Scenario

NEB is a financial management company that specializes in lending money for substantial property investments. They have a large IT department that is currently using the following ITSM processes:

Service Level Management
Availability Management
IT Service Continuity Management
Information Security Management
Incident Management
Problem Management

Each of these processes has been implemented within the planned target time and is working effectively and efficiently. Staff have adapted to the changes in a very positive manner and see the benefits of using the ITIL framework.

Last Saturday, there was a security breach. A former member of staff, who has left the company and joined a competitor organization, was able to gain access to several client lending files. After initial investigation, it was found that access was not terminated when the staff member left the company. This has highlighted that there are insufficient processes in place to ensure access rights are terminated when staff leave the company, change roles, etc., and there is an ongoing investigation to see how many other former staff still have access to the system.

The business has requested immediate recommendations from the IT Manager as to what can be done to ensure this situation does not happen again and how best to inform clients with reference to the security breach.

Refer to the scenario. Which of the following options is most suitable to deal with this situation?
A) Your first recommendation is to implement the Access Management process as soon as possible. You suggest that as the IT organization has already effectively and efficiently implemented six processes, they will be able to manage a well-executed and fast implementation. This process will ensure that access is provided to those who are authorized to have it and will ensure access is restricted to those who are not. With regards to informing clients, you recommend that clients are not told of the situation, as you feel it will be too damaging to the NEB reputation and will result in a catastrophic loss of clientele. You suggest that if clients are contacted by the competitor organization, they cannot prove that any information has been obtained via NEB files and (as there is now a plan to implement Access Management) NEB can confidently reassure clients that there is ample security and access management in place to ensure this situation could never arise.
B) Your first recommendation is to implement the Access Management process as soon as possible. You suggest that as the IT organization has already effectively and efficiently implemented six processes, they will be able to manage a well-executed and fast implementation. As Access Management is the execution of the policies laid out within the Availability and Information Security Management processes, the foundations are already laid. This process will ensure that access is provided to those who are authorized to have it and will ensure access is restricted to those who are not. To ensure alignment between the Business and IT, there will need to be integration with the Human Resources department to ensure there are consistent communications with regards to staff identity, start and end dates, etc. With regards to informing clients of the breach, you suggest that the clients affected by the breach must be informed ASAP. You recommend that a formal letter is sent from senior management to reassure clients that the situation is being taken seriously and to explain what actions are taking place to ensure this never happens again. You are aware that this could damage the company's reputation, as security is a critical success factor, but feel that the specific clients must be informed by NEB ASAP, as there is a high risk they will be approached by the competitor organization.
C) Your first recommendation is to implement the Access Management process as soon as possible. This process will ensure that access is provided to those who are authorized to have it and will ensure access is restricted to those who are not. With regards to informing clients of the breach, you suggest that only the specifically affected clients are informed of the breach, via a formal letter sent from senior management to reassure clients that the situation is being taken seriously. You suggest that the tone and focus of the letter should emphasize the following points:

There has been a 'minor' security breach, the fault of a member of staff whose employment has now been terminated.
No data has been 'lost or changed'.
Sufficient action has been taken to ensure this situation does not happen again, and NEB would like to assure their clients that their security and continued confidence is of the highest importance.
D) With regards to informing clients of the breach, you suggest that all clients need to be informed of the breach and the action being taken to ensure this does not happen again. You are aware that this could damage the company's reputation, but are concerned that if only the specifically affected clients are informed, word will spread and the entire client base will feel they have been kept out of the loop on such an important issue and further damage to NEB's reputation will be felt.
Correct Answer: