
Transcript of Binghamton Bank Risk Analysis.pptx

Page 1: Binghamton Bank Risk Analysis.pptx

Binghamton Bank Risk Analysis

Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau

Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter

April 24, 2015 Aegis 1

Page 2: Binghamton Bank Risk Analysis.pptx

Agenda

• Overview of Binghamton Bank
• Executive Summary
• Aegis Analysis
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary

March 20, 2015 Aegis - Infrastructure Division 2

Page 3: Binghamton Bank Risk Analysis.pptx

Overview of Binghamton Bank (section divider; agenda repeated)

Page 4: Binghamton Bank Risk Analysis.pptx

Background of Binghamton Bank

• Binghamton Bank Corporation is the largest bank in the Northeastern region
• Headquarters in Boston, MA
• Specializes in commercial, retail and investment banking
• Binghamton Bank has $50 million in assets
• New CEO Conner Wayne
• “Building a Sanctuary for your Future”
• Strives to be the number one bank to safely protect one’s investments and interests

Page 5: Binghamton Bank Risk Analysis.pptx

Binghamton Bank Issues

• Requests to enhance their applications and infrastructure to create a company that better serves the customer
• Software upgrade issues
   ○ Stopped payments for 2 hours
   ○ Large monetary loss
• Web application issue
   ○ Customers could not access their accounts
   ○ Log-in troubles
• Reliability and reputation issues

Page 6: Binghamton Bank Risk Analysis.pptx

Executive Summary (section divider; agenda repeated)

Page 7: Binghamton Bank Risk Analysis.pptx

Executive Summary

1. Online Banking Security
   Risks: • High traffic • Unsecure networks • Low authorization • Allows remote access
   Applicable to bank: • Reputation • Vulnerable information • Database breach
   Recommendations: • 2 factor authentication • Monitoring • Safeguards • Encryption

2. FIN
   Risks: • Backup system • Test contingency plan • Windows 2000 • Test employees
   Applicable to bank: • Pivotal operations • Recovery time • Prevent breaches
   Recommendations: • Test contingency plan annually • Update servers • Cold sites • Monthly fake scams

3. BODPS
   Risks: • No authorization • Employee training • Confidential information • Breaches
   Applicable to bank: • Easy to hack database • GLBA violation • Critical functions
   Recommendations: • High authentication • Compliance • Training workshops

4. ATM Disaster Prevention
   Risks: • 7 critical vendors • Backup generator • Vendor transitions • Unreliable vendors
   Applicable to bank: • National news • Loss of operations • Recovery time
   Recommendations: • Backup generator • Transition vendor • Review vendors annually

Page 8: Binghamton Bank Risk Analysis.pptx

Executive Summary

ATM Vendor Dependency
   Risks: • Reliant on external vendors for ATM operations • Lacking emergency protocol
   Outcomes: • Vendor reliability awareness • Less failtime

Online Banking Remote Security
   Risks: • Compromised information and reputation due to weak security
   Outcomes: • Prevention of information disclosure

DR/Server Security
   Risks: • No data encryption • Lack of backup plan tests • Out of date servers
   Outcomes: • Reputation in safe customer information • Smoother emergency procedure

Page 9: Binghamton Bank Risk Analysis.pptx

Executive Summary

1. Online Banking Security
   Risks: • High traffic • Unsecure networks • Remote access
   Applicable to bank: • Reputation • Vulnerable critical information • Database breach
   Recommendations: • Two factor authentication • Monitoring • Remote access safeguards • Encryption

2. FIN
   Risks: • Backup system • Contingency plan tests • Windows 2000 • Test employees
   Applicable to bank: • Pivotal operations • Recovery time • Prevent breaches
   Recommendations: • Test contingency plan annually • Update servers • Cold sites • Monthly employee scam tests

3. BODPS
   Risks: • No authorization • Employee training • Confidential information • Breaches
   Applicable to bank: • Easy to hack database • GLBA violation • Critical functions
   Recommendations: • High authentication • Compliance • Training workshops for employees

4. ATM Disaster Prevention
   Risks: • 7 critical vendors • No backup generator • Vendor transitions • Unreliable vendors
   Applicable to bank: • National news • Loss of operations • Recovery time • Financial loss
   Recommendations: • Backup generator • Transition vendor • Review vendors annually

Page 10: Binghamton Bank Risk Analysis.pptx

Aegis Analysis (section divider; agenda repeated)

Page 11: Binghamton Bank Risk Analysis.pptx

Aegis Analysis

• Tool: designed a custom tool that takes user answers and calculates inherent risk, control strength and residual risk
• Criteria:
   ○ Operational: risks associated with functions inside of the company and risks that affect the internal day-to-day activities
   ○ Financial: risks associated with business transactions, including both financial dealings and non-monetary trading or sharing
   ○ Technological: risks resulting from failures or errors by IT devices or systems put in place by the company
   ○ External: any associated risk due to an uncontrollable occurrence outside of the company

Page 12: Binghamton Bank Risk Analysis.pptx

Agenda (repeated before the Infrastructure Risk Analysis section)

Page 13: Binghamton Bank Risk Analysis.pptx

1. ATM Vendor Dependency

Inherent Risk
   Operational: ● Process 2,000-5,000 transactions per hour
   External: ● Negative media will reach national news ● ATMs utilize 7 or more critical vendors

Control Strength
   External: ● ATMs do not have backup generators ● ATMs do not have cold sites in place ● Cannot transition to another vendor ● Bank takes no precautions to ensure vendors are reliable

               Operational   Financial   Technological   External
Inherent           53           40            78            67
Control            28           10            25             9
Residual           38           36            58            60

Page 14: Binghamton Bank Risk Analysis.pptx

1. ATM Vendor Dependency

On average ATMs process 180% more transactions per hour than online banking

Reputational Loss
- ATM failures would be known nationally
- Dependence on processes outside of Binghamton Bank’s control

Recommendations
   Vendor Reliability:
   - Have a transitional backup vendor for each critical vendor
   Increase Awareness of Vendor Reliability:
   - Perform quarterly financial reviews
   - Background checks on vendors (SOC-II)
   - Annual debrief with Vendor Management
   - Create/practice vendor contingency plan
   Failure Preventions:
   - Implement an Automatic Transfer Switch (ATS) to reduce fail time

Page 15: Binghamton Bank Risk Analysis.pptx

2. Online Banking Remote Access Security

Inherent Risk
   Technological: ● Less than 25% of online banking operations can be performed with failed servers ● More than 60% of sensitive information would be compromised in the event of a breach to the database ● Allowing remote access for online banking may lead to potential risks
   Financial: ● Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations

Control Strength
   Technological: ● No multi-tier authentication in order to gain access to online banking remotely ● Weak prevention of unauthorized access to the network ● No encryption of sensitive information

               Operational   Financial   Technological   External
Inherent           48           41            66            49
Control            30           10            24            20
Residual           34           37            50            50

Page 16: Binghamton Bank Risk Analysis.pptx

2. Online Banking Remote Access

Reasons why the Risk is a Priority
   Reputational Loss
   ● Decrease in accountability to customers if servers were to fail
   ● Loss of sensitive information will result in non-compliance with GLBA
   Monetary Loss
   ● Each violation of GLBA can be fined up to $100,000
   Customer Safety
   ● Hackers could disclose or utilize customer information

Recommendations
   - Include SSL certificates to encrypt data for all subdomains
   - Require virtual machines for employee remote access
   - Enable remote wipe for company devices
   - Require 2 step authentication for employee remote access
   - Enable Virtual Private Network
   Prevent unauthorized access to network
   - Only allow pre-authorized MAC addresses
   - Implement a monitoring and logging system
   - Separate networks by critical information

Page 17: Binghamton Bank Risk Analysis.pptx

3. DR/Servers Security

Inherent Risk
   Technological: ● 10% - 30% of critical infrastructure is not up to date ● Less than 25% can perform with failed servers ● More than 60% of sensitive information would be compromised if databases were breached ● Allowing remote access to company systems may lead to potential risks
   Financial: ● Noncompliance can result in greater than $200,000 in fines

Control Strength
   Technological: ● Tests contingency plan every 2-5 years ● Tests employees for online threats every year or more ● Servers do not encrypt sensitive information
   Financial: ● IT employees are not well versed with financial goals and objectives

               Operational   Financial   Technological   External
Inherent           59           43            67            44
Control            25           15            20            18
Residual           44           36            53            36

Page 18: Binghamton Bank Risk Analysis.pptx

3. DR/Servers Security

Reasons why the Risk is a Priority
   Monetary Loss
   ● GLBA fines if sensitive information is compromised
   ● Excess and/or unnecessary activities are performed by the IT department
   Reputational and Reliability Loss
   ● Weak ability to adapt to unanticipated events

Recommendations
   - COBIT governance framework: familiarize IT employees with business standards and goals
   - Secure Sockets Layer (SSL) certificates establish a link between the server and a client
   - 256 bit AES encryption
   - Test employees for phishing schemes monthly
   - Test contingency plan annually
   - Upgrade to Windows 2012 R2 Standard edition (costly):
       1,000 servers - $800,000
       2,500 servers - $2.2 million
       5,000 servers - $4.4 million
       7,000 servers - $6.1 million

Page 19: Binghamton Bank Risk Analysis.pptx

Infrastructure Summary

1. ATM Vendor Dependency
   Risks: • Reliant on many critical vendors to operate ATMs • Lacking emergency plan for failed vendor • Alternate power source unavailable
   Recommendations: • Increase vendor reliability awareness • Implement Automatic Transfer Switch • Transitional vendors

2. Online Banking Remote Access Security
   Risks: • Weak preventions for network access • Sensitive information not encrypted • Weak authentication for access
   Recommendations: • SSL certificates • Virtual machines • Remote wipe • Prevent unauthorized network access

3. DR/Servers Security
   Risks: • No encryption of sensitive information • Contingency plan not tested frequently • Servers not up to date
   Recommendations: • Upgrade servers to Windows 2012 R2 • Utilize COBIT • Enable SSL certificates • Encrypt sensitive information • Test contingency plans

Page 20: Binghamton Bank Risk Analysis.pptx

Detailed Analysis: Application Risks (section divider)

Page 21: Binghamton Bank Risk Analysis.pptx

BODPS: Current State

● Operational:
   ○ Extremely critical for business functions
   ○ Employees are not trained to properly use and secure this application
   ○ Bank is unsure how secure online networks are for customer access
● Technology:
   ○ Integrates with many critical applications and contains sensitive customer data
   ○ No levels of authorization and no scheduling of upgrades and maintenance
● Financial:
   ○ No mechanism in place to inform customers that their assets are secure

               Operational   Financial   Technological   External
Inherent           84           15            88            75
Control            38           44            20            41
Residual           52.08        15            70.4          44.25

Page 22: Binghamton Bank Risk Analysis.pptx

BODPS: Risk & Consequences

Overall Application Risk: Poor Security. This can lead to a loss of sensitive client data. Additionally, BODPS is responsible for sending data to iReport to create financial documents. Poor security can lead to altering of this data and publishing financial statements that are not accurate (this can lead to a violation of SOX).

● Risk: No authorization levels
   Consequence: Anyone can access this data. Nothing authorizes the user as being a trustworthy person to access the information
● Risk: Employees are not properly trained
   Consequence: Employees can divulge information and leave workstations logged in. Not knowing security measures can lead to them sharing confidential information
● Risk: No mechanism in place to inform customers that their data is secure
   Consequence: Customers will not know if their data has been compromised or shared
● Risk: Poor security can lead to altering of this data and publishing financial statements that are not accurate, and poor security can lead to a leak of customer data
   Consequence: Leads to a violation of SOX and GLBA

Page 23: Binghamton Bank Risk Analysis.pptx

BODPS: Recommendations

● Implement two-level authorization for employees with the implementation of security tokens as an initial step to address poor security. Employees have to enter one password that they create, followed by a security token that constantly changes the password
● Implement training courses so employees are aware of how to properly and legally use the application. Employees should be aware of social engineering threats and not divulge information, while also logging off after use
● Company should properly allocate their resources and funds to spend on training programs and frequent updates that are capable of providing the most up to date security measures

Page 24: Binghamton Bank Risk Analysis.pptx

NorthGo: Current State

• Operational:
   ○ Backup systems exist but do not demonstrate full functionality
   ○ Internal monitoring system needs to be updated
   ○ Online networks that customers use are not secure
• Technology:
   ○ No authorization levels for application that stores sensitive client information
   ○ Rarely upgraded to be able to operate under heavy user traffic
   ○ No alternative operation methods if integrated application fails
• Financial:
   ○ Investing in online application is crucial to maintaining and expanding customer base
   ○ No funds allocated towards application recovery

               Operational   Financial   Technological   External
Inherent           84           42            56            15
Control            56           11            20            40
Residual           37           37            45            15

Page 25: Binghamton Bank Risk Analysis.pptx

NorthGo: Risk & Consequences

Overall Application Risk: Application Overload. This application experiences heavy traffic from both employees and customers, and with nothing in place to mitigate overload, NorthGo is prone to overloading and failing. Failure of NorthGo can make it prone to security threats and lead to loss of customer confidence.

● Risk: No system in place to mitigate application overload
   Consequence: Failure of the system due to increased traffic can lead to another NorthGo crash, which will lead to monetary loss and loss of customer faith. Having the system down still leaves it open to security threats where customers’ information can be stolen or compromised. This consequence also leads to a GLBA violation
● Risk: NorthGo does not have a system backup
   Consequence: If another NorthGo crash occurs, Binghamton Bank will earn the reputation of providing poor applications. Customers will not have confidence and there will be a loss of clientele

Page 26: Binghamton Bank Risk Analysis.pptx

NorthGo: Recommendations

● Put a system in place to mitigate application overload
● Allocate more funds to application upgrades, maintenance and failure recovery
● Implement internal monitoring system to gauge traffic and alert employees if the system is close to overloading
● Increase traffic capacity
● Two factor authorization for employees and customers
   ○ Smart tokens and password for employees
   ○ Password and automatic sending of email with temporary access code
● Password and text update to customers on current state of their data

Page 27: Binghamton Bank Risk Analysis.pptx

FIN: Current State

● Operational:
   ○ Binghamton Bank does not have a fully functioning backup system in place
   ○ Unsure if this application’s functions can be completed manually if it were to fail
   ○ Unsure if the bank has an internal monitoring system to alert employees of an application failure
   ○ There are no compliance checks to make sure that new standards and regulations are being met
   ○ Binghamton Bank runs into noncompliance issues >20 times
● External:
   ○ System audits are only conducted yearly
   ○ Vendors never provide system upgrades

               Operational   Financial   Technological   External
Inherent          100          100           100            15
Control            69           87            89             9
Residual           31           13            11            14
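The Aegis Analysis slide says the custom tool derives residual risk from inherent risk and control strength but gives no formula. As an added example (not the Aegis tool or the deck's own code), the script below assumes residual = inherent × (1 − control/100), an inference from the six score tables on the ATM, Online Banking, DR/Servers, BODPS, NorthGo and FIN slides, checks every reported cell against that rule, flags the cells that do not fit, and ranks the risks by their worst residual score.

```python
"""Consistency check for the residual-risk tables in this deck.

Added example, not the Aegis tool. The deck does not state the scoring
formula; residual = inherent * (1 - control/100) is an ASSUMPTION inferred
from the tables, and this script reports which reported cells fail it.
"""
from dataclasses import dataclass

CATEGORIES = ("Operational", "Financial", "Technological", "External")


@dataclass(frozen=True)
class RiskTable:
    name: str
    inherent: tuple   # one score per category, in CATEGORIES order
    control: tuple    # control strength, in percent
    residual: tuple   # residual risk as reported on the slide


# Transcribed from the deck's six risk tables (slides 13, 15, 17, 21, 24, 27).
TABLES = [
    RiskTable("ATM Vendor Dependency", (53, 40, 78, 67), (28, 10, 25, 9), (38, 36, 58, 60)),
    RiskTable("Online Banking Remote Access", (48, 41, 66, 49), (30, 10, 24, 20), (34, 37, 50, 50)),
    RiskTable("DR/Servers Security", (59, 43, 67, 44), (25, 15, 20, 18), (44, 36, 53, 36)),
    RiskTable("BODPS", (84, 15, 88, 75), (38, 44, 20, 41), (52.08, 15, 70.4, 44.25)),
    RiskTable("NorthGo", (84, 42, 56, 15), (56, 11, 20, 40), (37, 37, 45, 15)),
    RiskTable("FIN", (100, 100, 100, 15), (69, 87, 89, 9), (31, 13, 11, 14)),
]


def residual(inherent: float, control_pct: float) -> float:
    """Assumed scoring rule: controls remove control_pct percent of inherent risk."""
    if not 0 <= control_pct <= 100:
        raise ValueError("control strength must be a percentage in [0, 100]")
    return inherent * (1 - control_pct / 100)


def find_mismatches(tables=TABLES, tolerance=1.0):
    """Return (risk, category, reported, expected) for every cell whose reported
    residual deviates from the assumed rule by more than `tolerance`.
    A tolerance of 1.0 allows for the slides rounding scores to whole numbers."""
    out = []
    for t in tables:
        for cat, inh, ctl, rep in zip(CATEGORIES, t.inherent, t.control, t.residual):
            expected = residual(inh, ctl)
            if abs(expected - rep) > tolerance:
                out.append((t.name, cat, rep, round(expected, 2)))
    return out


def rank_by_residual(tables=TABLES):
    """Order the risks by their worst reported residual score, highest first,
    which is how a prioritised recommendation list would be built."""
    return sorted(((max(t.residual), t.name) for t in tables), reverse=True)


if __name__ == "__main__":
    for risk, cat, reported, expected in find_mismatches():
        print(f"{risk} / {cat}: slide reports {reported}, rule gives {expected}")
    for score, name in rank_by_residual():
        print(f"{score:6.2f}  {name}")
```

Three cells (Online Banking External, BODPS Financial, NorthGo External) do not follow the inferred rule, which is the kind of inconsistency a reviewer would want explained before acting on the scores.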

Page 28: Binghamton Bank Risk Analysis.pptx

FIN: Risk & Consequences

Overall Application Risk: FIN Failure. FIN is the central financial application of Binghamton Bank and it integrates and monitors all financial transactions in one location. Not having a fully functioning backup system for an application whose functions cannot be completed manually is a risk.

• Risk: No proper backup system in place to mitigate application failure
   Consequence: Application’s functions cannot be completed and crucial bank functions will be halted. FIN failure is a security threat because a system crash can open it up to hacking threats
• Risk: Cannot be completed manually if the application were to fail
   Consequence: Operations cannot continue to run effectively because the bank would have to record all transactions on paper, slowing down operations to a point where everything is backlogged
• Risk: Short recovery time objective
   Consequence: Bank will lose money quickly if application’s functions are not restored in

Page 29: Binghamton Bank Risk Analysis.pptx

FIN: Recommendations

● Implement a more robust data backup and backup security measures in case of application failure, while investing in a more fully functional system that can take over and perform FIN’s functions if there is an emergency
● Set up a failure recovery plan to help take over for FIN
● Internal monitoring system to tell when FIN is going to fail
● Train employees to properly use FIN’s backup systems

Page 30: Binghamton Bank Risk Analysis.pptx

Application Summary

BODPS
   Current State of Application: Has poor security strength and poorly trained employees to use application securely
   Risk to Binghamton Bank: Employees can divulge client information and information can be accessed and altered easily, leading to violations
   Recommendation: Implement security tokens and implement application and regulation training program for employees

NorthGo
   Current State of Application: Current backup system is not functioning at full capacity. No authorization levels
   Risk to Binghamton Bank: System overload. Cannot function efficiently and properly.
   Recommendation: Implement internal monitoring system. Reallocation of funds.

FIN
   Current State of Application: Does not have a fully functioning backup system. Unsure if application’s functions can be completed manually.
   Risk to Binghamton Bank: FIN failure. No proper backup system in place. Cannot be completed manually. Short recovery time objective.
   Recommendation: Implement a more robust backup system. Set up a failure recovery plan. Internal monitoring system to tell when FIN is going to fail.

Page 31: Binghamton Bank Risk Analysis.pptx

Analysis Summary & Recommendations (section divider)

Page 32: Binghamton Bank Risk Analysis.pptx

Overall Summary

• We want to explain what controls the bank has currently in place that are good
• What controls Binghamton Bank is missing
• Our recommendations by priority

Page 33: Binghamton Bank Risk Analysis.pptx

Thank you. Questions?

Page 34: Binghamton Bank Risk Analysis.pptx

Tool Demonstration

Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau

Application Division: Alexis Cai, Derek Liu, Gary Liku, Joshua Neustadter, Sharon Han & Zachary Alexander

Page 35: Binghamton Bank Risk Analysis.pptx

Video Demonstration


Page 36: Binghamton Bank Risk Analysis.pptx

Appendix

- Regulations
- Financial Calculations