of customer databases containing sensitive and personally identifiable information about each BroadBank customer.

The company requested a trading halt on its stock, and was not certain, considering the successful funds transfers, whether it would be able to meet its debit obligations to its customers. It doesn't have accurate records as the most recent complete backup was over one day old. In the weeks after the event, the true cost of the situation becomes clear. Customers had to seek emergency funds from government social services to cover their daily living expenses. Lenders tried, and in some cases succeeded, to foreclose on customers who were unable to make loan payments from the BroadBank accounts on assets such as homes and cars until the government stepped in and froze foreclosure on BroadBank customers until the matter could be resolved. Ultimately, customer deposits were guaranteed by the government, but customers suffered massive inconvenience, and potential loss, while they were unable to access their funds.

A criminal investigation into the situation is launched and it comes to light that Sam does not have any background in cybersecurity or even IT in general, despite the claims in her CV. When questioned, Sam admitted misrepresenting herself, but was confident that she could handle the demands of a cybersecurity role as she had made extensive use of social media and other Internet services. Chris is dismissed by the board, with a massive payout, and soon has a job with a BroadBank competitor who admires his willingness to take risk. Unfortunately, his success is short-lived as he is charged with criminal offenses in relation to his actions at BroadBank. Alex realises the mistake that he has made and sees the effects that it has had in practice. He resigns out of principle. He applies for several new positions in cybersecurity, but because of his well-publicised role in the bank's downfall, he is unable to even secure an interview. In the end, BroadBank collapses and its remaining assets are dissolved.
