The Need for Action
One of the largest financial organisations in the Caribbean, with subsidiaries and branches throughout the region, began the process of replacing its core processing system and implementing infrastructure and applications to transform itself into an e-business. Enhanced security needed to be implemented to manage the increased operational risk during the transformation effort. At the same time, other elements of information security (physical, personnel etc.) needed to be improved.
Our commission was to identify the major exposures, create a prioritised action plan to reduce them, and work with the organisation to implement, and then maintain, these new standards of security.
Scope of the Assignment
First, we performed a thorough review of all aspects of operational risk management. Where necessary we delved in detail into elements of the organization’s defense-in-depth. We considered all of the organization’s assets – information and systems, reputation, potential, people and property. We included all known technical and non-technical threats in our risk analysis.
Subsequently, we assisted in implementing detailed improvements to the organization’s operational risk management documentation, organization, and its IT security.
Our Approach
Information was gathered during the initial assessment phase of the assignment in a number of ways, including:
- Check of existing documentation that related to operational risk management;
- Business interviews with a wide cross-section of business managers from all parts of the organization, using a structured questionnaire;
- Focus groups;
- A technical risk evaluation of legacy systems;
- A risk evaluation of the core processing system; and
- Penetration testing (focusing on the organization’s existing exposure to the outside world).
Our recommendations were based upon our findings, our experience, our knowledge of the security to be found in other financial organizations, and the baseline security standards as laid down in ISO17799.
The urgent improvements were grouped into a small number of major activities, each with its own discrete security projects:
- Security/Risk Management Organization;
- Security Policy, Standards, Codes of Practice;
- Security Awareness Programme;
- IT Security (LAN Management Strategy, e-Business Security Strategy and implementation of cryptographic mechanisms to protect sensitive assets); and
- Security “Quick Wins”.
Subsequently we worked with the institution to implement many of these recommendations.
Risk Management Organization
We identified and then established an appropriate Operational Risk organisation throughout the institution, comprising three elements:
- Specialist Operational Risk managers and staff to provide a centre of excellence;
- “Operational Risk Controllers”: non-specialist business representatives forming a “network” throughout the organisation; and
- Audit.
In addition, we established a Steering Committee (and an associated Working Group) to direct activities and to further the cause of Operational Risk throughout the organisation.
Security Policy, Standards, Codes of Practice
We were tasked with producing a comprehensive Operational Risk Manual. We did this in a number of stages:
- We prepared a 1st draft, based on example documents, incorporating and superseding existing publications and documentation as appropriate, and complying with the principles of BS7799 “Code of Practice for Information Security Management” and its ISO equivalent, ISO 17799; and
- We sought validation, suggestions and amendments from a range of relevant business managers throughout the organisation and incorporated them into the 1st draft.
The manual superseded a number of existing publications and documents, and also incorporated updated versions of existing manuals. Detailed IT security technical policies were added as they were refined and accepted into use.
IT Security Projects
We were tasked with developing three key aspects of IT Security for the production systems, taking into account the institution’s technology choices:
- Security policies and procedures;
- Network security architecture; and
- Remote access, access control, and encryption of data.
This work fell into five main areas of activity:
- Network Security Architecture;
- Access Control policies and procedures;
- Monitoring;
- Remote Access Strategy; and
- Internet Facing Strategy.
We used a “Defense-in-Depth” model to develop the IT Security strategy: layering protection so that no single control is relied upon, using firewalls, intrusion detection, virus scanners, encryption, network segmentation, and host and application access controls. The model assumes that any layer may fail; should one layer be breached, the subsequent layers, and the security mechanisms within them, remain in place.
- Physical security: A number of detailed recommendations to improve the physical security of the computing environment were offered in our detailed reports;
- Network security: Our network security strategy for the organization was based upon the concept of “Security Domains” where systems of similar security requirements or functionality were grouped together. In particular, recommendations were made with respect to configuration of Local Area Networks (LAN), firewalls and automated virus protection architectures;
- Host security: Hardening procedures were introduced, and configurations adjusted in accordance with recommended hardening guidelines; and
- Application: We defined groups and users within organizational units, and reviewed and approved the Active Directory design submitted to the organization by third parties.
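The “Security Domains” and defense-in-depth principles above can be expressed as a policy that is checkable rather than descriptive. The following is an added illustration, not an artefact from the engagement: domain names, trust levels, subnets and the allowed flows are all constructed, and the hypothetical layering rule (a flow may only step up one trust level at a time) stands in for the firewall design between domains. It shows why a mis-edited allow-list, such as a third party adding a direct Internet-to-Core rule, is still rejected by the structure of the policy, and how many independent enforcement points sit between the Internet and the core processing system.

```python
import ipaddress
from dataclasses import dataclass

# Constructed security domains (hypothetical): trust level 0 is untrusted.
# Systems with similar security requirements share a domain and its subnets.
DOMAIN_TRUST = {"Internet": 0, "DMZ": 1, "Internal": 2, "Core": 3}
DOMAIN_SUBNETS = {
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "Internal": [ipaddress.ip_network("10.10.0.0/16")],
    "Core": [ipaddress.ip_network("10.250.0.0/24")],
}


@dataclass(frozen=True)
class Flow:
    src: str   # source domain
    dst: str   # destination domain
    port: int  # destination TCP port


# Explicit allow-list between domains (constructed). Anything not listed is denied.
ALLOWED_FLOWS = {
    Flow("Internet", "DMZ", 443),    # public web front end
    Flow("DMZ", "Internal", 8443),   # application tier
    Flow("Internal", "Core", 1521),  # core processing database
}


def domain_of(ip_str):
    """Classify a host address into its security domain; unknown space is Internet."""
    ip = ipaddress.ip_address(ip_str)
    for name, nets in DOMAIN_SUBNETS.items():
        if any(ip in net for net in nets):
            return name
    return "Internet"


def evaluate(flow):
    """Return (decision, reason) for a proposed flow.

    The layering rule is checked before the allow-list so it holds even when
    the allow-list is edited carelessly: a flow may only rise one trust level,
    so Internet traffic must traverse DMZ and Internal before reaching Core.
    """
    if flow.src not in DOMAIN_TRUST or flow.dst not in DOMAIN_TRUST:
        return ("deny", "unknown domain")
    if DOMAIN_TRUST[flow.dst] - DOMAIN_TRUST[flow.src] > 1:
        return ("deny", "skips a security domain")
    if flow in ALLOWED_FLOWS:
        return ("allow", "explicit rule")
    return ("deny", "no matching rule")


def audit(proposed):
    """Return the proposed rules that would be rejected, with the reason for each."""
    return [(r, evaluate(r)[1]) for r in proposed if evaluate(r)[0] == "deny"]


def layers_between(src, dst):
    """Domains a connection must traverse from src to dst, lowest trust first.

    Each is an independent enforcement point that must be defeated before the
    next layer is exposed, which is the defense-in-depth assumption.
    """
    lo, hi = DOMAIN_TRUST[src], DOMAIN_TRUST[dst]
    by_level = {level: name for name, level in DOMAIN_TRUST.items()}
    return [by_level[level] for level in range(lo + 1, hi)]


if __name__ == "__main__":
    # Hypothetical rule set submitted for review, including a direct shortcut to Core.
    proposed = [Flow("Internet", "DMZ", 443), Flow("Internet", "Core", 1521)]
    for rule, reason in audit(proposed):
        print(f"REJECT {rule.src}->{rule.dst}:{rule.port} ({reason})")
    print("host 192.0.2.10 is in domain", domain_of("192.0.2.10"))
    print("layers between Internet and Core:", layers_between("Internet", "Core"))
```

In practice the allow-list would be generated from the approved network security architecture and the audit run against every firewall change request, so that the layering rule is enforced independently of whoever edits the rule base.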
Additional Work
In addition to the project tasks and deliverables that were agreed at the start of the project, events required us to perform a number of additional tasks. These were all included within our original project plan at no extra cost and without impacting upon milestone dates.
Deliverables
The assignment deliverables included, but were not limited to, the following products:
- Operational Risk Manual
- Operational Risk TORs
- Staff Security Guide
- HR Security Assessment
- IT Acceptable Use Policy
- Current Network Topology
- New Network Topology
- Network Security Architecture
- Internal Network Scan Assessment
- RAS Assessment and Strategy
- Real-time Monitoring & IDS
- Router Configuration Guidelines
- Firewall Guidelines
- Virus Protection Guidelines
- W2K Hardening Guidelines
- Unix Security Guidelines
- Active Directory Forest, Domain & OU Security Design
- Active Directory Group Policy
- Active Directory Users and Groups