Binghamton Bank Risk Analysis
Transcript of Binghamton Bank Risk Analysis
Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter

Agenda
• Overview of Binghamton Bank
• Aegis Analysis
• Executive Summary
• Infrastructure Risk Analysis
• Application Risk Analysis Summary

Overview of Binghamton Bank
• Largest bank in Northeast with headquarters in Boston, MA
• Specialized in commercial, retail, and investment banking
• $50 billion in assets, 20th largest bank holding company in the United States
• New CEO, Conner Wayne
• Rebranded slogan: “Building a Sanctuary for your Future”
Binghamton Bank Challenges
Background of Binghamton Bank
Looking for enhancement of Binghamton Bank’s applications and infrastructure assets to protect clients’ assets as well as Binghamton Bank’s reputation.
Software Upgrade Issues
• Stopped payments for 2 hours
• Large monetary loss
Web Application Issues
• Customers could not access their accounts
• Log-in troubles
Reliability and Reputation Issues
• Customers still question the reliability of the bank’s IT systems

Aegis Analysis
Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses
Risk Criteria
• Operational: Risks associated with functions inside of the company and risks that affect the internal day-to-day activities
• Financial: Risks associated with business transactions including both financial dealings and non-monetary trading and sharing
• Technological: Risks resulting from failures or errors by IT devices or systems put in place by the company
• External: Any associated risk due to an uncontrollable occurrence outside of the company

Executive Summary
With prospects of long term success, Binghamton Bank hired Aegis Consulting to identify current risks, which are identified below.

Infrastructure
1. ATM Vendor Dependency
Risks
• Reliant on external vendors for ATM operations
• Lacking emergency protocol
Consequences
• Loss of ATM operations, therefore financial loss
2. Online Banking Remote Security
Risks
• Weak network access security
• Lack of multi-tier authentication
Consequences
• Breaches to the database
• Disclosure of information
3. Disaster Recovery – Server Security
Risks
• No data encryption
• Weak failure prevention
• Outdated servers
Consequences
• Long recovery time objective
• Hacking company servers

Application
1. Information Security – BODPS & NorthGo
Risk
• Sensitive client information
Consequences
• Loss of sensitive client data
• Prone to social engineering and regulation violations
2. Internal Monitoring – NorthGo & FIN
Risk
• Difficulty performing upgrades
Consequences
• Application failure
• Reputational harm
• Data loss
3. Lack of Backup System – FIN
Risk
• Critical to bank functions
Consequences
• Serious monetary loss
• Halt of Binghamton Bank’s operations

1. ATM Vendor Dependency
Note: Inherent Risk – lower is better. Control Strength – higher is better. Red indicates discussed risks. Score values are from 1 - 100.

ATMs               Operational  Financial  Technological  External
Inherent Risk           53          40           78           67
Control Strength        28          10           25            9
Residual Risk           38          36           58           60

Inherent Risk
• Processes 2,000-5,000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news
Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable

1. ATM Vendor Dependency
Risk Priority
Binghamton Bank Operations
• On average, ATMs process 180% more transactions per hour than online banking systems
Reputation
• Dependence on processes outside of Binghamton Bank’s control
• Potential for negative media
• ATM failures could seriously affect reputation of new CEO
Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice vendor contingency plan
• Increase awareness of vendors’ reliability
• Perform quarterly financial reviews
• Background checks on vendors (SOC-II)
• Annual debrief with vendor management
Failure Time Prevention
• Implement backup power system
• Implement Automatic Transfer Switch (ATS) to reduce failover time

2. Online Banking Remote Access Security

Online Banking     Operational  Financial  Technological  External
Inherent Risk           48          41           66           49
Control Strength        30          10           24           20
Residual Risk           34          37           50           39

Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach to the database
• Binghamton Bank allows remote access which makes the databases more vulnerable to breaches
Financial
• Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
Control Observations
Technological
• No multi-tier authentication in order to gain access to online banking remotely
• Weak prevention for unauthorized access to network
• No encryption of sensitive information

2. Online Banking Remote Access Security
Risk Priority
• Reputational Loss
  • Decrease in accountability to customers if servers were to fail
  • Loss of sensitive information will result in non-compliance with GLBA
• Monetary Loss
  • Each violation of GLBA can cause fines up to $100,000
• Safety of customers’ personal information
  • Hackers could disclose or utilize private customer information
Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access; Example: Symantec, $72.25 TCO annually
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow pre-authorized MAC addresses
• Monitoring and logging system
• Separate networks by critical information

3. Disaster Recovery – Server Security

DR/Servers         Operational  Financial  Technological  External
Inherent Risk           59          43           67           44
Control Strength        25          15           20           18
Residual Risk           44          36           53           36

Inherent Risk
Technological
• 10%–30% of critical infrastructures’ software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face greater than $200,000 in fines
Control Observations
Technological
• Binghamton Bank only tests contingency plan every 2 – 5 years
• Tests employees’ preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations not aligned with financial goals

