Risk Forum: Busting the Top Myths that Expose your Bank to Risk


Welcome

• Introductions
  – Tammy Bangs, JHA
  – Scott Whisman, JHA
  – Tom Williams, JHA Centurion
  – Allen Eaves, JHA Gladiator

October 11, 2015. ©2015 Jack Henry & Associates. All Rights Reserved.


Welcome

• Table Arrangement
  – Peer Discussion and Handouts
• Agenda review
  – Areas of Focus
• Housekeeping Items
  – Restrooms, Refreshments and Breaks
• Follow up Items
  – Slide Deck Provided
  – Follow Up Survey


An Overview

• What today is not:

– A product demonstration

– A lecture

– A test or contest

• What today is:

– A conference that will challenge your bank’s idea of risk mitigation and preparedness, and help you identify and strategize ways to improve risk avoidance at your FI.


Special Guest Speaker

• Scott Whisman

General Manager – Corporate Services


Peer Discussion

• Introduce yourself

– Name

– Title

– Bank Name and Location

– Asset Size, Core Processor, In-house or Outsourced

– In your opinion, what is your top Risk Concern for your FI?


Myth Busting

1. Internal Fraud: Not at our Bank

2. On Premises: Safe and Sound

3. Social Engineering: We’re not susceptible

4. Cyber Threats: We’re covered

5. Customers are Patient: Our BRP is Sufficient

6. BCP Passed Exam: It’s all good


Myths 1 & 2

Tammy Bangs – Jack Henry Banking


My bank doesn’t have any

Myth 1: Internal Fraud


MYTH #1

Assumptions associated with Myth #1:

• Statistically untrue

• Malicious or unintentional exposure of data risks

• Is it a gamble you are willing to take?


Insider Fraud Statistics

Insider vs External Fraud in Banks

• Internal Fraud: 60%
• External Fraud: 40%

www.celent.com/internal-fraud


Insider Fraud Statistics

• Insider fraud accounts for approximately 60% of bank fraud cases where a data breach or theft of funds has occurred.

www.celent.com/reports/internal-fraud-big-brother-needs-new-glasses

• Insider fraud has accounted for over one-half of all bank fraud and embezzlement cases closed by the FBI during the past several years.

FDIC Bank Fraud and Insider abuse

• “Insider fraud is still not getting the attention it needs. Banking institutions are aware of the risks, but less than half are well prepared to detect it.”

Tom Wills, Javelin Strategy

• One-in-five internally perpetrated frauds involve senior management.

www.pwc.com Global Economic Crime Survey


Bank Insider/Employee Fraud

• Low and Slow Approach

• Data Modification

• Low Tech – Relying on Knowledge and Access

• Management vs. Non-Management
  – Management – average length of 33 months and over $200,000 in average total fraud
  – Non-Management – average length of 18 months and $100,000 in average total fraud

Randy Trzeciak

CERT Insider Threat Research Team


Insider Linked Data Breaches

• According to Jason Clark, a researcher at the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, insider-linked data breaches, while increasingly common, are grossly under-reported, due to the lack of evidence to prosecute or the fact that the damage level is insufficient to warrant prosecution.

• 53% of survey participants indicated they had experienced an insider data breach incident

• 75% of cases do not involve law enforcement

www.bankinfosecurity.com/interview/how-to-fight-insider-fraud


Reputational Risk: Is it worth the gamble?


If I can touch it – I feel more secure

Myth 2: On Premises = Safe/Secure


MYTH #2

Assumptions associated with Myth #2:

• Creates the illusion of safety

• Statistically unfounded

• Regulatory pressure

• How much risk does this pose for your bank?


www.glassdoor.com

Jack Henry & Associates Reviews

• 3.7 rating (161 ratings)
• 75% Recommend to a friend
• 94% Approve of CEO Jack Prim

Featured Review: “Good company with a great culture”

Current Employee, Anonymous Employee in Birmingham, AL

I have been working at Jack Henry & Associates full-time (More than a year)

Pros

I have been with JHA over a year, and I can honestly say this is a very good company. One's personal experience may vary depending on the department in which you work and the person who is supervising said department... But that is the struggle of any large company. From a corporate viewpoint, I feel like I am valued and respected. I don't feel like upper management is out for their own….


