Case study: PridePoint bank, accounting homework help

instructions and case study attached

 


Risk Management at PridePoint Bank
Caselet #3: Risk Response and Mitigation

Disclaimer
ISACA has designed and created the Risk Management at PridePoint Bank series (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment. The example companies, organisations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, email address, logo, person, place or event is intended or should be inferred.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Reservation of Rights
© 2015 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/risk-management
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Acknowledgements

Author
James C. Samans, CISA, CISM, CRISC, CISSP-ISSEP, CIPT, PMP, XENSHA LLC, USA

Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Academic Program Subcommittee
Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, Ph.D., AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA

Student Book
This caselet was developed to support the Risk Management Student Book: www.isaca.org/risk-management

Introduction: What is risk management? What is risk response? How does it benefit an enterprise?

• Risk management refers to the co-ordinated activities taken by an enterprise to direct and control activities pertaining to risk.
• Risk management is an active process, not simply a form of elaborate observation.
  o ‘Control’, when used as a verb in the context of risk management, is often used as a synonym for ‘measure’.
  o However, the results of measurement must be used as the basis for directing actions and activities.
• Comprehensive risk management includes four steps:
  1. Identification
  2. Assessment
  3. Mitigation (response)
  4. Ongoing monitoring and reporting
• Risk is commonly defined as the combination of the probability of an event and its consequence.
• Risk response encompasses the four ways in which an enterprise addresses risk:
  o Mitigation, or actions taken to reduce the likelihood and/or impact of risk
  o Transfer, or sharing the consequences of a particular risk
  o Acceptance, meaning no action is taken relative to a particular risk and loss is accepted if it occurs
  o Avoidance, in which the enterprise actively ends a line of activity for which it cannot adequately manage risk
• Which of these is appropriate depends on cost.
• The instinctive response to risk management is to deploy controls to mitigate the risk, especially for IT risk.
• However, responding to every risk with mitigation can be a flawed strategy.
  o Deploying a control may cost more than the maximum consequences.
  o It may be possible to control the maximum consequences by sharing risk at lower cost than mitigation.
  o Some risk cannot be reduced to the point of tolerance even with multiple controls.
• A formalised risk-response methodology helps decision makers address risk in ways that are cost-effective.

Agenda
• Company Profile – PridePoint Bank
• Background Information
• Your Role
• Executive Guidance
• Assessment Findings
• Technology Response
• Your Tasks
• Discussion Questions

Profile of PridePoint Bank
• Mid-sized, publicly traded regional bank
• 2,150 employees and an additional 700 contractors
• Focused on controlling risk as part of its customer retention strategy

Background: Overview
• PridePoint is the dominant bank across three states with 92 branch locations.
  o Total assets of $3.6 billion
  o Non-interest income is 19.2% of total revenue
  o 84.1% loan-to-deposit ratio
  o Customers include both individual consumers and regionally established businesses.
  o Largest business customers average revenues in excess of $57 million per year.
• PridePoint processes approximately $8 million in transactions on a given day.

Background: Organisational Structure
• PridePoint has a five-person board of directors with a nonexecutive chairman.
• The chief executive officer (CEO) has three direct reports:
  o Chief financial officer (CFO)
  o Chief operating officer (COO)
  o Senior Vice President (SVP) of Administration
• Technology Operations and Information Security report to the COO through the chief information officer (CIO).
• Facilities and Physical Security report to the SVP, Administration through Human Resources.
• Procurement oversees contractors and reports to the CFO.
• Operational Risk and Internal Audit report to the CFO.

Organisation chart (figure; boxes shown): CEO; COO; CIO; Technology Infrastructure; Network Operations; Consumer Banking; Information Security; Disaster Recovery; SVP, Administration; CFO; Commercial Banking; Procurement; Internal Audit; Finance; Accounting; Operational Risk; Legal; Physical Security; HR; Compliance; Facilities.

Background: Operations
• The board of directors has made risk management a priority since the bank was taken public.
• Within the technology arena, a third-party consulting firm was engaged to carry out this risk assessment.
• The assessment took into account the particular nature of PridePoint’s network:
  o The network is divided into two zones (A and B), with all Internet traffic traversing the Zone A security perimeter.
  o Zone A uses physical servers and has dual data centres in a hot-site configuration, located 20 miles apart.
  o Zone B uses virtual servers in a single data centre.
  o Leased capacity is available 100 miles away for restoration of Zone B from backup by third-party contractors.
  o Approximately 75% of all customers are served by Zone A.
Network diagram (figure; labels shown): Bank Branches, Internet and ATMs connect through the Zone A perimeter (Perimeter Suite 1, Perimeter Suite 2); Data Centre 1 (Zone A: Primary) and Data Centre 2 (Zone A: Secondary); Data Centre 3 (Zone B); Leased Capacity; distances marked 20 miles, 50 miles and 100 miles.

Background: Competition
• Miners Bank is PridePoint’s largest competitor:
  o Privately held
  o 57 branches
  o Total assets of $2.6 billion
• Miners recently unveiled a marketing message that customers’ money is safer with a privately held bank.
  o Specifically, the Miners message is that larger banks are too focused on short-term profits and take excessive risk.
• The marketing undertaken by Miners Bank has not yet resulted in significant losses of existing accounts.

Background: Business Goals
• Recent scandals regarding compromised credit card numbers at major retailers have the board concerned.
  o Most PridePoint account holders began their banking experience with one of the pre-merger banks and are still evaluating what the merger means for them.
• Independent surveys suggest that a data breach could result in a loss of up to one-third of daily banking activity.
  o Interestingly, the same survey shows substantial tolerance for service interruptions if no data is lost.
• The CEO has indicated that resources will be made available for risk management as needed.
• The enterprise risk appetite is $3 million, with a tolerance of $1 million.

Your Role
Experience:
• Two years of experience in risk assessment
• Two years of previous experience in information technology
Credentials:
• Bachelor’s degree in Information Systems
• CRISC certification
• As an Operational Risk Specialist, you have been assigned to help the CIO develop a risk response strategy.
• Technology Operations and Information Security staff will be available to answer technical questions and provide clarification.
• You:
  o Will present your recommendations jointly to the CIO and CFO
  o May be asked to explain your reasoning
  o Are encouraged to use your judgement
• Final decisions regarding risk response will be made at the executive level.

Executive Guidance
• Everyone agrees that:
  o Risk needs to be managed
  o The XYZZY risk assessment is reliable
• The CIO has provided you with proposals from the technical staff regarding ways to mitigate the risk identified in the assessment.
• The CFO is concerned that the commitment of the CEO to make resources available for risk response may prompt a ‘wish list’ mentality.
• Additionally, the CFO has recently obtained a proposal for business interruption insurance, which:
  o Is payable during a disruption that results in a loss of business processes
  o Replaces a specified amount of revenue per day, up to a maximum of $10 million
  o Has an annual premium equal to 10% of the selected daily replacement amount

Assessment Findings: Introduction
As directed by the scope of work established between PridePoint Bank and XYZZY Consulting, this risk assessment addresses only that risk previously identified by PridePoint within the scope of its technology functions and processes. Additionally, XYZZY conducted this assessment based on technical information provided by PridePoint, not an independent verification and validation activity. This assessment presents its findings ranked in order of most to least significant according to the best estimates of XYZZY based on the limitations disclosed above.

Assessment Findings: Risk 1 of 8 (Rating: HIGH)
Category: Architecture
Threat Event: Regional event affecting connectivity and/or power
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Easy. Immediate and widespread physical evidence.
Vulnerability: Zone A data centres are co-located within one region.
Consequence(s): Enterprise operations are shut down indefinitely across both zones.
Rating Explanation: Because all Internet traffic flows through the Zone A perimeter, both zones and all connectivity to branches and ATMs cease with the loss of the Zone A data centres, and the outage would continue until their return to service. May be irrecoverable were the nature of the event to destroy data, leave staff unable to travel to a recovery site, or both.

Assessment Findings: Risk 2 of 8 (Rating: HIGH)
Category: Environmental
Threat Event: Loss of cooling capacity within a data centre
Target: Physical or IT Infrastructure: Data Centre 3
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Physical evidence eventually apparent. Environmental monitoring unknown.
Vulnerability: Zone B cannot sustain data centre loss without service interruption.
Consequence(s): Processes needing Zone B systems are interrupted for up to 12 hours.
Rating Explanation: Zone A and B services are entirely distinct, and customers reliant upon Zone B cannot carry out transactions during recovery. The Zone B DRP is stated to take up to 12 hours to complete recovery, carried out by third-party contractors using capacity leased at an out-of-region site.

Assessment Findings: Risk 3 of 8 (Rating: HIGH)
Category: Logical Attacks
Threat Event: External parties direct cyberattacks against the network.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Difficult, due to false-positive IDS alarms and lack of internal detection.
Vulnerability: Perimeter defences are not configured for defence-in-depth.
Consequence(s): Services are impacted or data is lost. Confidence among customers and shareholders is eroded.
Rating Explanation: PridePoint has a robust security perimeter, but any single line of security can eventually be compromised, and the bank lacks not only the strategic depth needed to delay an initially successful intrusion but also the ability to reasonably notice that an attack is underway.
Assessment Findings: Risk 4 of 8 (Rating: MODERATE)
Category: Information
Threat Event: Customer data accessed without permission.
Target: Information
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls.
Vulnerability: Third-party contractors empowered to complete Zone B recovery have administrator credentials.
Consequence(s): Customers incur losses that are passed to the bank. Confidence and market share are lost.
Rating Explanation: PridePoint has no visibility into the internal risk processes of the third-party contractor from which it leases out-of-region recovery capacity for Zone B, such as governance, monitoring or segregation of duties.

Assessment Findings: Risk 5 of 8 (Rating: MODERATE)
Category: Program/Project Life Cycle Management
Threat Event: IT projects cost more or take longer than planned.
Target: People and Skills, Process
IT Risk Category: Project Delivery
Detection Difficulty: Project management proficiency unknown.
Vulnerability: IT organisation has not executed any significant projects in more than one year.
Consequence(s): Necessary projects are cancelled or delayed. Opportunities for improved service are lost.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion.

Assessment Findings: Risk 6 of 8 (Rating: MODERATE)
Category: Architecture
Threat Event: Consolidation into a single-zone network.
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Benefit/Value, Project Delivery
Detection Difficulty: Project management proficiency unknown. Value dependent upon target state.
Vulnerability: Data centres use different architectures, and some applications exist in multiple instances.
Consequence(s): Missteps lead to cost overruns or yield inadequate value.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion.

Assessment Findings: Risk 7 of 8 (Rating: MODERATE)
Category: IT Expertise and Skills
Threat Event: Key knowledge lost due to employee departures.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Who is key is not always evident.
Vulnerability: Deep cuts in staffing cause employees to look for other opportunities.
Consequence(s): Maintaining existing systems becomes more costly or difficult.
Rating Explanation: The current PridePoint architecture is diverse and complex, requiring several different types of specialised expertise to be kept operational, while a combination of technical stagnation and staff reductions makes it more likely that people possessing such expertise are looking for other opportunities. This combination sets the stage for loss of vital skills.

Assessment Findings: Risk 8 of 8 (Rating: LOW)
Category: Staff Operations
Threat Event: Data transaction processed on wrong system.
Target: Information, Applications
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls in place.
Vulnerability: Identical applications exist in unrelated instances on each zone.
Consequence(s): Active and backup data lose integrity. Effects are multiplied across processes.
Rating Explanation: PridePoint has transaction logs that can be used to back out erroneous transactions, although manual reversion may be time-consuming. The odds of any one error are moderate, but each case is distinct: one error does not suggest a greater likelihood of another.

Technology Response

Risk | Proposed Mitigation | Estimated Cost
1 | ‘Swap’ the roles of Data Centres 1 and 3; relocate Perimeter Suite 1 to maintain its co-existence with the new Data Centre 1 location. |
2 | Install environmental sensors and establish active monitoring. Distribute Zone B virtual servers across all three data centres. | $8 million
3 | Engage a contractor to tune the IDS sensors and eliminate false positives. Build a 24×7 position dedicated to alarm and log review. | $1 million
4 | Leased capacity unnecessary after completing Mitigation #2. | No extra cost
5 | Send IT managers to project-management training. | $20K
6 | Included within the scope of Mitigation #5. | N …
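The cost comparison the Introduction calls for (mitigate, transfer or accept) applied to the CFO's insurance terms and the mitigation proposals above, as an added worked example; it is not part of the ISACA caselet. The insurance terms (annual premium equal to 10% of the selected daily replacement amount, $10 million cap) and the $3 million appetite with $1 million tolerance are the caselet's; the Zone B control cost is the $8 million shown for Mitigation 2. Every likelihood, outage duration, daily loss, control lifetime, residual likelihood and the Risk 1 control cost are assumed for illustration, as is the reading that exposure above appetite but within tolerance needs executive sign-off. Avoidance is not priced because it ends the activity rather than paying for it.

```python
"""Risk-response cost comparison for the PridePoint caselet.

Added worked example, not part of the ISACA caselet. Caselet figures:
risk appetite $3M, tolerance $1M, business interruption insurance with an
annual premium of 10% of the chosen daily replacement amount and a $10M
payout cap. Everything marked ASSUMED is illustrative only.
"""
from dataclasses import dataclass

RISK_APPETITE = 3_000_000      # caselet: enterprise risk appetite
RISK_TOLERANCE = 1_000_000     # caselet: tolerance
PREMIUM_RATE = 0.10            # caselet: premium = 10% of daily replacement amount
PAYOUT_CAP = 10_000_000        # caselet: maximum replacement per disruption


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float   # ASSUMED: probability the event occurs in a year
    outage_days: float         # ASSUMED: length of the resulting disruption
    daily_loss: float          # ASSUMED: revenue lost per day of disruption

    @property
    def single_loss(self) -> float:
        """Loss from one occurrence (single loss expectancy)."""
        return self.outage_days * self.daily_loss

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: likelihood x single loss."""
        return self.annual_likelihood * self.single_loss


def cost_accept(risk: Risk) -> float:
    """Acceptance costs nothing up front; the expected loss is the cost."""
    return risk.ale


def cost_mitigate(risk: Risk, control_cost: float, life_years: float,
                  residual_likelihood: float) -> float:
    """Control cost spread over its useful life plus the residual expected loss."""
    return control_cost / life_years + residual_likelihood * risk.single_loss


def optimal_daily_replacement(risk: Risk) -> float:
    """With a capped payout, daily replacement above cap / outage_days buys
    premium but no additional payout, so never insure beyond that (or beyond
    the actual daily loss)."""
    return min(risk.daily_loss, PAYOUT_CAP / risk.outage_days)


def cost_transfer(risk: Risk, daily_replacement: float) -> float:
    """Premium plus the expected part of the loss the policy does not cover."""
    premium = PREMIUM_RATE * daily_replacement
    payout = min(daily_replacement * risk.outage_days, PAYOUT_CAP)
    uncovered = max(risk.single_loss - payout, 0.0)
    return premium + risk.annual_likelihood * uncovered


def compare(risk: Risk, control_cost: float, life_years: float,
            residual_likelihood: float) -> tuple[str, dict[str, float]]:
    """Annual cost of each response; the cheapest wins. Avoidance is not
    priced: it ends the activity instead of paying for it."""
    options = {
        "accept": cost_accept(risk),
        "mitigate": cost_mitigate(risk, control_cost, life_years, residual_likelihood),
        "transfer": cost_transfer(risk, optimal_daily_replacement(risk)),
    }
    return min(options, key=options.get), options


def appetite_status(total_residual: float) -> str:
    """ASSUMED reading of appetite/tolerance: residual exposure up to the
    appetite is acceptable, up to appetite + tolerance needs executive
    sign-off, beyond that it must be reduced."""
    if total_residual <= RISK_APPETITE:
        return "within appetite"
    if total_residual <= RISK_APPETITE + RISK_TOLERANCE:
        return "within tolerance - escalate"
    return "exceeds tolerance - reduce"


# Constructed scenarios. Durations follow the findings (Zone B recovery up to
# 12 hours; a regional event is open-ended, taken here as 30 days);
# likelihoods and daily losses are ASSUMED.
ZONE_B_COOLING = Risk("Risk 2: loss of cooling, Data Centre 3", 0.25, 0.5, 2_000_000)
REGIONAL_EVENT = Risk("Risk 1: regional event, Zone A", 0.02, 30, 2_000_000)

if __name__ == "__main__":
    total = 0.0
    # Mitigation 2 is $8 million in the Technology Response table; its 5-year
    # life and 2% residual likelihood are ASSUMED. The Risk 1 control cost,
    # life and residual likelihood are ASSUMED outright.
    for risk, args in ((ZONE_B_COOLING, (8_000_000, 5, 0.02)),
                       (REGIONAL_EVENT, (10_000_000, 10, 0.002))):
        best, options = compare(risk, *args)
        total += options[best]
        print(f"{risk.name}: ALE ${risk.ale:,.0f}")
        for name, cost in options.items():
            print(f"  {name:<9} ${cost:,.0f}")
        print(f"  -> {best}; insure at ${optimal_daily_replacement(risk):,.0f}/day")
    print(f"Residual annual exposure ${total:,.0f}: {appetite_status(total)}")
```

Two things the numbers show that the slides only state: an $8 million control amortised against a 12-hour Zone B outage costs several times more per year than either accepting or insuring it (the Introduction's "control may cost more than the maximum consequences" case), and with a $10 million cap the useful daily replacement amount is bounded by cap divided by expected outage days, so for a 30-day regional outage buying $2 million per day of cover only adds premium over buying about $333,000 per day.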