Introduction
This paper develops a system plan and evaluation procedure for the security system of a hypothetical bank called the National Bank of America. The National Bank of America deals in the safekeeping of its clients’ money, and since the bank operates huge volumes of financial transactions, most of its systems are automated. These systems are subject to several security measures because it is crucial for the company to ensure all accounts held for its customers are uniquely operated by the legitimate owners. Overall, the bank’s security systems are often subject to breaches by fraudsters and other suspicious entities. The possibility of a security breach warrants the thorough development of a comprehensive system plan and evaluation procedure. In achieving the above objective, this paper explains the concept of security assurance and trusted systems of the bank; an evaluation of ways of providing assurance throughout the life cycle; a discussion of the validity and verification of the system; and an illustration of the evaluation methodology and certification techniques of the security system. These analyses will be done systematically.
Security Assurance and Trusted Systems
The concept of security assurance in the National Bank of America’s security system revolves around the assurances of the company (to its clients) that the company’s security system is completely secure (Merkow, 2004, p. 11). The system’s security assurances will be supported by objective evidence, based on more than one premise. Unlike most security assurance and trusted systems technologies, National Bank of America will have a security assurance system that will be based on people, processes and technology (Carnegie Mellon University, 2008, p. 2). These premises will show how the claim of security assurance is supported by several sub-claims. In this explanation, the system explains various levels of security vulnerabilities that need to be protected.
The strongest security assurance premise for National Bank of America would be the guarantee that the system caters for all coding effects. These coding effects may lead to several buffer overflow breaches (Carnegie Mellon University, 2008, p. 2). In this regard, the strongest security assurance will be based on the guarantee that all the programmers who developed the bank’s security systems were trained to develop the system. Here, an assurance is given that the code writing process was done by qualified programmers, hence the minimal chances of realizing buffer overflow vulnerabilities.
The second security vulnerability will be addressed with the assurance that all programmers comprehensively reviewed the security system to ensure there is no chance of a buffer overflow occurring (Carnegie Mellon University, 2008, p. 2). A statistics analysis tool will also be used as a security assurance measure to guarantee that no security problems are realized. Finally, the system will be tested with invalid arguments to test its reliability. Here, it should be affirmed that all the inputs are rejected, and sometimes, such security issues should be treated as unique elements of the security system (Carnegie Mellon University, 2008, p. 2). Comprehensively, the above security assurance procedures will be aimed at identifying buffer overflow incidences. It should also be affirmed that there is no possibility of security breaches occurring, and some of the weak security links identified should be effectively corrected.
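The invalid-argument test described above can be sketched as follows. This is an added example, not part of the original paper; the function names, the `ACCT_LEN` constant and the 10-digit account-number format are assumptions made for illustration, and the invalid inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ACCT_LEN 10 /* assumed format: exactly 10 decimal digits */

/* Unsafe form, for contrast only (never called): strcpy() writes past
 * dst whenever src holds more than ACCT_LEN characters. */
void store_account_unsafe(char *dst, const char *src) { strcpy(dst, src); }

/* Hardened form: check length and content before copying.
 * Returns 0 on success, -1 on rejection (dst is left empty). */
int store_account(char dst[ACCT_LEN + 1], const char *src) {
    size_t n = 0;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Bounded scan: never reads more than ACCT_LEN + 1 bytes of src. */
    while (n <= ACCT_LEN && src[n] != '\0') {
        if (!isdigit((unsigned char)src[n]))
            return -1;
        n++;
    }
    if (n != ACCT_LEN)
        return -1;
    memcpy(dst, src, ACCT_LEN);
    dst[ACCT_LEN] = '\0';
    return 0;
}

/* Negative test: feed constructed invalid arguments, count rejections. */
int count_rejected_invalid(void) {
    char big[4096], acct[ACCT_LEN + 1];
    memset(big, '7', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *bad[] = { NULL, "", "123456789", "12345678901",
                          "12345abcde", "12345 6789", big };
    int rejected = 0;
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (store_account(acct, bad[i]) == -1 && acct[0] == '\0')
            rejected++;
    return rejected;
}

int main(void) {
    printf("rejected %d of 7 invalid inputs\n", count_rejected_invalid());
    return 0;
}
```

The evidence for the sub-claim is that every invalid input is rejected and the destination buffer is left empty each time, while a well-formed account number is still accepted.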
Another security assurance method for the National Bank of America’s security system lies in its online banking method. To ensure there is a reliable security assurance for the online banking system, the “extended validation secure socket layer” will be used to guarantee the bank’s customers that the company’s website is authentic (PNC, 2011, p. 1). This security assurance measure is crucial in the bank’s online banking media because the internet contains several fraudulent websites which do not represent the identity of the company. Some of these websites may also be malicious or suspicious in nature.
Evaluation of Security Assurance Procedures
The “extended validation secure socket layer” is a reliable way of ensuring there is minimal fraud in the bank’s online system. This is because the system guarantees the safety of transactions. The system is designed in three levels. The first level shows a green light at the address bar to mean that the clients are using the authentic company website (PNC, 2011, p. 1). On the second level is the yellow address bar, where customers are supposed to proceed with extensive caution because there may be instances of malicious or suspicious activity detected.
Here, there are indications that the website visited bears qualities of a suspicious website (but it may not be authenticated that the site is indeed fraudulent) (PNC, 2011, p. 1). At the third level of the security system is the red address bar. This bar is an advisory message to the bank’s customers that transactions should be stopped because the website may be fraudulent, malicious or suspicious. At other times, the red message means the website has an SSL security problem and, therefore, it may not be safe to carry out any financial transactions through the website. These three levels of online banking security are crucial to the safety of the overall bank’s financial security. Indeed, they are also very reliable.
The assurance that all programmers employed to develop the bank’s security systems are qualified and well trained is a reliable measure because it supports high standards of developing the bank’s security system. In other words, the skills and expertise directed towards developing the bank’s security system are high-end and, therefore, the overall output is bound to share the same quality. If unskilled or incompetent programmers were used to develop the bank’s security systems, several security vulnerabilities would be evidenced. However, this is not the case. This assurance is therefore reliable because it guarantees the quality of the bank’s security system.
A review of the bank’s security system is also a credible way of ensuring the safety of the bank’s security system. This is because reviewing the company’s safety system is a sure way of ensuring the system meets its intended purpose (Paper-Check, 2011, p. 2). This assurance is crucial in determining the relevance of the security measure. There are certain security systems that fail to adequately cover their objectives because they are not effectively reviewed to ascertain if they meet their intended purpose. The fact that the security provisions are effectively reviewed is therefore a strong indicator that the system can be effectively relied on.
Validation and Verification
The validity of the security assurances cited above is entrenched in the time period for review (TAOnline, 2011, p. 14). The security assurances are going to be subject to a two-year review to ascertain their effectiveness and identify any areas of improvement. From the inception of one security measure, the validity period will only be two years, after which an evaluation will be done to extend the validity of the security measure, or eliminate the security measure altogether (in favor of a more effective one). This is an effective way of guaranteeing the validity of the security measures.
The bank’s system verification is done on two levels. The first level is the dynamic verification, which entails the test and experimentation of the bank’s security systems (Bishop, 2003). To verify the bank’s security systems, executing the appropriate software and checking its behavior will be crucial in ensuring the security systems meet their intended objectives. This task is often performed in the test phase of the security software development (Bishop, 2003). The second level of the security verification procedure involves the assurance that the applicable security measures meet their required standards. This verification is done after undertaking a physical verification of the system to ascertain several variables, including code conventions verification, bad practices (anti-pattern) detection, formal verification and the software metrics calculation (Bishop, 2003). These procedures ensure the bank’s security systems satisfy all the stipulated security requirements.
Evaluation Methodology and Certification Techniques
For National Bank of America, fingerprint-based biometrics will be crucial in ensuring there are no fraudulent activities launched on the company’s security system (Bishop, 2003). All customers will be required to input their fingerprints before using the bank’s systems to withdraw, transfer or deposit cash. This system will be backed up by an image-based biometrics evaluation that contains information regarding the physical features of the customers. This prevents the occurrence of security breaches that may bypass the fingerprint authentication feature (Tanabe, 2009, p. 2). Past evaluation methodologies have strongly relied on human-based algorithm procedures, but these systems have been useful in situations characterized by theoretical analyses (Tanabe, 2009, p. 2). This plan proposal will therefore go beyond the theoretical analysis.
The best certification technique to be used in this system plan will be a third party certification from an independent body. A credible security institution or body will therefore be sourced to certify the security features employed by the bank. Moreover, the software programmers will be sourced from respectable institutions which are certified by a security body. This technique will guarantee the reliability of the programmers and the security system (in totality) (Hibma, 2011, p. 1).
References
Bishop, M. (2003). Computer Security: Art and Science. New York: Addison-Wesley Professional.
Carnegie Mellon University. (2008). Arguing Security – Creating Security Assurance Cases. Web.
Hibma, T. (2011). Security Certification Requirements. Web.
Merkow, M. (2004). Computer Security Assurance Using The Common Criteria. London: Cengage Learning.
Paper-Check. (2011). The Importance of Proofreading. Web.
PNC. (2011). Extended Validation Secure Socket Layer (EV SSL) Certificates. Web.
Tanabe, Y. (2009). A Study on Security Evaluation Methodology For Image-Based Biometrics Authentication Systems. Piscataway, NJ: IEEE Press.
TAOnline. (2011). Security Clearances. Web.