T11-Caselet-4-Risk-and-Control-Monitoring-and-Reporting For Students

This document discusses risk management and monitoring at PridePoint Bank. It provides background on the bank, including its organizational structure, operations, competition, and business goals. It also outlines the reader's role and tasks related to risk monitoring and reporting.

Risk Management at PridePoint Bank

Caselet #4:
Risk and Control Monitoring and Reporting
Disclaimer
ISACA has designed and created the Risk Management at PridePoint Bank series (the ‘Work’) primarily as an
educational resource for educational professionals. ISACA makes no claim that use of any of the Work will
assure a successful outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to
obtaining the same results. In determining the propriety of any specific information, procedure or test, security
governance and assurance professionals should apply their own professional judgement to the specific
circumstances presented by the particular systems or information technology environment.

The example companies, organisations, products, domain names, email addresses, logos, people, places and
events depicted herein are fictitious. No association with any real company, organisation, product, domain
name, email address, logo, person, place or event is intended or should be inferred.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Reservation of Rights
© 2015 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorisation of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the material’s
source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/risk-management


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgments
Author
James C. Samans, CISA, CISM, CRISC, CISSP-ISSEP, CIPT, PMP, XENSHA LLC, USA

Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Academic Program Subcommittee


Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, Ph.D., AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA
Student Book
This caselet was developed to support the Risk Management Student Book: www.isaca.org/risk-management
Introduction
What is risk management?
§ Risk management refers to the co-ordinated activities taken by an enterprise to direct and control activities pertaining to risk.
§ Risk management is an active process, not simply a form of elaborate observation.
o ‘Control’, when used as a verb in the context of risk management, is often used as a synonym for ‘measure’.
o However, the results of measurement must be used as the basis for directing actions and activities.
§ Comprehensive risk management includes four steps:
1. Identification
2. Assessment
3. Mitigation (response)
4. Ongoing monitoring and reporting
Introduction
What is risk reporting?
§ Risk reporting provides awareness of current risk and risk trends and enables the making of informed decisions.
§ To be effective, risk reports should be:
o Clear and concise
o Timely
o Useful
o Designed for the correct target audience
• Different audiences typically require different levels of detail.
o Available on a need-to-know basis
§ Risk monitoring is established in order to gather the information needed for effective risk reporting.
o Monitoring determines how well controls established by the risk response process are controlling risk.
Introduction
How does it benefit an enterprise?
§ Risk reporting enables all aspects of enterprise risk management and governance.
§ With effective risk reporting:
o Directors can maintain oversight and enforce accountability.
o Executives can set and adjust course to better align with the enterprise risk appetite and tolerance.
o Managers can evaluate and approve projects with a better understanding of potential pitfalls.
o Business professionals can create better continuity plans and promote enterprise resiliency.
o Technical professionals can develop better mitigation strategies tailored to specific threats and vulnerabilities.
o Regulators and external auditors can more rapidly and easily confirm that requirements are being met.
Agenda
§ Company Profile – PridePoint Bank
§ Background Information
§ Your Role
§ Risks and Indicators
§ Your Tasks
§ Discussion Questions
Profile of PridePoint Bank
§ Mid-sized, publicly traded regional bank
§ 2,250 employees and an additional 750 contractors
§ Committed to controlling risk as part of its growth strategy
Background: Overview
§ PridePoint is the dominant bank across three states with 95 branch locations.
o Total assets of $3.8 billion
o Non-interest income is 21.4% of total revenue
o 89.3% loan-to-deposit ratio
o Customers include both individual consumers and regionally established businesses.
o Largest business customers average revenues in excess of $61 million per year.
§ PridePoint processes approximately $8 million in transactions on a given day.
Background: Organisational Structure
§ PridePoint has a five-person board of directors with a non-executive chairman.
§ The chief executive officer (CEO) has three direct reports:
o Chief financial officer (CFO)
o Chief operating officer (COO)
o Senior vice president (SVP) of Administration
§ Technology Operations and Information Security report to the COO through the chief information officer (CIO).
§ Facilities and Physical Security report to the SVP, Administration through Human Resources.
§ Procurement oversees contractors and reports to the CFO.
§ Operational Risk and Internal Audit report to the CFO.
Background: Organisational Structure (organisation chart)

CEO
  COO
    Consumer Banking
    Commercial Banking
    CIO
      Technology Infrastructure
        Network Operations
        Disaster Recovery
      Information Security
  CFO
    Finance
      Accounting
    Legal
    Procurement
    Internal Audit
    Operational Risk
  SVP, Administration
    HR
      Physical Security
      Facilities
    Compliance
Background: Operations
§ The board of directors has made risk management a priority since the bank was taken public.
§ A third-party consulting firm performed a risk assessment, which was then used as the basis for response planning.
§ The recommended risk responses were implemented and led to substantive changes to PridePoint’s network architecture:
o The network is divided into two logical zones (A and B) and has a total of three data centres.
o Zone A uses physical servers in a hot-site configuration across two data centres, which are located 80 miles apart.
o Each Zone A data centre hosts a perimeter suite, and all data centres have internal detection controls in place.
o Zone B uses virtual servers distributed across all data centres for redundancy. Third-party contractors are eliminated.
Perimeter Suite Configuration
§ Each perimeter suite includes a:
o Perimeter Router
o Firewall, with:
• Proxy
• Mail Gateway
o Network IDS

Traffic path shown in the slide diagram: Internet → Perimeter Router → Firewall (with Mail Proxy) → IDS → Internal Network
Background: Competition
§ Miners Bank is PridePoint’s largest competitor:
o Privately held
o 53 branches
o Total assets of $2.3 billion
§ Miners has steadily lost market share to PridePoint over the last 18 months.
o PridePoint has had no problems, so a marketing campaign depicting larger banks as riskier has largely fallen flat.
§ Numerous local banks and credit unions exist but are minor players in the market.
o Businesses, in particular, favour PridePoint over its competitors.
Background: Business Goals
§ The board of directors is enthusiastic.
o Directors have been pleased with the results of recently completed risk responses.
o The board sees opportunities for continued growth in business banking.
§ The CEO has been directed by the board to ensure that risk remains within tolerable levels.
o The enterprise risk appetite is $3 million, with a tolerance of $1 million.
§ The CIO has been directed to:
o Provide monthly reports on aggregate risk to the executive operating committee.
o Identify changes in IT risk as early as possible to allow time for appropriate responses.
Your Role
Experience:
§ Three years of InfoSec management
§ Three prior years as an InfoSec analyst
Credentials:
§ Bachelor’s degree in Information Assurance
§ CISM certification

§ As the Director of Information Security, you oversee monitoring capabilities within the IT infrastructure.
§ The perimeter suites monitor traffic crossing to or from the Internet.
o This includes encrypted VPN traffic.
§ Internal detection has been established at each of the three data centres.
o Both network- and host-based detection capabilities have been deployed.
§ A position is staffed to review alarms and logs on a 24x7 basis.
Risk and Indicators
§ The CIO has directed you to monitor three instances of risk:
1. Loss of a data centre to environmental factors (#2)
2. Loss of confidential data to external sources (#3)
3. Cost overruns associated with IT projects (#5)
§ The CIO understands that overseeing costs is not a proper InfoSec function, but a
project currently underway within Technology Operations requires monitoring.
o Successful control of costs for IT projects is important in moving towards eventual
approval of zone consolidation.
o The CIO thinks that independent monitoring will be more credible to external
stakeholders and also allow him more time to make corrections if needed.
§ Each risk is listed in the following slides along with details gathered in the course of
identification, assessment, and response.
Risk Register: Risk #1
Risk Statement: Loss of a data centre to environmental factors
IT Risk Category: [ ] Benefit/Value  [ ] Project Delivery  [x] Operational
Threat: Data centre cooling may fail, resulting in server and system outages.
Vulnerability: No sensors; Zone B limited to Data Centre 3; servers fail at 110°F.
Consequences: Zone A failover (if Data Centre 1); recovery of Zone B (if Data Centre 3).
Risk Response: [ ] Accept  [ ] Transfer  [x] Mitigate  [ ] Avoid
Mitigation: Distributed Zone B servers; installed sensors in all data centres.
Residual Risk: [ ] Low  [x] Medium  [ ] High  [ ] Very High
Risk Indicators:
1. Temperature reads above 75°F (common temp for computers)
2. Temperature changes by +20%
3. Temperature reads above 110°F
Risk Register: Risk #2
Risk Statement: Loss of confidential data to external sources
IT Risk Category: [ ] Benefit/Value  [ ] Project Delivery  [x] Operational
Threat: External parties may launch cyberattacks to access confidential data.
Vulnerability: Perimeter defences lack depth; no IDS tuning or internal detection.
Consequences: Confidential data may be extracted, resulting in loss of customers.
Risk Response: [ ] Accept  [ ] Transfer  [x] Mitigate  [ ] Avoid
Mitigation: Tuned IDS; added internal detection and 24x7 alarm/log monitoring.
Residual Risk: [ ] Low  [x] Medium  [ ] High  [ ] Very High
Risk Indicators:
1. Alarm from host-based IDS at Data Centre 3 (annotation: e.g. lecture theatre)
2. Alarm from network-based IDS in Perimeter Suite 2 (annotation: confidentiality)
3. Perimeter Suite 1 Firewall reports SYN flood packets blocked (annotation: result of too many packets? DDoS – availability)
Risk Register: Risk #3
Risk Statement: IT project cost overruns result in missed opportunities
IT Risk Category: [x] Benefit/Value  [x] Project Delivery  [ ] Operational
Threat: IT projects cost up to 50% more than planned.
Vulnerability: IT lacks experience due to an 18-month project deferment.
Cost of Consequences: Executive approval is withheld for valuable or necessary projects.
Risk Response: [ ] Accept  [ ] Transfer  [x] Mitigate  [ ] Avoid
Mitigation: Begin with small-scale projects; use earned value management.
Residual Risk: [ ] Low  [x] Medium  [ ] High  [ ] Very High
Risk Indicators:
1. 20% of budget is spent with 80% of project completed
2. 50% of budget is spent with 30% of project completed (annotation: consider nature of IT projects?)
3. 2% of the budget is being spent per 1% of the project completed for most activities
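The indicators in the Risk #1 and Risk #3 registers above only become monitoring once someone turns them into checks that run against sensor and project data and feed the CIO's monthly report. The following is an added example of that translation, not code from the ISACA caselet; it assumes the "+20%" change is measured against the previous sensor reading and that indicators 1 and 2 of Risk #3 are read as at-least/at-most regions, since the page does not say.

```python
# Added example (not from the ISACA caselet): evaluate the Risk #1 and Risk #3
# key risk indicators against constructed data and produce report lines.
# Assumptions not stated on the page: the +20% change is measured against the
# previous reading, and Risk #3 indicators 1 and 2 are treated as regions.
from typing import List, Optional

WARM_F = 75.0      # Risk #1 indicator 1: common operating temperature
CHANGE = 0.20      # Risk #1 indicator 2: +20% change between readings
FAIL_F = 110.0     # Risk #1 indicator 3: servers fail above this temperature
BURN_RATIO = 2.0   # Risk #3 indicator 3: 2% of budget per 1% of progress


def temperature_indicators(readings_f: List[float]) -> List[str]:
    """Return the Risk #1 indicators triggered by a time-ordered series of
    Fahrenheit readings from one data centre, in register order."""
    hits = set()
    prev: Optional[float] = None
    for temp in readings_f:
        if temp > WARM_F:
            hits.add("above 75F")
        if temp > FAIL_F:
            hits.add("above 110F")
        if prev is not None and prev > 0 and (temp - prev) / prev > CHANGE:
            hits.add("rose 20%")
        prev = temp
    return [name for name in ("above 75F", "rose 20%", "above 110F") if name in hits]


def cost_indicators(spent_pct: float, complete_pct: float) -> List[str]:
    """Return the Risk #3 indicators matching one project status snapshot
    (percent of budget spent, percent of work complete)."""
    hits = []
    if spent_pct <= 20 and complete_pct >= 80:
        hits.append("20% spent at 80% complete")
    if spent_pct >= 50 and complete_pct <= 30:
        hits.append("50% spent at 30% complete")
    if complete_pct > 0 and spent_pct / complete_pct >= BURN_RATIO:
        hits.append("2% spent per 1% complete")
    return hits


def report_line(risk: str, hits: List[str]) -> str:
    """One line for the CIO's monthly aggregate report."""
    if not hits:
        return f"{risk}: no indicators"
    return f"{risk}: {len(hits)} indicator(s): " + "; ".join(hits)


# Constructed sample data: hourly readings from Data Centre 3 and a project snapshot.
SAMPLE_TEMPS_F = [68.0, 70.0, 72.0, 88.0, 101.0, 112.0]
SAMPLE_PROJECT = (55.0, 25.0)   # budget spent %, work complete %

if __name__ == "__main__":
    print(report_line("Risk #1", temperature_indicators(SAMPLE_TEMPS_F)))
    print(report_line("Risk #3", cost_indicators(*SAMPLE_PROJECT)))
```

Note that a percentage change on a Fahrenheit series depends on the scale's zero point, so in practice the "+20%" rule should be pinned to a unit and a baseline before it is automated.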