3. Disaster Recovery – Server Security
Risk Priority
• Monetary Loss
  • Each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
• Excess or unnecessary activities are performed by the IT department
• Failures decrease reliability of Binghamton Bank
• Weak ability to adapt to unanticipated events
Recommendations
• COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256 bit AES encryption in transit and while at rest
• Test employees for phishing schemes monthly
• Test contingency plan annually
• Upgrade to Windows Server 2012 R2
  • 1,000 servers ~ $900,000
  • 2,500 servers ~ $2.1 million
  • 5,000 servers ~ $3.9 million
  • 7,000 servers ~ $4.9 million

Infrastructure Summary
1. ATM Vendor Dependency
Risks
• Reliant on numerous critical vendors to operate ATMs
• Lacking emergency plan for failed vendors
• Alternative power source is unavailable
2. Online Banking Remote Security
Risks
• Weak preventions for network access
• Sensitive information not encrypted
• Weak authentication for account access
3. Disaster Recovery – Server Security
Risks
• No encryption of sensitive information
• Contingency plan not tested frequently
• Servers are not up to date
Recommendations
• Implement and practice plan to transition to backup vendors
• Enable remote access safeguards (e.g. remote wipe, virtual machines)
• 256 bit AES encryption for disaster servers and online banking remote access
• Upgrade to Windows Server 2012 R2
• Prevent unauthorized network access for online banking using allowed MAC addresses
• Ensure accordance with COBIT 5
• Implement ATM backup power systems

Application Risk Analysis
1. BODPS (Back Office Data Processing System)
Description: BODPS processes information from FIN and sends this data to iReport to create financial documents.
Note: Inherent Risk – lower is better. Control Strength – higher is better. Red indicates discussed risks. Score values are from 1 - 100.

BODPS              Operational  Financial  Technological  External
Inherent Risk           84          15           88           75
Control Strength        38          44           20           41
Residual Risk           52          15           70           44

Inherent Risk
Operational
• Stores sensitive client data that must be protected at highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of iReport
Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance

1. BODPS (Back Office Data Processing System)
Risk Priority
• Poor internal login authorization security
• Potential loss of sensitive client data
• Sends data to iReport to create financial documents
  • Poor security may lead to inaccurate data, thus publishing faulty financial statements
• Violations of SOX and GLBA are possible (jail time and fines can occur)
Recommendations
• Implement a two level authorization process for employees to address poor security
  • Example: Vendor Symantec for application security
• Schedule upgrades during low traffic times
  • Using statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
  • Raise awareness of social engineering threats
  • First steps to comply with COBIT
• Utilize ISO 27001, 27002 to help begin the process of an Information Security Management System (ISMS)

2. NorthGo
Description: NorthGo is an online asset management application.

NorthGo            Operational  Financial  Technological  External
Inherent Risk           84          42           56           15
Control Strength        56          15           20           40
Residual Risk           37          37           45           15

Inherent Risk
Operational
• Web based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic can lead to potential overload
Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic

2. NorthGo
Risk Priority
• Lack of login security and vulnerable to hacking
• Nothing in place to mitigate failure from application overload
• Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
• Violation of GLBA is possible (up to $100,000 per each violation)
• Reputational harm
• Insufficient internal monitoring system to alert Binghamton Bank of potential malfunctions
Recommendations
• Implement a two factor authorization using a personal password and a randomly generated password; Example: Symantec token
• Upgrade for increasing traffic
• Apply backup system; Example: Simpana
• Implement application monitoring system
  • Example: DynaTrace
  • $177/JVM instance for a three year subscription
  • Provides alerts of potential risks ahead of time
• Schedule upgrades for low traffic times

3. FIN (Central Financial Transaction Application)
Description: FIN is the central financial application of Binghamton Bank.

FIN                Operational  Financial  Technological  External
Inherent Risk          100         100          100           15
Control Strength        69          87           89           15
Residual Risk           31          15           15           15

Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making it a big threat if it were to fail
• Binghamton Bank is susceptible to application failures during software upgrades
Control Observations
Operational
• There is no manual process to fall back on if application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met

3. FIN (Central Financial Transaction Application)
Risk Priority
• FIN malfunction
• Lack of a fully functioning backup system
• Functions cannot be completed ad-hoc
• Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
  • Bottom-line is affected almost immediately
  • Quick recovery crucial to prevent financial loss
Recommendations
• Implement software for fully functional backup system; Example: CommVault Simpana
  • Allows physical and virtual backups
  • Web based and dashboard reporting features
  • Live restore, highly scalable, unified architecture – single console for DB admins
  • $1270 per VM / $1420 per TB of data
• Include a failure recovery system
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low traffic times

