Abstract

Data loss prevention is a technique that is used to cater to the data loss problem. The most secure data is related to debit and credit cardholders. This project analysis is therefore designed to analyze and select the best-suited methodology to develop the network infrastructure of the Emirates Islamic Bank in accordance with the Payment Card Industry Data Security Standards. The best-suited methodology identified for this project is the securing of the firewall. The report gives an introduction of the project then defines the client’s requirements and constraints along with the stakeholder perspective. An analysis for the selection of the approach or methodology for fulfilling the requirement of this project is given is discussed after the constraints and perspective. At the end of this project, a discussion about the technical issues that the team can face and the reflection of their solution is given.

Introduction

The invent of the internet has resulted in the digitalization of the world. A number of new inventions have been developed since then. These inventions that are based on the internet of thing IoT at one end made the life easier, and at the second end raised multiple threats. One of these threats is related to data loss. The IoT has allowed a lot of data to be placed online. This data due to technological advancement is now at risk of loss or theft. Data loss is currently the biggest problem faced by almost everyone connected to the internet. Either it is private sector or the public one, government agency or nonprofit organization, office or home, millions and trillions of bytes of data has been lost (Ablon, Heaton, Lavery & Romanosky, 2016). In order to fight this problem prevention techniques are adopted. These strategies also are known as Data Loss Prevention or (DLP). In short, the DLP is a secure system that monitor, identify and protect data, from being accessed to an unauthorized channel, by performing inspection and analysis of the data transferred (Roebuck, 2011).

Although there are different forms of data that need to be protected from being lost, this project is designed to apply Payment Card Industry Data Security Standards (PCI DSS) to the database system of the Emirates Islamic Bank. According to Abdel-Salam and fellows (2017), PCI DSS provides a basic line of technical and operational controls that prevent confidential data loss. The PCI DSS includes minimum requirements for the protection of the cardholder’s data and may increase the additional control and practice to further reduce risk associated with the data related to credit and debit card (Lotzer & Haller, 2018).

Client Requirements and Constraints

In order to identify the client requirements and limitations, a meeting is the most important. There will be multiple meetings for this project. Some will be with the client while others without the client. The meetings with the client will be held before project planning, before project analysis and after the completion of the project. On the other hand, the meetings without client will be held before the project planning phase, analysis phase, development phase and after the finalizing of the project.

There are certain requirements and constraints that need to be followed and addressed within the project. Some of the requirements along with the priorities are as follows:

1. Creation and execution of router configuration that restricts the networking between unreliable/untrusted networks and system elements in the cardholder data environment (Priority: High).
2. Effective configure system, confirmation, and examination of all router and firewall settings to ensure the safety traffic transmitting for the cardholder environment (Priority: High).
3. Synchronize and secure router configuration files (Priority: Medium).
4. Appropriate router system that analyses and restrict the files from unauthorized access (Priority: High)
5. Installation of perimeter between all the wireless networking to examine if traffic is necessary and direct to business purposes (Priority: Low).

Some of the constraints are as followed;

1. Inappropriate use of network segmentation that unable to integrate firewall and separate the card environment from rest of the unsecured business environment,
2. Lack of maintaining firewall measure that reduces the PCI scope and increases security efforts.
3. Constraints in log management can also one of the significant issues that result in poor tracking of logs and sent insecure notifications to cardholders.
4. Lack of proper documentation system from the human resource that could not justify the allowed protocols, ports, and secure services.

Stakeholder Perspectives

Although the main stakeholder of this project is Emirates Islamic Bank, there are some other key stakeholders such as the cardholders, banks’ management and other staff members. In order to ensure the sustainable viability of the entire payment for cardholders, stakeholders’ keen perspective relies on successful integration and maintenance of the firewall configuration (Hadden & Mahdy, 2016). Stakeholders perspective always remain positive towards remembering that if they are the user, they should take good and upright compliance to cardholders. The major concern also remains significant to reduce vulnerability and security costs as well as to ensure the cardholder’s data security and confidentiality (Abrar, Ahmed & Kashif, 2018). From the stakeholder’s mind, it is necessary to consider which technology to be encrypted and what information will be collected to maintain high standards of PCI DSS. The adoption of PCI DSS will not only make them safe but also increases the overall customer value of the Emirates Islamic Bank.

