Financial Services Security Case Studies & Forensics Analysis

The IT organization of Bank (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboot for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.

There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of banking services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical banking infrastructure; otherwise, banking operations could have suffered a total systemic failure.

In the marketplace, relatively smaller banks were recording better performance and were perceived as more reputable than Bank. Within the bank, the business executives did not trust IT’s ability to effectively and efficiently support business objectives, and IT was obviously overwhelmed with the challenges.

A turning point came when the chief executive officer (CEO) was stranded in the US on a business trip. His debit card did not work for the entire three days that he was away, nor did those of the other senior executives who had accompanied him. Unfortunately, it was the policy of the bank that middle to senior management staff were not permitted to hold bank accounts with other financial institutions; thus, they were stranded with little means to help themselves.

On return, the CEO initiated a process that resulted in the hiring of a chief information officer (CIO)—a very experienced CIO. His objectives were very clear:

  • Stabilize the IT organization to effectively and efficiently support the business objectives.

  • Minimize business disruptions caused by unplanned IT operations.

  • Justify every further investment in IT.

The CIO commenced meetings with new and existing consultants of the organization, the outcome of which culminated in the selection of COBIT 4.1 as the most rounded approach to achieving the desired outcomes. Additionally, the project was bundled with a security assessment exercise.

The CEO was clear on the results he desired and why he had hired a CIO, so he was taken by surprise when, after committing to give whatever was required as a sign of support, the first thing the CIO asked for was his active participation in the transformational changes in the IT organization. The lesson was: Active and sustained senior management commitment is very important for the successful implementation of the desired organizational changes.

The Assessment

The project kicked off with interview sessions to clearly document senior business management’s view and expectations of IT, followed by similar sessions with the CIO and IT management to capture IT goals and a view of the IT organization. These were documented using the COBIT 4.1 Implementation Tool Kit.

Following the determination of business and IT goals, the core of the gap assessment exercise commenced. The focus was on the 34 processes, not on the 210 controls. Several interviews and process review sessions then followed, from Plan and Organize (PO) all the way to Monitor and Evaluate (ME), although not necessarily in order, as sessions were scheduled based on available resources.

Process Spotlight: Assess and Manage IT Risks

A good example was the risk management process (PO9), which was assessed as nonexistent, even though there was an operational risk (Ops Risk) department in place with well-developed financial risk management practices around credit, loans, etc. The issues found included:

  • No risk assessment framework in place

  • No definition of impact ratings or probability ratings

  • No risk rankings

  • No periodic risk assessment exercises as part of the organizational culture. IT managers generally used high, medium and low informally in approval memos.

In line with the COBIT guidelines, the first line of action to address these issues was to review the available options for risk management frameworks (for ease of standardization). The NIST Risk Management Framework was identified and readily adopted.

The organization focused on the primary goals of confidentiality, integrity and availability as well as one important secondary goal: reliability.

Within four weeks, the organization had concluded a comprehensive risk assessment exercise, had a clear view into the organization’s information risk posture and had easily adopted the parameters used by the Ops Risk department. Risk management started influencing change management and information security controls implementation (two high-risk areas identified during the risk assessment exercise).

The assessment resulted in implementation of some quick-win initiatives, starting with instituting and enforcing a formalized change management process (COBIT 4.1 AI6) to move from maturity level 3 to maturity level 4.

Measurements and metrics were set and business units were mandated to be formally involved in the change management process.

The business units immediately felt some benefits. The resulting change accountability and communication made the business even more interested in other COBIT initiatives. And, the business unit heads felt a great deal of ownership, as the changes were occurring only with their consent.

By the time the exercise was concluded, the enterprise had good insight into its maturity for all 34 COBIT processes plotted against short- and long-term goals.


Observations and Recommendations

It was a little challenging to get the noncore IT areas (e.g., procurement, financial control [responsible for budget], human resources [HR]) to understand the importance of their functions to the success of the IT organization. Within the Manage IT human resources process, HR, as a case in point, did not consider IT resource career paths and training requirements important enough; hence, IT training was often cancelled for cost savings or resource demands. This disconnect initially extended to the COBIT implementation exercise, and it required some escalation to the CIO to get HR to cooperate with the assessment exercise.

Prioritizing and Plans of Action

Once the assessment exercise was concluded, the enterprise set out to commence remediation initiatives. Activities were prioritized according to three categories:

  • Quick wins—Achievable within one month and with minimal/no budgetary implications

  • Key business goal initiatives—Initiatives aligned with the achievement of the rated business goals.

  • Other gap items—All other gap items that could be delayed until completion of those items in categories 1 and 2.

Monitoring and Measuring

Responsible, Accountable, Consulted and Informed (RACI) charts were developed for all 34 processes, and the CIO was not willing to accept excuses for noncompliance to newly developed practices. Metrics and measurements were evolving and these were aligned with performance metrics and appraisal systems for the entire IT organization.

Initiatives such as updating scorecards to reflect performance metrics and IT organizational key performance indicators (KPIs), as well as rewards and sanctions, were key to getting operational staff to accept the cultural changes that came with the remediation activities.

Within 18 months, the results were clearly visible; as such, it was not difficult for X-Bank to achieve ISO 27001 certification status shortly thereafter (though as a separate initiative).
