A Vulnerability Assessment of Information Systems Security at the National Bank of Kenya (Nbk)

Abstract

Every environment is susceptible to threats and security systems at NBK are no exceptions. The most common threat is the ease with which virus attack a system. The attack strategies, sophisticated techniques and the opportunities for intruders have increased rapidly as the banking sector embraced the internet. The introduction of internet is believed to have resulted in sudden vulnerability of financial institutions to attacks not only from people physically inside the bank, but from anyone with an internet connection anywhere in the world. Due to this vulnerability, banks now use strong access controls, firewalls, encryptions and other controls as mitigation strategies to protect their most valuable asset-information. The study conducted aimed at establishing security systems present at NBK as well as assessing how vulnerable these systems are to threats(both internal and extemal).To address the above objectives, data were collected from NBK ICT division and 10 branches in Nairobi using questionnaires and analyzed using statistical tools. Census was done to ensure data collected was not biased. The findings showed that effective security measures are in place to safeguard Information systems at National Bank of Kenya. The findings showed that smart cards are widely used in gaining access to almost all sensitive areas within the bank. Properly installed CCTV cameras are also in place to offer all round surveillance within the bank especially at the branches. This indicates that only authorized get access to banks vital resources such as server rooms, strong rooms and ATM lobbies. The findings revealed that the bank mostly use automated vulnerability assessment tool. This is effective detection systems capable of updating automatically for new threats and scanning periodically based on predefined schedule. The main challenge in offering effective security to the bank’s network may have been attributed to lack of training on system security. This may affect the organization negatively as employees unconsciously delete or tampered with vital files in the system causing system failure. The findings on low security personnel turnover is a good sign as the organization is assured of a more secure and stable network from dedicated expertise. Some limitations encountered during the undertaking of the study were, first, the nature of this study required sensitive security related information, as a result some of the members in the sample considered it too sensitive and declined to respond to some questions in the questionnaire. Secondly, some of those who responded may not have given the exact security position given the sensitive nature of information. Third, the study only incorporated responses from system administrators, network administrators, database administrators and IT managers. Perhaps richer responses would have been obtained if the study incorporated end-user responses. Finally, the time constraint made it impossible to collect more diverse data from the entire NBK network.