Application Summary
1. Insufficient Information Security
Risks
• No levels of authorization to access data; vulnerable to hacking, data loss, and data alteration
• Employees not properly trained to identify social engineering threats
2. Insufficient Internal Monitoring Systems for Application Failure
Risks
• Applications can fail unexpectedly and Binghamton Bank is not prepared to recover quickly
• Failed application will hurt customer confidence and compromise information security
3. Lack of Backup System
Risks
• No backup system to continue protecting data
• Functions cannot be completed ad-hoc effectively
• Critical bank functions can be halted by FIN failure
Recommendations
• Company wide two level authorization, e.g. Symantec security tokens
• Implementing internal monitoring system, e.g. DynaTrace
• Full functioning backup system, e.g. CommVault Simpana
• Backup data and test backup systems regularly
• Mandatory employee training programs including detailed failure recovery plan

Summary
Recommendations Summary
Infrastructure
ATM Vendor Dependency
Recommendations
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests
Online Banking Remote Security
Recommendations
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses
Disaster Recovery – Server Security
Recommendations
• Upgrade to Windows 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan
Application
BODPS
Recommendations
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT
NorthGo
Recommendations
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002
FIN
Recommendations
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail

Questions? Thank you

Appendix A
Symantec: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf
• Better value with Symantec
• Lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens—no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business—OTP or tokenless options
• Leverages existing technology investments (Directory, database, SSO servers, etc.)
• Fully scalable
• Open versus proprietary—more credential choices and no vendor lock
• Continuous innovation—innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application—including token activation, token synchronization, etc.

Appendix B
Symantec:

Appendix C
Simpana: http://www.commvault.com/simpana-software
• Industry leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using “virtualize me”
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
• Need for third-party reporting tools eliminated because it is managed from a single console
• Allows for workflow automation of tasks that would otherwise be repetitive or complex
• Self-service access to information, which allows for maximized productivity
• Accounts for all data and reduces risk in a single, enterprise wide search
• One-Click, Enterprise-Wide Legal Hold
• $1270 per socket
• $4.50 per user per month
• $30 per mailbox
• $1420 per TB

Appendix D
DynaTrace: http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: More than 800 of the field’s top engineers and application performance experts contribute to our industry leading products, assuring customer value and driving innovation. Dynatrace optimizes every digital moment by enabling you to:
• Proactively spot and solve application performance issues before users are impacted.
• Smart and adaptive alerts to better adjust in future situations
• Code-to-click visibility which can deliver actionable insights at each step in the lifecycle of the application
• Increases customer satisfaction by delivering visibility, context, insight, and adaptability
• Speed new applications and enhancements to market with DevOps functionality.
• Pinpoint root-causes and optimize critical applications.
• Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection

Appendix E
ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct – guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.
SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations regardless of size and scope are required to comply.
• Section 404: Program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial reporting related risks, a combination of controls that effectively address those risks, and evaluating testing results to provide conclusive responses of the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized in accordance to likelihood and impact.

Appendix F
COBIT:
• Framework: Organize IT governance objectives and good practices by IT domains and processes, and link them to business requirements
• Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
• Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes
• Maturity models: Assess maturity and capability per process and help to address gaps.
• The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0) as shown below:
  • Level 0: Non-existent
  • Level 1: Initial/ad hoc
  • Level 2: Repeatable but Intuitive
  • Level 3: Defined Process
  • Level 4: Managed and Measurable
  • Level 5: Optimized

Appendix G
GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
NPI:
• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
Fines for GLBA:
• fines up to $100,000 for each violation
• specific individuals fined up to $10,000 for each violation
• criminal penalties of up to 5 years in prison

Appendix H
Cost Analysis for ATM Backup Power Systems
• Cost of previous 2 hour failure = $100 million
• If 1/5 of this cost were attributed to ATM failures = $20 million
• Cost per unit of 1000 Watt gasoline powered generator = $250
• Cost per unit of 300 Watt solar powered generator = $650
• Cost per unit PowerMax 50 Amp ATS < $100
• Assuming cost to deliver/install is < $1750
• Total cost per unit < $2,500
• More than 8,000 units could be installed without ‘cost’ to the bank
• One time cost

Appendix I

Appendix J
Cost Source for Server Upgrades
Source: http://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/purchasing.aspx
Calculations for Windows Server 2012 R2*
(# of servers * (cost per server)) * (estimated discount)
1,000 servers: ((1,000) * (882)) * (1.00) = 882,000 ~ $900,000
2,500 servers: ((2,500) * (882)) * (0.95) = 2,094,750 ~ $2.1 million
5,000 servers: ((5,000) * (882)) * (0.88) = 3,880,800 ~ $3.9 million
7,000 servers: ((7,000) * (882)) * (0.79) = 4,877,460 ~ $4.9 million
*Note: These prices are estimates and Microsoft can give a more accurate estimate based on the number of servers that need upgrades

Appendix K
SOC-II Report
• Filed in compliance with the Statement on Standards for Attestation Engagements (SSAE) No. 16
• Based upon the 5 Trust Service Principles set forth in the AICPA Guide
• Report filed by independent auditor
• Reports on the controls a Service Organization has in place
• User Entities (potential clients) review this to get a better idea of how reliable/competent a Service Organization is
• Can be used before beginning or continuing to pay a Service Organization for a service or product