Moreover, stakeholders such as the board of directors, investors, and customers all keen to secure retaining of their long-term information and risk of collecting and retaining information. For this purpose, the Compliance Manager at Emirates Islamic banks must be given full responsibility for this activity, must fulfill these functions and receive appropriate funding and appropriate authority to effectively organize and disseminate these relevant resources (Lotzer & Haller, 2018). The given responsibility in the presence of PCI DSS adaptation will make them confident enough to face other challenges and to perform their job more positively.

Analysis

Since the main aim and objective of this project is to apply the PCI DSS in Emirates Islamic Bank, therefore the main process or methodology adopted for this project will be based on the approaches that will fulfill the 12 key requirements of the PCI DSS. PCI Standard Council has developed these 12 requirements that need to be compiled by every merchant, service providers, retailers and any other user that read, transmit and process the cardholder’s data (Rowlingson & Winsborrow, 2006). These standards are designed to secure the point of sale system, routers, card readers, data storage and the overall network. In order to follow the standards of PCI DSS, three steps are required to be continuously followed.

Assessment

This is the very first step for analyzing the need for PCI DSS adoption. In this step, the identification is done. Cardholder requirements and risks related to the payment system are identified. Payment process, network, and other related systems are accessed in order to find out any vulnerabilities.

Remediation

 The second step is remediation. In this stage, the vulnerabilities and risks are responded. There are multiple techniques, based on the type and category of the risk and vulnerability, that are used for meditating them.

Reporting

The last phase in the application of PCI DSS is the reporting. The compilation of records of vulnerabilities and risks along with their proposed and adopted solutions in order to future reference is done in this stage (“How a layered security approach can help you protect customer data and your business”, 2017).

For this project, the selected approach will be based on the remediation stage only since the client requirements and constraints have already assessed the vulnerabilities and risks associated with their payment system. The approach needed to be adopted should be related to the firewall and network protection.

GOALS	PCI DSS REQUIREMENTS
Build and Maintain a Secure Network	1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data	3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program	5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures	7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks	10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes
Maintain an Information Security Policy	12. Maintain a policy that addresses information security for employees and contractors

Table 1: PCI DSS Requirements (“PCI Security Standards”, 2019)

Network Security for Prevention of Data Loss

Network security is one of the biggest fields of computer science. It requires a lot of methods and approaches to make the network secure. In order to fulfill the requirement of the client i.e. Emirates Islamic Bank, a look at the 12 requirements of the PCI DSS is helpful. The 12 requirements of PCI DSS as shown in table focus majorly on encryption, firewall and use of antivirus.

Firewall

Firewall is the security system that controls and monitors the ingoing and outgoing data stream against established security rules (Tilborg, 2011). For setting up the firewall, first, the router is needed to be configured. A router’s primary work is to route the incoming data to the correct destination. The best principles for the router settings are:

• Do not add every suspicious internet protocol address to the access control list.
• Protect the system by placing the router outside the firewall.
• Filter the list of private internet protocol address.
• Block traffic from systems owns IP.

To make the most out of the firewall, there are only two basic principles. The first is that deny all incoming traffic and allow only the ones you want to. Do not use the default setting as it works oppositely. The second principle is to label all the rules and remain specific to the requirement so that in future the upgradation of the firewall rules can be easier (Kartch, 2017).

Discussion

The invent of the internet has changed the scope of information security. The sensitive data that once was stored on papers is now digitalized. The digitalization of the data has increased the threats associated with data loss. One of the most important data is the one related to the banking industry. The cardholder’s information is the sensitive information that needs to be prevented. There are multiple standards and approaches that need to be followed to prevent data loss. One of these standards is PCI DSS. Set up by the council of PCI Security Council, that was founded in 2006 by the combined efforts of JCB, MasterCard, American Express, Visa Inc. and Discover (“PCI Security”, 2019), PCI DSS is the standard requirements that all the retailers and merchandisers that are handling credit and debit card are required to follow. These standards define the basic needs in order to prevent data loss.

