Albany Bank Corporation: IT Environment Analysis
Perfect Profilers
There’s No Risk With Us
Team Members
Tyler Schroeder
Julie Michlinski
Kasey Wichelns
Brad Sherman
Angelica Chin
Arthur Akhtenberg
Perfect Profilers
• Our purpose
▫ Analyze IT infrastructure
▫ Provide mitigation strategies
▫ Determine plan of action
Agenda
• Current vs future infrastructure
• Our Risk Profiling Tool
• Evaluation of current state applications
• Analysis of future state infrastructure
• 12 month program
• Demonstration of Risk Profiling Tool
Current vs Future Infrastructure
Our Risk Profiling Tool
• Company specific
• User friendly
• Identify risks
Current State Infrastructure
Medium risk:
• FIN
• BODPS
• ATM
• TEL
Low risk:
• CMS
• BeSecure
• PeoplePay
• iReport
• WeHelp
Current State Residual Heat Map
[Heat map figure, current state: TEL, FIN, ATM, BODPS, PeoplePay, WeHelp, CMS, BeSecure and iReport plotted by Likelihood against Impact]
Key Existing Controls
• Firewalls
• Antivirus
• All systems notify relevant employees in the event of an IT problem
• All applications are backed up
Broad Recommendations
• Update servers
• Enhance security department
• Encrypt necessary applications
• Comply with industry standards and regulations
Regulatory Agencies and Regulations
• FFIEC
▫ FDIC
▫ Board of Governors of the Federal Reserve System
• Federal Trade Commission
• State Regulations
Industry Standards
• NIST 800 Series
▫ Attack and penetration testing
• PCI DSS
▫ 3rd party vendors
Medium Risk: FIN
Risk Drivers:
• Outdated servers
• Lack of encryption
• Noncompliance
• Systems are not mirrored
Recommendations:
• System z13
• 128-bit encryption
• Comply with industry standards and regulations
• Mirroring of systems
Medium Risk: BODPS
Risk Drivers:
• Outdated servers
• No redundancy checks
• Systems are not mirrored
• Noncompliance
Recommendations:
• IBM P Series vs distributed server
• Free up server space
• Mirroring of systems
• Comply with industry standards and regulations
Medium Risk: ATM & TEL
Risk Drivers:
• Noncompliance
• Lack of security
• Outdated servers
Recommendations:
• Comply with industry standards and regulations
• Attack and penetration testing
• Monitor access
• Microsoft SQL 2014
Low risk:
• CMS
▫ Encryption
• PeoplePay & iReport
▫ Monitor access
• BeSecure
▫ Monitor access
• WeHelp
▫ Train employees
Future State Infrastructure
High Risk
• ABC Online
Medium Risk
• FIN
• ATM
• BODPS
Low Risk
• CMS
• BeSecure
• PeoplePay
• iReport
• WeHelp
• TEL
Future State Residual Heat Map
[Heat map figure, future state: FIN, ATM, BODPS, PeoplePay, WeHelp, CMS, BeSecure, iReport, ABC Online and TEL plotted by Likelihood against Impact]
Changes Resulting from ABC Online
Increased Impact
• FIN
• BODPS
• BeSecure
• CMS
Increased Vulnerabilities
• FIN
• BeSecure
Decreased Impact
• TEL
Anticipated Future Infrastructure
High Risk: ABC Online
Risk Drivers:
• Internet facing
• High number of users
• Outdated software
• Noncompliance
Recommendations:
• 128 bit encryption
• Update Oracle to version 12c
• Comply with FFIEC
• Multi-factor authentication
• Device identification based off cookies
• Use of debit card blocks
Our Proposal
• Focus on mitigating risks within current state environment; reconsider online banking in the future
12 Month Program
[Timeline figure: 0, 4, 8 and 12 months]
• Comply with standards and regulations
• Enhance security department
• Schedule of updates for servers
• Encryption
• Mirroring of systems
• Reassessment of IT applications
Within 4 Months
• Prioritize compliance across applications
▫ FFIEC, PCI DSS
• Enhance security department
▫ Proper training, staying up-to-date
Cost/Benefit Analysis
Roadmap to Comply with Regulations:
$40 million - $86 million
▫ PCI DSS – fines can range from $5,000-$100,000 per month for PCI compliance violations
▫ Penalties of $15 million for violations of FFIEC
Cost/Benefit Analysis
Enhance IT Security Team:
$135,000 - $400,000 per year
▫ CISO: $125,000 - $250,000 salary
▫ Attack and penetration testing: $10,000 - $150,000
Within 8 Months
• Create and implement a schedule of updates for servers
• Encryption
▫ FIN, CMS
Cost/Benefit Analysis
Update Servers:
$14 million - $85 million
▫ SONY - $170 million loss due to outdated servers
▫ Goldman Sachs - $83 million to update all mainframes
Cost/Benefit Analysis
Encryption:
$100 - $300 per system
▫ Anthem data breach - $100 million, 80 million records exposed
▫ Coca-Cola data breach – 74,000 records exposed
Within 12 Months
• Mirroring of critical applications
▫ BODPS, FIN
• Reassessment of IT applications
Demonstration of the Tool
Perfect Profilers
Instructions
Contact Information
Impact Sheet
• Identify the value of IT applications
• 10 questions
• 4 criteria (Reputational, Operational, Financial, & Regulatory)
Likelihood Sheet
• Analyzes risks associated with IT applications
• 21 risk statements
• 4 criteria (Reputational, Operational, Financial, & Regulatory)
Inherent Risk Score
• Prior to the implementation of controls
• Impact * Likelihood
Controls Sheet
• Identifies current controls
• 13 control questions
• 6 types (Preventative, Detective, Corrective, Recovery Focused, Directive, & Deterrent)
Projected Residual Risk Score
• Based on the implementation of suggested controls
[Screenshots: Original and New residual risk scores]
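The scoring flow the tool slides describe (Impact sheet, Likelihood sheet, Inherent = Impact * Likelihood, Controls sheet, projected residual), as an added Python sketch that is not the Perfect Profilers spreadsheet itself. The 1-5 answer scale, averaging of the four criteria, the per-control-type reductions, the Low/Medium/High thresholds and the FIN scores are all assumptions constructed for the example.

```python
"""Sketch of the risk-profiling workflow from the slides (assumptions marked)."""
from statistics import mean

CRITERIA = ("Reputational", "Operational", "Financial", "Regulatory")

# Assumed effect of the six control types on the Controls sheet:
# Preventative/Directive/Deterrent lower likelihood,
# Detective/Corrective/Recovery Focused lower impact (fractions are made up).
CONTROL_EFFECT = {
    "Preventative": ("likelihood", 0.25),
    "Directive": ("likelihood", 0.10),
    "Deterrent": ("likelihood", 0.10),
    "Detective": ("impact", 0.15),
    "Corrective": ("impact", 0.15),
    "Recovery Focused": ("impact", 0.20),
}


def _check_scale(name, value):
    """Assumed 1-5 answer scale; reject anything outside it."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be scored 1-5, got {value}")
    return value


def sheet_score(answers):
    """Mean of the four criterion scores (used for both Impact and Likelihood)."""
    missing = set(CRITERIA) - answers.keys()
    if missing:
        raise ValueError(f"unscored criteria: {sorted(missing)}")
    return mean(_check_scale(c, answers[c]) for c in CRITERIA)


def inherent_risk(impact, likelihood):
    """Inherent Risk Score = Impact * Likelihood, before any controls."""
    return impact * likelihood


def apply_controls(impact, likelihood, controls):
    """(impact, likelihood) after the listed control types; reductions on the
    same factor compound multiplicatively and never drop below 1."""
    for ctl in controls:
        factor, cut = CONTROL_EFFECT[ctl]
        if factor == "likelihood":
            likelihood = max(1.0, likelihood * (1 - cut))
        else:
            impact = max(1.0, impact * (1 - cut))
    return impact, likelihood


def band(score):
    """Heat-map band on the 1-25 scale (thresholds assumed, not from the slides)."""
    if score > 14:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"


def profile(app, impact_answers, likelihood_answers, existing, suggested):
    """Inherent score, current residual (existing controls) and projected
    residual (existing + suggested controls), each with its band."""
    imp, lik = sheet_score(impact_answers), sheet_score(likelihood_answers)
    inherent = inherent_risk(imp, lik)
    cur_imp, cur_lik = apply_controls(imp, lik, existing)
    proj_imp, proj_lik = apply_controls(cur_imp, cur_lik, suggested)
    return {
        "application": app,
        "inherent": round(inherent, 2), "inherent_band": band(inherent),
        "current_residual": round(cur_imp * cur_lik, 2),
        "current_band": band(cur_imp * cur_lik),
        "projected_residual": round(proj_imp * proj_lik, 2),
        "projected_band": band(proj_imp * proj_lik),
    }


# Constructed answers for FIN (the slides rate it Medium risk today).
FIN_IMPACT = {"Reputational": 4, "Operational": 5, "Financial": 5, "Regulatory": 4}
FIN_LIKELIHOOD = {"Reputational": 3, "Operational": 4, "Financial": 3, "Regulatory": 4}
FIN_EXISTING = ["Preventative", "Detective"]  # firewalls/antivirus, alerting
FIN_SUGGESTED = ["Preventative", "Recovery Focused", "Directive"]  # encryption, mirroring, compliance

if __name__ == "__main__":
    print(profile("FIN", FIN_IMPACT, FIN_LIKELIHOOD, FIN_EXISTING, FIN_SUGGESTED))
```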
Questions, Comments, Concerns?
Stay connected! Email us at: 2015trajectory2@gmail.com
Follow us on Facebook & Twitter to stay up to date with current events!
www.facebook.com/PerfectProfilers
@PerfProfilers
