Security Policy Outline


Purpose:

The First World Bank Savings and Loan estimates over $100,000,000 a year in online credit card transactions for loan applications and other banking services and is in need of a practical Information Technology (IT) solution to provide and manage seamless and secure online banking services for its customers. In order to meet the statutory compliance criteria for information security management systems, there are specific legislation and regulations that The First World Bank Savings and Loan must follow and implement. There are also cost and performance considerations that must be applied to the overall strategy.

Solution: legislation and regulations

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have produced several documents that address IT security solution standards. The two prominent documents to follow are ISO/IEC 17799:2005 and ISO/IEC 27001:2005. The first, ISO/IEC 17799:2005, is titled Information technology - Security techniques - Code of practice for information security management; it establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives it outlines provide general guidance on the commonly accepted goals of information security management. The second, ISO/IEC 27001:2005, is titled Information technology - Security techniques - Information security management systems - Requirements; it specifies the processes that enable a business to establish, implement, review and monitor, manage and maintain an effective information security management system (ISMS). By following these two standards and ensuring that the Information Technology Infrastructure Library (ITIL) framework is carefully implemented, a well-designed and maintained IT security structure will be in place.

Solution: Linux and open source infrastructure

The cost and performance of an IT network and software infrastructure can be improved by the utilization of third-party commercial data centers and open source software products. Linux-based IT systems have dominated World Wide Web server applications, and there are a variety of open source software packages available at practically no cost to the user. To successfully operate and maintain a secure online transaction infrastructure, the hardware and software requirements should include database servers, web servers, file servers, Simple Mail Transfer Protocol (SMTP) servers, and Lightweight Directory Access Protocol (LDAP) servers. These hardware and software requirements are available for low-cost leases through many third-party IT enterprise companies that utilize virtualization technologies such as VMware and Citrix. By utilizing the multi-tiered architecture of a third-party Linux-based infrastructure, the cost, performance, and security of maintaining a Linux and open source infrastructure can be optimized.

Conclusion: Benefits

To stay competitive in the financial institution market, the First World Bank Savings and Loan must implement the proposed solutions and adhere to all of the statutory compliance criteria for ISMS when providing online banking services for its customers. In addition to cost savings and increased performance, the goals of the confidentiality, integrity, and availability (CIA) triad can be fully achieved.