Jack Henry & Associates Awards & Accolades

• 2015
  – 100 Best Places to Work in IT - Large, Computerworld Magazine, 2015
  – Top Workplaces, The Tennessean, 2015
• 2014
  – 100 Best Places to Work in IT, Computerworld, 2014
  – Best Companies to Work for in Alabama (Large Companies), Business Alabama Magazine, 2014
  – Best Places to Work in Kentucky (Large), Best Places to Work in Kentucky, 2014
  – Best Places to Work in San Diego (Symitar-Mega Employer Category), San Diego Business Journal, 2014
  – Top Workplaces (Information Technology), Houston Chronicle, 2014


Creates the Illusion of Safety

• Public vs. Private Cloud

• Recovery Concerns

• Replication vs Tape Backup


Regulatory Pressure

• Are you prepared for the regulatory scrutiny?

• Vendor due diligence


Myths 3 & 4

Allen Eaves – Gladiator


My employees know better

Myth 3: Social Engineering


“In my mind social engineering is the biggest issue today.”

- Sparky Blaze, former member of Anonymous


Information Gathering

High-tech

Low-tech

No-tech


No-tech Information Gathering

Dumpster diving

Shoulder surfing


The trust of a badge and uniform


Attack Vectors

Phone Elicitation

Physical

Phishing

Removable Drives


Low and High-Tech Information Gathering

Company Details – Employee Interests – Latest News

Internet browsing – WIFI listening to find personal information


How to Reduce Risk

Social engineering assessment

Education

Policies

Defense in depth approach


My firewall has my back

Myth 4: We are Protected Against Cyber Threats


January 7th 2015


Dark Comet defeats Common Security

443 TCP Outbound


How the Infection Takes Place

Malicious Site


Questions?

Myths 3 & 4


Myths Associated with Disasters

Tom Williams – Centurion Disaster Recovery


We’re prepared since we passed our BCP Exam

Myth 5: BCP Passed – It’s All Good


We passed our Business Continuity Plan Exam so we’re prepared

Assumptions associated with Myth #5

• The examiner was thorough in reviewing the plan.

• The examiner was knowledgeable on the FFIEC Guidelines on BCP.

• The exam was based on the review of the enterprise-wide plan and not just the I/T plan.

• The examiner assumed that plan was tested at multiple levels, i.e. technical, executive, business units, with multiple scenarios.

• The Board signed off on the plan with knowledge of the plan’s true ability to recover.


We’ll be back up and running in time

Myth 6: In the Event of Disaster, Our Customers will be Patient


When a disaster strikes, we will be able to meet customer needs

Assumptions associated with Myth #6

• Our customers are loyal so they will be understanding and patient until we recover, no matter how long it takes.

• Our I/T team has a plan to get the systems and applications up and that is all the bank needs to recover operations.

• We have a veteran staff and we can handle whatever comes up on the fly.

• All of our critical personnel will be available to assist in the recovery efforts.

• Our core processing is outsourced so we will not be impacted.


FFIEC Guidelines for Business Continuity Planning

Business Impact Analysis (BIA)
• Business Functions
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resources

Risk Assessment
• Threats
  – Natural
  – Human
  – Technical

Risk Management
• Enterprise-wide BCP
• Emergency Plans
• Crisis Management Plans
• IT & Business Unit Plans
• Family Disaster Plan

Risk Monitoring
• Plan Updates
• Disaster Recovery Testing
• Tabletop Exercises
• Mock Drills


Business Impact Analysis (BIA) Process

1. Identify Function
2. Identify Impact
3. Identify Recovery Time
4. Identify Recovery Strategy
5. Identify Resources
6. Contingency Procedures
7. Alternate Recovery Location

Note: Perform for each function


Business Impact Analysis Impact Categories

Lost Income / Financial
• Lost Revenue
• Fines and Penalties
• Funds for Investing
• Cost of Recovery Efforts

Regulatory / Legal
• Fines
• Law Suits
• Compliance

Other Business Units
• Work Flow - Quality
• Life & Safety – Vendor Relations

Public / Customer Image
• Reputation
• Customer Service
• Employee Morale
• Employee Stress


Categorizing Business Functions – FFIEC Examination Handbook

Source: FFIEC IT Examination Handbook, Business Continuity Planning, March 2008, Appendix F, p. F-3


System / Application Recovery – Recovery Time Objective (RTO) & Recovery Point Objective (RPO)

[Timeline diagram. Points on the time axis: Last Backup of usable data, Disaster Strikes, System Restored. Intervals: Data Loss, System Loss.]

