Risk Management at PridePoint Bank
Caselet #3:
Risk Response and Mitigation
Disclaimer
ISACA has designed and created the Risk Management at PridePoint Bank series (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.
The example companies, organisations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, email address, logo, person, place or event is intended or should be inferred.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Reservation of Rights
© 2015 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/risk-management
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgements
Author
James C. Samans, CISA, CISM, CRISC, CISSP-ISSEP, CIPT, PMP, XENSHA LLC, USA
Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany
Academic Program Subcommittee
Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, Ph.D., AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA
This caselet was developed to support the Risk Management Student Book.
Introduction
- Risk management refers to the co-ordinated activities taken by an enterprise to direct and control activities pertaining to risk.
- Risk management is an active process, not simply a form of elaborate observation.
- ‘Control’, when used as a verb in the context of risk management, is often used as a synonym for ‘measure’.
- However, the results of measurement must be used as the basis for directing actions and activities.
- Comprehensive risk management includes four steps:
- Identification
- Assessment
- Mitigation (response)
- Ongoing monitoring and reporting
What is risk management?
What is risk response?
How does it benefit an enterprise?
- Risk is commonly defined as the combination of the probability of an event and its consequence.
- Risk response encompasses the four ways in which an enterprise addresses risk:
- Mitigation, or actions taken to reduce the likelihood and/or impact of risk
- Transfer, or sharing the consequences of a particular risk
- Acceptance, meaning no action is taken relative to a particular risk and loss is accepted if it occurs
- Avoidance, in which the enterprise actively ends a line of activity for which it cannot adequately manage risk
- Which of these is appropriate depends on cost.
- The instinctive response to risk management is to deploy controls to mitigate the risk—especially for IT risk.
- However, responding to every risk with mitigation can be a flawed strategy.
- Deploying a control may cost more than the maximum consequences.
- It may be possible to control the maximum consequences by sharing risk at lower cost than mitigation.
- Some risk cannot be reduced to the point of tolerance even with multiple controls.
- A formalised risk-response methodology helps decision makers address risk in ways that are cost-effective.
Agenda
- Company Profile – PridePoint Bank
- Background Information
- Your Role
- Executive Guidance
- Assessment Findings
- Technology Response
- Your Tasks
- Discussion Questions
Profile of PridePoint Bank
Mid-sized, publicly traded regional bank
2,150 employees and an additional 700 contractors
Focused on controlling risk as part of its customer retention strategy
Background: Overview
- PridePoint is the dominant bank across three states with 92 branch locations.
- Total assets of $3.6 billion
- Non-interest income is 19.2% of total revenue
- 84.1% loan-to-deposit ratio
- Customers include both individual consumers and regionally established businesses.
- Largest business customers average revenues in excess of $57 million per year.
- PridePoint processes approximately $8 million in transactions on a given day.
Background: Organisational Structure
- PridePoint has a five-person board of directors with a non-executive chairman.
- The chief executive officer (CEO) has three direct reports:
- Chief financial officer (CFO)
- Chief operating officer (COO)
- Senior Vice President (SVP) of Administration
- Technology Operations and Information Security report to the COO through the chief information officer (CIO).
- Facilities and Physical Security report to the SVP, Administration through Human Resources.
- Procurement oversees contractors and reports to the CFO.
- Operational Risk and Internal Audit report to the CFO.
Background: Operations
- The board of directors has made risk management a priority since the bank was taken public.
- Within the technology arena, a third-party consulting firm was engaged to carry out this risk assessment.
- The assessment took into account the particular nature of PridePoint’s network:
- The network is divided into two zones (A and B), with all Internet traffic traversing the Zone A security perimeter.
- Zone A uses physical servers and has dual data centres in a hot-site configuration, located 20 miles apart.
- Zone B uses virtual servers in a single data centre.
- Leased capacity is available 100 miles away for restoration of Zone B from backup by third-party contractors.
- Approximately 75% of all customers are served by Zone A.
Network Diagram (figure not reproduced in this text; labels recovered from the slide): Internet; Perimeter Suite 1 with Data Centre 1 (Zone A: Primary); Perimeter Suite 2 with Data Centre 2 (Zone A: Secondary); Data Centre 3 (Zone B); Leased Capacity; Bank Branches; ATMs. Distance markers on the diagram read 20 miles, 50 miles and 100 miles.
Background: Competition
- Miners Bank is PridePoint’s largest competitor:
- Privately held
- 57 branches
- Total assets of $2.6 billion
- Miners recently unveiled a marketing message that customers’ money is safer with a privately held bank.
- Specifically, the Miners message is that larger banks are too focused on short-term profits and take excessive risk.
- The marketing undertaken by Miners Bank has not yet resulted in significant losses of existing accounts.
Background: Business Goals
- Recent scandals regarding compromised credit card numbers at major retailers have the board concerned.
- Most PridePoint account holders began their banking experience with one of the pre-merger banks and are still evaluating what the merger means for them.
- Independent surveys suggest that a data breach could result in a loss of up to one-third of daily banking activity.
- Interestingly, the same survey shows substantial tolerance for service interruptions if no data is lost.
- The CEO has indicated that resources will be made available for risk management as needed.
- The enterprise risk appetite is $3 million, with a tolerance of $1 million.
Your Role
Experience:
- Two years of experience in risk assessment
- Two years of previous experience in information technology
Credentials:
- Bachelor’s degree in Information Systems
- CRISC certification
- As an Operational Risk Specialist, you have been assigned to help the CIO develop a risk response strategy.
- Technology Operations and Information Security staff will be available to answer technical questions and provide clarification.
- You:
- Will present your recommendations jointly to the CIO and CFO
- May be asked to explain your reasoning
- Are encouraged to use your judgement
- Final decisions regarding risk response will be made at the executive level.
Executive Guidance
- Everyone agrees that:
- Risk needs to be managed
- The XYZZY risk assessment is reliable
- The CIO has provided you with proposals from the technical staff regarding ways to mitigate the risk identified in the assessment.
- The CFO is concerned that the commitment of the CEO to make resources available for risk response may prompt a ‘wish list’ mentality.
- Additionally, the CFO has recently obtained a proposal for business interruption insurance, which:
- Is payable during a disruption that results in a loss of business processes
- Replaces a specified amount of revenue per day, up to a maximum of $10 million
- Has an annual premium equal to 10% of the selected daily replacement amount
Assessment Findings
Introduction
As directed by the scope of work established between PridePoint Bank and XYZZY Consulting, this risk assessment addresses only that risk previously identified by PridePoint within the scope of its technology functions and processes. Additionally, XYZZY conducted this assessment based on technical information provided by PridePoint, not an independent verification and validation activity.
This assessment presents its findings ranked in order of most to least significant according to the best estimates of XYZZY based on the limitations disclosed above.
| Risks by Severity | Count |
| --- | --- |
| HIGH | 3 |
| MODERATE | 4 |
| LOW | 1 |
Assessment Findings

| Risk 1 of 8 | Rating: HIGH |
| --- | --- |
| Category | Architecture |
| Threat Event | Regional event affecting connectivity and/or power |
| Target | Physical Infrastructure, IT Infrastructure |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Easy. Immediate and widespread physical evidence. |
| Vulnerability | Zone A data centres are co-located within one region. |
| Consequence(s) | Enterprise operations are shut down indefinitely across both zones. |
| Rating Explanation | Because all Internet traffic flows through the Zone A perimeter, both zones and all connectivity to branches and ATMs cease with the loss of the Zone A data centres and would continue until their return to service. May be irrecoverable were the nature of the event to destroy data, leave staff unable to travel to a recovery site or both. |
| Risk 2 of 8 | Rating: HIGH |
| --- | --- |
| Category | Environmental |
| Threat Event | Loss of cooling capacity within a data centre |
| Target | Physical or IT Infrastructure: Data Centre 3 |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Moderate. Physical evidence eventually apparent. Environmental monitoring unknown. |
| Vulnerability | Zone B cannot sustain data centre loss without service interruption. |
| Consequence(s) | Processes needing Zone B systems are interrupted for up to 12 hours. |
| Rating Explanation | Zone A and B services are entirely distinct, and customers reliant upon Zone B cannot carry out transactions during recovery. The Zone B DRP is stated to take up to 12 hours to complete recovery carried out by third-party contractors using capacity leased at an out-of-region site. |
| Risk 3 of 8 | Rating: HIGH |
| --- | --- |
| Category | Logical Attacks |
| Threat Event | External parties direct cyberattacks against the network. |
| Target | Applications, IT Infrastructure |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Difficult due to false positive IDS alarms and lack of internal detection |
| Vulnerability | Perimeter defences are not configured for defence-in-depth. |
| Consequence(s) | Services are impacted or data is lost. Confidence among customers and shareholders is eroded. |
| Rating Explanation | PridePoint has a robust security perimeter, but any single line of security can eventually be compromised, and the bank lacks not only the strategic depth needed to delay an initially successful intrusion but also the ability to reasonably notice that an attack is underway. |
| Risk 4 of 8 | Rating: MODERATE |
| --- | --- |
| Category | Information |
| Threat Event | Customer data accessed without permission. |
| Target | Information |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Difficult. No known internal controls. |
| Vulnerability | Third-party contractors empowered to complete Zone B recovery have administrator credentials. |
| Consequence(s) | Customers incur losses that are passed to the bank. Confidence and market share are lost. |
| Rating Explanation | PridePoint has no visibility into the internal risk processes of the third-party contractor from which it leases out-of-region recovery capacity for Zone B, such as governance, monitoring or segregation of duties. |
| Risk 5 of 8 | Rating: MODERATE |
| --- | --- |
| Category | Program/Project Life Cycle Management |
| Threat Event | IT projects cost more or take longer than planned. |
| Target | People and Skills, Process |
| IT Risk Category | Project Delivery |
| Detection Difficulty | Project management proficiency unknown. |
| Vulnerability | IT organisation has not executed any significant projects in more than one year. |
| Consequence(s) | Necessary projects are cancelled or delayed. Opportunities for improved service are lost. |
| Rating Explanation | Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion. |
| Risk 6 of 8 | Rating: MODERATE |
| --- | --- |
| Category | Architecture |
| Threat Event | Consolidation into a single-zone network. |
| Target | Physical Infrastructure, IT Infrastructure |
| IT Risk Category | Benefit/Value, Project Delivery |
| Detection Difficulty | Project management proficiency unknown. Value dependent upon target state. |
| Vulnerability | Data centres use different architectures, and some applications exist in multiple instances. |
| Consequence(s) | Missteps lead to cost overruns or yield inadequate value. |
| Rating Explanation | Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion. |
| Risk 7 of 8 | Rating: MODERATE |
| --- | --- |
| Category | IT Expertise and Skills |
| Threat Event | Key knowledge lost due to employee departures. |
| Target | Applications, IT Infrastructure |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Moderate. Who is key is not always evident. |
| Vulnerability | Deep cuts in staffing cause employees to look for other opportunities. |
| Consequence(s) | Maintaining existing systems becomes more costly or difficult. |
| Rating Explanation | The current PridePoint architecture is diverse and complex, requiring several different types of specialised expertise to be kept operational, while a combination of technical stagnation and staff reductions makes it more likely that people possessing such expertise are looking for other opportunities. This combination sets the stage for loss of vital skills. |
| Risk 8 of 8 | Rating: LOW |
| --- | --- |
| Category | Staff Operations |
| Threat Event | Data transaction processed on wrong system. |
| Target | Information, Applications |
| IT Risk Category | Operations/Service |
| Detection Difficulty | Difficult. No known internal controls in place. |
| Vulnerability | Identical applications exist in unrelated instances on each zone. |
| Consequence(s) | Active and backup data lose integrity. Effects are multiplied across processes. |
| Rating Explanation | PridePoint has transaction logs that can be used to back out erroneous transactions, although manual reversion may be time-consuming. The odds of any one error are moderate, but each case is distinct: one error does not suggest a greater likelihood of another. |
Technology Response

| Risk | Proposed Mitigation | Estimated Cost |
| --- | --- | --- |
| 1 | ‘Swap’ the roles of Data Centres 1 and 3; relocate Perimeter Suite 1 to maintain its co-existence with the new Data Centre 1 location. | $14 million |
| 2 | Install environmental sensors and establish active monitoring. Distribute Zone B virtual servers across all three data centres. | $8 million |
| 3 | Engage a contractor to tune the IDS sensors and eliminate false positives. Build a 24x7 position dedicated to alarm and log review. | $1 million |
| 4 | Leased capacity becomes unnecessary after completing Mitigation #2. | No extra cost |
| 5 | Send IT managers to project-management training. | $20K |
| 6 | Included within the scope of Mitigation #5. | No extra cost |
| 7 | Offer retention bonuses in exchange for a five-year commitment. | $2 million |
| 8 | Eliminate multiple instances by consolidating enterprise customer accounts and data into Zone A. Eliminate Zone B. | $21 million |
Your Tasks
- Estimate the cost associated with the consequences of each risk included in the scope of the risk assessment.
- Using your estimates regarding the cost of consequences for each risk, identify any technology proposals that are not cost-effective.
- Evaluate the technology proposals that appear to be cost-effective to identify any that may not be technically effective.
- Drawing on the results of these tasks, decide on your recommended response to each of the eight identified instances of risk.
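The tasks above, together with the four response options from the Introduction (mitigate, transfer, accept, avoid) and the CFO's insurance terms under Executive Guidance, amount to a cost comparison that can be written down as code. The script below is an added worked example and is not part of the ISACA caselet or any PridePoint material. It takes the caselet's published figures ($8 million of daily transactions, the $1 million tolerance, the 10% premium, the $10 million maximum and the estimated cost of each technology proposal) and makes three labelled assumptions: the $10 million maximum is read as a cap on the daily replacement amount, one-off mitigation spend is spread over five years, and the tolerance is applied as the largest residual annual exposure allowed per risk. The single-loss and likelihood figures in `SAMPLE_RISKS` are hypothetical placeholders, not the caselet's estimates; Task 1 asks the reader to produce those.

```python
"""Cost-driven risk-response selection for the PridePoint caselet.

Added worked example; not part of the ISACA caselet or any PridePoint material.
Values marked 'caselet' come from the slides; everything marked 'assumption'
or 'hypothetical' is invented here for illustration only.
"""
from dataclasses import dataclass

# Caselet figures.
DAILY_TRANSACTIONS = 8_000_000        # ~$8M of transactions processed on a given day
RISK_TOLERANCE = 1_000_000            # the $1M tolerance stated with the $3M appetite
INSURANCE_PREMIUM_RATE = 0.10         # annual premium = 10% of the daily replacement amount
INSURANCE_MAX_DAILY = 10_000_000      # assumption: the $10M maximum caps the daily amount

# Assumption: one-off mitigation spend is spread over five years so it can be
# compared with an annual premium and an annual loss expectancy.
AMORTISATION_YEARS = 5


@dataclass
class Risk:
    name: str
    single_loss: float          # estimated cost of one occurrence ($)
    annual_rate: float          # expected occurrences per year
    mitigation_cost: float      # one-off cost of the technology proposal ($)
    mitigation_effect: float    # fraction of annual exposure the proposal removes (0..1)
    insurable_days: float = 0   # outage days per occurrence that interruption insurance replaces


def annual_loss_expectancy(single_loss, annual_rate):
    """ALE: cost of one occurrence times expected occurrences per year."""
    return single_loss * annual_rate


def insurance_premium(daily_replacement, rate=INSURANCE_PREMIUM_RATE, cap=INSURANCE_MAX_DAILY):
    """Annual premium under the CFO's proposal for a chosen daily replacement amount."""
    return min(daily_replacement, cap) * rate


def insurance_breakeven_days(rate=INSURANCE_PREMIUM_RATE):
    """Covered outage days per year at which expected payout equals the premium.
    premium = rate * D and payout = D * days, so break-even is at days == rate."""
    return rate


def choose_response(risk, tolerance=RISK_TOLERANCE, daily_replacement=DAILY_TRANSACTIONS):
    """Return (response, annual_cost) for one risk.

    accept              if untreated exposure is already within tolerance
    mitigate / transfer whichever brings residual exposure within tolerance
                        at the lowest total annual cost
    avoid               if neither option gets the risk within tolerance
    """
    ale = annual_loss_expectancy(risk.single_loss, risk.annual_rate)
    if ale <= tolerance:
        return "accept", ale

    options = {}
    # Mitigation: amortised control cost plus the exposure the control leaves behind.
    residual = ale - ale * risk.mitigation_effect
    if residual <= tolerance:
        options["mitigate"] = risk.mitigation_cost / AMORTISATION_YEARS + residual
    # Transfer: premium plus the exposure insurance does not replace (e.g. lost data).
    if risk.insurable_days > 0:
        covered_per_event = min(risk.single_loss,
                                risk.insurable_days * min(daily_replacement, INSURANCE_MAX_DAILY))
        uninsured = (risk.single_loss - covered_per_event) * risk.annual_rate
        if uninsured <= tolerance:
            options["transfer"] = insurance_premium(daily_replacement) + uninsured
    if not options:
        return "avoid", ale
    best = min(options, key=options.get)
    return best, options[best]


# Hypothetical inputs: only the mitigation costs are the caselet's; the loss and
# rate figures are placeholders for the reader's own Task 1 estimates.
SAMPLE_RISKS = [
    Risk("2: Zone B cooling loss", single_loss=1_000_000, annual_rate=0.5,
         mitigation_cost=8_000_000, mitigation_effect=0.9, insurable_days=0.5),
    Risk("1: regional event", single_loss=12_000_000, annual_rate=0.2,
         mitigation_cost=14_000_000, mitigation_effect=0.95, insurable_days=1.5),
    Risk("3: external cyberattack", single_loss=30_000_000, annual_rate=0.1,
         mitigation_cost=1_000_000, mitigation_effect=0.8),   # data loss is not insurable here
]


def recommend(risks=SAMPLE_RISKS):
    """Map each risk name to its recommended response and annual cost."""
    return {r.name: choose_response(r) for r in risks}


if __name__ == "__main__":
    for name, (response, cost) in recommend().items():
        print(f"{name:28s} -> {response:8s} (annual cost ${cost:,.0f})")
    print(f"insurance pays for itself above {insurance_breakeven_days():.1f} outage days/year")
```

Two points the numbers make that the slides only state in words: a premium of 10% of the daily amount breaks even at one tenth of a day of covered outage per year, so transfer is cheap for pure interruption risk, and it does nothing for a risk whose consequence is lost data rather than lost days, which is why the cyberattack row can only be mitigated or avoided. With the hypothetical inputs above the $14 million data-centre swap loses to insurance on cost, which is the kind of conclusion Task 2 asks for; change the inputs and the recommendation changes with them.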
Discussion Questions
- This caselet presented consequences that all had clear financial impacts. How might the consequences have been treated differently if they included death, injury or negative publicity?
- The proposed IT mitigation to Risk #8—consolidation into a single zone—was eliminated as cost-ineffective. Does that mean that it is not a good idea?