a) Describe the three main information security objectives and provide reasons why banks implement various information security controls. [10 Marks]

b) Describe various tools, techniques, and means by which organisations ensure that their Information and IT systems are secure.

[Total: 20 Marks]

a) Three Main Information Security Objectives and Reasons for Controls (10 Marks):

The CIA triad forms the core objectives, crucial in Ghana’s banking under BoG’s Cyber Directive 2020 to prevent collapses like Capital Bank.

  1. Confidentiality (3 Marks): Ensures data is accessible only to authorized users, e.g., via encryption. Banks implement controls to protect customer data from breaches, complying with data protection laws and maintaining trust post-2017 cleanup.
  2. Integrity (3 Marks): Prevents unauthorized alterations, using checksums. Controls are vital to ensure accurate financial records, aligning with Basel II/III and BoG’s governance to avoid fraud that led to UT Bank’s downfall.
  3. Availability (3 Marks): Guarantees timely and reliable access to systems and data, e.g., through redundancy. Reasons include operational continuity, meeting BoG’s liquidity guidelines, and supporting digital banking resilience amid events like DDEP.
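As an added illustration of the integrity objective above (not part of the original answer), the following Python example, using only the standard library, shows why a bare checksum is a weak integrity control for a financial record: whoever can alter the record can also recompute an unkeyed checksum, whereas a keyed HMAC tag can only be recomputed by a holder of the key. The record, the key name and the tamper scenario are constructed for the example; a real bank would keep such a key in an HSM or KMS.

```python
import hashlib
import hmac

# Constructed sample ledger record (not real bank data).
RECORD = b"txn_id=1001;from=ACCT-A;to=ACCT-B;amount=250.00"

# Hypothetical integrity key for the example only; in production this lives in an HSM/KMS.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def plain_checksum(record: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(record).hexdigest()


def keyed_tag(record: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag: detects alteration by anyone who lacks the key."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_plain(record: bytes, checksum: str) -> bool:
    """Constant-time comparison so verification itself does not leak timing."""
    return hmac.compare_digest(plain_checksum(record), checksum)


def verify_keyed(record: bytes, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(keyed_tag(record, key), tag)


def tamper_demo() -> dict:
    """Alter the amount field and report which control catches the change."""
    original_sum = plain_checksum(RECORD)
    original_tag = keyed_tag(RECORD)

    # Constructed tampering: the stored amount is inflated.
    altered = RECORD.replace(b"amount=250.00", b"amount=25000.00")

    # Anyone able to edit the record can also recompute an unkeyed checksum.
    forged_sum = plain_checksum(altered)

    return {
        # Old checksum no longer matches: a silent edit is caught.
        "plain_checksum_flags_silent_edit": not verify_plain(altered, original_sum),
        # Recomputed checksum matches: the plain checksum is blind to this.
        "plain_checksum_flags_recomputed_edit": not verify_plain(altered, forged_sum),
        # The HMAC cannot be recomputed without the key, so the edit is caught.
        "hmac_flags_edit": not verify_keyed(altered, original_tag),
    }


if __name__ == "__main__":
    for control, caught in tamper_demo().items():
        print(f"{control}: {'caught' if caught else 'MISSED'}")
```

The design point is that integrity controls in a bank's core systems must bind the record to a secret (HMAC) or to a private key (digital signature), not merely to a hash, because the insider or attacker who can change a balance can usually change an adjacent checksum too.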

Reasons Overall (1 Mark): Controls mitigate risks, ensure regulatory compliance, enhance profitability by reducing losses, and promote ethical practices in a competitive sector.

b) Tools, Techniques, and Means for Security (10 Marks): Organizations, especially banks like Stanbic Ghana, use multifaceted approaches per BoG directives.

  • Firewalls and Intrusion Detection Systems (IDS): Block unauthorized access and monitor traffic; techniques include signature-based detection.
  • Encryption Tools: Such as AES for data at rest and in transit, ensuring confidentiality.
  • Access Controls: Role-based access (RBAC) and multi-factor authentication (MFA) to limit permissions.
  • Antivirus and Malware Scanners: Real-time scanning with tools like Endpoint Protection Platforms.
  • Regular Audits and Penetration Testing: Techniques to identify vulnerabilities, mandated by BoG.
  • Backup and Disaster Recovery Plans: Means like cloud backups for availability.
  • Employee Training Programs: Techniques to combat social engineering, aligning with governance directives.
  • Biometric Authentication: Tools for secure access, common in mobile banking.
  • Security Information and Event Management (SIEM): Aggregates logs for threat analysis.
  • Patch Management: Regularly updating systems to close exploitable vulnerabilities, preventing compromise and outages.