Posted: 13-Apr-2017 | Uploaded by: tyler-schroeder
1
Albany Bank Corporation: IT Environment Analysis
Perfect Profilers
There’s No Risk With Us
2
Team Members
Tyler Schroeder
Julie Michlinski
Kasey Wichelns
Brad Sherman
Angelica Chin
Arthur Akhtenberg
3
Perfect Profilers
• Our purpose
  ▫ Analyze IT infrastructure
  ▫ Provide mitigation strategies
  ▫ Determine plan of action
4
Agenda
• Current vs future infrastructure
• Our Risk Profiling Tool
• Evaluation of current state applications
• Analysis of future state infrastructure
• 12 month program
• Demonstration of Risk Profiling Tool
Current vs Future Infrastructure
5
6
Our Risk Profiling Tool
• Company specific
• User friendly
• Identify risks
7
Current State Infrastructure
Medium risk: FIN, BODPS, ATM, TEL
Low risk: CMS, BeSecure, PeoplePay, iReport, WeHelp
8
Current State Residual Heat Map
[Figure: current state applications plotted by Likelihood (vertical axis) against Impact (horizontal axis)]
9
Key Existing Controls
• Firewalls
• Antivirus
• All systems notify relevant employees in the event of an IT problem
• All applications are backed up
10
Broad Recommendations
• Update servers
• Enhance security department
• Encrypt necessary applications
• Comply with industry standards and regulations
11
Regulatory Agencies and Regulations
• FFIEC
  ▫ FDIC
  ▫ Board of Governors of the Federal Reserve System
• Federal Trade Commission
• State Regulations
12
Industry Standards
• NIST 800 Series
  ▫ Attack and penetration testing (NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)
• PCI DSS
  ▫ 3rd party vendors (Requirement 12.8: managing service providers with whom cardholder data is shared)
13
Medium Risk: FIN
Risk Drivers:
• Outdated servers
• Lack of encryption
• Noncompliance
• Systems are not mirrored
Recommendations:
• Migrate to IBM System z13
• 128-bit encryption (AES-128 or stronger) for data at rest and in transit
• Comply with industry standards and regulations
• Mirroring of systems
14
Medium Risk: BODPS
Risk Drivers:
• Outdated servers
• No redundancy checks
• Systems are not mirrored
• Noncompliance
Recommendations:
• IBM P Series rather than a distributed server
• Free up server space
• Mirroring of systems
• Comply with industry standards and regulations
15
Medium Risk: ATM & TEL
Risk Drivers:
• Noncompliance
• Lack of security controls
• Outdated servers
Recommendations:
• Comply with industry standards and regulations
• Attack and penetration testing
• Monitor access
• Upgrade to Microsoft SQL Server 2014
16
Low risk:
• CMS: encryption
• PeoplePay & iReport: monitor access
• BeSecure: monitor access
• WeHelp: train employees
17
Future State Infrastructure
High Risk: ABC Online
Medium Risk: FIN, ATM, BODPS
Low Risk: CMS, BeSecure, PeoplePay, iReport, WeHelp, TEL
18
Future State Residual Heat Map
[Figure: future state applications plotted by Likelihood (vertical axis) against Impact (horizontal axis)]
19
Changes Resulting from ABC Online (anticipated future infrastructure)
Increased Impact: FIN, BODPS, BeSecure, CMS
Increased Vulnerabilities: FIN, BeSecure
Decreased Impact: TEL
20
High Risk: ABC Online
Risk Drivers:
• Internet facing
• High number of users
• Outdated software
• Noncompliance
Recommendations:
• 128-bit encryption (TLS with AES-128 or stronger for every customer session)
• Update Oracle to version 12c
• Comply with FFIEC
• Multi-factor authentication
• Device identification based on cookies (caveat: the FFIEC's 2011 supplement on internet banking authentication treats simple cookie-based device identification as ineffective on its own, because the cookie can be copied to another machine; use it to supplement, not replace, multi-factor authentication)
• Use of debit card blocks
21
Our Proposal
• Focus on mitigating risks within the current state environment; reconsider online banking in the future
22
12 Month Program (timeline in months: 0, 4, 8, 12)
• Comply with standards and regulations
• Enhance security department
• Schedule of updates for servers
• Encryption
• Mirroring of systems
• Reassessment of IT applications
23
Within 4 Months
• Prioritize compliance across applications
  ▫ FFIEC, PCI DSS
• Enhance security department
  ▫ Proper training, staying up-to-date
24
Cost/Benefit Analysis
Roadmap to Comply with Regulations: $40 million - $86 million
  ▫ PCI DSS: fines can range from $5,000 to $100,000 per month for compliance violations
  ▫ Penalties of $15 million for violations of FFIEC
25
Cost/Benefit Analysis
Enhance IT Security Team: $135,000 - $400,000 per year
  ▫ CISO: $125,000 - $250,000 salary
  ▫ Attack and penetration testing: $10,000 - $150,000
26
Within 8 Months
• Create and implement a schedule of updates for servers
• Encryption
  ▫ FIN, CMS
27
Cost/Benefit Analysis
Update Servers: $14 million - $85 million
  ▫ Sony: $170 million loss due to outdated servers
  ▫ Goldman Sachs: $83 million to update all mainframes
28
Cost/Benefit Analysis
Encryption: $100 - $300 per system
  ▫ Anthem data breach: $100 million, 80 million records exposed
  ▫ Coca-Cola data breach: 74,000 records exposed
29
Within 12 Months
• Mirroring of critical applications
  ▫ BODPS, FIN
• Reassessment of IT applications
30
Demonstration of the Tool
Perfect Profilers
31
Instructions
32
Contact Information
33
Impact Sheet
• Identify the value of IT applications
• 10 questions
• 4 criteria (Reputational, Operational, Financial, & Regulatory)
34
Likelihood Sheet
• Analyzes risks associated with IT applications
• 21 risk statements
• 4 criteria (Reputational, Operational, Financial, & Regulatory)
35
Inherent Risk Score
• Prior to the implementation of controls
• Impact * Likelihood
Controls Sheet
• Identifies current controls
• 13 control questions
• 6 types (Preventative, Detective, Corrective, Recovery Focused, Directive, & Deterrent)
36
37
Projected Residual Risk Score
• Based on the implementation of suggested controls
• Shown as Original (inherent) score versus New (projected residual) score
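The following is an added worked example of the scoring the Impact, Likelihood, Controls and Projected Residual Risk sheets describe; it is illustration code, not the Perfect Profilers spreadsheet. The 1-5 answer scale, the averaging of criterion scores, the model of how each control type reduces impact or likelihood, and the Low/Medium/High thresholds are all assumptions, and the FIN answers are constructed to match its stated risk drivers (outdated servers, no encryption, noncompliance, no mirroring) and suggested controls.

```python
"""Worked risk-scoring example modelled on the tool described in the slides.

Added illustration, not the Perfect Profilers spreadsheet: the 1-5 answer
scale, the averaging, the control-effectiveness model and the band
thresholds are assumptions, and the FIN answers are constructed.
"""
from dataclasses import dataclass

CRITERIA = ("Reputational", "Operational", "Financial", "Regulatory")
SCALE_MIN, SCALE_MAX = 1, 5          # assumed answer scale

# The six control types named on the Controls sheet. Which types reduce
# likelihood and which reduce impact is an assumption of this example.
LIKELIHOOD_CONTROLS = {"Preventative", "Detective", "Directive", "Deterrent"}
IMPACT_CONTROLS = {"Corrective", "Recovery Focused"}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str              # one of the six control types
    effectiveness: float   # assumed: fraction of remaining risk removed, 0-1
    implemented: bool = True

    def __post_init__(self):
        if self.kind not in LIKELIHOOD_CONTROLS | IMPACT_CONTROLS:
            raise ValueError(f"unknown control type: {self.kind}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


def _check_scale(values):
    for v in values:
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"answer {v} outside {SCALE_MIN}-{SCALE_MAX} scale")


def impact_score(answers):
    """Impact sheet: answers grouped by criterion -> mean of criterion means.

    Averaging per criterion first keeps a criterion with more questions
    (e.g. Operational) from dominating the other three.
    """
    means = []
    for crit in CRITERIA:
        vals = answers[crit]
        _check_scale(vals)
        means.append(sum(vals) / len(vals))
    return sum(means) / len(means)


def likelihood_score(ratings):
    """Likelihood sheet: mean of the risk-statement ratings."""
    _check_scale(ratings)
    return sum(ratings) / len(ratings)


def inherent_risk(impact, likelihood):
    """Inherent Risk Score = Impact * Likelihood, before any controls."""
    return impact * likelihood


def _apply(score, controls, kinds):
    """Each implemented control of a matching type removes its effectiveness
    fraction of the score above the scale floor, so stacked controls can
    approach but never go below SCALE_MIN."""
    remaining = score - SCALE_MIN
    for c in controls:
        if c.implemented and c.kind in kinds:
            remaining *= 1.0 - c.effectiveness
    return SCALE_MIN + remaining


def residual_risk(impact, likelihood, controls):
    """Residual score after controls; returns (impact, likelihood, score)."""
    r_impact = _apply(impact, controls, IMPACT_CONTROLS)
    r_like = _apply(likelihood, controls, LIKELIHOOD_CONTROLS)
    return r_impact, r_like, r_impact * r_like


def risk_band(score):
    """Assumed thresholds on the 1-25 range: <=8 Low, <=15 Medium, else High."""
    if score <= 8:
        return "Low"
    if score <= 15:
        return "Medium"
    return "High"


def heat_map_cell(impact, likelihood):
    """(row, column) on a 5x5 Likelihood-vs-Impact heat map, rounded to grid."""
    return round(likelihood), round(impact)


def profile(impact_answers, likelihood_ratings, suggested_controls):
    """'Original' (inherent) versus 'New' (projected residual) scores."""
    imp = impact_score(impact_answers)
    like = likelihood_score(likelihood_ratings)
    inh = inherent_risk(imp, like)
    r_imp, r_like, res = residual_risk(imp, like, suggested_controls)
    return {
        "original": {"score": inh, "band": risk_band(inh),
                     "cell": heat_map_cell(imp, like)},
        "new": {"score": res, "band": risk_band(res),
                "cell": heat_map_cell(r_imp, r_like)},
    }


# Constructed answers for FIN (not taken from the slides' data).
FIN_IMPACT = {"Reputational": [4, 3], "Operational": [5, 4, 4],
              "Financial": [4, 4, 3], "Regulatory": [4, 3]}
FIN_LIKELIHOOD = [4, 3, 4, 5, 4]   # subset of the 21 statements, constructed
FIN_CONTROLS = [                    # FIN's suggested controls, assumed effectiveness
    Control("System z13 server refresh", "Preventative", 0.30),
    Control("AES-128 encryption of stored data", "Preventative", 0.25),
    Control("FFIEC / PCI DSS compliance programme", "Directive", 0.20),
    Control("Mirrored systems", "Recovery Focused", 0.40),
]

if __name__ == "__main__":
    result = profile(FIN_IMPACT, FIN_LIKELIHOOD, FIN_CONTROLS)
    for label in ("original", "new"):
        r = result[label]
        print(f"FIN {label:8s} score={r['score']:.2f} band={r['band']} cell={r['cell']}")
```

With these constructed inputs FIN scores 3.75 impact and 4.0 likelihood, an inherent 15.0 (Medium, matching the slides' rating), and a projected residual of about 5.99 (Low) once all four suggested controls are applied; marking a control `implemented=False` leaves the score unchanged, which is how the sheet distinguishes current from proposed controls. Mirroring only lowers impact in this model because it limits the damage of an outage rather than its probability.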
38
Questions, Comments, Concerns?
Stay connected! Email us at:[email protected]
Follow us on Facebook &Twitter to stay up to datewith current events!
www.facebook.com/PerfectProfilers
@PerfProfilers