Wednesday, May 6, 2020

Security and Risk Management

Questions:

1. Introduction to the case.
2. What kind of problems was the bank facing before information/cyber security was implemented?
3. Discuss the likelihood of the threats the bank may face due to the old system.
4. What are the risks imposed on the bank, and what are the reasons?
5. What steps did the bank take to implement information/cyber security?
6. How did the bank decide to maintain information/cyber security in the coming years?
7. What information/cyber security policies and technologies did the bank implement?
8. What are the risk factors identified by the bank?
9. What risk model is suitable for the bank's management to avoid a data breach?
10. Write a summary of the case in your own words, explaining the advantages of implementing information/cyber security in the bank.

Answers:

1. Introduction to the case

Financial institutions are a major target of criminals, who threaten the cyber security of the organization. Cyber or internet security is an integral part of every type of business, and the difficulty grows when staff capacity and resources are limited. The public believes that small businesses lack the infrastructure and labour to put cyber security in place the way larger business groups can. This perception has created an urgent situation for community banks: they must become competitive and find solutions for maintaining the standards of the cyber landscape. Conventional wisdom holds that larger organizations have the capability to build a team of specialists for security and for keeping information up to date. There must be measures that help reduce cyber attacks and increase the safety and security of an organization's data, whether the organization is small or large. The major drawback for community banks is that they lack the experience and expertise needed for an efficient decision-making process. They are not capable of safeguarding their data and information, which is a major obstacle to achieving the required results.

The case study concerns Smalltown Community Bank, which came into existence in the late 1800s. The bank had been successful in achieving its goals, with consistent growth and profits over the past 22 years. The bank's environment had a conservative and risk-averse culture. There was a lack of understanding between the vendors and the bank regarding the technologies and equipment the organization used. Hence, the community bank took steps to manage the risks present in the organization and improve the decision-making process.

2. The bank had no true strategy or knowledge of IT or of technology, for either hardware or software. Until information/cyber security was implemented, there was no specific system or process; security was handled ad hoc. This created an environment of poor technologies and processes in the organization. The manual input and labour processes were full of risks, errors and inconsistent behaviour. The community bank had multiple systems requiring inputs and processes that were highly prone to errors and fraud. The bank relied on its own software and on its vendors and contractors for the implementation and maintenance of the technology used in day-to-day operations. The bank's earlier approach was neither up to date nor useful. There were ad-hoc changes or manipulations of data and information, the result of the open access granted to vendors and contractors. That access had been made available for convenience in dealing with whatever situations and symptoms arose in the organization's environment. The bank's mindset was to get the work done before any time was lost, so the organization was purely reactive.

The major drawback of this approach was that no one had sole responsibility for evaluating the risks in the organization's environment. The software vendors were not experts in cyber security; their understanding was limited to their own systems and processes. They even lacked the basics of risk management, including secure coding and vulnerability assessment. The contractors hired to implement and maintain the network and server equipment likewise had no expertise in the bank's operations; they understood only the technologies required and used in the organization.

3. The old system had ad-hoc policies and procedures that were not useful for the effective management of the organization. The old system had no real control in place: control lay with the contractors or software vendors, who were not capable of meeting the customers' needs. The organization lacked the requirements and the basic analytical knowledge of cyber security and of the coding of its system processes. The threats faced under the old system are large, the major ones being:

- Fraud and errors will be extensive, since the organization lacks the internal controls required for the efficient continuity of its business policies.
- Passwords are weak, and there are no experts to manage them or to explain the importance of the security such passwords provide.
- Cyber attacks are easy to carry out, whether by someone within the organization or by the vendors or contractors. Because access is not restricted, it will be impossible to detect the person behind malicious activity performed within the organization.
- Network control and security are not updated and are not safe enough for the effective and efficient management of the organization.
- The workstations and software in use are outdated and inefficient, and the structure would need to be revised, since leaving it as is leads to heavy risk and fraud in the environment.
- There is no physical safety and security management; cameras are required from the entrance to all the bank's vaults, since every wall has to be protected and secured to save the organization.
- Customers are not convinced of the safety and security offered by the organization, so there is a threat of customers shifting to other banks or institutions.