• RPO (Recovery Point Objective): How far back do we have to go for a copy of good data

• RTO (Recovery Time Objective): Time to recover systems from the time the systems went down


Process Flow for the Cash Check Function – Business Impact Analysis

• Process 1 – Receive check from customer
• Process 2 – Verify ID
• Process 3 – Pull up account on core system
• Process 4 – Six point check verification
• Process 5 – Verify funds and check holds
• Process 6 – Process transaction on system
• Process 7 – Distribute funds
• Process 8 – Print cash out ticket
• Process 9 – Bundle check & cash out ticket for Proof


Business Impact Analysis Rating Scale – Bank A

Recovery Time Objective (RTO)
• 1 – Within 24 Hours
• 2 – Within 48 Hours
• 3 – Within 1 Week
• 4 – Within 2 Weeks
• 5 – Greater than 2 Weeks

Recovery Point Objective (RPO)
• A – No Data Loss Acceptable
• B – 12 Hours
• C – 24 Hours
• D – 48 Hours
• E – 1 Week or More


Business Impact Analysis Process

1. Identify Function
2. Identify Impact
3. Identify RTO & RPO
4. Identify Recovery Strategy
5. Identify Resources
6. Contingency Procedures
7. Alternate Recovery Location


Business Impact Analysis – Cash Checks Function – Bank A

1. Identify Function: Cash Checks
2. Identify Impact (BIA Impact Ratings):
   – Financial: 3 – 1 Week
   – Public Image: 1 – 24 Hours
   – Regulatory: 2 – 48 Hours
   – Other BU: 4 – 2 Weeks
3. Identify RTO & RPO: RTO – 1 (24 Hours); RPO – C (24 Hours)
4. Identify Recovery Strategy: Hot Site Recovery; Using Tape; Virtualization – Self Provision
5. Identify Resources: Core System; Domain Controller; Terminal - Printer; Network; Employee; FED PC
6. Contingency Procedures: Perform Manually with Restrictions
7. Alternate Recovery Location: DR Mobile Unit; Alternate Branch


System / Application Recovery Timeline – Bank A (Tape Recovery)

[Timeline diagram]

• Last EOD Backup of usable data: Friday 8:00 pm
• Disaster Strikes: Monday 3:47 pm
• RPO (Data - How far Back): 67.47 Hours of Data Loss
• RTO (Time to Recover): 31 Hours
• Recovery segments shown on the timeline: Travel to Recovery Center, System Restore, Data Re-entry / Catch up (segment durations shown: 13 Hours, 5 Hours, 6 Hours, 7 Hours)


Business Impact Analysis Rating Scale – Bank B

Recovery Time Objective (RTO)
• 1 – Within 4 Hours
• 2 – Within 8 – 12 Hours
• 3 – Within 12 – 24 Hours
• 4 – Within 24 – 48 Hours
• 5 – Greater than 48 Hours

Recovery Point Objective (RPO)
• A – No Data Loss Acceptable
• B – 4 Hours
• C – 12 Hours
• D – 24 Hours
• E – Greater than 24 Hours


Business Impact Analysis – ACH (Incoming) Function – Bank B

1. Identify Function: ACH (Incoming)
2. Identify Impact (BIA Impact Ratings):
   – Financial: 1 – 4 Hours
   – Public Image: 1 – 4 Hours
   – Regulatory: 1 – 4 Hours
   – Other Business Units: 1 – 4 Hours
3. Identify RTO & RPO: RTO – 1 (4 Hours); RPO – A (No Acceptable Data Loss)
4. Identify Recovery Strategy: Hosted High Availability; Virtual Storage Recovery
5. Identify Resources: Core System; Workstation; Printer
6. Contingency Procedures: Core System
7. Alternate Recovery Location: DR Mobile Unit; Alternate Branches


