International financial institution

A three-year assignment covering many aspects of operational risk design and management for an international financial institution.

The Need for Action

One of the largest financial organisations in the Caribbean, with subsidiaries and branches throughout the region, began the process of replacing its core processing system and implementing the infrastructure and applications needed to transform itself into an e-business. Enhanced security had to be put in place to manage the increased operational risk during the transformation effort. At the same time, other elements of information security (physical, personnel, etc.) needed to be improved.

Our commission was to identify the major exposures, create a prioritised action plan to reduce them, and work with the organisation to implement and then maintain the resulting standards of risk management and security.

Scope of the Assignment

First, we performed a thorough review of all aspects of operational risk management. Where necessary we examined elements of the organization’s defense-in-depth in detail. We considered all of the organization’s assets (information and systems, reputation, potential, people and property) and included all known technical and non-technical threats in our risk analysis.

Subsequently, we assisted in implementing detailed improvements to the organization’s operational risk management documentation, organization, and its IT security.

Our Approach

Information was gathered during the initial assessment phase of the assignment in a number of ways, including:

  • Review of existing documentation relating to operational risk management;
  • Business interviews with a wide cross-section of business managers from all parts
    of the organization using a structured questionnaire;
  • Focus groups;
  • A technical risk evaluation of legacy systems;
  • A risk evaluation of the core processing system; and
  • Penetration testing (focusing on the organization’s existing exposure to the outside world).

Our recommendations were based upon our findings, our experience, our knowledge of the security controls found in other financial organizations, and the baseline security controls laid down in ISO 17799.

The urgent improvements were grouped into five major activities, each with its own discrete security projects:

  • Security/Risk Management Organization;
  • Security Policy, Standards, Codes of Practice;
  • Security Awareness Programme;
  • IT Security (LAN Management Strategy, e-Business Security Strategy and implementation of cryptographic mechanisms to protect sensitive assets); and
  • Security “Quick Wins”.

Subsequently we worked with the institution to implement many of these recommendations.

Risk Management Organization

We identified and then established an appropriate Operational Risk organisation throughout the institution, comprising three elements:

  • Specialist Operational Risk managers and staff to provide a centre of excellence;
  • “Operational Risk Controllers” – non-specialist business representatives to create a
    “network” throughout the organisation; and
  • Audit.

In addition, we established a Steering Committee (and an associated Working Group) to
direct activities and to further the cause of Operational Risk throughout the organisation.

Security Policy, Standards, Codes of Practice

We were tasked with producing a comprehensive Operational Risk Manual.  We did this in a number of stages:

  • We prepared a first draft, based on example documents, incorporating and superseding existing publications and documentation as appropriate, and complying with the principles of BS 7799 “Code of Practice for Information Security Management” and its ISO equivalent, ISO 17799; and
  • We sought validation, suggestions and amendments from a range of relevant business managers throughout the organisation and incorporated them into the first draft.

The manual superseded a number of existing publications and documents and included updated versions of existing manuals. Detailed IT security technical policies were added to it as each was refined and accepted into use.

IT Security Projects

We were tasked with developing three key aspects of IT Security for the production systems, taking into account the institution’s technology choices:

  • Security policies and procedures;
  • Network security architecture; and
  • Remote access, access control, and encryption of data.

This work fell into five main areas of activity:

  • Network Security Architecture;
  • Access Control policies and procedures;
  • Monitoring;
  • Remote Access Strategy; and
  • Internet Facing Strategy.

We used a “Defense-in-Depth” model to develop the IT Security strategy: layering protection so that no single control is relied upon, and employing mechanisms such as firewalls, intrusion detection, virus scanners, encryption, network segmentation, and host and application access controls. The model assumes that any given layer may fail; should one do so, the layers behind it, and the security mechanisms within them, remain in place.

  • Physical security:  A number of detailed recommendations to improve the physical security of the computing environment were offered in our detailed reports;
  • Network security: Our network security strategy for the organization was based upon the concept of “Security Domains” where systems of similar security requirements or functionality were grouped together.  In particular, recommendations were made with respect to configuration of Local Area Networks (LAN), firewalls and automated virus protection architectures;
  • Host security: Hardening procedures were introduced, and configurations adjusted in accordance with recommended hardening guidelines; and
  • Application: We defined groups and users within organizational units, and reviewed and approved the Active Directory design submitted to the organization by third parties.
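The “Security Domains” approach above amounts to a small, checkable policy: every boundary between domains is default-deny, and only explicitly listed flows may cross it. The following script is an added illustration of that check and is not one of the deliverables produced for the institution. The domain names, the address plan, the allowed-flow table and the sample flows are all assumed for the example; in practice the flows would come from firewall logs or the internal network scan, and the policy table from the firewall guidelines.

```python
"""Security-domain segmentation check (illustrative, not the engagement's own code).

Models a handful of security domains, a default-deny inter-domain policy with
explicit allows, and a function that flags observed flows violating it.
"""
from ipaddress import ip_address, ip_network

# Assumed address plan: hypothetical documentation ranges, not a real network.
# 0.0.0.0/0 is the catch-all "internet" domain; longest prefix wins.
DOMAINS = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("192.0.2.0/24")],
    "corporate": [ip_network("10.10.0.0/16")],
    "core": [ip_network("10.20.0.0/16")],
}

# Assumed boundary policy: (source domain, destination domain) -> allowed dst ports.
# Anything not listed is denied, so the internet can reach the core only via the DMZ.
ALLOWED = {
    ("internet", "dmz"): {443},          # public web tier
    ("corporate", "dmz"): {443},         # staff using the public site
    ("dmz", "core"): {8443},             # application tier -> core processing API
    ("corporate", "core"): {22, 8443},   # administration and internal clients
}


def domain_of(ip: str) -> str:
    """Return the security domain containing ip, using the longest matching prefix."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for name, nets in DOMAINS.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Default-deny across a domain boundary; intra-domain traffic is left to host controls."""
    s, d = domain_of(src), domain_of(dst)
    if s == d:
        return True
    return dport in ALLOWED.get((s, d), set())


def check_flows(flows):
    """Return the flows that cross a boundary without an explicit allow.

    Each result is (src, dst, dport, src_domain, dst_domain) so the report says
    which boundary was breached, not just which addresses were involved.
    """
    violations = []
    for src, dst, dport in flows:
        if not is_allowed(src, dst, dport):
            violations.append((src, dst, dport, domain_of(src), domain_of(dst)))
    return violations


# Constructed sample flows (src, dst, dst port); not real scan or firewall output.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 443),    # internet -> dmz web tier: allowed
    ("192.0.2.10", "10.20.1.10", 8443),    # dmz -> core API: allowed
    ("10.10.5.23", "10.20.1.10", 22),      # corporate admin -> core ssh: allowed
    ("203.0.113.5", "10.20.1.10", 8443),   # internet -> core directly: bypasses the DMZ
    ("192.0.2.10", "10.10.5.23", 445),     # dmz -> corporate SMB: lateral movement path
    ("10.10.5.23", "10.10.7.4", 445),      # intra-domain: not a boundary crossing
    ("10.20.1.10", "203.0.113.9", 25),     # core -> internet egress: not permitted
]

if __name__ == "__main__":
    for src, dst, dport, sd, dd in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {sd}->{dd}: {src} -> {dst}:{dport}")
```

The point of returning the domain pair with each violation is that the remediation is a firewall or router change on a specific boundary, and an egress violation (core to internet) is as much a finding as an ingress one: a host that can reach the internet directly defeats the layering the model relies on.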

Additional Work

In addition to the project tasks and deliverables that were agreed at the start of the project, events required us to perform a number of additional tasks. These were all included within our original project plan at no extra cost and without impacting upon milestone dates.

Deliverables

The assignment deliverables included but were not limited to the following products:

  • Operational Risk Manual;
  • Operational Risk TORs (terms of reference);
  • RAS (remote access) Assessment and Strategy;
  • Real-time Monitoring & IDS;
  • Staff Security Guide;
  • IT Acceptable Use Policy;
  • HR Security Assessment;
  • Current Network Topology;
  • New Network Topology;
  • Network Security Architecture;
  • Router Configuration Guidelines;
  • Firewall Guidelines;
  • Internal Network Scan Assessment;
  • Virus Protection Guidelines;
  • Unix Security Guidelines;
  • W2K (Windows 2000) Hardening Guidelines;
  • Active Directory Forest, Domain & OU Security Design;
  • Active Directory Users and Groups; and
  • Active Directory Group Policy.

Let's have a conversation

Let’s have a conversation to discover how CipherQuest can become your cyber security partner.