4. Various risks exist in the environment, and they must be identified and resolved to save the organization from losing its goodwill and reputation. The risks imposed on the community bank, and the reasons for them, are as follows:

- No new software or hardware with the latest technology has been implemented, which is a risk to the efficient management of the organization.
- The workforce is not efficient enough to take the steps needed to manage and reduce the risks and threats in the organization's environment.
- The vendors and contractors hold the software and have access to all the functions and scenarios of the organization, which may lead to the destruction of the community bank's systems and policies.
- There were no virtual computers, and the tools used in management were neither secure nor beneficial, which set up many errors and frauds for the near future.
- Inventories and other controls lack proper management and efficiency, which can lead to problems in the near future.
- The implementation procedure is neither easy nor instant; it takes considerable effort and process, requiring an efficient workforce and updated technology.
- Building consensus and support is not an easy task and requires great effort, which can create frustration and errors. Thus the benefits of implementation must be planned and understood well to reach agreement with the organization and management as a whole.
- There is a major risk in implementing technical controls and other checklists in the organization, even though these are a major requirement of any organization. There must be an efficient workforce to look after the major criteria and scenarios affecting the organization, which will require both technical and non-technical factors to be analysed in making informed decisions.

5. The community bank has undertaken major steps towards a better and more effective environment for efficient management. The bank lacked an IT and security strategy that would reduce the fear of cyber insecurity. It had no procedures or policies to control risks and other inconsistent behaviours such as fraud and errors within the organization. The bank decided to implement security for its information and for the security structure of the organization. The steps towards implementation were as follows:

- In 2012, Smalltown Community Bank hired its first employee with professional expertise in information software and technology. The reason was that vendors and contractors had been accessing and changing data on an ad-hoc basis without any checks or controls, and someone needed to hold sole responsibility for this.
- The second step was investment in training and technical certifications, to keep up to date with changes in the threats and risks present in the cyber environment.
- Lastly, identifying and communicating risk was important, as it would remove the difficulties with inventory management, the sharing of accounts, and licences and passwords.

Virtual desktop infrastructure was also implemented. In 2011, the bank began the virtualization process by converting a few aging physical servers to virtual machines. The virtual machine environment was designed with spare capacity for future virtualization and to create the opportunity to make use of the existing environment as well. The virtual desktop implementation was carried out to mitigate and resolve the problems and risks in the organization's environment. The virtual approach created the opportunity for several security changes by locking down all access, whether by administrators or others.

6. The bank took several steps to maintain and reduce information and cyber insecurity in the organization. The major measures were the introduction of professionals, technical training and certifications, and virtual desktop infrastructure. The bank also decided to maintain these in the coming years, which includes the following:

- The bank's senior management and board of directors must be engaged for an efficient decision-making process.
- The bank decided that to benefit from the decision-making process, it must invest in and attain sufficient expertise. The necessary ways are contracting with consultants or hiring in-house employees with the necessary skills and capability in IT and InfoSec.
- Effective communication channels must be established for better decision-making in the organization. Therefore the gap must be reduced and the organization's confidence increased through effective motivation by managers and the board.
- The decisions include the implementation of checklists of technical controls.
- Management has decided on an approach of continuous improvement, which is critical. The transition is a complicated and slow process, requiring an efficient manager and team who understand it. Continuous improvement will lead to a future in which policies and procedures protect and nurture the organization.
- The decision-making also included contractual commitments from the selected vendors or contractors to help resolve security vulnerabilities that arise in the future. The old program did not consider risks to be resolved on the vendors' or contractors' side. Hence the new program required an agreement negotiated with the vendors, making them fully responsible and liable for resolving risks and vulnerabilities.