Business Function Technology Requirements

| Department or Business Unit | Business Function/Activity | Corporate Impact | System Required | Application Required | Manual Process | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) |
|---|---|---|---|---|---|---|---|
| Branch Operations | Cash checks | High | iSeries | Silverlake | Yes | 8 Hours | 3 |
| Telephone Express Center | Do loan payments | High | iSeries | Silverlake | Yes | 8-24 Hours | 4 |
| Telephone Express Center | Do wire transfers | High | iSeries | Silverlake | No | 8 Hours | 3 |
| Member Services | Statuing of accounts | High | iSeries | Silverlake | No | 0-8 Hours | 1 |
| Information Technology | Administer and administer backups | High | Client/Server | ProcessPro | Yes | 4-8 Hours | 2 |
| Deposit Services | Set up close day, close month process | High | Client/Server | ProcessPro | Yes | 3+ Days | 4 |
| Electronic Banking | Prepare VRU report | High | Client/Server | ProcessPro | Yes | 3+ Days | 4 |
| Electronic Banking | Hot card entry | Low | Client/Server | InTouch | Yes | 3+ Days | 4 |
| Electronic Banking | Set up new Internet accounts | Medium | Client/Server | PinPoint | No | 3+ Days | 4 |
| Item Processing | Set up new Internet accounts | Medium | Workstation | NetTeller | No | 8-24 Hours | 2 |
| Branch | Cash checks | High | Workstation | CIF 20/20 | Yes | 8-24 Hours | 2 |
| Electronic Banking | Hot card entry | High | Workstation | Internet | No | 8-24 Hours | 2 |
| Mortgage Origination | Pull credit report | High | Workstation | ProcessPro | Yes | 3+ Days | 4 |
| Trust Operations | Buy/Sell securities | High | Workstation | Trust Rite | Yes | 3+ Days | 4 |
| Commercial Lending | Send decline letters | Low | Workstation | Word | Yes | 3+ Days | 4 |
| Deposit Services | Local rate survey | Low | Workstation | Excel | Yes | 3+ Days | 4 |
| Deposit Services | Process overdraft items | Medium | Workstation | CIF 20/20 | Yes | 8-24 Hours | 2 |
| Electronic Banking | Set up new Internet accounts | Medium | Workstation | NetTeller | No | 8-24 Hours | 2 |


Technology Recovery Strategy Evolution – Business Impact Analysis

Hosted High Availability
• Self Provisioned
• DRaaS

Electronic Vaulting
• Self Provisioned
• Vendor Managed

Virtualization
• On-site
• Off-site

Media Device Backup
• Tape
• USB
• CD - Hard Drive


Technology Recovery Strategies – Business Impact Analysis

[Chart. Vertical axis: Criticality Level (Critical, Urgent, Important, Normal). Horizontal axis: Recovery Time Objective (Min HRS, 4 HRS, 8 HRS, 24 HRS, 48 HRS, 72 HRS). Strategies plotted: Full HA, SAN Replication, Virtualization, Tape Recovery.]


System / Application Recovery Timeline – Bank B (High Availability)

[Timeline diagram]

• Last Data Snapshot: 3:32 pm
• Disaster Strikes: Monday 3:47 pm
• RPO: 15 Minutes
• RTO (Time to Recover): 30 Minutes
• Recovery segments also shown on the timeline: Travel to Recover Center, System Restore, Data Re-entry / Catch up (segment durations shown: 13 Hours, 5 Hours, 6 Hours, 7 Hours)

Disaster Avoidance Concept – Bank B

[Figure: timeline (axis: TIME). Labels: Potential Disaster Event; Disaster Avoidance Decision; Switch to Secondary System; Disaster Avoidance Period; Disaster; Recovery of Technology Avoided (RTO); Recovery of Business still Required.]

Myth 6: In the Event of Disaster, Our Customers will be Patient

We’ll be back up and running in time

For our discussion today: The bank after the Disaster

Customer Expectations – As Told by Actual Customers

• “I expect the same level of service immediately following a disaster as I had before the disaster.”

• “I want immediate access to my accounts via mobile, internet and telephone banking immediately following a disaster.”

• “I expect expedited, or a higher level of service if the disaster impacted me and my family and I needed emergency monies.”

• “I want the ability to do cash withdrawals immediately following a disaster with no restrictions on the amount I can withdraw.”

• “If the disaster is serious enough like a Katrina, I want my family and friends to have the ability to wire monies into my account for support.”

• “I want to be able to increase my line of credit, or apply for a loan to help me rebuild if the disaster impacts my family.”

