Binghamton Bank Risk Analysis
TRANSCRIPT
Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter
Agenda
• Overview of Binghamton Bank
• Aegis Analysis
• Executive Summary
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary
Overview of Binghamton Bank
• Largest bank in the Northeast, with headquarters in Boston, MA
• Specializes in commercial, retail, and investment banking
• $50 billion in assets; 20th largest bank holding company in the United States
• New CEO, Conner Wayne
• Rebranded slogan: "Building a Sanctuary for your Future"
Binghamton Bank Challenges
Background of Binghamton Bank: the bank needs enhancement of its applications and infrastructure to deliver a cost-efficient improvement in customer satisfaction.
Software upgrade issues
• Stopped payments for 2 hours
• Large monetary loss
Web application issues
• Customers could not access their accounts
• Log-in troubles
Reliability and reputation issues
• Customers still question the reliability of the bank's IT systems
Aegis Analysis
Risk Evaluation Tool
• Designed and developed a risk evaluation tool that determines inherent risk, control strength, and residual risk by assessing client responses
Risk Criteria
• Operational: risks associated with functions inside the company and risks that affect internal day-to-day activities
• Financial: risks associated with business transactions, including both financial dealings and non-monetary trading and sharing
• Technological: risks resulting from failures or errors of IT devices or systems put in place by the company
• External: any associated risk due to an uncontrollable occurrence outside the company
Executive Summary
Infrastructure
1. ATM Vendor Dependency
Risks
• Reliant on external vendors for ATM operations
• Lacking emergency protocol
Recommendations
• Implement transitional vendors
2. Online Banking Remote Security
Risks
• Weak security leads to the possibility of compromised information and reputational loss
Recommendations
• Boost remote access security
3. Disaster Recovery – Server Security
Risks
• No data encryption
• Weak failure prevention
Recommendations
• Encrypt server information
• Test contingency plan
• Upgrade servers
Application
1. BODPS
Risks
• Poor information security
• Limited employee training
Expected Outcome
• Loss of sensitive client data
• Prone to social engineering and regulation violations
2. NorthGo
Risks
• System overload
• Lack of backup system
Expected Outcome
• Application failure
• Reputational harm
• Data loss
3. FIN
Risks
• Short RTO
• Application failure
Expected Outcome
• Serious monetary loss
• Halt of Binghamton Bank's operations
Infrastructure Summary
1. ATM Vendor Dependency
Risks
• Reliant on numerous critical vendors to operate ATMs
• Lacking emergency plan for failed vendors
• Alternative power source is unavailable
Recommendations
• Increase vendor reliability awareness
• Implement Automatic Transfer Switch (ATS)
• Contract transitional vendors
2. Online Banking Remote Security
Risks
• Weak prevention of unauthorized network access
• Sensitive information not encrypted
• Weak authentication for account access
Recommendations
• Acquire SSL certificates
• Require remote access through virtual machines
• Enable remote wipe on employee devices
• Prevent unauthorized network access
3. Disaster Recovery – Server Security
Risks
• No encryption of sensitive information
• Contingency plan not tested frequently
• Servers are not up to date
Recommendations
• Upgrade servers to Windows Server 2012 R2
• Utilize COBIT
• Enable SSL certificates
• Encrypt sensitive information
• Test contingency plan
Infrastructure Risk Analysis
1. ATM Vendor Dependency

ATMs                 Operational   Financial   Technological   External
Inherent Risk                 53          40              78         67
Control Strength              28          10              25          9
Residual Risk                 38          36              58         60

Note
• Inherent Risk – lower is better
• Control Strength – higher is better
• Red indicates discussed risks
• Score values are from 1–100

Inherent Risk
• Processes 2,000-5,0000 transactions per hour
• ATMs require 7 or more critical vendors to operate
• Negative press has the potential to reach national news
• On average, ATMs process 180% more transactions per hour than online banking systems
Control Observations
Technological
• ATMs do not have backup power plans in place
External
• Currently no transitional vendors in place
• Binghamton Bank takes no precautions to ensure that vendors are reliable
Risk Priority
Reputational issues
• Dependence on processes outside of Binghamton Bank's control
• Potential for negative media
• ATM failures could seriously affect the reputation of the new CEO
Recommendations
Vendor Reliability
• Have transitional backup vendors in place for each critical vendor
• Create and practice a vendor contingency plan
• Increase awareness of vendors' reliability
• Perform quarterly financial reviews
• Background checks on vendors (SOC 2)
• Annual debrief with Vendor Management
Failure Time Prevention
• Implement backup power system
• Implement Automatic Transfer Switch (ATS) to reduce failover time
2. Online Banking Remote Access Security

Online Banking       Operational   Financial   Technological   External
Inherent Risk                 48          41              66         49
Control Strength              30          10              24         20
Residual Risk                 34          37              50         39

Inherent Risk
Technological
• Less than 25% of online banking operations can be performed with failed servers
• More than 60% of sensitive information would be compromised in the event of a breach of the database
• Allowing remote access for online banking may open doors to potential risks
Financial
• Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
Control Observations
Technological
• No multi-tier authentication in order to gain remote access to online banking
• Weak prevention of unauthorized access to the network
• No encryption of sensitive information
Risk Priority
Reputational loss
• Decrease in accountability to customers if servers were to fail
• Loss of sensitive information will result in non-compliance with GLBA
Monetary loss
• Each violation of GLBA can cause fines up to $100,000
Safety of customers' personal information
• Hackers could disclose or utilize private customer information
Recommendations
Remote Access Safeguards
• Require virtual machines for employee remote access
• Enable remote wipe for devices
• Require 2-step authentication for employee remote access
• Include SSL certificates to encrypt data for all subdomains
• Require employees to access server information through a Virtual Private Network (VPN)
Unauthorized Network Access
• Allow pre-authorized MAC addresses only
• Monitoring and logging system
• Separate networks by criticality of information
3. Disaster Recovery – Server Security

DR/Servers           Operational   Financial   Technological   External
Inherent Risk                 59          43              67         44
Control Strength              25          15              20         18
Residual Risk                 44          36              53         36

Inherent Risk
Technological
• 10%–30% of critical infrastructure software is not up to date
• Less than 25% of operations can be performed with failed servers
• More than 60% of sensitive information would be compromised if databases were breached
• Allowing remote access to company systems can open doors to potential risks
Financial
• In the event of non-compliance with regulations, Binghamton Bank could face greater than $200,000 in fines
Control Observations
Technological
• Binghamton Bank only tests its contingency plan every 2–5 years
• Tests employees' preparedness for online threats less than once a year
• Servers do not encrypt sensitive information
Financial
• IT employee operations are not aligned with financial goals
Risk Priority
Monetary loss
• Each violation of GLBA can cause Binghamton Bank to be fined up to $100,000
• Excess or unnecessary activities are performed by the IT department
• Failures decrease reliability
• Weak ability to adapt to unanticipated events
Recommendations
• COBIT governance framework would familiarize IT employees with business standards and goals
• Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
• 256-bit AES encryption in transit and at rest
• Test employees for phishing schemes monthly
• Test contingency plan annually
• Upgrade to Windows Server 2012 R2
• 1,000 servers ~ $900,000
• 2,500 servers ~ $2.0 million
• 5,000 servers ~ $3.7 million
• 7,000 servers ~ $4.9 million
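The recommendation above ("256 bit AES encryption ... at rest") and the control observation that servers do not encrypt sensitive information are stated as goals only. The following is an added example, not code from the Aegis team, Binghamton Bank or any vendor, of what field-level encryption at rest looks like in practice. It uses AES-256 in GCM mode (the authenticated mode is this example's choice; the slides say only "256 bit AES"). The function names (sealRecord, openRecord, recordAAD), the sample customer id and the sample Social Security number are constructed; in a real deployment the key would come from a key management system or HSM, never from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts plaintext under a 32-byte (256-bit) key with AES-GCM
// and returns nonce || ciphertext || tag. aad (additional authenticated
// data) is not encrypted but is bound into the tag, so a stored value that
// is copied to another customer or column fails to decrypt.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("sealRecord: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: GCM is only safe if a (key, nonce)
	// pair is never reused.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord and fails closed on any modification of
// the stored bytes or on a mismatch in aad.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("openRecord: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("openRecord: stored value too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// recordAAD builds the context that is bound to each stored field value
// (constructed scheme: customer id and column name).
func recordAAD(customerID, field string) []byte {
	return []byte(customerID + "/" + field)
}

func main() {
	// Constructed key for the demo only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ssn := []byte("123-45-6789") // constructed sample NPI value
	sealed, err := sealRecord(key, ssn, recordAAD("cust-0001", "ssn"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %d bytes of plaintext\n", len(sealed), len(ssn))
	if _, err := openRecord(key, sealed, recordAAD("cust-0002", "ssn")); err != nil {
		fmt.Println("value moved to another customer is rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // simulate corruption or tampering on disk
	if _, err := openRecord(key, sealed, recordAAD("cust-0001", "ssn")); err != nil {
		fmt.Println("modified value is rejected:", err)
	}
}
```

Encrypting at rest this way addresses the "more than 60% of sensitive information would be compromised if databases were breached" exposure: a copy of the database without the key yields only nonces and ciphertext, and the GCM tag means silent modification of stored records is detected on read rather than flowing into financial reports.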
Application Risk Analysis
1. BODPS (Back Office Data Processing System)
Description: BODPS processes information from FIN and sends this data to iReport to create financial documents

BODPS                Operational   Financial   Technological   External
Inherent Risk                 84          15              88         75
Control Strength              38          44              20         41
Residual Risk                 52          15              70         44

Inherent Risk
Operational
• Stores sensitive client data that must be protected at the highest level to guard against hacking threats and data leaks
Technological
• Failure of this application would lead to the improper functioning of other applications
Control Observations
Operational
• Employees lack proper training to use the application securely
Technological
• No levels of authorization
• No scheduled dates for application upgrades and maintenance
Risk Priority
• Poor internal login authorization security
• Potential loss of sensitive client data
• Sends data to iReport to create financial documents; poor security may lead to inaccurate data, thus publishing faulty financial statements
• Violation of SOX and GLBA is possible (jail time and fines can occur)
Recommendations
• Implement a two-level authorization process for employees to address poor security
• Level 1: Personalized employee password
• Level 2: Enter security token code
• Example: vendor Symantec for application security, $38.18 per token annually
• Schedule upgrades during low-traffic times, using statistical analytics to locate the slowest hours of operation
• Implement mandatory training courses as part of a control objective
• Raise awareness of social engineering threats
• First steps to comply with COBIT
2. NorthGo
Description: NorthGo is an online asset management application

NorthGo              Operational   Financial   Technological   External
Inherent Risk                 84          42              56         15
Control Strength              56          15              20         40
Residual Risk                 37          37              45         15

Inherent Risk
Operational
• Web-based application that incorporates sensitive information of employees and customers
Technological
• Vulnerable to online hacking
• Excessive traffic
Control Observations
Operational
• Backup system does not demonstrate full functionality
• Internal monitoring system needs to be updated
• Insecure website does not adequately protect customer data
Technological
• No levels of authorization
• No systems are in place to handle increasing traffic
Risk Priority
• Lack of login security; vulnerable to hacking
• Nothing in place to mitigate failure from application overload
• Failure can lead to security vulnerability and loss of customer confidence
• Security threats can lead to the loss of customer information
• Violation of GLBA is possible (up to $100,000 per violation)
• Reputational harm
• Insufficient internal monitoring system to alert the bank of potential malfunctions
Recommendations
• Implement two-factor authorization using a personal password and a randomly generated password; example: Symantec token
• Upgrade for increasing traffic
• Apply backup system; example: Simpana
• Implement application monitoring system; example: DynaTrace, $177 per JVM instance for a three-year subscription, provides alerts of potential risks ahead of time
• Schedule upgrades for low-traffic times
• Utilize ISO 27001/27002 to help begin the process of an Information Security Management System (ISMS)
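The BODPS recommendation (level 1: personalized password, level 2: security token code), the NorthGo recommendation (personal password plus a randomly generated one) and the earlier "2-step authentication for employee remote access" all describe the same control. The slides name Symantec tokens as the product; the following is an added example, not Symantec's implementation or Binghamton Bank's code, showing the generic algorithm such tokens run, a time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP), and the two checks a server needs around it: a drift window and replay rejection. The tokenVerifier type, the login function's shape, and the seed (which is the RFC 6238 reference seed) are constructed for illustration; the existing password check is assumed to live elsewhere and its result is passed in as a bool.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totpStep is the length of one code window in seconds (RFC 6238 default).
const totpStep int64 = 30

// hotp computes the RFC 4226 six-digit code for one counter value:
// HMAC-SHA1(seed, counter) -> dynamic truncation -> last six decimal digits.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totpCounter maps a Unix time to its 30-second window number.
func totpCounter(unix int64) uint64 {
	return uint64(unix / totpStep)
}

// tokenVerifier holds one employee's token seed plus the highest window
// already accepted, so a code that was observed once cannot be replayed
// for the rest of its window (constructed type for this example).
type tokenVerifier struct {
	seed        []byte
	lastCounter uint64
	skew        int64 // adjacent windows tolerated for token clock drift
}

// verifyCode accepts code if it matches the current window or one within
// skew windows of it, and that window has not been used before. The string
// comparison is constant-time so response timing does not leak which digits
// matched.
func (v *tokenVerifier) verifyCode(code string, now int64) bool {
	cur := int64(totpCounter(now))
	ok := false
	for d := -v.skew; d <= v.skew; d++ {
		c := cur + d
		if c < 0 || uint64(c) <= v.lastCounter {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(v.seed, uint64(c))), []byte(code)) == 1 {
			v.lastCounter = uint64(c)
			ok = true
		}
	}
	return ok
}

// login is the two-level check: level 1 is the outcome of the bank's
// existing password verification (assumed to exist elsewhere), level 2 is
// the token code. Both levels are always evaluated so a failure response
// does not reveal which one was wrong.
func login(passwordOK bool, v *tokenVerifier, code string, now int64) bool {
	tokenOK := v.verifyCode(code, now)
	return passwordOK && tokenOK
}

func main() {
	// RFC 6238 reference seed, used here as a constructed demo seed; real
	// seeds are generated at token provisioning and stored as secrets.
	seed := []byte("12345678901234567890")
	v := &tokenVerifier{seed: seed, skew: 1}
	fmt.Println("code for RFC 6238 time 59:", hotp(seed, totpCounter(59)), "(reference value 287082)")
	now := time.Now().Unix()
	code := hotp(seed, totpCounter(now))
	fmt.Println("first use accepted:", login(true, v, code, now))
	fmt.Println("replay accepted:   ", login(true, v, code, now))
}
```

The replay guard is what turns a "random password" into a real second level: without it, a code captured by a phishing page (the social engineering risk the slides raise for BODPS) stays valid for up to 30 seconds plus the drift window. The skew of one window either side is the usual compromise between rejecting honest tokens with slow clocks and widening the attacker's window.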
3. FIN (Central Financial Transaction Application)
Description: FIN is the central financial application of Binghamton Bank

FIN                  Operational   Financial   Technological   External
Inherent Risk                100         100             100         15
Control Strength              69          87              89          9
Residual Risk                 31          15              15         15

Inherent Risk
Operational
• FIN is the most critical application to business functions
• Integrates with all applications, making it a big threat if it were to fail
• Binghamton Bank is susceptible to application failures during software upgrades
Control Observations
Operational
• There is no manual process to fall back on if the application were to fail
• Insufficient internal monitoring system to alert employees of application failure
• No periodic compliance checks to make sure new standards and regulations are being met
Risk Priority
• FIN malfunction
• Lack of a fully functioning backup system
• Functions cannot be completed ad hoc
• Critical bank functions can be halted by FIN failure
• Short Recovery Time Objective (RTO)
• Bottom line is affected almost immediately
• Quick recovery is crucial to prevent financial loss
Recommendations
• Implement software for a fully functional backup system; example: CommVault Simpana
• Allows physical and virtual backups
• Include a failure recovery system
• Web-based and dashboard reporting features
• Live restore, highly scalable, unified architecture – single console for DB admins
• $1270 per VM / $1420 per TB of data
• Train employees in order to establish best practices in using this software
• Schedule backups and upgrades during low-traffic times
Top Application Risks
1. Insufficient Login Authorization Security
Risks
• Vulnerable to hacking
• Social engineering can lead to compromise of the bank's data
Recommendations
• Implement security tokens for BODPS and NorthGo; example: Symantec
2. Insufficient Internal Monitoring System
Risks
• Cannot foresee problems ahead of time and prepare for them
Recommendations
• Implement application monitoring system for NorthGo; example: DynaTrace
3. Lack of Backup System
Risks
• System overload
• Susceptible to crashes
• Loss of sensitive client data
• Functions cannot be completed ad hoc effectively
• Critical bank functions can be halted by FIN failure
Recommendations
• Implement backup system for NorthGo and FIN; example: CommVault Simpana
Summary
Recommendations Summary
Infrastructure
ATM Vendor Dependency
• Enable transitional vendors
• Vendor reliability procedures
• Automatic Transfer Switch
• Contingency plan tests
Online Banking Remote Security
• SSL certificates
• Virtual machines
• Remote wipe
• Pre-determined MAC addresses
Disaster Recovery – Server Security
• Upgrade to Windows Server 2012 R2
• Familiarize employees with COBIT
• SSL certificates
• Data encryption
• Test contingency plan
Application
BODPS
• Implement security tokens
• Provide application and regulation training program for employees
• Establish best practices with COBIT
NorthGo
• Implement internal monitoring system
• Implement a robust backup system
• Implement security tokens
• Establish an ISMS with ISO 27001/27002
FIN
• Implement a more robust backup system
• Set up a failure recovery plan
• Internal monitoring system to tell when FIN is going to fail

Questions? Thank you
Appendix A
Symantec: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf
• Better value with Symantec: lower costs
• Free, easy-to-use software credentials provide significant cost savings
• Cost-effective tokens – no token renewal fees and no shelf decay
• Single, integrated platform allows you to deploy multiple devices depending on user and application types
• Flexible models enable you to create a customized solution for your business – OTP or tokenless options
• Leverages existing technology investments (directory, database, SSO servers, etc.); fully scalable
• Open versus proprietary – more credential choices and no vendor lock-in
• Continuous innovation – innovative devices both in cost and functionality (secure storage, end-point security, etc.)
• Single platform can support changing authentication requirements (including risk-based authentication)
• Out-of-box self-service application – including token activation, token synchronization, etc.
Appendix B
Simpana: http://www.commvault.com/simpana-software
• Industry-leading backup and recovery
• Backup success rate of 95 percent
• Maximizes utilization of storage and infrastructure
• Powerful scalability
• Broad flexibility
• Simple and comprehensive management
• Automated protection of virtual machines
• Acceleration and simplification of disaster recovery using "virtualize me"
• Disaster recovery cost reductions using Simpana Replication
• Eliminates operational complexity and reduces cost by integrating archiving, backups, and reporting into a single process
• Need for third-party reporting tools eliminated because everything is managed from a single console
• Allows for workflow automation of tasks that would otherwise be repetitive or complex
• Self-service access to information, which allows for maximized productivity
• Accounts for all data and reduces risk in a single, enterprise-wide search
• One-click, enterprise-wide legal hold
• $1270 per socket
• $4.50 per user per month
• $30 per mailbox
• $1420 per TB
Appendix C
DynaTrace: http://www.dynatrace.com/en/index.html
• No other company can match our experience and depth of knowledge: more than 800 of the field's top engineers and application performance experts contribute to our industry-leading products, assuring customer value and driving innovation. Dynatrace optimizes every digital moment by enabling you to:
• Proactively spot and solve application performance issues before users are impacted
• Smart and adaptive alerts to better adjust in future situations
• Code-to-click visibility which can deliver actionable insights at each step in the lifecycle of the application
• Increases customer satisfaction by delivering visibility, context, insight, and adaptability
• Speed new applications and enhancements to market with DevOps functionality
• Pinpoint root causes and optimize critical applications
• Always ready to launch on time due to effective competitive benchmarking, testing, monitoring, and performance protection
Appendix D
ISO standards: ISO 27001, 27002
• ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
• ISO 27002 provides the code of conduct – guidance and recommended best practices that can be used to enforce the specification.
• ISO 27002, then, is the source of guidance for the selection and implementation of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.
SOX: The Sarbanes-Oxley Act is United States legislation to improve the accuracy of corporate disclosures and prevent accounting errors and fraudulent financial practices. Due to the purpose of its establishment, all organizations regardless of size and scope are required to comply.
• Section 404: program for risk assessment and internal control reporting requirements. Section 404 of SOX is primarily devoted to the management assessment of internal controls using a top-down risk assessment. A top-down, risk-based approach is a process of identifying financial-reporting-related risks, a combination of controls that effectively address those risks, and evaluating testing results to provide conclusive responses on the effectiveness of the controls. This method rests on the fact that not all risks are equal and that risks should be organized according to likelihood and impact.
Appendix E
COBIT:
• Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: a reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
• Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
• Maturity models: assess maturity and capability per process and help to address gaps
• The maturity models (MMs) in COBIT were first created in 2000 and at that time were designed based on the original CMM scale with the addition of an extra level (0), as shown below:
• Level 0: Non-existent
• Level 1: Initial/ad hoc
• Level 2: Repeatable but Intuitive
• Level 3: Defined Process
• Level 4: Managed and Measurable
• Level 5: Optimized
Appendix F
GLBA:
• The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
• The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
NPI:
• any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
• any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
• any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
Fines for GLBA:
• fines up to $100,000 for each violation
• specific individuals fined up to $10,000 for each violation
• criminal penalties of up to 5 years in prison