Risk Management at PridePoint Bank
Caselet #3:
Risk Response and Mitigation
Disclaimer
ISACA has designed and created the Risk Management at PridePoint Bank series (the ‘Work’) primarily as an
educational resource for educational professionals. ISACA makes no claim that use of any of the Work will
assure a successful outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to
obtaining the same results. In determining the propriety of any specific information, procedure or test, security
governance and assurance professionals should apply their own professional judgement to the specific
circumstances presented by the particular systems or information technology environment.
The example companies, organisations, products, domain names, email addresses, logos, people, places and
events depicted herein are fictitious. No association with any real company, organisation, product, domain
name, email address, logo, person, place or event is intended or should be inferred.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Reservation of Rights
© 2015 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorisation of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the material’s
source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/risk-management
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgements
Author
James C. Samans, CISA, CISM, CRISC, CISSP-ISSEP, CIPT, PMP, XENSHA LLC, USA
Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany
Academic Program Subcommittee
Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, Ph.D., AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA
Student Book
This caselet was developed to support the Risk Management Student Book: www.isaca.org/risk-management
Introduction
Questions addressed: What is risk management? What is risk response? How does it benefit an enterprise?
Risk management refers to the co-ordinated activities taken by
an enterprise to direct and control activities pertaining to risk.
Risk management is an active process, not simply a form of
elaborate observation.
o ‘Control’, when used as a verb in the context of risk
management, is often used as a synonym for ‘measure’.
o However, the results of measurement must be used as the
basis for directing actions and activities.
Comprehensive risk management includes four steps:
1. Identification
2. Assessment
3. Mitigation (response)
4. Ongoing monitoring and reporting
Risk is commonly defined as the combination of the probability of
an event and its consequence.
Risk response encompasses the four ways in which an
enterprise addresses risk:
o Mitigation, or actions taken to reduce the likelihood and/or
impact of risk
o Transfer, or sharing the consequences of a particular risk
o Acceptance, meaning no action is taken relative to a
particular risk and loss is accepted if it occurs
o Avoidance, in which the enterprise actively ends a line of
activity for which it cannot adequately manage risk
Which of these is appropriate depends on cost.
The instinctive response to risk management is to deploy controls
to mitigate the risk—especially for IT risk.
However, responding to every risk with mitigation can be a flawed
strategy.
o Deploying a control may cost more than the maximum
consequences.
o It may be possible to control the maximum consequences by
sharing risk at lower cost than mitigation.
o Some risk cannot be reduced to the point of tolerance even
with multiple controls.
A formalised risk-response methodology helps decision makers
address risk in ways that are cost-effective.
Agenda
Company Profile – PridePoint Bank
Background Information
Your Role
Executive Guidance
Assessment Findings
Technology Response
Your Tasks
Discussion Questions
Profile of PridePoint Bank
o Mid-sized, publicly traded regional bank
o 2,150 employees and an additional 700 contractors
o Focused on controlling risk as part of its customer retention strategy
Background: Overview
(Background sections: Overview, Org. Structure, Operations, Competition, Business Goals)
PridePoint is the dominant bank across three states with 92
branch locations.
o Total assets of $3.6 billion
o Non-interest income is 19.2% of total revenue
o 84.1% loan-to-deposit ratio
o Customers include both individual consumers and
regionally established businesses.
o Largest business customers average revenues in
excess of $57 million per year.
PridePoint processes approximately $8 million in
transactions on a given day.
Background: Organisational Structure
PridePoint has a five-person board of directors with a nonexecutive chairman.
The chief executive officer (CEO) has three direct reports:
o Chief financial officer (CFO)
o Chief operating officer (COO)
o Senior Vice President (SVP) of Administration
Technology Operations and Information Security report to the COO through the chief
information officer (CIO).
Facilities and Physical Security report to the SVP, Administration through Human Resources.
Procurement oversees contractors and reports to the CFO.
Operational Risk and Internal Audit report to the CFO.
Background: Organisational Structure
Figure: organisational chart. Boxes shown: CEO; COO; CIO; Technology Infrastructure; Network
Operations; Consumer Banking; Information Security; Disaster Recovery; SVP, Administration; CFO;
Commercial Banking; Procurement; Internal Audit; Finance; Accounting; Operational Risk; Legal;
Physical Security; HR; Compliance; Facilities. Reporting lines are as described on the preceding slide.
Background: Operations
The board of directors has made risk management a priority
since the bank was taken public.
Within the technology arena, a third-party consulting firm was
engaged to carry out this risk assessment.
The assessment took into account the particular nature of
PridePoint’s network:
o The network is divided into two zones (A and B), with all
Internet traffic traversing the Zone A security perimeter.
o Zone A uses physical servers and has dual data centres in
a hot-site configuration, located 20 miles apart.
o Zone B uses virtual servers in a single data centre.
o Leased capacity is available 100 miles away for restoration
of Zone B from backup by third-party contractors.
o Approximately 75% of all customers are served by Zone A.
Network Diagram
Figure: network diagram. Labels shown: Bank Branches, Internet and ATMs; Zone A with Perimeter Suite 1
and Perimeter Suite 2; Data Centre 1 (Zone A: Primary) and Data Centre 2 (Zone A: Secondary), marked
20 miles apart; Data Centre 3 (Zone B), marked 50 miles; Leased Capacity, marked 100 miles from Zone B.
Background: Competition
Miners Bank is PridePoint’s largest competitor:
o Privately held
o 57 branches
o Total assets of $2.6 billion
Miners recently unveiled a marketing message that
customers’ money is safer with a privately held bank.
o Specifically, the Miners message is that larger banks are
too focused on short-term profits and take excessive risk.
The marketing undertaken by Miners Bank has not yet
resulted in significant losses of existing accounts.
Background: Business Goals
Recent scandals regarding compromised credit card numbers
at major retailers have the board concerned.
o Most PridePoint account holders began their banking
experience with one of the pre-merger banks and are still
evaluating what the merger means for them.
Independent surveys suggest that a data breach could result
in a loss of up to one-third of daily banking activity.
o Interestingly, the same survey shows substantial
tolerance for service interruptions if no data is lost.
The CEO has indicated that resources will be made available
for risk management as needed.
The enterprise risk appetite is $3 million, with a tolerance of
$1 million.
Your Role
Experience:
o Two years of experience in risk assessment
o Two years of previous experience in information technology
Credentials:
o Bachelor’s degree in Information Systems
o CRISC certification
As an Operational Risk Specialist, you have
been assigned to help the CIO develop a risk
response strategy.
Technology Operations and Information Security
staff will be available to answer technical
questions and provide clarification.
You:
o Will present your recommendations jointly to
the CIO and CFO
o May be asked to explain your reasoning
o Are encouraged to use your judgement
Final decisions regarding risk response will be
made at the executive level.
Executive Guidance
Everyone agrees that:
o Risk needs to be managed
o The XYZZY risk assessment is reliable
The CIO has provided you with proposals from the technical staff regarding ways to
mitigate the risk identified in the assessment.
The CFO is concerned that the commitment of the CEO to make resources available
for risk response may prompt a ‘wish list’ mentality.
Additionally, the CFO has recently obtained a proposal for business interruption
insurance, which:
o Is payable during a disruption that results in a loss of business processes
o Replaces a specified amount of revenue per day, up to a maximum of $10 million
o Has an annual premium equal to 10% of the selected daily replacement amount
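The following is an added worked example, not part of the ISACA caselet and not its answer key. It puts the introduction’s cost-based choice among the four responses (mitigate, transfer, accept, avoid) into code, using the insurance terms above (annual premium of 10% of the chosen daily replacement amount; payout of that amount per day of disruption, capped at $10 million) and the appetite ($3 million) and tolerance ($1 million) stated under Business Goals. Every risk name, likelihood, consequence, outage duration and control cost in it is a constructed placeholder. Two assumptions are made and labelled in the code: control costs are treated as annualised, and the acceptable residual worst-case loss is read as appetite plus tolerance.

```python
"""Cost-based comparison of risk responses (added example, not ISACA's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREMIUM_RATE = 0.10          # annual premium as a share of the daily amount (caselet)
PAYOUT_CAP = 10_000_000      # maximum insurance payout in dollars (caselet)
RISK_APPETITE = 3_000_000    # enterprise risk appetite in dollars (caselet)
RISK_TOLERANCE = 1_000_000   # tolerance in dollars (caselet)
# Assumption: a residual worst-case loss is acceptable if it does not exceed
# appetite plus tolerance.
EXPOSURE_LIMIT = RISK_APPETITE + RISK_TOLERANCE


@dataclass
class Risk:
    name: str
    likelihood: float      # annual probability of the threat event (constructed)
    consequence: float     # maximum loss per occurrence in dollars (constructed)
    outage_days: int = 0   # days of business interruption per occurrence


@dataclass
class Mitigation:
    cost: float                  # cost of the control; assumption: annualised
    residual_likelihood: float   # likelihood once the control is in place
    residual_consequence: float  # maximum loss once the control is in place


def expected_loss(likelihood: float, consequence: float) -> float:
    """Annualised loss expectancy: probability of the event times its consequence."""
    return likelihood * consequence


def insurance_premium(daily_amount: float) -> float:
    """Annual premium for the business interruption policy described in the caselet."""
    return PREMIUM_RATE * daily_amount


def insurance_payout(daily_amount: float, outage_days: int) -> float:
    """Revenue replaced for a disruption of the given length, subject to the cap."""
    return min(daily_amount * outage_days, PAYOUT_CAP)


def is_cost_effective(risk: Risk, mitigation: Mitigation) -> bool:
    """A control that costs more than the maximum consequence it addresses is rejected."""
    return mitigation.cost <= risk.consequence


def response_options(risk: Risk, mitigation: Optional[Mitigation] = None,
                     daily_amount: Optional[float] = None) -> Dict[str, Tuple[float, float]]:
    """Map each available response to (annualised cost, residual maximum loss)."""
    options = {"accept": (expected_loss(risk.likelihood, risk.consequence), risk.consequence)}
    if mitigation is not None and is_cost_effective(risk, mitigation):
        residual = expected_loss(mitigation.residual_likelihood, mitigation.residual_consequence)
        options["mitigate"] = (mitigation.cost + residual, mitigation.residual_consequence)
    if daily_amount is not None and risk.outage_days > 0:
        # Transfer: the policy absorbs the covered days; the rest stays with the bank.
        uncovered = max(0.0, risk.consequence - insurance_payout(daily_amount, risk.outage_days))
        premium = insurance_premium(daily_amount)
        options["transfer"] = (premium + expected_loss(risk.likelihood, uncovered), uncovered)
    return options


def recommend(options: Dict[str, Tuple[float, float]], limit: float = EXPOSURE_LIMIT) -> str:
    """Cheapest response whose residual worst case stays within the limit;
    if none qualifies, avoidance is the only response left."""
    within = {name: cost for name, (cost, residual) in options.items() if residual <= limit}
    if not within:
        return "avoid"
    return min(within, key=within.get)


def sample_recommendations() -> Dict[str, str]:
    """Run the comparison over constructed sample risks (not the caselet's figures)."""
    regional = Risk("regional outage", likelihood=0.02, consequence=6_000_000, outage_days=5)
    cooling = Risk("loss of cooling", likelihood=0.2, consequence=500_000, outage_days=1)
    wrong_system = Risk("transaction on wrong system", likelihood=0.5, consequence=40_000)
    uncontrolled = Risk("uninsurable regional loss", likelihood=0.1, consequence=9_000_000)
    return {
        # control costs more than the maximum consequence, so only transfer or accept remain
        regional.name: recommend(response_options(
            regional, Mitigation(8_000_000, 0.005, 6_000_000), daily_amount=1_000_000)),
        cooling.name: recommend(response_options(cooling, Mitigation(50_000, 0.02, 500_000))),
        wrong_system.name: recommend(response_options(
            wrong_system, Mitigation(30_000, 0.05, 40_000))),
        uncontrolled.name: recommend(response_options(uncontrolled)),
    }


if __name__ == "__main__":
    for name, response in sample_recommendations().items():
        print(f"{name}: {response}")
```

Running it yields transfer for the regional outage (the $8 million control exceeds the $6 million worst case and is screened out, while a $1 million daily policy leaves only $1 million uncovered), mitigate for the cooling loss, accept for the low-value transaction error, and avoid for the risk that neither a control nor the policy can bring within the limit.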
Assessment Findings
Introduction
As directed by the scope of work
established between PridePoint Bank and
XYZZY Consulting, this risk assessment
addresses only that risk previously
identified by PridePoint within the scope of
its technology functions and processes.
Additionally, XYZZY conducted this
assessment based on technical
information provided by PridePoint, not an
independent verification and validation
activity.
This assessment presents its findings
ranked in order of most to least significant
according to the best estimates of XYZZY
based on the limitations disclosed above.
Assessment Findings: Risk 1 of 8 (Rating: HIGH)
Category: Architecture
Threat Event: Regional event affecting connectivity and/or power
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Easy. Immediate and widespread physical evidence.
Vulnerability: Zone A data centres are co-located within one region.
Consequence(s): Enterprise operations are shut down indefinitely across both zones.
Rating Explanation: Because all Internet traffic flows through the Zone A perimeter, both zones and all
connectivity to branches and ATMs cease with the loss of the Zone A data centres, and the outage would
continue until their return to service. It may be irrecoverable were the nature of the event to destroy
data, leave staff unable to travel to a recovery site, or both.
Assessment Findings: Risk 2 of 8 (Rating: HIGH)
Category: Environmental
Threat Event: Loss of cooling capacity within a data centre
Target: Physical or IT Infrastructure: Data Centre 3
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Physical evidence eventually apparent. Environmental monitoring unknown.
Vulnerability: Zone B cannot sustain data centre loss without service interruption.
Consequence(s): Processes needing Zone B systems are interrupted for up to 12 hours.
Rating Explanation: Zone A and B services are entirely distinct, and customers reliant upon Zone B
cannot carry out transactions during recovery. The Zone B DRP is stated to take up to 12 hours to
complete, with recovery carried out by third-party contractors using capacity leased at an out-of-region
site.
Assessment Findings: Risk 3 of 8 (Rating: HIGH)
Category: Logical Attacks
Threat Event: External parties direct cyberattacks against the network.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Difficult due to false positive IDS alarms and lack of internal detection
Vulnerability: Perimeter defences are not configured for defence-in-depth.
Consequence(s): Services are impacted or data is lost. Confidence among customers and shareholders is
eroded.
Rating Explanation: PridePoint has a robust security perimeter, but any single line of security can
eventually be compromised, and the bank lacks not only the strategic depth needed to delay an initially
successful intrusion but also the ability to reasonably notice that an attack is underway.
Assessment Findings: Risk 4 of 8 (Rating: MODERATE)
Category: Information
Threat Event: Customer data accessed without permission.
Target: Information
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls.
Vulnerability: Third-party contractors empowered to complete Zone B recovery have administrator
credentials.
Consequence(s): Customers incur losses that are passed to the bank. Confidence and market share are lost.
Rating Explanation: PridePoint has no visibility into the internal risk processes of the third-party
contractor from which it leases out-of-region recovery capacity for Zone B, such as governance,
monitoring or segregation of duties.
Assessment Findings: Risk 5 of 8 (Rating: MODERATE)
Category: Program/Project Life Cycle Management
Threat Event: IT projects cost more or take longer than planned.
Target: People and Skills, Process
IT Risk Category: Project Delivery
Detection Difficulty: Project management proficiency unknown.
Vulnerability: IT organisation has not executed any significant projects in more than one year.
Consequence(s): Necessary projects are cancelled or delayed. Opportunities for improved service are lost.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may
experience cost overruns of up to 50% and substantial delays in completion.
Assessment Findings: Risk 6 of 8 (Rating: MODERATE)
Category: Architecture
Threat Event: Consolidation into a single-zone network.
Target: Physical Infrastructure, IT Infrastructure
IT Risk Category: Benefit/Value, Project Delivery
Detection Difficulty: Project management proficiency unknown. Value dependent upon target state.
Vulnerability: Data centres use different architectures, and some applications exist in multiple
instances.
Consequence(s): Missteps lead to cost overruns or yield inadequate value.
Rating Explanation: Enterprises that initiate new IT projects without project management experience may
experience cost overruns of up to 50% and substantial delays in completion.
Assessment Findings: Risk 7 of 8 (Rating: MODERATE)
Category: IT Expertise and Skills
Threat Event: Key knowledge lost due to employee departures.
Target: Applications, IT Infrastructure
IT Risk Category: Operations/Service
Detection Difficulty: Moderate. Who is key is not always evident.
Vulnerability: Deep cuts in staffing cause employees to look for other opportunities.
Consequence(s): Maintaining existing systems becomes more costly or difficult.
Rating Explanation: The current PridePoint architecture is diverse and complex, requiring several
different types of specialised expertise to be kept operational, while a combination of technical
stagnation and staff reductions makes it more likely that people possessing such expertise are looking
for other opportunities. This combination sets the stage for loss of vital skills.
Assessment Findings: Risk 8 of 8 (Rating: LOW)
Category: Staff Operations
Threat Event: Data transaction processed on wrong system.
Target: Information, Applications
IT Risk Category: Operations/Service
Detection Difficulty: Difficult. No known internal controls in place.
Vulnerability: Identical applications exist in unrelated instances on each zone.
Consequence(s): Active and backup data lose integrity. Effects are multiplied across processes.
Rating Explanation: PridePoint has transaction logs that can be used to back out erroneous transactions,
although manual reversion may be time-consuming. The odds of any one error are moderate, but each case
is distinct: one error does not suggest a greater likelihood of another.
Technology Response (proposed mitigation and estimated cost for each risk)
Risk 1: ‘Swap’ the roles of Data Centres 1 and 3; relocate Perimeter Suite 1 to maintain its co-existence
with the new Data Centre 1 location. Estimated cost: see note below.
Risk 2: Install environmental sensors and establish active monitoring. Distribute Zone B virtual servers
across all three data centres. Estimated cost: $8 million.
Risk 3: Engage a contractor to tune the IDS sensors and eliminate false positives. Build a 24x7 position
dedicated to alarm and log review. Estimated cost: $1 million.
Risk 4: Leased capacity unnecessary after completing Mitigation #2. Estimated cost: no extra cost.
Risk 5: Send IT managers to project-management training. Estimated cost: $20K.
Risk 6: Included within the scope of Mitigation #5. Estimated cost: no extra cost.
Risk 7: Offer retention bonuses in exchange for a five-year commitment. Estimated cost: $2 million.
Risk 8: Eliminate multiple instances by consolidating enterprise customer accounts and data into Zone A.
Eliminate Zone B. Estimated cost: see note below.
Note: the table’s two remaining cost figures, $21 million and $14 million, belong to Risks 1 and 8; the
extracted text does not preserve which figure belongs to which row.
Your Tasks
1. Estimate the cost associated with the consequences of each risk included in the
scope of the risk assessment.
2. Using your estimates regarding the cost of consequences for each risk, identify
any technology proposals that are not cost-effective.
3. Evaluate the technology proposals that appear to be cost-effective to identify any
that may not be technically effective.
4. Drawing on the results of these tasks, decide on your recommended response to
each of the eight identified instances of risk.
Discussion Questions
1. This caselet presented consequences that all had clear financial impacts. How
might the consequences have been treated differently if they included death,
injury or negative publicity?
2. The proposed IT mitigation to Risk #8—consolidation into a single zone—was
eliminated as cost-ineffective. Does that mean that it is not a good idea?
The attached caselet contains the company profile, background information, issues and tasks for
discussion. Students play the role of an Operational Risk Specialist for PridePoint Bank, a mid-sized,
publicly traded bank that is focused on controlling risk to retain customers.
answering questions 1-3 inclusive under ‘Your Tasks’ on Page 30 of the Caselet.
In your Word document, please repeat each Your Task question and number each question accordingly.
Your answer to each Your Task question should be well thought out and supported with a detailed
analysis, with references either to the case itself or to external resources you deem appropriate to
answer each of the Discussion Questions. Your response should be double-spaced, Times New Roman,
12-point font. My expectation is that your response to each Discussion Question should be at least a
full page in length (including the Discussion Question itself), or at least 3 pages in total, again
double-spaced. The 3 pages exclude any title page or reference page.