Embed Size (px)
Citation preview
1
Albany Bank Corporation:Risk Assessment of IT ApplicationsPerfect Profilers
There’s No Risk With Us
2
Team Members
Tyler Schroeder
Julie Michlinski
Kasey Wichelns
Brad Sherman
Angelica Chin
Arthur Akhtenberg
3
Perfect Profilers
•Our purpose▫Analyze IT infrastructure ▫Provide mitigation strategies ▫Determine plan of action
4
Agenda
•Current vs future infrastructure •Our Risk Profiling Tool•Evaluation of current state applications•Analysis of future state infrastructure •12 month program•Demonstration of Risk Profiling Tool
Current vs Future Infrastructure
5
6
Our Risk Profiling Tool
•User friendly•Company specific•Identify risks
Inherent Risk = Impact * Likelihood
7
Current State Risk Levels
Medium Risk Low RiskFIN CMS
BODPS BeSecure
ATM PeoplePay
TEL iReport
WeHelp
8
Current State Residual Heat Map
0 1 2 3 4 50
2
4
6
8
10
12
Series1
iReport
Current State
Lik
eli
hoo
d
Impact
9
Key Existing Controls•Applications are protected by firewalls•Antivirus installed on all systems•All systems notify relevant employees in
the event of an IT problem•Applications are backed up
10
Broad Recommendations•Update servers•Enhance IT security department•Encrypt data within necessary
applications•Comply with industry standards and
regulations
11
Federal Regulatory Agencies•FFIEC
▫Uniform principles, standards, and regulations
•Federal Trade Commission▫Prevents unfair business practices
Federal Regulations•FDIC
▫Electronic Funds Transfer Act▫Bank Secrecy Act▫Right to Financial Privacy Act
12
Federal Regulations• Board of Governors of the Federal Reserve
System▫Regulation CC (Availability of Funds and
Collection of Checks)
13
Federal Regulations• Gramm Leach Bliley Act
▫Explain information-sharing practices▫Security guidelines
14
15
State Regulations •Massachusetts Data Protection•NYS Breach Notification Act
16
Industry Standards•NIST 800 Series
▫Framework for risk assessment ▫Attack and penetration testing
•PCI DSS▫3rd party vendors
17
Medium Risk: FINRisk Drivers Recommendatio
nsOutdated servers System z13
Lack of encryption 128-bit encryption
Noncompliance Comply with industry standards and regulations
Systems are not mirrored
Mirroring of system
18
Medium Risk: BODPSRisk Drivers Recommendatio
nsOutdated servers IBM P Series vs.
distributed server
No redundancy checks
Free up server space
Systems are not mirrored
Mirroring of systems
Noncompliance Comply with industry standards and regulations
19
Medium Risk: ATM & TEL Risk Drivers Recommendatio
nsNoncompliance Comply with
industry standards and regulations
Lack of security Attack and penetration testing and monitor access
Outdated servers Update to Microsoft SQL 2014
20
Low risk:
• CMS▫ Encryption
• PeoplePay & iReport▫ Monitor
access
• BeSecure▫ Monitor
access
• WeHelp▫ Train
employees
21
Projected Future State Risk Levels
High Risk Medium Risk
Low Risk
ABC Online FIN CMS
BODPS BeSecure
ATM PeoplePay
iReport
WeHelp
TEL
22
Projected Future State Residual Heat Map
0 1 2 3 4 50
2
4
6
8
10
12
Series1
iReport
Future State
Lik
eli
hoo
d
Impact
23
Changes Resulting from ABC OnlineIncreased
ImpactIncreased
VulnerabilitiesDecreased
Impact
FIN FIN TEL
BeSecure BeSecure
BODPS
CMS
Projected Future Infrastructure
24
High Risk: ABC OnlineRisk Drivers Recommendatio
nsInternet facing and an increased number of users
128- bit encryption
Outdated database Update to Oracle version 12C
Noncompliance Comply with industry standards and regulations
25
Our Proposal •Focus on mitigating risks within current
state infrastructure; reconsider online banking in the future
26
12 Month Program
4 8 120
• Comply with standards and regulations
• Enhance IT security department
• Schedule of updates for servers
• Encryption
• Mirroring of systems
• Reassessment of IT applications
27
Within 4 Months•Prioritize compliance across applications
▫FFIEC, PCI DSS•Enhance IT security department
▫Proper training, staying up-to-date
0 4 8 12
28
Cost/Benefit AnalysisRoadmap to Compliance: $40 million- $86 million
▫Penalties of $15 million for violations of FFIEC
▫PCI DSS – fines up to $100,000 per month for compliance violations
29
Cost/Benefit AnalysisEnhance IT Security Department: $135,000 - $400,000 per year
▫CISO: $125,000 - $250,000 salary
▫Attack and penetration testing
30
Within 8 Months•Create and implement a schedule of
updates for servers•Encrypt data within necessary
applications▫FIN, CMS
0 4 8 12
31
Cost/Benefit AnalysisUpdate Servers: $14 million - $30 million
▫SONY - $170 million loss due to outdated servers
▫Goldman Sachs - $83 million to update all mainframes
32
Cost/Benefit AnalysisEncryption: $100 - $300 per system
▫Anthem data breach - $100 million, 80 million records exposed
▫Coca-Cola data breach – 74,000 records exposed
33
Within 12 Months•Mirroring of critical applications
▫BODPS, FIN•Reassessment of IT applications
0 4 8 12
34
Demonstration of the ToolPerfect Profilers
35
Instructions
36
Contact Information
37
Impact Sheet•Identify the value of IT applications•10 questions•4 criteria (Reputational, Operational,
Financial, & Regulatory)
38
Likelihood Sheet•Analyze risks associated with IT
applications•21 risk statements•4 criteria (Reputational, Operational,
Financial, & Regulatory)
39
Inherent Risk Score•Prior to the implementation of controls•Impact * Likelihood
Controls Sheet• Identifies current controls •13 control questions•6 types (Preventative, Detective,
Corrective, Recovery Focused, Directive, & Deterrent)
40
41
Projected Residual Risk Score•Based on the implementation of
suggested controls•[1- (Tier Level * Control)] * Inherent Risk
Score
Original:
New:
42
Questions, Comments, Concerns?
Stay connected! Email us at:[email protected]
Follow us on Facebook &Twitter to stay up to datewith current events!
www.facebook.com/PerfectProfilers
@PerfProfilers
