Journal of Information Systems Education, Vol. 22(2)
Teaching Case
Bank Solutions Disaster Recovery and Business
Continuity: A Case Study for CSIA 485
Steve Camara
Senior Manager, KPMG LLP
1021 E Cary Street, Suite 2000
Richmond, VA 23219
scamara@kpmg.com
Robert Crossler
Vishal Midha
Assistant Professor
Computer Information Systems
The University of Texas – Pan American
recrossler@utpa.edu, vmidha@utpa.edu
Linda Wallace
Associate Professor
Accounting and Information Systems
Virginia Tech
wallacel@vt.edu
ABSTRACT
Disaster Recovery and Business Continuity (DR/BC) planning is an issue that students will likely come in contact with as they enter industry. Many different fields require this knowledge, whether employees are advising a company implementing a new DR/BC program, auditing a company's existing program, or implementing and/or serving as a key participant in a company program. Often it is difficult to find real-world practice in the classroom for students to apply the theories taught. The information in this case provides students with real-world data to practice what they would do if they were on an engagement team evaluating a DR/BC plan. Providing students with this opportunity better prepares them for one of the jobs they could perform after graduation.
Keywords: Case study, Computer security, Critical thinking, Experiential learning & education, Information assurance and security, Role-play, Security, Team projects
2. CASE TEXT
2.1 Company Background
Bank Solutions, Inc. (a pseudonym), founded in 1973 by the First Presidential Bank, a major bank of its time, is a provider of item processing services to community banks, savings and loan associations, Internet banks, and small- to mid-size credit unions. It offers a full range of services, including in-clearing and Proof of Deposit (POD) processing, item capture, return and exception item processing, image archive storage and retrieval, and customer statement rendering.

Bank Solutions was formed in 1973 when the Chief Operating Officer of First Presidential Bank, a major commercial bank, recognized an opportunity. Since item processing functions are standardized (they have to be in order for originating and receiving financial institutions to clear customer transactions) and scale with increases in item processing volumes, First Presidential was able to offer these services to other financial institutions wishing to reduce operating expense and focus on growth strategies and other core business functions. First Presidential marketed these services under the Bank Solutions brand name.

Over the next 15 years, Bank Solutions enjoyed modest growth. By 1988, it served 41 small- to mid-size financial institutions. It had not, however, developed a market presence outside of the Northwestern Region of the United States, as management had hoped. This was primarily because Bank Solutions was unable to compete with other item-processing service providers that had developed proprietary software systems considered "top of the line." To make matters worse, at the time almost one quarter of Bank Solutions' client base was savings and loan associations (savings and loans). As a result of the Savings and Loan crisis, 60% of Bank Solutions' savings and loan customer base failed over the six years spanning 1985–1991, thus stunting the outsourcer's growth. The related slowdown of the financial services and real estate industries and the recession of 1990–1991 presented further headwinds to the growth objectives of First Presidential management. In 1994, First Presidential sold off Bank Solutions.

Under new management, Bank Solutions thrived. Keys to the company's renewed success included the following:
• The development of key strategic partnerships with other industry participants, including data clearing houses and financial institution core processing system outsourcers.
• The introduction of a new company culture that focused on open door management, mentoring, and enhanced employee benefits.
• The development of a proprietary item processing system that uses state-of-the-art Optical Character Recognition (OCR) technology to achieve character recognition accuracies that were previously unheard of.
• The implementation of "remote capture" technologies to meet electronic banking initiatives and regulations such as "Check 21."
• The upgrade or replacement of other administrative information systems, including the company's financial reporting system. This helped to increase operational effectiveness and efficiencies.

From 1995–2008, Bank Solutions enjoyed unprecedented growth. During that timeframe, the company expanded operations to 18 item processing facilities, two data centers in which the item processing system was hosted, and 345 financial institutions.
2.2 Current Scenario (2011)
Douglas Smith, the Chief Information Officer for Bank Solutions, was one of the original members of "new management" and responsible for many of Bank Solutions' past successes. A solid, middle-sized company with continued growth potential, Bank Solutions has become a target for a leveraged corporate buyout. This is an attractive situation for Douglas and other members of executive management. Several of these individuals are close to retirement, and initial indications are that the price of the buyout will be very favorable for members of executive management.

The CEO and other influential members of executive management want Bank Solutions to remain an attractive purchase option and, as a result, have contracted the services of your team as an outside consultant to identify operating and regulatory risks and advise them on control measures to mitigate the risks.
2.3 Risk Assessment Task
As members of the engagement team performing the risk assessment, your team has been given the task of assessing Bank Solutions' incident handling, business continuity, and disaster recovery strategy.

In order to perform the assessment, preliminary interviews were conducted with Douglas Smith, the Data Center Managers, Systems Engineers and Network Architect in each of Bank Solutions' data centers, and the IT Managers and Day and Night Operations Managers from seven of the largest item processing facilities. Additionally, the following documentation related to Bank Solutions' security incident management and DR/BC planning activities was reviewed:
• Flow charts that diagram the item processing operations and data flow between Bank Solutions item processing facilities and data centers and outside entities (see Appendix A)
• A diagram of Bank Solutions' network architecture
• Bank Solutions' Data Center Disaster Recovery and Business Continuity Plan (DRBCP)
• Policies, procedures, guidelines, and standards related to security incident response
• Item Processing Facility DRBCPs
• Results from the most recently completed DRBCP test/exercise
• Distribution list for the DRBCP
• Bank Solutions' Backup and Recovery Policy
• Screen prints of the configurations from Bank Solutions' backup utility (these configurations show what server shares are subject to automated backup and the frequency of those backups)
• Contracts with the off-site storage provider
• A system-generated listing of access to event logging servers
• A list of individuals who have been provided access to recall backup tapes from the off-site storage vendor
• Screenshots of the Intrusion Detection System (IDS), firewall, and other event logging capability configurations
• Excerpts from the IDS and firewall event logs and management's manually maintained incident tracking log
2.4 Facts: Risk Assessment Findings
Based on the discussions held with management and a review of the documentation provided, you note the following facts:
1. With the assistance of an external consultant, Bank Solutions wrote its current data center DRBCP in 2007. It was last updated in January 2009.
2. According to Douglas, the data center DRBCP was last tested in 2007. Testing activities consisted of a conceptual, table-top walkthrough of the DRBCP conducted by Douglas with the Data Center Managers and Network and Systems Engineers. Item processing facility DRBCPs have not yet been tested.
3. Site-specific DRBCPs have been written for the five largest item processing facilities. The remaining item processing facilities have a generic "small center" DRBCP template that was distributed to and customized by facility management in June 2010. Four item processing facilities have not yet completed the customization exercise.
4. DRBCPs contain several sections, including the following:
   • Emergency/crisis response procedures
   • Business recovery procedures
   • "Return to normal" procedures
   • Various appendices
   Recovery Time Objectives and Recovery Point Objectives for each critical business process and system were not identified in the DRBCP. The following details, most of which are included in the DRBCP appendices, are also documented in the text of the DRBCP:
   • Critical systems, including detailed hardware and software inventories
   • Critical business processes and process owners
   • Alternative processing facility addresses and directions
   • "Calling Trees" (notification listings)
   • Critical plan participant roles, responsibilities, and requirements
   • Critical vendor contact listings
   • Key business forms
   • Specific recovery procedures for key systems
   • Procedures for managing public relations and communications
5. Based on a review of DRBCP distribution lists, it appears that not all key plan participants have a copy of the plan. When this was discussed with Douglas, he responded that copies of all DRBCPs are stored on the network (which is replicated across both data centers and via backup tape).
6. Critical plan participants have not been trained to use DRBCPs.
7. Bank Solutions has implemented a robust host-based IDS, including detailed event logging and reporting capabilities. However, neither the DRBCP nor any other policy, standard, guideline, or procedure addresses security incident handling steps, including escalation points of contact and procedures for preserving the forensic qualities of logical evidence.
8. Event logging is also performed when power users perform specific privileged activities on production servers and selected administrative back office systems. Interestingly, it was noted that several of the same power users whose actions are recorded onto event logs also have write access to the logs themselves.
9. A review of the network diagram and conversations with the Network Architect reveal that redundancies have been implemented at the network perimeter (e.g., routers, firewalls, IDS, load balancers).
10. Bank Solutions has organized its DR/BC program according to a "sister center" format; that is, each data center serves as the other's "hot site" processing location and each item processing facility has been assigned a corresponding item processing facility to serve as a backup processing location. Neither the DRBCPs nor any other documentation outline specific processing responsibilities for backup facilities.
11. On a daily basis, transaction detail and item image files from the current day's processing operations are uploaded from each item processing facility to its regional data center (see Appendix A).
12. At the data centers, electronic vaulting has been established whereby all e-mail, file, and application servers and databases at the data center are continuously backed up to the other data center via dual dedicated fiber optic lines.
13. A data backup and recovery utility has been implemented in each data center and the item processing facilities. Full backups of critical data files, software programs, and configurations are performed once a week and incremental backups are performed on a daily basis Monday through Friday.
14. At one item processing facility, backup jobs have routinely failed due to unknown causes. When the topic was discussed with the IT Manager on duty, he shrugged the failures off, noting that the core financial institution transaction data and images are transmitted to and archived at the Bank Solutions Data Center East on a daily basis.
15. At the item processing facilities, management has been tasked with contracting the off-site storage of backup tapes. At one of the item processing facilities, management has contracted the bank across the street to store its backup tapes in a safety deposit box. At another item processing facility, the night Operations Manager stores the backup tapes in a safe at his home. At a third item processing center, tapes are stored in a shed at the back of the building.
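Findings 4, 13 and 14 together describe a backup regime (one weekly full, Monday-to-Friday incrementals) with no stated recovery point objective and a facility whose failed jobs were shrugged off. The script below is an added example, not part of the case: it audits constructed backup-job log lines against that schedule and a hypothetical 24-hour RPO, reporting each facility's recovery point exposure, unremediated failure streaks, and incrementals that have no full backup to restore from. The log format, facility names, RPO and review time are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample job log (format is an assumption, not the case's backup utility):
# <ISO timestamp> <facility> <FULL|INCR> <SUCCESS|FAILED> [detail]
SAMPLE_LOG = """\
2011-03-04T23:10:00 Facility-07 FULL SUCCESS
2011-03-08T23:10:00 Facility-07 INCR SUCCESS
2011-03-09T23:10:00 Facility-07 INCR SUCCESS
2011-03-10T23:10:00 Facility-07 INCR SUCCESS
2011-03-04T23:30:00 Facility-12 FULL SUCCESS
2011-03-08T23:30:00 Facility-12 INCR FAILED media write error
2011-03-09T23:30:00 Facility-12 INCR FAILED media write error
2011-03-10T23:30:00 Facility-12 INCR FAILED media write error
2011-03-09T23:45:00 Facility-03 INCR SUCCESS
"""
AS_OF = datetime(2011, 3, 11, 8, 0)  # hypothetical time of the review
RPO = timedelta(hours=24)             # hypothetical objective; the DRBCP defines none (finding 4)

@dataclass(frozen=True)
class BackupJob:
    when: datetime
    facility: str
    kind: str   # "FULL" or "INCR"
    ok: bool

@dataclass
class FacilityStatus:
    last_good: datetime | None    # most recent successful job of any kind
    exposure: timedelta | None    # data at risk since last_good; None if never backed up
    consecutive_failures: int     # trailing run of failed jobs
    has_full_chain: bool          # a successful FULL exists at or before last_good
    issues: list[str] = field(default_factory=list)

def parse_log(text: str) -> list[BackupJob]:
    """Parse the constructed log format into jobs sorted by time; trailing detail is ignored."""
    jobs = []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(maxsplit=4)
        if len(parts) < 4 or parts[2] not in ("FULL", "INCR"):
            raise ValueError(f"malformed log line: {line!r}")
        jobs.append(BackupJob(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "SUCCESS"))
    return sorted(jobs, key=lambda j: j.when)

def audit(jobs: list[BackupJob], as_of: datetime, rpo: timedelta) -> dict[str, FacilityStatus]:
    """Report recovery point exposure and unremediated failures for each facility."""
    by_facility: dict[str, list[BackupJob]] = {}
    for job in jobs:
        by_facility.setdefault(job.facility, []).append(job)
    report = {}
    for facility, fjobs in by_facility.items():
        good = [j for j in fjobs if j.ok]
        last_good = good[-1].when if good else None
        failures = 0
        for j in reversed(fjobs):  # length of the trailing failure streak
            if j.ok:
                break
            failures += 1
        has_full = last_good is not None and any(j.kind == "FULL" and j.ok and j.when <= last_good for j in fjobs)
        status = FacilityStatus(last_good, as_of - last_good if last_good else None, failures, has_full)
        if last_good is None:
            status.issues.append("no successful backup recorded; recovery point is undefined")
        elif status.exposure > rpo:
            status.issues.append(f"recovery point exposure {status.exposure} exceeds RPO {rpo}")
        if failures >= 3:
            status.issues.append(f"{failures} consecutive failed jobs with no remediation")
        if last_good is not None and not has_full:
            status.issues.append("incrementals have no successful full backup to restore from")
        report[facility] = status
    return report

if __name__ == "__main__":
    for facility, status in sorted(audit(parse_log(SAMPLE_LOG), AS_OF, RPO).items()):
        print(facility, "OK" if not status.issues else "; ".join(status.issues))
```

Run against real job logs, the same report gives the evidence an engagement team needs to turn finding 14 from an anecdote into a measured exposure, and a defined RPO gives the threshold that finding 4 says the DRBCP lacks.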
This is an individual project. As a member of an engagement team in charge of performing the incident handling and DR/BC risk assessment for Bank Solutions, you should read the case background and the facts identified in the interviews.
Individual Work: For all of the facts/findings, prepare a written report that lists the condition(s) that present risks to Bank Solutions as well as proposed recommendations for addressing those conditions.
Appendix A
This case was developed solely for class discussion. While the situation described in this case is based on realistic events, Bank Solutions is a fictional organization. Further, the names, product/service offerings, and the names of all individuals in the case are fictional. Any resemblance to actual companies, offerings, or individuals is accidental.
Copyright of Journal of Information Systems Education is the property of Journal of Information Systems
Education and its content may not be copied or emailed to multiple sites or posted to a listserv without the
copyright holder's express written permission. However, users may print, download, or email articles for
individual use.
6/12/2019
Project 2: Case Study—Identify Requirements - CSIA 485 6380 Practical Applications in Cybersecurity Management and Policy (2195) - …
Security, Interoperability, and Operations Issues

Issues (/ 10)
• Excellent (10 points): Identifies at least 10 issues based on the case study.
• Outstanding (8 points): Identifies at least 8 issues based on the case study.
• Acceptable (6 points): Identifies at least 6 issues based on the case study.
• Needs Significant Improvement (3 points): Identifies at least 3 issues based on the case study. The discussion lacked detail and/or was not well supported by information drawn from authoritative sources.
• Missing / Unacceptable (0 points): Doesn't identify any issues based on the case study.

Relationship (/ 12)
• Excellent (12 points): Clearly describes and relates issues to security, interoperability and operations.
• Outstanding (9 points): Basically describes and relates issues to security, interoperability and operations.
• Acceptable (6 points): Weakly describes and relates issues to security, interoperability and operations.
• Needs Significant Improvement (3 points): Little description of issues or relation of them to security, interoperability and operations. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): No description or relationship of issues to security, interoperability and operations.
Requirements

Prioritization (/ 12)
• Excellent (12 points): Clearly prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
• Outstanding (9 points): Basically prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
• Acceptable (6 points): Weakly prioritizes and articulates the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
• Needs Significant Improvement (3 points): Little prioritization or articulation of the issues as requirements based on immediate need, security posture, complexity, resource availability and cost. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): No prioritization or articulation of the issues as requirements based on immediate need, security posture, complexity, resource availability and cost.
Applicable Regulations and Standards

ID Applicable Government Documents (/ 5)
• Excellent (5 points): Identifies at least 4 government regulations and standards.
• Outstanding (4 points): Identifies at least 3 government regulations and standards.
• Acceptable (2 points): Identifies at least 2 government regulations and standards.
• Needs Significant Improvement (1 point): Identifies at least 1 government regulation or standard. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): No government regulations or standards identified.

Rationale Used (/ 12)
• Excellent (12 points): Clearly identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Must provide the rationale for selecting the documents.
• Outstanding (9 points): Basically identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Must provide the rationale for selecting the documents.
• Acceptable (6 points): Weakly identifies applicable government regulations and standards that govern how the requirements must be met, implemented or measured. May provide the rationale for selecting the documents.
• Needs Significant Improvement (3 points): Little identification of applicable government regulations and standards that govern how the requirements must be met, implemented or measured. May provide some rationale for selecting the documents. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): Doesn't identify any applicable government regulations and standards that govern how the requirements must be met, implemented or measured. Doesn't provide the rationale for selecting the documents.

Cites Regulations and Standards (/ 5)
• Excellent (5 points): Clearly cites all government regulations and standards used.
• Outstanding (4 points): Basically cites all but 1 government regulation or standard used.
• Acceptable (2 points): Cites all but 2 government regulations or standards used.
• Needs Significant Improvement (1 point): Cites just 1 government regulation or standard used. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): Doesn't cite any government regulations or standards.
Controls

Defines Controls (/ 12)
• Excellent (12 points): Identifies at least 4 appropriate NIST controls and links them to each issue using logic.
• Outstanding (9 points): Identifies at least 3 appropriate NIST controls and links them to each issue using logic.
• Acceptable (6 points): Identifies at least 2 appropriate NIST controls and links them to each issue using logic.
• Needs Significant Improvement (3 points): Identifies at least 1 appropriate NIST control and links it to each issue using logic. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): Doesn't identify any appropriate NIST controls or link them to the issue using logic.

Rationale for Control (/ 12)
• Excellent (12 points): Clear and detailed rationale as to how those controls mitigate the risk identified.
• Outstanding (9 points): Basic description of rationale as to how those controls mitigate the risk identified.
• Acceptable (6 points): Weak description of rationale as to how those controls mitigate the risk identified.
• Needs Significant Improvement (3 points): Little description and rationale as to how those controls mitigate the risk identified. (Or, inappropriate or excessive copying from other authors' work.)
• Missing / Unacceptable (0 points): No description or rationale as to how those controls mitigate the risk identified.
Finds and Applies Knowledge

Use of Authoritative Sources (/ 5)
• Excellent (5 points): Cited and used at least 5 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
• Outstanding (4 points): Cited and used at least 3 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
• Acceptable (2 points): Cited and used at least 2 authoritative or scholarly sources in paper. One must be NIST SP 800-53.
• Needs Significant Improvement (1 point): Cited and used at least 1 authoritative or scholarly source in paper.
• Missing / Unacceptable (0 points): No authoritative or scholarly sources used in paper. NIST SP 800-53 not mentioned.

Citation of Sources (/ 5)
• Excellent (5 points): Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. Reference list entries and in-text citations are consistently and correctly formatted using an appropriate citation style (APA, MLA, etc.).
• Outstanding (4 points): Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. One or two inconsistencies or errors in format for in-text citations and/or reference list entries.
• Acceptable (2 points): Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. No more than 5 inconsistencies or errors in format for in-text citations and/or reference list entries.
• Needs Significant Improvement (1 point): Work attempts to credit sources but demonstrates a fundamental failure to understand and/or consistently apply a professional formatting style for the reference list and/or citations.
• Missing / Unacceptable (0 points): Reference list is missing. Work demonstrates an overall failure to incorporate and/or credit authoritative sources for information used in the paper.
Organization, Execution and Appearance

Formatting (/ 5)
• Excellent (5 points): Prepared MS Word document, used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
• Outstanding (4 points): MS Word document didn't follow up to two (2) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
• Acceptable (2 points): MS Word document didn't follow up to four (4) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
• Needs Significant Improvement (1 point): MS Word document followed only one (1) of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.
• Missing / Unacceptable (0 points): Non-MS Word document, or didn't follow any of the following: used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count.

Grammar and Punctuation (/ 5)
• Excellent (5 points): No grammar, use of first/second person, spelling or punctuation errors.
• Outstanding (4 points): Less than 5 grammar errors, use of first/second person, spelling or punctuation errors.
• Acceptable (2 points): Less than 10 grammar errors, use of first/second person, spelling or punctuation errors.
• Needs Significant Improvement (1 point): Less than 15 grammar errors, use of first/second person, spelling or punctuation errors.
• Missing / Unacceptable (0 points): More than 15 grammar errors, use of first/second person, spelling or punctuation errors.

Total: / 100