The main objective of this project is to adopt these standards in order to secure the current network system of the Emirates Islamic Bank. In the banking industry, many banks fail to realize the significance and importance of PCI DSS requirements in order to maintain security for credit cardholders. For this purpose, the researches of Lotzer and Haller (2018) and Islam (2017) addresses that working and integrating the firewall configuration will support in filtering the secure networking rules. On the other hand, the research of Hadden and Mahdy (2016) states that firewall configuration utilizes the trusted zones and utilize the perimeter installation to networks and cardholder data environment. The analysis of this project also indicates that the need for setting up the firewall according to the standards described through the PCI DSS is not only crucial for this project but also meet the requirements of the client, i.e. Emirates Islamic Bank. Meanwhile, it is the responsibility of the Emirates Islamic banks to thoroughly review firewall configurations and policies to control the secure traffic flow in and out of the routers.

 A lot of issues, especially the technical ones are identified during this analysis phase of the project. These technical issues are related to the current network system of the Emirates Islamic Bank and the hardware used in that system. The configuration of the network security system, especially that of the firewall depends totally on the hardware. The need for routers is a must have for the firewall to work properly. Besides the need of the router, training of the employees of Emirates Islamic Bank, in order to follow the standards of PCI DSS in the future is also a major issue. 

Some of the key reflections for team member are as follows:

1. Based on the above discussion, the team at Emirates Islamic banks needs to believe that firewall configuration needs basic installation and should remain untouched for some time.
2. A team needs to observe and allow open communication between the untrusted and trusted segments.
3. In addition, the team needs to maintain accurate documentation for device approval and timely reviews.
4. The team must provide security to assets that are stored, transmitted or processed to cardholder data. It includes appropriate networking building of information from wireless to mobile devices of cardholders.

References

Abdelsalam, O., Elnahass, M., & Mollah, S. (2017). Asset Securitization and Risk: Does Bank Type Matter?.

Ablon, L., Heaton, P., Lavery, D., & Romanosky, S. (2016). Consumer attitudes toward data breach notifications and loss of personal information. RAND Corporation.

Abrar, T., Ahmed, F., & Kashif, M. (2018). Financial Stability of Islamic versus Conventional Banks in Pakistan. Al-Iqtishad Journal of Islamic Economics, 10(2), 341-366.

Hadden, J. M., & Mahdy, A. M. (2016). The Royal Split Paradigm: Real-Time Data Fragmentation and Distributed Networks for Data Loss Prevention. International Journal of Computer Science and Security (IJCSS), 10(3), 107.

How a layered security approach can help you protect customer data and your business. (2017). Retrieved from https://wellsfargoworks.com/marketing-center/article/how-a-layered-security-approach-can-help-you-protect-customer-data-and-your-business

Islam, N. K. (2017). Role of Prime Bank Ltd on Encouraging Entrepreneurs.

Kartch, R. (2017). Best Practices for Network Border Protection. Retrieved from https://insights.sei.cmu.edu/sei_blog/2017/05/best-practices-for-network-border-protection.html

Lotzer, H. J., & Haller, K. G. (2018). U.S. Patent Application No. 15/723,883.

PCI Security Standards. (2019). Retrieved from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

PCI Security. (2019). Retrieved from https://www.pcisecuritystandards.org/pci_security/

Roebuck, K. (2011). Data loss prevention (DLP). Lexington, KY.

Rowlingson, R., & Winsborrow, R. (2006). A comparison of the Payment Card Industry data security standard with ISO17799. Computer Fraud & Security, 2006(3), 16-19. doi: 10.1016/s1361-3723(06)70323-2

Tilborg, H. (2011). Encyclopedia of cryptography and security. New York: Springer.