PART ASecurity PolicyThe XYZ Bank ensure security, privacy and integrity of their customers and clientele through the deployment of necessary equipment and procedures that ensure physical and electronic security for their personal, financial and transactional information against all possible risks and threats.The system includes the public and private sections. The public sections do not require password or authorization and do not contain any information related to the visitor of the site. However, the system records information such as data and time of access, IP address, location and browser of the visitor. The private section of the site is password protected and requires complete authorization as it contains private and confidential data of individual clients.Industry approved, and updated security techniques and strategies are deployed that ensure complete protection to the data that belong to Bank and our clients. Some of these strategies include password protected authorization, SSL encryption for Digital ID, encrypted security for Bank server, software and hardware based firewall, etc.The data belonging to clients and the Bank will remain confidential and undisclosed.SubjectsBank clientsAccount holdersBranch ManagersExecutive Members of BankSecurity OfficialsObjectsTransactionsRequestsDatabaseAccess RightsClientAccess account informationWithdrawDepositRequest loan/remittanceBank OfficialAccess client informationEdit/update informationAccept/decline requestsPART BThe given system of authentication is based on simple Authentication Protocol that would involve generation of public and private key as the fingerprint impressions are input using the given device.In the given authentication protocol, five basic steps of authentication will be followed that are described below:First of all, the parameters are established for the biometric characteristics that will be used for the authentication purposes. In our case, it is fingerprint impression of the client.Once the fingerprint impression has been scanned by the device, the web client station will be contacted for the fingerprint data that will be stored on a centralized server that can be cloud based or physical.As a response to generated query, a notification will be generated by the server that will contain biometric information related to the given parameters.The input will be scanned and searched amongst the data on server and a notification regarding the match will be generated.After detailed and descriptive comparison of the records, selected record will be returned to the client server. In case no match is found, the authentication will be declined.Once, the authentication process ends, the system displays the message if access is granted or denied.In this entire process, the role of certification is to manage public key that is generated during the process. The certification will bind the identity/fingerprint details to the cryptographic key. That will generate a token in response to it containing: identity, public key, timestamp, and signature. Once the timestamp expires, the public key expires as well.PART CIntercept Transaction ProcessIntercept Bank ServerIntercept Client PCIntercept NetworkHackerMalicious InsiderSpoofingAccess LANHack SystemKeyloggerEavesdroppingBypassing Security ProtocolsEavesdroppingVirus / TrojanTrojanAccess ServersBreak Security ProtocolSteal PasswordAchieve System AuthorizationExploit Private and Confidential DataPossible Risks and ThreatsSince the Online Banking System involves highly sensitive, private and confidential financial transactions, it is also prone to several risks and threats that can put the reputation and sustainability of the Bank at stake. Because of being a financial institution, it is also a hot cake for hackers, intruders and nefarious users for malicious purposes.One of the most common and critical risk involves the risk of data interception by hackers. In order to intercept the bank network and gain access to servers to steal confidential information, hackers may use several tactics including: phishing, spoofing, eavesdropping, Trojans and worms, viruses, SSL injections, etc. In order to protect the system from such vulnerabilities, several security protocols must be deployed in layers to make the system fool proof.Another serious threat to the system servers are the nefarious insiders. These can be anyone including fired employees, security officers with malicious intents, etc. These are the most critical risks and can often stay unnoticed and totally anonymous since they are very well aware of the weak spots or loopholes of the system. Therefore, special physical and electronic security protocols must be deployed.PART DAudit LogsThe audit logs for the Online Banking System will contain:UserType: AccountHolder, Employee, SecurityMember, ExecutiveMember, adminActionPerformed: AccessPersonalInfo, AccessAccountInfo, AccessServer, AccessBranchInfo, etc.IP AddressPhysical Location: country, city, address.Time of AccessDate of AccessDuration of AccessNumber of returnsAccess Control PolicyThe Audit Log is a highly sensitive and detailed data composition that must not be authorized to everyone. In order to ensure privacy of online client activities as well as transparency of online activities by various types of users, only security officials will be given access to the Audit Logs. These security officials will be high level authorized individuals that must abide by the system protocols. In order to access these logs, they must go through various levels of security that must include a high level encoded password, biometric verification, etc.Only these officials will have access to the audit logs. However, they will not have the permission to edit or delete these logs.PART EAudit Logs, also known as audit trails are the chronological order of the security related details that are recorded over the period of time. These logs actually serve as the documented evidence and proof of any suspicious or alarming activity that must be audited, investigated or inquired by the security officials. The audit logs are helpful for the system investigators, and security officials as these logs can be interpreted in order to detect if any suspicious, unnoticed activity is going on over the system. The details in the log can also help in detecting the location from where these malicious attempts are being made.Other than Audit logs, multiple layered security protocols, hybrid security techniques and strategies can also help in reducing the impact of these vulnerabilities.