Binghamton Bank Risk Analysis
Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter
1
2
Agenda
• Overview of Binghamton Bank
• Aegis Analysis
• Executive Summary
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary
3
Overview of Binghamton Bank
• Largest bank in the Northeast, with headquarters in Boston, MA
• Specializes in commercial, retail, and investment banking
• $50 billion in assets; 20th largest bank holding company in the United States
• New CEO, Conner Wayne
• Rebranded slogan: “Building a Sanctuary for your Future”
4
Background of Binghamton Bank
Needs to enhance its applications and infrastructure to deliver a cost-efficient improvement in customer satisfaction
Software Upgrade Issues
• Stopped payments for 2 hours
• Large monetary loss
Web Application Issues
• Customers could not access their accounts
• Login troubles
Reliability and Reputation Issues
• Customers still question the reliability of the bank’s IT systems
5
Binghamton Bank Challenges
Aegis Analysis
Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses
Risk Criteria
• Operational: risks associated with functions inside the company and risks that affect internal day-to-day activities
• Financial: risks associated with business transactions, including both financial dealings and non-monetary trading and sharing
• Technological: risks resulting from failures or errors in IT devices or systems put in place by the company
• External: any risk arising from an uncontrollable occurrence outside the company
7
Aegis Analysis
8
Executive Summary
9
Infrastructure
1. ATM Vendor Dependency
Risks
• Reliant on external vendors for ATM operations
• Lacking emergency protocol
Recommendations
• Implement transitional vendors
2. Online Banking Remote Security
Risks
• Weak security leads to possibility of compromised information and reputational loss
Recommendations
• Boost remote access security
3. Disaster Recovery – Server Security
Risks
• No data encryption
• Weak failure prevention
Recommendations
• Encrypt server information
• Test contingency plan
• Upgrade servers
Application
1. BODPS
Risks
• Poor information security
• Limited employee training
Expected Outcome
• Loss of sensitive client data
• Prone to social engineering and regulation violations
2. NorthGo
Risks
• System overload
• Lack of backup system
Expected Outcome
• Application failure
• Reputational harm
• Data loss
3. FIN
Risks
• Short RTO
• Application failure
Expected Outcome
• Serious monetary loss
• Halt of Binghamton Bank’s operations
Executive Summary
1. ATM Vendor Dependency
Risks
• Reliant on numerous critical vendors to operate ATMs
• Lacking emergency plan for failed vendors
• Alternative power source is unavailable
Recommendations
• Increase vendor reliability awareness
• Implement Automatic Transfer Switch (ATS)
• Contract transitional vendors
2. Online Banking Remote Security
Risks
• Weak prevention of unauthorized network access
• Sensitive information not encrypted
• Weak authentication for account access
Recommendations
• Acquire SSL certificates
• Require remote access through virtual machines
• Enable remote wipe on employee devices
• Prevent unauthorized network access
3. Disaster Recovery – Server Security
Risks
• No encryption of sensitive information
• Contingency plan not tested frequently
• Servers are not up to date
Recommendations
• Upgrade servers to Windows Server 2012 R2
• Utilize COBIT
• Enable SSL certificates
• Encrypt sensitive information
• Test contingency plan
10
Infrastructure Summary
11
Infrastructure Risk Analysis
ATMs               Operational  Financial  Technological  External
Inherent Risk      53           40         78             67
Control Strength   28           10         25             9
Residual Risk      38           36         58             60
Inherent Risk
• Processes 2,000-5,000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news
Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable
12
1. ATM Vendor Dependency
Inherent Risk – lower is better
Control Strength – higher is better
*Red indicates discussed risks
*Score values are from 1 - 100
Note
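As an added illustration (Python written for this page, not the Aegis team's tool), the block below reproduces the deck's score tables under an assumed model. The slides report inherent risk, control strength and residual risk but never state the formula, so residual = inherent × (1 − control strength / 100), the floor of 15 and the control_needed helper are assumptions of this example; the score rows are transcribed from the slides that follow.

```python
"""Residual-risk scoring in the style of the Aegis risk evaluation tool.

Added illustration, not the Aegis team's tool. The deck reports inherent
risk, control strength and residual risk (1-100 scale) per criterion but
does not say how residual risk is derived. ASSUMPTION: the common GRC
model residual = inherent * (1 - control_strength / 100), floored at 15,
the lowest residual value that appears in any of the deck's tables.
"""
import math

CRITERIA = ("Operational", "Financial", "Technological", "External")
RESIDUAL_FLOOR = 15  # assumption: lowest residual score reported in the deck

# Transcribed from the slides: asset -> (inherent, control strength, residual)
# rows, each ordered as CRITERIA.
DECK_SCORES = {
    "ATMs":           ((53, 40, 78, 67),    (28, 10, 25, 9),  (38, 36, 58, 60)),
    "Online Banking": ((48, 41, 66, 49),    (30, 10, 24, 20), (34, 37, 50, 39)),
    "DR/Servers":     ((59, 43, 67, 44),    (25, 15, 20, 18), (44, 36, 53, 36)),
    "BODPS":          ((84, 15, 88, 75),    (38, 44, 20, 41), (52, 15, 70, 44)),
    "NorthGo":        ((84, 42, 56, 15),    (56, 15, 20, 40), (37, 37, 45, 15)),
    "FIN":            ((100, 100, 100, 15), (69, 87, 89, 9),  (31, 15, 15, 15)),
}


def _check_score(value, name):
    if not 0 <= value <= 100:
        raise ValueError(f"{name} must be on the 0-100 scale, got {value}")


def residual_risk(inherent, control_strength, floor=RESIDUAL_FLOOR):
    """Assumed model: controls remove a fraction of the inherent risk."""
    _check_score(inherent, "inherent")
    _check_score(control_strength, "control_strength")
    return max(floor, round(inherent * (1 - control_strength / 100)))


def score_asset(name):
    """Residual risk per criterion for one asset, computed from the deck's
    inherent and control-strength rows."""
    inherent, control, _ = DECK_SCORES[name]
    return {c: residual_risk(i, s) for c, i, s in zip(CRITERIA, inherent, control)}


def compare_with_deck(name, tolerance=1):
    """Criteria where the assumed model and the deck's reported residual
    differ by more than `tolerance` (allows for the deck's rounding)."""
    computed = score_asset(name)
    reported = dict(zip(CRITERIA, DECK_SCORES[name][2]))
    return {c: (computed[c], reported[c])
            for c in CRITERIA if abs(computed[c] - reported[c]) > tolerance}


def control_needed(inherent, target_residual):
    """Minimum control strength that brings residual risk down to the
    target under the assumed model (the 'control gap' a remediation plan
    must close). Returns 0 when inherent risk already meets the target."""
    _check_score(inherent, "inherent")
    if inherent <= target_residual:
        return 0
    return min(100, math.ceil(100 * (1 - target_residual / inherent)))


def rank_assets():
    """Assets ordered by their worst residual criterion, one way to derive
    the deck's 'Risk Priority' ordering."""
    return sorted(DECK_SCORES, key=lambda n: max(score_asset(n).values()), reverse=True)


if __name__ == "__main__":
    for asset in rank_assets():
        scores = score_asset(asset)
        worst = max(scores, key=scores.get)
        print(f"{asset:14} worst={worst:13} residual={scores[worst]:3} "
              f"mismatches={compare_with_deck(asset) or 'none'}")
```

Run stand-alone, it lists the six assets from highest to lowest worst-case residual risk and flags any cell where the assumed formula misses the deck's value by more than one point (none do).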
Risk Priority
• On average, ATMs process 180% more transactions per hour than online banking systems
• Reputational Issues
  • Dependence on processes outside of Binghamton Bank’s control
  • Potential for negative media
  • ATM failures could seriously affect the reputation of the new CEO
Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice vendor contingency plan
• Increase awareness of vendors’ reliability
  • Perform quarterly financial reviews
  • Background checks on vendors (SOC-II)
  • Annual debrief with vendor management
Failure Time Prevention
• Implement backup power system
• Implement Automatic Transfer Switch (ATS) to reduce failover time
13
1. ATM Vendor Dependency
Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach of the database
• Allowing remote access for online banking may open doors to potential risks
Financial
• Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
Control Observations
Technological
• No multi-tier authentication in order to gain access to online banking remotely
• Weak prevention of unauthorized access to the network
• No encryption of sensitive information
14
Online Banking     Operational  Financial  Technological  External
Inherent Risk      48           41         66             49
Control Strength   30           10         24             20
Residual Risk      34           37         50             39
2. Online Banking Remote Access Security
Risk Priority
• Reputational Loss
  • Decrease in accountability to customers if servers were to fail
  • Loss of sensitive information will result in non-compliance with GLBA
• Monetary Loss
  • Each violation of GLBA can cause fines up to $100,000
• Safety of customers’ personal information
  • Hackers could disclose or utilize private customer information
Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow only pre-authorized MAC addresses
• Monitoring and logging system
• Segment networks by the criticality of the information they carry
15
2. Online Banking Remote Access Security
Inherent Risk
Technological
• 10%–30% of critical infrastructure software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face greater than $200,000 in fines
Control Observations
Technological
• Binghamton Bank only tests its contingency plan every 2–5 years
• Tests employees’ preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations not aligned with financial goals
16
DR/Servers         Operational  Financial  Technological  External
Inherent Risk      59           43         67             44
Control Strength   25           15         20             18
Residual Risk      44           36         53             36
3. Disaster Recovery – Server Security
Risk Priority
• Monetary Loss
  • Each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
• Excess or unnecessary activities are performed by the IT department
• Failures decrease reliability
• Weak ability to adapt to unanticipated events
Recommendations
• COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256-bit AES encryption in transit and at rest
• Test employees for phishing schemes monthly
• Test contingency plan annually
• Upgrade to Windows Server 2012 R2
  • 1,000 servers ~ $900,000
  • 2,500 servers ~ $2.0 million
  • 5,000 servers ~ $3.7 million
  • 7,000 servers ~ $4.9 million
17
3. Disaster Recovery – Server Security
Application Risk Analysis
20
Inherent Risk
Operational
• Stores sensitive client data that must be protected at the highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of other applications
Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance
BODPS              Operational  Financial  Technological  External
Inherent Risk      84           15         88             75
Control Strength   38           44         20             41
Residual Risk      52           15         70             44
1. BODPS (Back Office Data Processing System)
Description: BODPS processes information from FIN and sends this data to iReport to create financial documents
21
Risk Priority
• Poor internal login authorization security
  • Potential loss of sensitive client data
• Sends data to iReport to create financial documents
  • Poor security may lead to inaccurate data, thus publishing faulty financial statements
  • Violation of SOX and GLBA is possible (jail time and fines can occur)
Recommendations
• Implement a two-level authorization process for employees to address poor security
  • Level 1: Personalized employee password
  • Level 2: Enter security token code
  • Example: Vendor Symantec for application security
    • $38.18 per token annually
• Schedule upgrades during low-traffic times
  • Use statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
  • Raise awareness of social engineering threats
  • First steps to comply with COBIT
1. BODPS (Back Office Data Processing System)
22
Inherent Risk
Operational
• Web-based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic
Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic
2. NorthGo
NorthGo            Operational  Financial  Technological  External
Inherent Risk      84           42         56             15
Control Strength   56           15         20             40
Residual Risk      37           37         45             15
Description: NorthGo is an online asset management application
23
Risk Priority
• Lack of login security; vulnerable to hacking
• Nothing in place to mitigate failure from application overload
  • Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
  • Violation of GLBA is possible (up to $100,000 per violation)
  • Reputational harm
• Insufficient internal monitoring system to alert the bank of potential malfunctions
Recommendations
• Implement two-factor authentication using a personal password and a randomly generated password; Example: Symantec token
• Upgrade for increasing traffic
  • Apply backup system; Example: Simpana
• Implement application monitoring system
  • Example: DynaTrace
    • $177/JVM instance for a three-year subscription
    • Provides alerts of potential risks ahead of time
• Schedule upgrades for low-traffic times
• Utilize ISO 27001/27002 to help begin the process of an Information Security Management System (ISMS)
2. NorthGo
24
Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making its failure a major threat
• Binghamton Bank is susceptible to application failures during software upgrades
Control Observations
Operational
• There is no manual process to fall back on if the application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met
3. FIN (Central Financial Transaction Application)
FIN                Operational  Financial  Technological  External
Inherent Risk      100          100        100            15
Control Strength   69           87         89             9
Residual Risk      31           15         15             15
Description: FIN is the central financial application of Binghamton Bank
25
Risk Priority
• FIN malfunction
  • Lack of a fully functioning backup system
  • Functions cannot be completed ad hoc
  • Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
  • Bottom line is affected almost immediately
  • Quick recovery is crucial to prevent financial loss
Recommendations
• Implement software for a fully functional backup system; Example: CommVault Simpana
  • Allows physical and virtual backups
  • Includes a failure recovery system
  • Web-based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1270 per VM / $1420 per TB of data
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low-traffic times
3. FIN (Central Financial Transaction Application)
1. Insufficient Login Authorization Security
Risks
• Vulnerable to hacking
• Social engineering can lead to compromise of bank’s data
Recommendations
• Implement security tokens for BODPS and NorthGo
• Example: Symantec
2. Insufficient Internal Monitoring System
Risks
• Cannot foresee problems ahead of time and prepare for them
Recommendations
• Implement application monitoring system for NorthGo
• Example: DynaTrace
3. Lack of Backup System
Risks
• System overload
• Susceptible to crashes
• Loss of sensitive client data
• Functions cannot be completed ad hoc effectively
• Critical bank functions can be halted by FIN failure
Recommendations
• Implement backup system for NorthGo and FIN
• Example: CommVault Simpana
26
Top Application Risks
Summary
Infrastructure
ATM Vendor Dependency
Recommendations
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests
Online Banking Remote Security
Recommendations
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses
Disaster Recovery – Server Security
Recommendations
• Upgrade to Windows 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan
Application
BODPS
Recommendations
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT
NorthGo
Recommendations
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002
FIN
Recommendations
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail
28
Recommendations Summary
Questions?
Thank you
29
Symantec:
https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf
• Better value with Symantec: lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens: no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business: OTP or tokenless options
• Leverages existing technology investments (directory, database, SSO servers, etc.); fully scalable
• Open versus proprietary: more credential choices and no vendor lock-in
• Continuous innovation: innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application, including token activation, token synchronization, etc.
30
Appendix A
Simpana:
http://www.commvault.com/simpana-software
• Industry-leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using “virtualize me”
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
  • Need for third-party reporting tools eliminated because everything is managed from a single console
  • Allows for workflow automation of tasks that would otherwise be repetitive or complex
  • Self-service access to information, which allows for maximized productivity
  • Accounts for all data and reduces risk in a single, enterprise-wide search
• One-click, enterprise-wide legal hold
• 1270 per socket
• 4.50 per user per month
• 30 per mailbox
• 1420 per TB
31
Appendix B
DynaTrace:
http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: More than 800 of the field’s top engineers and application performance experts contribute to our industry leading products, assuring customer value and driving innovation. Dynatrace optimizes every digital moment by enabling you to:
  • Proactively spot and solve application performance issues before users are impacted.
  • Smart and adaptive alerts to better adjust in future situations
  • Code-to-click visibility which can deliver actionable insights at each step in the lifecycle of the application
  • Increases customer satisfaction by delivering visibility, context, insight, and adaptability
  • Speed new applications and enhancements to market with DevOps functionality.
  • Pinpoint root causes and optimize critical applications.
  • Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection
32
Appendix C
ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct – guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.
SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations regardless of size and scope are required to comply.
• Section 404: Program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial reporting related risks and a combination of controls that effectively address those risks, and evaluating testing results to provide conclusive responses on the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized according to likelihood and impact.
33
Appendix D
COBIT:
• Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
• Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
• Maturity models: Assess maturity and capability per process and help to address gaps.
• The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0), as shown below:
  • Level 0: Non-existent
  • Level 1: Initial/ad hoc
  • Level 2: Repeatable but Intuitive
  • Level 3: Defined Process
  • Level 4: Managed and Measurable
  • Level 5: Optimized
34
Appendix E
GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
NPI:
• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
Fines for GLBA:
• fines up to $100,000 for each violation
• specific individuals fined up to $10,000 for each violation
• criminal penalties of up to 5 years in prison
35
Appendix F

Lessons Learned from the Field: CyberSecurity that Works - Jason Smith Ses...
 
Protecting the bank
Protecting the bankProtecting the bank
Protecting the bank
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 
Perfect Profilers Final Presentation
Perfect Profilers Final PresentationPerfect Profilers Final Presentation
Perfect Profilers Final Presentation
 
Flopsar-UK (3)
Flopsar-UK (3)Flopsar-UK (3)
Flopsar-UK (3)
 
Preventing Network Outages
Preventing Network OutagesPreventing Network Outages
Preventing Network Outages
 
Garth Grahams Stratmor Slides from Digital Mortgage Conference 2017
Garth Grahams Stratmor Slides from Digital Mortgage Conference 2017Garth Grahams Stratmor Slides from Digital Mortgage Conference 2017
Garth Grahams Stratmor Slides from Digital Mortgage Conference 2017
 
Cbs concepts and opportunities
Cbs concepts and opportunitiesCbs concepts and opportunities
Cbs concepts and opportunities
 
Hdfc case presentation
Hdfc case presentationHdfc case presentation
Hdfc case presentation
 

Binghamton Bank Risk Analysis

1. Binghamton Bank Risk Analysis

Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter
4. Background of Binghamton Bank

• Largest bank in the Northeast, with headquarters in Boston, MA
• Specializes in commercial, retail, and investment banking
• $50 billion in assets; 20th largest bank holding company in the United States
• New CEO, Conner Wayne
• Rebranded slogan: “Building a Sanctuary for your Future”
5. Binghamton Bank Challenges

Needs enhancement of applications and infrastructure to create a cost-efficient improvement in customer satisfaction.

Software upgrade issues
• Stopped payments for 2 hours
• Large monetary loss
Web application issues
• Customers could not access their accounts
• Log-in troubles
Reliability and reputation issues
• Customers still question the reliability of the bank’s IT systems
7. Aegis Analysis

Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses

Risk Criteria
• Operational: risks associated with functions inside of the company and risks that affect the internal day-to-day activities
• Financial: risks associated with business transactions, including both financial dealings and non-monetary trading and sharing
• Technological: risks resulting from failures or errors by IT devices or systems put in place by the company
• External: any associated risk due to an uncontrollable occurrence outside of the company
9. Executive Summary

Infrastructure
1. ATM Vendor Dependency
  Risks
  • Reliant on external vendors for ATM operations
  • Lacking emergency protocol
  Recommendations
  • Implement transitional vendors
2. Online Banking Remote Security
  Risks
  • Weak security leads to the possibility of compromised information and reputational loss
  Recommendations
  • Boost remote access security
3. Disaster Recovery – Server Security
  Risks
  • No data encryption
  • Weak failure prevention
  Recommendations
  • Encrypt server information
  • Test contingency plan
  • Upgrade servers

Application
1. BODPS
  Risks
  • Poor information security
  • Limited employee training
  Expected Outcome
  • Loss of sensitive client data
  • Prone to social engineering and regulation violations
2. NorthGo
  Risks
  • System overload
  • Lack of backup system
  Expected Outcome
  • Application failure
  • Reputational harm
  • Data loss
3. FIN
  Risks
  • Short RTO
  • Application failure
  Expected Outcome
  • Serious monetary loss
  • Halt of Binghamton Bank’s operations
10. Infrastructure Summary

1. ATM Vendor Dependency
  Risks
  • Reliant on numerous critical vendors to operate ATMs
  • Lacking emergency plan for failed vendors
  • Alternative power source is unavailable
  Recommendations
  • Increase vendor reliability awareness
  • Implement Automatic Transfer Switch (ATS)
  • Contract transitional vendors
2. Online Banking Remote Security
  Risks
  • Weak preventions for network access
  • Sensitive information not encrypted
  • Weak authentication for account access
  Recommendations
  • Acquire SSL certificates
  • Require remote access through virtual machines
  • Enable remote wipe on employee devices
  • Prevent unauthorized network access
3. Disaster Recovery – Server Security
  Risks
  • No encryption of sensitive information
  • Contingency plan not tested frequently
  • Servers are not up to date
  Recommendations
  • Upgrade servers to Windows Server 2012 R2
  • Utilize COBIT
  • Enable SSL certificates
  • Encrypt sensitive information
  • Test contingency plan
12. ATM Vendor Dependency

Inherent Risk
• Processes 2,000-5,0000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news

Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable

ATMs               Operational  Financial  Technological  External
Inherent Risk           53          40           78           67
Control Strength        28          10           25            9
Residual Risk           38          36           58           60

Note: Inherent Risk – lower is better; Control Strength – higher is better. *Red indicates discussed risks. *Score values are from 1 - 100.
13. ATM Vendor Dependency

Risk Priority
• On average, ATMs process 180% more transactions per hour than online banking systems
• Reputational issues
  • Dependence on processes outside of Binghamton Bank’s control
  • Potential for negative media
  • ATM failures could seriously affect the reputation of the new CEO

Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice a vendor contingency plan
• Increase awareness of vendors’ reliability
  • Perform quarterly financial reviews
  • Background checks on vendors (SOC-II)
  • Annual debrief with vendor management
Failure Time Prevention
• Implement backup power system
• Implement Automatic Transfer Switch (ATS) to reduce failover time
14. Online Banking Remote Access Security

Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach of the database
• Allowing remote access for online banking may open doors to potential risks
Financial
• Binghamton Bank would face more than $200,000 in fines in the event of non-compliance with regulations

Control Observations
Technological
• No multi-tier authentication in order to gain access to online banking remotely
• Weak prevention of unauthorized access to the network
• No encryption of sensitive information

Online Banking     Operational  Financial  Technological  External
Inherent Risk           48          41           66           49
Control Strength        30          10           24           20
Residual Risk           34          37           50           39
15. Online Banking Remote Access Security

Risk Priority
• Reputational loss
  • Decrease in accountability to customers if servers were to fail
  • Loss of sensitive information will result in non-compliance with GLBA
• Monetary loss
  • Each violation of GLBA can cause fines up to $100,000
• Safety of customers’ personal information
  • Hackers could disclose or utilize private customer information

Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow pre-authorized MAC addresses
• Monitoring and logging system
• Separate networks by critical information
16. Disaster Recovery – Server Security

Inherent Risk
Technological
• 10%–30% of critical infrastructure software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face more than $200,000 in fines

Control Observations
Technological
• Binghamton Bank only tests its contingency plan every 2–5 years
• Tests employees’ preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations not aligned with financial goals

DR/Servers         Operational  Financial  Technological  External
Inherent Risk           59          43           67           44
Control Strength        25          15           20           18
Residual Risk           44          36           53           36
17. Disaster Recovery – Server Security

Risk Priority
• Monetary loss
  • Each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
  • Excess or unnecessary activities are performed by the IT department
• Failures decrease reliability
• Weak ability to adapt to unanticipated events

Recommendations
• COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256-bit AES encryption in transit and while at rest
• Test employees with phishing schemes monthly
• Test contingency plan annually
• Upgrade to Windows Server 2012 R2
  • 1,000 servers ~ $900,000
  • 2,500 servers ~ $2.0 million
  • 5,000 servers ~ $3.7 million
  • 7,000 servers ~ $4.9 million
18. Infrastructure Summary (repeats slide 10)
20. BODPS (Back Office Data Processing System)

Description: BODPS processes information from FIN and sends this data to iReport to create financial documents

Inherent Risk
Operational
• Stores sensitive client data that must be protected at the highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of other applications

Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance

BODPS              Operational  Financial  Technological  External
Inherent Risk           84          15           88           75
Control Strength        38          44           20           41
Residual Risk           52          15           70           44

Note: Inherent Risk – lower is better; Control Strength – higher is better. *Red indicates discussed risks. *Score values are from 1 - 100.
21. BODPS (Back Office Data Processing System)

Risk Priority
• Poor internal login authorization security
• Potential loss of sensitive client data
• Sends data to iReport to create financial documents
  • Poor security may lead to inaccurate data, thus publishing faulty financial statements
• Violations of SOX and GLBA are possible (jail time and fines can occur)

Recommendations
• Implement a two-level authorization process for employees to address poor security
  • Level 1: Personalized employee password
  • Level 2: Enter security token code
  • Example: Vendor Symantec for application security, $38.18 per token annually
• Schedule upgrades during low-traffic times
  • Use statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
  • Raise awareness of social engineering threats
  • First steps to comply with COBIT
22. NorthGo

Description: NorthGo is an online asset management application

Inherent Risk
Operational
• Web-based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic

Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic

NorthGo            Operational  Financial  Technological  External
Inherent Risk           84          42           56           15
Control Strength        56          15           20           40
Residual Risk           37          37           45           15
23. NorthGo

Risk Priority
• Lack of login security and vulnerable to hacking
• Nothing in place to mitigate failure from application overload
  • Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
  • Violation of GLBA is possible (up to $100,000 per violation)
  • Reputational harm
• Insufficient internal monitoring system to alert the bank of potential malfunctions

Recommendations
• Implement two-factor authorization using a personal password and a randomly generated password; Example: Symantec token
• Upgrade for increasing traffic
• Apply backup system; Example: Simpana
• Implement application monitoring system
  • Example: DynaTrace
  • $177/JVM instance for a three-year subscription
  • Provides alerts of potential risks ahead of time
• Schedule upgrades for low-traffic times
• Utilize ISO 27001/27002 to help begin the process of an Information Security Management System (ISMS)
24. FIN (Central Financial Transaction Application)

Description: FIN is the central financial application of Binghamton Bank

Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making it a big threat if it were to fail
• Binghamton Bank is susceptible to application failures during software upgrades

Control Observations
Operational
• There is no manual process to fall back on if the application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met

FIN                Operational  Financial  Technological  External
Inherent Risk          100         100          100           15
Control Strength        69          87           89            9
Residual Risk           31          15           15           15
25. FIN (Central Financial Transaction Application)

Risk Priority
• FIN malfunction
  • Lack of a fully functioning backup system
  • Functions cannot be completed ad hoc
  • Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
  • Bottom line is affected almost immediately
  • Quick recovery crucial to prevent financial loss

Recommendations
• Implement software for a fully functional backup system; Example: CommVault Simpana
  • Allows physical and virtual backups
  • Includes a failure recovery system
  • Web-based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1270 per VM / $1420 per TB of data
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low-traffic times
26. Top Application Risks

1. Insufficient Login Authorization Security
  Risks
  • Vulnerable to hacking
  • Social engineering can lead to compromise of the bank’s data
  Recommendations
  • Implement security tokens for BODPS and NorthGo
  • Example: Symantec
2. Insufficient Internal Monitoring System
  Risks
  • Cannot foresee problems ahead of time and prepare for them
  Recommendations
  • Implement application monitoring system for NorthGo
  • Example: DynaTrace
3. Lack of Backup System
  Risks
  • System overload
  • Susceptible to crashes
  • Loss of sensitive client data
  • Functions cannot be completed ad hoc effectively
  • Critical bank functions can be halted by FIN failure
  Recommendations
  • Implement backup system for NorthGo and FIN
  • Example: CommVault Simpana
28. Recommendations Summary

Infrastructure
ATM Vendor Dependency
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests
Online Banking Remote Security
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses
Disaster Recovery – Server Security
• Upgrade to Windows 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan

Application
BODPS
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT
NorthGo
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002
FIN
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail
30. Appendix A

Symantec: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf

Better value with Symantec
Lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens: no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business: OTP or tokenless options
• Leverages existing technology investments (directory, database, SSO servers, etc.); fully scalable
• Open versus proprietary: more credential choices and no vendor lock-in
• Continuous innovation: innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application, including token activation, token synchronization, etc.
31. Appendix B

Simpana: http://www.commvault.com/simpana-software
• Industry-leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using “virtualize me”
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
  • Need for third-party reporting tools is eliminated because it is managed from a single console
  • Allows for workflow automation of tasks that would otherwise be repetitive or complex
  • Self-service access to information, which allows for maximized productivity
  • Accounts for all data and reduces risk in a single, enterprise-wide search
• One-click, enterprise-wide legal hold
• $1270 per socket
• $4.50 per user per month
• $30 per mailbox
• $1420 per TB
32. Appendix C

DynaTrace: http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: more than 800 of the field’s top engineers and application performance experts contribute to our industry-leading products, assuring customer value and driving innovation.
• Dynatrace optimizes every digital moment by enabling you to:
  • Proactively spot and solve application performance issues before users are impacted
    • Smart and adaptive alerts to better adjust in future situations
    • Code-to-click visibility, which can deliver actionable insights at each step in the lifecycle of the application
    • Increases customer satisfaction by delivering visibility, context, insight, and adaptability
  • Speed new applications and enhancements to market with DevOps functionality
  • Pinpoint root causes and optimize critical applications
    • Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection
33. Appendix D

ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct: guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.

SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations, regardless of size and scope, are required to comply.
• Section 404: Program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial-reporting-related risks and a combination of controls that effectively address those risks, and evaluating testing results to provide conclusive responses on the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized according to likelihood and impact.
34. Appendix E

COBIT:
• Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
• Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
• Maturity models: Assess maturity and capability per process and help to address gaps
  • The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0), as shown below:
  • Level 0: Non-existent
  • Level 1: Initial/ad hoc
  • Level 2: Repeatable but intuitive
  • Level 3: Defined process
  • Level 4: Managed and measurable
  • Level 5: Optimized
35. Appendix F

GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available." NPI includes:
  • any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
  • any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
Fines for GLBA:
• Fines up to $100,000 for each violation
• Specific individuals fined up to $10,000 for each violation
• Criminal penalties of up to 5 years in prison

Editor's Notes

  1. Speaking: Sharon
  2. janet
  3. Taylor
  4. taylor
  5. taylor
  6. kyle
  7. kyle
  8. chloe
  9. chloe
  10. janet
  11. Zach
  12. Implement two-level authorization for employees to address poor security.
  Step 1: Employees have to enter one password that they personally create.
  Step 2: Enter the password generated by a security token that constantly changes the password.
  Implement training courses so employees are aware of how to properly and legally use the application.
  - Course would take place at the beginning of every year
  - Employees should be aware of social engineering threats and not divulge information, while also logging off after use
  - Company should properly allocate its resources and funds to spend on training programs and frequent updates that are capable of providing the most up-to-date security measures
  Risk Priority: Overall Application Risk: Poor Security.
  - This can lead to a loss of sensitive client data. BODPS is responsible for sending data to iReport to create financial documents. Poor security can lead to altering of this data and publishing financial statements that are not accurate.
  - Leads to a violation of SOX and GLBA.
  Risk: No authorization levels. Consequence: Anyone can access this data; nothing authorizes the user as being a trustworthy person to access the information.
  Risk: Employees are not properly trained. Consequence: Employees can divulge information and leave workstations logged in; not knowing security measures can lead to them sharing confidential information.
  Risk: No mechanism in place to inform customers that their data is secure. Consequence: Customers will not know if their data has been compromised or shared.
  Risk: Poor security can lead to altering of this data and publishing financial statements that are not accurate, and poor security can lead to a leak of customer data. Consequence: Leads to a violation of SOX and GLBA.
  13. JVM: java virtual machine
  14. Operational: Binghamton Bank does not have a fully functioning backup system in place. Unsure if this application’s functions can be completed manually if it were to fail. Unsure if the bank has an internal monitoring system to alert employees of an application failure. There are no compliance checks to make sure that new standards and regulations are being met. Binghamton Bank runs into noncompliance issues >20 times.
  External: System audits are only conducted yearly. Vendors never provide system upgrades.
  15. Overall Application Risk: FIN Failure. FIN is the central financial application of Binghamton Bank, and it integrates and monitors all financial transactions in one location. Not having a fully functioning backup system for an application whose functions cannot be completed manually is a risk.
  Risk: No proper backup system in place to mitigate application failure. Consequence: Application’s functions cannot be completed and crucial bank functions will be halted. FIN failure is a security threat because a system crash can open it up to hacking threats.
  Risk: Cannot be completed manually if the application were to fail. Consequence: Operations cannot continue to run effectively because the bank would have to record all transactions on paper, slowing down operations to a point where everything is backlogged.
  Risk: Short recovery time objective. Consequence: Bank will lose money quickly if application’s functions are not restored in
  Recommendations: Implement a more robust data backup and backup security measures in case of application failure, while investing in a more fully functional system that can take over and perform FIN’s functions if there is an emergency.
  • Set up a failure recovery plan to help take over for FIN
  • Internal monitoring system to tell when FIN is going to fail
  • Train employees to properly use FIN’s backup systems
  One option through outside vendors is CommVault Simpana software:
  • Allows physical and virtual backups
  • Web-based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1270 per VM / $1420 per TB of data
  • Top recommendation by Gartner Magic Quadrant: http://www.commvault.com/simpana-software/solution-sets
  16. janet