Perfect Profilers Final Presentation


1

Albany Bank Corporation: Risk Assessment of IT Applications
Perfect Profilers

There’s No Risk With Us

2

Team Members

Tyler Schroeder

Julie Michlinski

Kasey Wichelns

Brad Sherman

Angelica Chin

Arthur Akhtenberg

3

Perfect Profilers

• Our purpose
▫ Analyze IT infrastructure
▫ Provide mitigation strategies
▫ Determine plan of action

4

Agenda

• Current vs future infrastructure
• Our Risk Profiling Tool
• Evaluation of current state applications
• Analysis of future state infrastructure
• 12 month program
• Demonstration of Risk Profiling Tool

Current vs Future Infrastructure

5

6

Our Risk Profiling Tool

• User friendly
• Company specific
• Identify risks

Inherent Risk = Impact * Likelihood

7

Current State Risk Levels

Medium Risk: FIN, BODPS, ATM, TEL
Low Risk: CMS, BeSecure, PeoplePay, iReport, WeHelp

8

Current State Residual Heat Map

[Chart: Current State residual heat map; x-axis Impact (0-5), y-axis Likelihood (0-12); iReport plotted]

9

Key Existing Controls
• Applications are protected by firewalls
• Antivirus installed on all systems
• All systems notify relevant employees in the event of an IT problem
• Applications are backed up

10

Broad Recommendations
• Update servers
• Enhance IT security department
• Encrypt data within necessary applications
• Comply with industry standards and regulations

11

Federal Regulatory Agencies
• FFIEC
▫ Uniform principles, standards, and regulations
• Federal Trade Commission
▫ Prevents unfair business practices

Federal Regulations
• FDIC
▫ Electronic Funds Transfer Act
▫ Bank Secrecy Act
▫ Right to Financial Privacy Act

12

Federal Regulations
• Board of Governors of the Federal Reserve System
▫ Regulation CC (Availability of Funds and Collection of Checks)

13

Federal Regulations
• Gramm-Leach-Bliley Act
▫ Explain information-sharing practices
▫ Security guidelines

14

15

State Regulations
• Massachusetts Data Protection
• NYS Breach Notification Act

16

Industry Standards
• NIST 800 Series
▫ Framework for risk assessment
▫ Attack and penetration testing
• PCI DSS
▫ 3rd party vendors

17

Medium Risk: FIN
Risk Drivers and Recommendations
• Outdated servers: System z13
• Lack of encryption: 128-bit encryption
• Noncompliance: Comply with industry standards and regulations
• Systems are not mirrored: Mirroring of system

18

Medium Risk: BODPS
Risk Drivers and Recommendations
• Outdated servers: IBM P Series vs. distributed server
• No redundancy checks: Free up server space
• Systems are not mirrored: Mirroring of systems
• Noncompliance: Comply with industry standards and regulations

19

Medium Risk: ATM & TEL
Risk Drivers and Recommendations
• Noncompliance: Comply with industry standards and regulations
• Lack of security: Attack and penetration testing and monitor access
• Outdated servers: Update to Microsoft SQL 2014

20

Low Risk:
• CMS
▫ Encryption
• PeoplePay & iReport
▫ Monitor access
• BeSecure
▫ Monitor access
• WeHelp
▫ Train employees

21

Projected Future State Risk Levels

High Risk: ABC Online
Medium Risk: FIN, BODPS, ATM
Low Risk: CMS, BeSecure, PeoplePay, iReport, WeHelp, TEL

22

Projected Future State Residual Heat Map

[Chart: Future State residual heat map; x-axis Impact (0-5), y-axis Likelihood (0-12); iReport plotted]

23

Changes Resulting from ABC Online
• Increased Impact: FIN, BeSecure, BODPS, CMS
• Increased Vulnerabilities: FIN, BeSecure
• Decreased Impact: TEL

Projected Future Infrastructure

24

High Risk: ABC Online
Risk Drivers and Recommendations
• Internet facing and an increased number of users: 128-bit encryption
• Outdated database: Update to Oracle version 12C
• Noncompliance: Comply with industry standards and regulations

25

Our Proposal
• Focus on mitigating risks within current state infrastructure; reconsider online banking in the future

26

12 Month Program

(Timeline: 0, 4, 8, 12 months)

• Comply with standards and regulations

• Enhance IT security department

• Schedule of updates for servers

• Encryption

• Mirroring of systems

• Reassessment of IT applications

27

Within 4 Months
• Prioritize compliance across applications
▫ FFIEC, PCI DSS
• Enhance IT security department
▫ Proper training, staying up-to-date

(Timeline: 0, 4, 8, 12 months)

28

Cost/Benefit Analysis
Roadmap to Compliance: $40 million - $86 million
▫ Penalties of $15 million for violations of FFIEC
▫ PCI DSS - fines up to $100,000 per month for compliance violations

29

Cost/Benefit Analysis
Enhance IT Security Department: $135,000 - $400,000 per year
▫ CISO: $125,000 - $250,000 salary
▫ Attack and penetration testing

30

Within 8 Months
• Create and implement a schedule of updates for servers
• Encrypt data within necessary applications
▫ FIN, CMS

(Timeline: 0, 4, 8, 12 months)

31

Cost/Benefit Analysis
Update Servers: $14 million - $30 million
▫ Sony - $170 million loss due to outdated servers
▫ Goldman Sachs - $83 million to update all mainframes

32

Cost/Benefit Analysis
Encryption: $100 - $300 per system
▫ Anthem data breach - $100 million, 80 million records exposed
▫ Coca-Cola data breach - 74,000 records exposed

33

Within 12 Months
• Mirroring of critical applications
▫ BODPS, FIN
• Reassessment of IT applications

(Timeline: 0, 4, 8, 12 months)

34

Demonstration of the Tool
Perfect Profilers

35

Instructions

36

Contact Information

37

Impact Sheet
• Identify the value of IT applications
• 10 questions
• 4 criteria (Reputational, Operational, Financial, & Regulatory)

38

Likelihood Sheet
• Analyze risks associated with IT applications
• 21 risk statements
• 4 criteria (Reputational, Operational, Financial, & Regulatory)

39

Inherent Risk Score
• Prior to the implementation of controls
• Impact * Likelihood

Controls Sheet
• Identifies current controls
• 13 control questions
• 6 types (Preventative, Detective, Corrective, Recovery Focused, Directive, & Deterrent)

40

41

Projected Residual Risk Score
• Based on the implementation of suggested controls
• [1 - (Tier Level * Control)] * Inherent Risk Score

Original:

New:
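As an added worked example (not the Perfect Profilers spreadsheet itself, which the slides only describe), the Python below runs the scoring sequence the Impact, Likelihood, Controls and Residual Risk slides lay out: Inherent Risk = Impact * Likelihood, then Residual Risk = [1 - (Tier Level * Control)] * Inherent Risk Score. The slides give neither the answer scale nor how Tier Level and Control are valued, so the 1-5 answer scale, averaging answers across the four criteria, Control as the share of the 13 control questions satisfied, the Tier Level values, the Low/Medium/High thresholds and the FIN sample answers are all assumptions constructed for this example. It also guards the one failure mode the formula has on its own: a Tier Level * Control product above 1 would push the residual score below zero, so both inputs are validated to [0, 1].

```python
"""Worked example of the Perfect Profilers scoring model (added example, not
the team's own tool).

From the slides:
    Inherent Risk  = Impact * Likelihood
    Residual Risk  = [1 - (Tier Level * Control)] * Inherent Risk Score

Everything else here (the 1-5 answer scale, averaging answers per criterion,
Control as the fraction of the 13 control questions satisfied, the Tier Level
values and the Low/Medium/High thresholds) is an assumption of this example.
"""
from dataclasses import dataclass, field

# The four criteria and the number of control questions come from the slides.
CRITERIA = ("Reputational", "Operational", "Financial", "Regulatory")
CONTROL_QUESTIONS = 13


@dataclass
class Application:
    name: str
    impact_answers: dict        # criterion -> score on an assumed 1-5 scale
    likelihood_answers: dict    # criterion -> score on an assumed 1-5 scale
    control_answers: list = field(default_factory=list)  # 13 yes/no answers


def score_sheet(answers):
    """Average the 1-5 answers across the four criteria (assumed aggregation)."""
    values = []
    for criterion in CRITERIA:
        value = answers[criterion]  # KeyError if a criterion is missing
        if not 1 <= value <= 5:
            raise ValueError(f"{criterion} answer {value} is outside the 1-5 scale")
        values.append(value)
    return sum(values) / len(values)


def inherent_risk(app):
    """Inherent Risk = Impact * Likelihood, before any controls are considered."""
    return score_sheet(app.impact_answers) * score_sheet(app.likelihood_answers)


def control_score(answers):
    """Control = fraction of the 13 control questions answered 'yes' (assumed)."""
    if len(answers) != CONTROL_QUESTIONS:
        raise ValueError(f"expected {CONTROL_QUESTIONS} control answers, got {len(answers)}")
    return sum(1 for a in answers if a) / CONTROL_QUESTIONS


def residual_risk(inherent, tier_level, control):
    """Residual = [1 - (Tier Level * Control)] * Inherent.

    Tier Level and Control are both validated to lie in [0, 1]: if either
    could exceed 1 the bracket would go negative and the residual score
    would drop below zero, which is meaningless for a risk score."""
    for name, value in (("tier_level", tier_level), ("control", control)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return (1.0 - tier_level * control) * inherent


def risk_level(score):
    """Bucket a score on the 1-25 product scale (thresholds are assumptions)."""
    if score >= 16:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def assess(app, tier_level):
    """Run the full sheet sequence for one application."""
    inherent = inherent_risk(app)
    residual = residual_risk(inherent, tier_level, control_score(app.control_answers))
    return {
        "application": app.name,
        "inherent": round(inherent, 2),
        "inherent_level": risk_level(inherent),
        "residual": round(residual, 2),
        "residual_level": risk_level(residual),
    }


# Constructed sample answers; they are not the team's data for Albany Bank.
FIN = Application(
    "FIN",
    impact_answers={"Reputational": 4, "Operational": 5, "Financial": 5, "Regulatory": 4},
    likelihood_answers={"Reputational": 3, "Operational": 3, "Financial": 2, "Regulatory": 4},
    control_answers=[True] * 5 + [False] * 8,   # only 5 of 13 controls in place today
)
FIN_AFTER = Application(
    "FIN (suggested controls)",
    impact_answers=FIN.impact_answers,
    likelihood_answers=FIN.likelihood_answers,
    control_answers=[True] * 11 + [False] * 2,  # encryption, mirroring, compliance added
)

if __name__ == "__main__":
    for app, tier in ((FIN, 0.8), (FIN_AFTER, 1.0)):
        print(assess(app, tier))
```

Run as a script it prints the inherent and residual scores for the constructed FIN answers before and after the suggested controls; the bucket moves from Medium to Low, which is the direction the 12 month program is meant to produce. Keeping inherent and residual as separate outputs matters for review: the inherent score is what the heat map should plot before controls are credited, and any residual score that comes out above its inherent score is a sign of a mis-entered control value.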

42

Questions, Comments, Concerns?

Stay connected! Email us at: 2015trajectory2@gmail.com

Follow us on Facebook & Twitter to stay up to date with current events!

www.facebook.com/PerfectProfilers

@PerfProfilers
