5. Risk Scenario
In 2020, Citibank mistakenly wired a $900 million loan payoff to the lenders of the cosmetics company Revlon.
Citibank asked the hedge funds to return the money; some did, others refused.
Citibank decided to sue them. The federal judge ruled that Citibank could not have its money back.
As you would imagine, Citibank had multiple controls and policies in place to ensure that mistakes
like this would not happen.
Initial reports suggested that the mistake was caused by compromised banking controls,
but the problem was finally traced to recently installed software that was rife with UI issues.
The software lacked appropriate controls, and this led to the error. US regulators fined Citibank
$400 million and required it to update its data governance, risk management, and compliance controls.
14. ❌ Don'ts ✅ and Do's
❌ Don't assume that security controls are working properly
✅ Set up monitoring and response mechanisms (SIEM, SOC, security analysts)
✅ Always check for issues with the controls and fine-tune them where possible
✅ Always test from every angle to ensure your controls are appropriate
❌ Don't over-rely on compensating controls
✅ Set a time limit to remediate the issue and remove the compensating control
✅ Always review with management if the risk persists
❌ Don't be hasty and/or try to cut corners
✅ Be realistic about the treatment methods chosen
✅ Give management enough information to decide appropriately
15. ❌ Don'ts ✅ and Do's
❌ Don't assume that you know your inventory completely
✅ Carry out periodic inventories to update the database, and automate discovery
✅ Block automatic entry of assets and control the introduction of new assets
❌ Don't assume that your users will always understand controls
✅ Provide training and security awareness on a regular basis
✅ Test their knowledge through campaigns such as phishing campaigns
❌ Don't try to re-invent the wheel
✅ Use tried and proven methods such as the standards and frameworks that are available
✅ ISO 27005, NIST 800-37, EBIOS, MEHARI, OCTAVE, ISF RMF