Risk Management at PridePoint Bank
Caselet #3:
Risk Response and Mitigation

Disclaimer

ISACA has designed and created the Risk Management at PridePoint Bank series (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

The example companies, organisations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, email address, logo, person, place or event is intended or should be inferred.

ISACA

3701 Algonquin Road, Suite 1010

Rolling Meadows, IL 60008 USA

Phone: +1.847.253.1545

Fax: +1.847.253.1443

Email: [email protected]

Web site: www.isaca.org

Reservation of Rights

© 2015 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/risk-management

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

Follow ISACA on Twitter: https://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial

Like ISACA on Facebook: www.facebook.com/ISACAHQ

Acknowledgements

Author

James C. Samans, CISA, CISM, CRISC, CISSP-ISSEP, CIPT, PMP, XENSHA LLC, USA

Board of Directors

Robert E Stroud, CGEIT, CRISC, CA, USA, International President

Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President

Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President

Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President

Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President

Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President

Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President

Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President

Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director

Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director

Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board

Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman

Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands

Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK

Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA

Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore

Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA

Anthony P. Noble, CISA, Viacom, USA

Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Academic Program Subcommittee

Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman

Daniel Canoniero, Universidad de Montevideo, Uruguay

Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA

Umesh Rao Hodeghatta, Xavier Institute of Management, India

Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada

Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA

Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands

S. Vanderloot, CISA, CISM, CRISC, Ph.D., AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK

Nancy C. Wells, CISA, CRISC, USA

Student Book

This caselet was developed to support the Risk Management Student Book: www.isaca.org/risk-management

Introduction

  • Risk management refers to the co-ordinated activities taken by an enterprise to direct and control activities pertaining to risk.
  • Risk management is an active process, not simply a form of elaborate observation.
  • ‘Control’, when used as a verb in the context of risk management, is often used as a synonym for ‘measure’.
  • However, the results of measurement must be used as the basis for directing actions and activities.
  • Comprehensive risk management includes four steps:
    • Identification
    • Assessment
    • Mitigation (response)
    • Ongoing monitoring and reporting

What is risk management?

What is risk response?

How does it benefit an enterprise?

Introduction

  • Risk is commonly defined as the combination of the probability of an event and its consequence.
  • Risk response encompasses the four ways in which an enterprise addresses risk:
    • Mitigation, or actions taken to reduce the likelihood and/or impact of risk
    • Transfer, or sharing the consequences of a particular risk with another party
    • Acceptance, meaning no action is taken relative to a particular risk and the loss is absorbed if it occurs
    • Avoidance, in which the enterprise actively ends a line of activity for which it cannot adequately manage risk
  • Which of these is appropriate depends on the cost of the response relative to the cost of the consequence it addresses.

Introduction

  • The instinctive response to identified risk is to deploy controls that mitigate it, especially for IT risk.
  • However, responding to every risk with mitigation can be a flawed strategy:
    • Deploying a control may cost more than the maximum consequences of the risk.
    • It may be possible to cap the maximum consequences by sharing the risk at lower cost than mitigation.
    • Some risk cannot be reduced to within tolerance even with multiple controls.
  • A formalised risk-response methodology helps decision makers address risk in ways that are cost-effective.

Agenda

  • Company Profile – PridePoint Bank
  • Background Information
  • Your Role
  • Executive Guidance
  • Assessment Findings
  • Technology Response
  • Your Tasks
  • Discussion Questions

Profile of PridePoint Bank

Mid-sized, publicly traded regional bank

2,150 employees and an additional 700 contractors

Focused on controlling risk as part of its customer retention strategy

Background: Overview

  • PridePoint is the dominant bank across three states with 92 branch locations.
  • Total assets of $3.6 billion
  • Non-interest income is 19.2% of total revenue
  • 84.1% loan-to-deposit ratio
  • Customers include both individual consumers and regionally established businesses.
  • Largest business customers average revenues in excess of $57 million per year.
  • PridePoint processes approximately $8 million in transactions on a typical day.

Overview

Operations

Business Goals

Org. Structure

Competition

Background: Organisational Structure

  • PridePoint has a five-person board of directors with a non-executive chairman.
  • The chief executive officer (CEO) has three direct reports:
    • Chief financial officer (CFO)
    • Chief operating officer (COO)
    • Senior Vice President (SVP) of Administration
  • Technology Operations and Information Security report to the COO through the chief information officer (CIO).
  • Facilities and Physical Security report to the SVP, Administration through Human Resources.
  • Procurement oversees contractors and reports to the CFO.
  • Operational Risk and Internal Audit report to the CFO.

Background: Operations

  • The board of directors has made risk management a priority since the bank was taken public.
  • Within the technology arena, a third-party consulting firm was engaged to carry out this risk assessment.
  • The assessment took into account the particular nature of PridePoint’s network:
    • The network is divided into two zones (A and B), with all Internet traffic traversing the Zone A security perimeter.
    • Zone A uses physical servers and has dual data centres in a hot-site configuration, located 20 miles apart.
    • Zone B uses virtual servers in a single data centre.
    • Leased capacity is available 100 miles away for restoration of Zone B from backup by third-party contractors.
    • Approximately 75% of all customers are served by Zone A.


Network Diagram

(Figure; only its labels survive extraction.) Nodes: Internet; Perimeter Suite 1; Perimeter Suite 2; Data Centre 1 (Zone A: Primary); Data Centre 2 (Zone A: Secondary); Data Centre 3 (Zone B); Leased Capacity; Bank Branches; ATMs. Distance labels: 20 miles (between the two Zone A data centres, per the Operations slide), 100 miles (to the leased capacity, per the Operations slide) and 50 miles (placement not recoverable from the extracted labels).

Background: Competition

  • Miners Bank is PridePoint’s largest competitor:
    • Privately held
    • 57 branches
    • Total assets of $2.6 billion
  • Miners recently unveiled a marketing message that customers’ money is safer with a privately held bank.
  • Specifically, the Miners message is that larger banks are too focused on short-term profits and take excessive risk.
  • The marketing undertaken by Miners Bank has not yet resulted in significant losses of existing accounts.

Background: Business Goals

  • Recent scandals regarding compromised credit card numbers at major retailers have the board concerned.
  • Most PridePoint account holders began their banking experience with one of the pre-merger banks and are still evaluating what the merger means for them.
  • An independent survey suggests that a data breach could result in a loss of up to one-third of daily banking activity.
  • Interestingly, the same survey shows substantial tolerance for service interruptions, provided no data is lost.
  • The CEO has indicated that resources will be made available for risk management as needed.
  • The enterprise risk appetite is $3 million, with a tolerance of $1 million.

Your Role

Experience:

  • Two years of experience in risk assessment
  • Two years of previous experience in information technology

Credentials:

  • Bachelor’s degree in Information Systems
  • CRISC certification

  • As an Operational Risk Specialist, you have been assigned to help the CIO develop a risk response strategy.
  • Technology Operations and Information Security staff will be available to answer technical questions and provide clarification.
  • You:
    • Will present your recommendations jointly to the CIO and CFO
    • May be asked to explain your reasoning
    • Are encouraged to use your judgement
  • Final decisions regarding risk response will be made at the executive level.

Executive Guidance

  • Everyone agrees that:
    • Risk needs to be managed
    • The XYZZY risk assessment is reliable
  • The CIO has provided you with proposals from the technical staff regarding ways to mitigate the risk identified in the assessment.
  • The CFO is concerned that the commitment of the CEO to make resources available for risk response may prompt a ‘wish list’ mentality.
  • Additionally, the CFO has recently obtained a proposal for business interruption insurance, which:
    • Is payable during a disruption that results in a loss of business processes
    • Replaces a specified amount of revenue per day, up to a maximum of $10 million
    • Has an annual premium equal to 10% of the selected daily replacement amount

Assessment Findings

Introduction

As directed by the scope of work established between PridePoint Bank and XYZZY Consulting, this risk assessment addresses only that risk previously identified by PridePoint within the scope of its technology functions and processes. Additionally, XYZZY conducted this assessment based on technical information provided by PridePoint, not an independent verification and validation activity.

This assessment presents its findings ranked in order of most to least significant according to the best estimates of XYZZY based on the limitations disclosed above.

Risks by Severity (chart)

HIGH: 3
MODERATE: 4
LOW: 1

Assessment Findings

Risk 1 of 8 (Rating: HIGH)
Category: Architecture
Threat Event: Regional event affecting connectivity and/or power
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Easy. Immediate and widespread physical evidence.
Vulnerability: Zone A data centres are co-located within one region.
Consequence(s): Enterprise operations are shut down indefinitely across both zones.
Rating Explanation: Because all Internet traffic flows through the Zone A perimeter, both zones and all connectivity to branches and ATMs cease with the loss of the Zone A data centres, and remain down until their return to service. The loss may be irrecoverable if the event destroys data, leaves staff unable to travel to a recovery site, or both.

Assessment Findings

Risk 2 of 8 (Rating: HIGH)
Category: Environmental
Threat Event: Loss of cooling capacity within a data centre
Target: Physical or IT Infrastructure: Data Centre 3
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Physical evidence eventually apparent. Environmental monitoring unknown.
Vulnerability: Zone B cannot sustain data centre loss without service interruption.
Consequence(s): Processes needing Zone B systems are interrupted for up to 12 hours.
Rating Explanation: Zone A and B services are entirely distinct, and customers reliant upon Zone B cannot carry out transactions during recovery. The Zone B disaster recovery plan (DRP) is stated to take up to 12 hours to complete, with recovery carried out by third-party contractors using capacity leased at an out-of-region site.

Assessment Findings

Risk 3 of 8 (Rating: HIGH)
Category: Logical Attacks
Threat Event: External parties direct cyberattacks against the network.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Difficult, due to false-positive intrusion detection system (IDS) alarms and a lack of internal detection.
Vulnerability: Perimeter defences are not configured for defence-in-depth.
Consequence(s): Services are impacted or data is lost. Confidence among customers and shareholders is eroded.
Rating Explanation: PridePoint has a robust security perimeter, but any single line of security can eventually be compromised. The bank lacks not only the strategic depth needed to delay an initially successful intrusion but also the ability to reasonably notice that an attack is underway.

Assessment Findings

Risk 4 of 8 (Rating: MODERATE)
Category: Information
Threat Event: Customer data accessed without permission.
Target: Information
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls.
Vulnerability: Third-party contractors empowered to complete Zone B recovery have administrator credentials.
Consequence(s): Customers incur losses that are passed to the bank. Confidence and market share are lost.
Rating Explanation: PridePoint has no visibility into the internal risk processes (governance, monitoring, segregation of duties) of the third-party contractor from which it leases out-of-region recovery capacity for Zone B.

Assessment Findings

Risk 5 of 8 (Rating: MODERATE)
Category: Program/Project Life Cycle Management
Threat Event: IT projects cost more or take longer than planned.
Target: People and Skills, Process
IT Risk Category: Project Delivery
Detection Difficulty: Project management proficiency unknown.
Vulnerability: IT organisation has not executed any significant projects in more than one year.
Consequence(s): Necessary projects are cancelled or delayed. Opportunities for improved service are lost.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion.

Assessment Findings

Risk 6 of 8 (Rating: MODERATE)
Category: Architecture
Threat Event: Consolidation into a single-zone network.
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Benefit/Value, Project Delivery
Detection Difficulty: Project management proficiency unknown. Value dependent upon target state.
Vulnerability: Data centres use different architectures, and some applications exist in multiple instances.
Consequence(s): Missteps lead to cost overruns or yield inadequate value.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may experience cost overruns of up to 50% and substantial delays in completion.

Assessment Findings

Risk 7 of 8 (Rating: MODERATE)
Category: IT Expertise and Skills
Threat Event: Key knowledge lost due to employee departures.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Who is key is not always evident.
Vulnerability: Deep cuts in staffing cause employees to look for other opportunities.
Consequence(s): Maintaining existing systems becomes more costly or difficult.
Rating Explanation: The current PridePoint architecture is diverse and complex, requiring several different types of specialised expertise to be kept operational, while a combination of technical stagnation and staff reductions makes it more likely that people possessing such expertise are looking for other opportunities. This combination sets the stage for loss of vital skills.

Assessment Findings

Risk 8 of 8 (Rating: LOW)
Category: Staff Operations
Threat Event: Data transaction processed on wrong system.
Target: Information, Applications
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls in place.
Vulnerability: Identical applications exist in unrelated instances on each zone.
Consequence(s): Active and backup data lose integrity. Effects are multiplied across processes.
Rating Explanation: PridePoint has transaction logs that can be used to back out erroneous transactions, although manual reversion may be time-consuming. The odds of any one error are moderate, but each case is distinct: one error does not suggest a greater likelihood of another.

Technology Response

Risk / Proposed Mitigation / Estimated Cost

Risk 1: ‘Swap’ the roles of Data Centres 1 and 3; relocate Perimeter Suite 1 so that it stays co-located with the new Data Centre 1 location. (Estimated cost: $14 million)
Risk 2: Install environmental sensors and establish active monitoring. Distribute Zone B virtual servers across all three data centres. (Estimated cost: $8 million)
Risk 3: Engage a contractor to tune the IDS sensors and eliminate false positives. Create a 24x7 position dedicated to alarm and log review. (Estimated cost: $1 million)
Risk 4: Leased capacity becomes unnecessary once Mitigation #2 is complete. (No extra cost)
Risk 5: Send IT managers to project-management training. (Estimated cost: $20K)
Risk 6: Included within the scope of Mitigation #5. (No extra cost)
Risk 7: Offer retention bonuses in exchange for a five-year commitment. (Estimated cost: $2 million)
Risk 8: Eliminate multiple instances by consolidating enterprise customer accounts and data into Zone A; eliminate Zone B. (Estimated cost: $21 million)

Your Tasks

  • Estimate the cost associated with the consequences of each risk included in the scope of the risk assessment.
  • Using your estimates regarding the cost of consequences for each risk, identify any technology proposals that are not cost-effective.
  • Evaluate the technology proposals that appear to be cost-effective to identify any that may not be technically effective.
  • Drawing on the results of these tasks, decide on your recommended response to each of the eight identified instances of risk.
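The insurance terms in the Executive Guidance and the four tasks above together describe a decision procedure: estimate the consequence of each risk, screen each proposed mitigation against that consequence, price transfer through the business interruption policy, and choose a response whose residual exposure the bank can live with. The Python below is an added worked example, not part of the ISACA caselet, that makes the procedure executable. The figures it takes from the caselet are the $3 million appetite, the $1 million tolerance, the 10% premium rate, the $10 million payout cap and the cost estimates in the Technology Response table. Every annual probability, maximum consequence, outage length and daily replacement amount is a constructed assumption standing in for the estimates Task 1 asks you to make; reading tolerance as a $1 million deviation band above appetite, and treating a one-time mitigation cost as a single year's cost, are likewise assumptions of this example.

```python
"""Risk-response selection for the PridePoint caselet.

Added worked example; not part of the ISACA caselet. It makes the
caselet's decision logic executable: screen each proposed mitigation
against the maximum consequence, price the business interruption
insurance from the Executive Guidance as a transfer option, and pick
the cheapest response whose residual exposure the bank can tolerate.

From the caselet: risk appetite $3M, tolerance $1M, premium = 10% of
the selected daily replacement amount, payout capped at $10M, and the
mitigation costs in the Technology Response table. Every probability,
consequence, outage length and daily replacement amount below is a
constructed assumption standing in for the student's own estimates.
"""
from dataclasses import dataclass

RISK_APPETITE = 3_000_000
RISK_TOLERANCE = 1_000_000
# Assumption: tolerance read as the permitted deviation above appetite.
RESIDUAL_CEILING = RISK_APPETITE + RISK_TOLERANCE
INSURANCE_CAP = 10_000_000
PREMIUM_RATE = 0.10


@dataclass(frozen=True)
class Risk:
    number: int
    annual_probability: float   # assumed
    max_consequence: int        # assumed worst-case loss, dollars
    mitigation_cost: int        # Technology Response table
    outage_days: float          # assumed; 0 when the loss is not an interruption
    daily_replacement: int      # assumed insured amount per day of outage


def mitigation_is_cost_effective(risk):
    """Caselet rule: a control costing more than the maximum consequence is out."""
    return risk.mitigation_cost <= risk.max_consequence


def insurance_terms(risk):
    """Annual premium and uninsured residual if the risk is transferred.

    Returns None when the loss is not a business interruption, since the
    policy pays only for lost business processes during a disruption.
    """
    if risk.outage_days <= 0:
        return None
    payout = min(risk.daily_replacement * risk.outage_days, INSURANCE_CAP)
    residual = max(risk.max_consequence - payout, 0)
    premium = PREMIUM_RATE * risk.daily_replacement
    return premium, residual


def evaluate(risk):
    """Return (response, annualised cost in whole dollars).

    accept   - only if the worst case stays under the residual ceiling;
               its cost is the expected loss (probability x consequence)
    mitigate - only if it passes the cost-effectiveness screen; the
               one-time cost is treated as the year's cost (simplification)
    transfer - only if the uninsured residual stays under the ceiling;
               cost is premium plus expected uninsured loss
    escalate - nothing brings exposure within the ceiling: avoidance or
               executive acceptance, outside this model
    """
    p = risk.annual_probability
    options = {}
    if risk.max_consequence <= RESIDUAL_CEILING:
        options["accept"] = p * risk.max_consequence
    if mitigation_is_cost_effective(risk):
        options["mitigate"] = risk.mitigation_cost
    terms = insurance_terms(risk)
    if terms is not None:
        premium, residual = terms
        if residual <= RESIDUAL_CEILING:
            options["transfer"] = premium + p * residual
    if not options:
        return "escalate", risk.max_consequence
    best = min(options, key=options.get)
    return best, round(options[best])


# Constructed estimates for the eight findings (mitigation costs from the table).
RISKS = [
    Risk(1, 0.02, 40_000_000, 14_000_000, 10, 4_000_000),
    Risk(2, 0.10, 1_000_000, 8_000_000, 0.5, 2_000_000),
    Risk(3, 0.25, 12_000_000, 1_000_000, 0, 0),
    Risk(4, 0.10, 5_000_000, 0, 0, 0),
    Risk(5, 0.50, 2_000_000, 20_000, 0, 0),
    Risk(6, 0.50, 10_500_000, 0, 0, 0),
    Risk(7, 0.30, 3_000_000, 2_000_000, 0, 0),
    Risk(8, 0.30, 500_000, 21_000_000, 0, 0),
]


def not_cost_effective(risks):
    """Task 2: proposals whose cost exceeds the consequence they address."""
    return [r.number for r in risks if not mitigation_is_cost_effective(r)]


def recommendations(risks):
    """Task 4: response and annualised cost per risk number."""
    return {r.number: evaluate(r) for r in risks}


if __name__ == "__main__":
    print("Not cost-effective:", not_cost_effective(RISKS))
    for n, (resp, cost) in recommendations(RISKS).items():
        print(f"Risk {n}: {resp:9s} ${cost:>12,}")
```

Running the script lists the proposals that fail the cost-effectiveness screen (Risks 2 and 8 under these estimates) and a response for each risk. The screen compares cost to the maximum consequence, as the caselet does, while the ranking of accept against transfer uses probability-weighted loss; changing the assumed probabilities can therefore flip a borderline case such as Risk 7 between accept and mitigate, which is exactly the kind of sensitivity worth showing the CFO alongside the recommendation.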

Discussion Questions

  • This caselet presented consequences that all had clear financial impacts. How might the consequences have been treated differently if they included death, injury or negative publicity?
  • The proposed IT mitigation to Risk #8—consolidation into a single zone—was eliminated as cost-ineffective. Does that mean that it is not a good idea?
