Final 5_4(10-37PM)

Date post: 13-Apr-2017
Upload: tyler-schroeder
Transcript
Page 1: Final 5_4(10-37PM)

Albany Bank Corporation: IT Environment Analysis

Perfect Profilers

There’s No Risk With Us

Page 2

Team Members

Tyler Schroeder

Julie Michlinski

Kasey Wichelns

Brad Sherman

Angelica Chin

Arthur Akhtenberg

Page 3

Perfect Profilers

• Our purpose
  ▫ Analyze IT infrastructure
  ▫ Provide mitigation strategies
  ▫ Determine plan of action

Page 4

Agenda
• Current vs future infrastructure
• Our Risk Profiling Tool
• Evaluation of current state applications
• Analysis of future state infrastructure
• 12 month program
• Demonstration of Risk Profiling Tool

Page 5

Current vs Future Infrastructure


Page 6

Our Risk Profiling Tool

• Company specific
• User friendly
• Identify risks

Page 7

Current State Infrastructure

Medium risk:
• FIN
• BODPS
• ATM
• TEL

Low risk:
• CMS
• BeSecure
• PeoplePay
• iReport
• WeHelp

Page 8

Current State Residual Heat Map

(Chart: Impact on one axis, Likelihood on the other, one point per application; image not reproduced in the transcript.)

Page 9

Key Existing Controls
• Firewalls
• Antivirus
• All systems notify relevant employees in the event of an IT problem
• All applications are backed up

Page 10

Broad Recommendations
• Update servers
• Enhance security department
• Encrypt necessary applications
• Comply with industry standards and regulations

Page 11

Regulatory Agencies and Regulations
• FFIEC
  ▫ FDIC
  ▫ Board of Governors of the Federal Reserve System
• Federal Trade Commission
• State Regulations

Page 12

Industry Standards
• NIST 800 Series
  ▫ Attack and penetration testing (NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)
• PCI DSS
  ▫ 3rd party vendors

Page 13

Medium Risk: FIN

Risk Drivers:
• Outdated servers
• Lack of encryption
• Noncompliance
• Systems are not mirrored

Recommendations:
• System z13
• 128-bit encryption (specify the cipher and mode, e.g. AES-128; a key length on its own does not define the control)
• Comply with industry standards and regulations
• Mirroring of systems

Page 14

Medium Risk: BODPS

Risk Drivers:
• Outdated servers
• No redundancy checks
• Systems are not mirrored
• Noncompliance

Recommendations:
• IBM P Series vs distributed server
• Free up server space
• Mirroring of systems
• Comply with industry standards and regulations

Page 15

Medium Risk: ATM & TEL

Risk Drivers:
• Noncompliance
• Lack of security
• Outdated servers

Recommendations:
• Comply with industry standards and regulations
• Attack and penetration testing
• Monitor access
• Microsoft SQL Server 2014

Page 16

Low risk:

• CMS: encryption
• PeoplePay & iReport: monitor access
• BeSecure: monitor access
• WeHelp: train employees

Page 17

Future State Infrastructure

High Risk
• ABC Online

Medium Risk
• FIN
• ATM
• BODPS

Low Risk
• CMS
• BeSecure
• PeoplePay
• iReport
• WeHelp
• TEL

Page 18

Future State Residual Heat Map

(Chart: Impact on one axis, Likelihood on the other, one point per application; image not reproduced in the transcript.)

Page 19

Changes Resulting from ABC Online

Increased Impact
• FIN
• BODPS
• BeSecure
• CMS

Increased Vulnerabilities
• FIN
• BeSecure

Decreased Impact
• TEL

(Diagram: Anticipated Future Infrastructure; image not reproduced in the transcript.)

Page 20

High Risk: ABC Online

Risk Drivers:
• Internet facing
• High number of users
• Outdated software
• Noncompliance

Recommendations:
• 128-bit encryption (specify the cipher and mode, e.g. AES-128)
• Update Oracle to version 12c
• Comply with FFIEC
• Multi-factor authentication
• Device identification based on cookies (a device cookie is a recognition signal, not an authentication factor: whoever holds a copy of the cookie is recognised as that device)
• Use of debit card blocks

Page 21

Our Proposal
• Focus on mitigating risks within the current state environment; reconsider online banking in the future

Page 22

12 Month Program

(Timeline: months 0, 4, 8, 12)

• Comply with standards and regulations

• Enhance security department

• Schedule of updates for servers

• Encryption

• Mirroring of systems

• Reassessment of IT applications

Page 23

Within 4 Months
• Prioritize compliance across applications
  ▫ FFIEC, PCI DSS
• Enhance security department
  ▫ Proper training, staying up-to-date

Page 24

Cost/Benefit Analysis

Roadmap to Comply with Regulations: $40 million - $86 million
  ▫ PCI DSS: fines can range from $5,000 - $100,000 per month for PCI compliance violations
  ▫ Penalties of $15 million for violations of FFIEC

Page 25

Cost/Benefit Analysis

Enhance IT Security Team: $135,000 - $400,000 per year
  ▫ CISO: $125,000 - $250,000 salary
  ▫ Attack and penetration testing: $10,000 - $150,000

Page 26

Within 8 Months
• Create and implement a schedule of updates for servers
• Encryption
  ▫ FIN, CMS

Page 27

Cost/Benefit Analysis

Update Servers: $14 million - $85 million
  ▫ Sony: $170 million loss due to outdated servers
  ▫ Goldman Sachs: $83 million to update all mainframes

Page 28

Cost/Benefit Analysis

Encryption: $100 - $300 per system
  ▫ Anthem data breach: $100 million, 80 million records exposed
  ▫ Coca-Cola data breach: 74,000 records exposed

Page 29

Within 12 Months
• Mirroring of critical applications
  ▫ BODPS, FIN
• Reassessment of IT applications

Page 30

Demonstration of the Tool

Perfect Profilers

Page 31

Instructions

Page 32

Contact Information

Page 33

Impact Sheet
• Identify the value of IT applications
• 10 questions
• 4 criteria (Reputational, Operational, Financial, & Regulatory)

Page 34

Likelihood Sheet
• Analyzes risks associated with IT applications
• 21 risk statements
• 4 criteria (Reputational, Operational, Financial, & Regulatory)

Page 35

Inherent Risk Score
• Prior to the implementation of controls
• Impact * Likelihood

Page 36

Controls Sheet
• Identifies current controls
• 13 control questions
• 6 types (Preventative, Detective, Corrective, Recovery Focused, Directive, & Deterrent)


Page 37

Projected Residual Risk Score
• Based on the implementation of suggested controls

Original vs. new score (tool screenshots; not reproduced in the transcript)
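The scoring model described across the Impact Sheet, Likelihood Sheet, Inherent Risk Score, Controls Sheet and Projected Residual Risk Score slides, carried through in code. This is an added example and not the Perfect Profilers tool or the team's spreadsheet: the slides give the sheet structure and the formula Impact * Likelihood but not the answer scale, the aggregation across criteria, how a control lowers the score or where the heat-map bands sit, so the 1..5 answer scale, the mean-of-criteria aggregation, the multiplicative control model and its effectiveness figures, the Medium/High thresholds, the FIN answers and the control names are all assumptions made for illustration.

```python
"""Risk-profiling calculator in the shape of the tool on the slides: an Impact
sheet and a Likelihood sheet scored over four criteria, inherent risk =
Impact * Likelihood, a Controls sheet typed by the six control categories, and
a projected residual score once suggested controls are in place.

Added example, not the Perfect Profilers spreadsheet.  Assumptions: answers
are 1..5, a sheet score is the mean of its per-criterion means scaled to 0..1,
each implemented control removes a fixed fraction of likelihood (controls are
treated as independent), and the heat-map bands are Low < 0.25 <= Medium < 0.5
<= High."""

from dataclasses import dataclass
from statistics import mean

CRITERIA = ("Reputational", "Operational", "Financial", "Regulatory")
CONTROL_TYPES = ("Preventative", "Detective", "Corrective",
                 "Recovery Focused", "Directive", "Deterrent")
SCALE_MAX = 5  # assumption: every question is answered 1 (low) .. 5 (high)


@dataclass
class Sheet:
    """One questionnaire: criterion -> answers to the questions under it."""
    answers: dict

    def score(self) -> float:
        """Mean of the per-criterion means, normalised to 0..1."""
        if set(self.answers) != set(CRITERIA):
            raise ValueError(f"sheet must cover exactly the criteria {CRITERIA}")
        for crit, vals in self.answers.items():
            if not vals or any(not 1 <= v <= SCALE_MAX for v in vals):
                raise ValueError(f"{crit}: answers must be 1..{SCALE_MAX}")
        return mean(mean(vals) for vals in self.answers.values()) / SCALE_MAX


@dataclass
class Control:
    name: str
    ctype: str            # one of CONTROL_TYPES
    effectiveness: float  # assumption: fraction of likelihood the control removes
    implemented: bool     # True = existing control, False = suggested control

    def __post_init__(self):
        if self.ctype not in CONTROL_TYPES:
            raise ValueError(f"{self.name}: unknown control type {self.ctype!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be 0..1")


def band(score: float) -> str:
    """Heat-map band for a 0..1 risk score (thresholds assumed)."""
    if score >= 0.5:
        return "High"
    if score >= 0.25:
        return "Medium"
    return "Low"


def reduced_likelihood(likelihood: float, controls, include_suggested: bool) -> float:
    """Apply controls multiplicatively; existing ones always, suggested ones on request."""
    for c in controls:
        if c.implemented or include_suggested:
            likelihood *= 1.0 - c.effectiveness
    return likelihood


def profile(app: str, impact: Sheet, likelihood: Sheet, controls) -> dict:
    """Inherent (no controls), current residual (existing controls) and
    projected residual (existing + suggested controls), each with its band."""
    imp, lik = impact.score(), likelihood.score()
    inherent = imp * lik
    current = imp * reduced_likelihood(lik, controls, include_suggested=False)
    projected = imp * reduced_likelihood(lik, controls, include_suggested=True)
    return {
        "application": app,
        "inherent": round(inherent, 4), "inherent_band": band(inherent),
        "current": round(current, 4), "current_band": band(current),
        "projected": round(projected, 4), "projected_band": band(projected),
    }


# Constructed sample for FIN: the answers and control figures are invented.
FIN_IMPACT = Sheet({"Reputational": [4, 4], "Operational": [5, 5, 5],
                    "Financial": [5, 4, 3], "Regulatory": [3, 3]})
FIN_LIKELIHOOD = Sheet({"Reputational": [2, 2],
                        "Operational": [4, 4, 4],  # outdated servers, no mirroring, no encryption
                        "Financial": [3, 3], "Regulatory": [3, 3, 3]})
FIN_CONTROLS = [
    Control("Firewalls", "Preventative", 0.2, implemented=True),
    Control("Antivirus", "Preventative", 0.1, implemented=True),
    Control("Application backups", "Recovery Focused", 0.1, implemented=True),
    Control("Encryption of FIN data", "Preventative", 0.5, implemented=False),
    Control("Mirroring of systems", "Recovery Focused", 0.4, implemented=False),
]

if __name__ == "__main__":
    for key, value in profile("FIN", FIN_IMPACT, FIN_LIKELIHOOD, FIN_CONTROLS).items():
        print(f"{key:>15}: {value}")
```

With these figures FIN scores Medium inherent and Medium current, matching its place on the current-state slide, and drops to Low once encryption and mirroring are counted as implemented. The effectiveness figure per control is where the real judgement sits; the checks in Sheet.score and Control.__post_init__ catch the spreadsheet errors (a criterion left blank, an answer outside the scale, a control typed outside the six categories) that would otherwise skew the score silently.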

Page 38

Questions, Comments, Concerns?

Stay connected! Email us at: [email protected]

Follow us on Facebook & Twitter to stay up to date with current events!

www.facebook.com/PerfectProfilers

@PerfProfilers