Customer Expectations of Service after a Disaster

[Figure: Service Level after Disaster (No Service, Severely Delayed Service, Delayed Service, Slightly Delayed Service, Same as Normal Service) plotted against the Recovery Time Line (1 Hour, 12 Hours, 24 Hours, 36 Hours, 48 Hours). Labels on the chart: Customer Expectations; Bank’s Perceived Recovery Level; Actual Recovery Level; Recovery Gap Analysis.]

Recovery Gap Analysis Results

• Recovery strategy for Core / Server environment needs improvement.

• No prioritization on which functions and applications to recover.

• Lack of an Enterprise Wide Business Continuity Plan that has been tested at multiple levels.

• No Alternate Work Locations identified, or if identified they have not been equipped to support relocated employees.

• Lack of personnel training.

• Lack of communications with highly dependent vendors.

• Assumption that outsourcing provider will address components that the bank is responsible for.

Step 4 - Draft Plans Generated

Emergency Management Plan (Per Facility)

Crisis Management Plans

Information Systems Recovery Plan

Business Unit Recovery Plans

Executive Summary

Plan Testing & Exercise Guide

Business Continuity Plan Documentation

Business Continuity Teams

[Organization chart]

Crisis Management Team: Management (Team Leader, Alt. Team Leader)

Business Unit Recovery Teams (each with a Team Leader and an Alt. Team Leader): Finance, Administration, Information Systems, Loan Operations, Deposit Operations

Business units shown beneath the teams, in slide order: Bookkeeping, Finance, Accounting, eBanking; Audit, Compliance, HR, Training; Marketing, Investments, Maintenance; Information Systems; Loan Analyst, Loan Processing, Commercial Lending, RE Mortgage; Deposit Operations, Retail Banking/Consumer Lending

Communicating with Employees / Customers

Emergency Notification System

Plan Execution - Recovery Timeline

[Figure: timeline. Risk Management; Disaster; Crisis Management Phase; Relocate & Restore Phase; Recover Business Functions Phase; Rebuild & Return Phase.]

Plan Execution - Recovery Timeline

[Figure: timeline. Risk Management; Disaster; Crisis Management Phase; Relocate & Restore Phase; Recover Business Functions Phase; Rebuild & Return Phase.]

Activities shown: Family Disaster Plan, Evacuation & Safety, Damage Assessment, Communications, Disaster Declaration

Plan Execution - Recovery Timeline

[Figure: timeline. Risk Management; Disaster; Crisis Management Phase; Relocate & Restore Phase; Recover Business Functions Phase; Rebuild & Return Phase.]

Activities shown, first group: Evacuation & Safety, Damage Assessment, Communications, Disaster Declaration

Activities shown, second group: Notifications, Mobilization, Relocation, Restore

Recover Business Functions

• Customer Inquiries via phones

• Handle deposits & withdrawals

• Accept loan payments

• Account transfers

• Balance cash drawers

• Handle security issues

• Handle stop payments

• Issue cashier’s checks

• Post drop box transactions

15 minutes – 4 Hours

4 – 8 Hours

8 – 24 Hours

24 – 48 Hours

Recover Business Functions

• Order ATM cards/debit card

• Calculate Payments using projection screens

• Loan status calls

• Do cash advance

• Fund home equity loans

• Fund second trustee loans

• Issue onsite ATM cards

• Issue temporary checks

15 minutes – 4 Hours

4 – 8 Hours

8 – 24 Hours

24 – 48 Hours

Physical Recovery Considerations

• Branch Offices

• Work from Home

• Vendor Recovery Site

• Internal Recovery Site

• Mobile Recovery Unit

• Office/Remote Workspace

• Temporary Lease Facility

Equipment Recovery Considerations

• Store in advance

• Purchase when needed

• Drop Ship Service

– Mainframe

– Servers

– Workstations

– Printers / Fax Machines

– Phones

– Routers / Switches

• Vendor provided at Recovery Site

Recovery Strategy Considerations - Satellite Communications

Mobile to Client

Hot Site to Mobile

Out-Sourced Processing Considerations

• Responsible for the restoration of the following:

– Connectivity to the Core Processing Site

• (jConnect Backup Router)

– System Recovery of Core System

– Server / Network Recovery

• Exchange Servers - Domain Controllers

• JHA & 3rd Party Applications

– Telecommunications - Voice Recovery

– Equipment setup & Reconfiguration

– Facilities

• A plan to deal with a disaster that strikes the processing center

BCP / DR Question Drill Down Questions

• Can we recover?