7. The community bank adopted many policies and procedures to get rid of the old, outdated system that was hampering the bank's systems and management. The technologies implemented by the bank for information and cyber security include the following:

- The bank insisted on changing or resetting passwords to 15-character passwords, for an effective coding structure within the organization. The eight-character password was changed to fifteen characters so that the risk and threat of access to the organization's important documents and information would decline.
- Virtual desktop infrastructure was implemented, which included converting a few aging physical servers to virtual machines. Tests were conducted to check the controls and the performance experienced by users, and the results were referred to management to find solutions to problems that had crept in or might creep in.
- A core banking approach was implemented to merge functions, recognizing that the old procedures were outdated and that a new solution had to be found. The requirements for the new system were compiled in a request for proposal and sent to all the vendors to bid on the new core banking system.
- The implementation included negotiation with the vendors regarding security risks and vulnerabilities that might arise in future. Under the old system, the vendors and contractors carried no responsibility. The new system included a negotiated contract covering security risks and vulnerabilities that might appear in the organization's environment.

8. The changes in the decision-making process gave rise to many factors in the risk assessment, which included the following:

- Even after recognizing the outdated nature of the old system, the bank was reluctant to find a new and better solution. A survey was conducted in which one employee commented that he would retire early because the new system was hard. Other employees were against the new system and the core banking system in the organization.
- Another major factor was the cost-effectiveness of the core banking system already in existence within the organization. The risk was not limited to the cost of the core banking system but also included the complexity and cost of managing the separate contracts for ancillary products, which are a major requirement for operating the banking systems. The factors also included the fees for termination and for converting the organization's data and information.
- The old system had no automated integration of inputs or applications, which management had to consider.
- The other major risk factors in the organization were the outdated features and tools present in the system. Among the outdated elements were flat-file data structures, a COBOL backend, a Visual Basic user interface, and communication protocols including telnet and FTP.
- Security concerns such as the vendors' and contractors' access to the system were also a major issue and risk. The lack of user authentication for data retrieval functions was also a major risk concern for the organization.
- The other risks comprised converting data from the multiple legacy systems to the new system.

9. The bank should adopt the model of continual improvement, which includes managing the system so as to avoid any breach of the organization's data and information. To reach the goals of continuous improvement, the bank must follow these requirements:

- Strong yet convenient passwords or codes must be implemented effectively to restrict malicious acts or manipulation of the necessary information or data, which would otherwise lead to a loss of cyber security. Passwords must be checked and controlled at regular intervals to achieve better results and productivity.
- Networks must be protected with firewalls, and senior management must accept the necessary controls rather than the loss of data and errors.
- Effective software and controls must be implemented and must change as requirements change. Every organization needs changes on a day-to-day basis, so these should be checked and implemented as required.
- Security controls on access must be strong and effective, beyond merely implementing passwords. Unnecessary access must be denied in all circumstances, since it may lead to manipulation of data and information and put the continuity of the organization at risk.
- Data and information must be updated at intervals and backed up.
- The technology used should be changed as required, from time to time, for a safe and secure future for the organization.
- The employees and professionals on the team must be reviewed and provided with the required changes and updated knowledge, if any. They must be trained and communicated with at specific intervals, since reviews and feedback lead to a more efficient organization.

10. The case presents the problems faced by the renowned Smalltown Community Bank. The organization realized the need for change within the bank and carried out the implementation of the desired policies and procedures. Earlier, the old system lacked the right and effective policies required to run an organization without threats or risks to its data and information. Errors and fraud occurred within the organization's environment, resulting in the loss of important data and information. Therefore the bank took steps to bring about a controlled and effective environment within the organization. The advantages of implementing data and information security policies are as follows:

- A professional employee was introduced to manage the IT and other security of the organization. This helped reduce unnecessary and unauthorized access to the organization's data and information, which would otherwise lead to heavy losses through manipulation and errors embedded in the system.
- Other measures, such as implementing virtual desktops and 15-character passwords, also increased the effectiveness of the organization's policies and procedures.
- The core banking system has been the major and most efficient process added by the organization, as it led to integration and mutual agreement across all the branches of the bank.

Hence, the above leads to the conclusion that certain cyber security measures related to data and information security must be implemented.