– Who will be available to assist in the recovery?

– Will our critical vendors be able to deliver the required services / products?

– What systems / applications will be recovered?

– How long will it take us to recover systems / applications?

– Will we have the proper data available to support the business units?

– Do our recovery strategies meet our customers' demand?

Top DR Trends for 2015

• Managed Recovery solutions will become the industry standard due to:

– Cost

– High data requirements

– Skills

– Personnel requirements

– Geographic separation

• Electronic vaulting will replace tape backup for Disaster Recovery

• RPOs will be measured in minutes

Top DR Trends for 2015

• DRaaS

– The replication and hosting of physical or virtual servers by a third party to provide failover in the event of a man-made or natural disaster.

• DRaaS Considerations

– Requires a strong contract indicating service-level agreement (SLA) requirements and obligations by both parties regarding failover times and responsibilities.

– Useful for businesses that lack the expertise to provision, configure, test and execute a similar DR environment if it were self-provisioned in-house.

– The bank does not have to make a large capital investment to implement and maintain their own off-site DR environment for replication and failover.

– DRaaS can be flexible to meet the organization’s needs.

Disaster Avoidance Concepts – A CEO’s Perspective

As a company, we cannot prevent a natural disaster.

We can, however, greatly reduce the impact felt by our customers and our Associates if a disaster does occur.

We increasingly utilize technology to reduce the level of human involvement within our data systems management.

We continue to look at new technologies to further reduce human involvement and increase automation should a disaster occur.

We realize this is a topic that we always have to focus upon to deliver the best possible solution to our customers.

Branson Business Recovery Facility

• Secure underground facility nestled in the Ozark Mountains in Branson, MO.

• 175 feet below ground; enclosed under dome and two layers of granite-like shale

• Impervious to most natural disasters – hurricane/flood/tornado-proof – rated to withstand up to 1000 mph winds

• Two separate electrical transmission lines from different states

• Multiple levels of telecommunications resiliency

Branson Hot Site

Outlink Processing Center Disaster Avoidance Strategy

[Diagram. Labels, in slide order: Data Replication; DP DR; DP 1; DP 2; DP DA; DP 1; Branson; Core Director; DP 3; DP 2 CIF 20/20; DP 3 SilverLake.]

In-House Processing Considerations

• Responsible for the restoration of the following:

– System Recovery of Core System

– Server / Network Recovery

• Exchange Servers - Domain Controllers

• JHA & 3rd Party Applications

– Telecommunications - Voice Recovery

– Equipment setup & Reconfiguration

– Facilities

Next Steps

1. Ensure you have Executive support for the BCP.

2. Have your BCP reviewed by BCP Experts.

3. Conduct a Mock Disaster Drill using your BCP.

4. Determine if outside expertise is required to improve your plan, or if the work will be done internally.

5. Ensure that your BCP is structured at the department level.

6. Build / improve your plan and test it regularly.

Thank you for your participation!

Questions?

Tom Williams

Business Continuity Strategy Manager

[email protected]

The Recovery Process – Replication Environment

Plan Execution Process

[Flowchart. Boxes, in slide order:]

• Event Occurs

• Declare Disaster

• Assess and Report Damage

• Safe Zone

• Crisis Mgmt Team Leader

• Escalation Process

• Begin Salvage

• Mobilize Recovery Teams

• Begin Media Relations / Press Release

• Activate Alt Workspace(s)

• Relocate Staff To Alt Workspace

• Begin Restoration Of Affected Site

• Prepare to Re-occupy Primary Site

• Activate Command Center

• Conduct Crisis Mgmt Status Meetings

• Setup Alt Workspace(s)

• (Crisis Mgmt Team)

• Conduct Bus Unit Status Meeting

• (I/S Team)

• Activate Recreation Procedures - WIP

• Activate Manual Procedures

• Activate Administrative Team

• Activate Damage Assessment Team

• Activate Management Team

• Activate I/S Team

• Stabilize Environment

• Switch to Secondary System

• Switch Back to Primary System

Myth Busting

1. Internal Fraud: Not at our Bank

2. On Premises: Safe and Sound

3. Social Engineering: We’re not susceptible

4. Cyber Threats: We’re covered

5. Customers are Patient: Our BRP is Sufficient

6. BCP Passed Exam: It’s all good

Thank you for your time today!

[email protected]
