
1 METROPOLIS CAPITAL Bank and its background

METROPOLIS CAPITAL Bank is a leading private banking service provider in Sri Lanka. It operates
numerous branches and ATMs across the country and has a presence overseas as well.
The bank's headquarters are located in Kollupitiya, with various floors dedicated to different
functions, including customer services, HR, meeting rooms, senior executive staff, and high-
performance servers running the core banking systems. It provides a range of services, including
online and mobile banking. The bank follows strict government and Central Bank regulations
and holds ISO 31000:2009 certification. Its security measures include CCTV coverage, 24x7
monitoring, VA (vulnerability assessment) scanning, internal auditing, and various security tools
managed by its Technical Support Team.
2 Vulnerabilities that METROPOLIS CAPITAL Bank has

1. Each location, including branches and ATMs, relies on a single Internet Service Provider
(ISP) link for connectivity. If that link goes down, banking services at the affected
location are disrupted until it is restored.
2. Monitoring datacenters, branches, ATMs and HQ areas by CCTV alone is not enough. As a
financial organization, Metropolis Capital Bank needs to hire security personnel and
implement access control systems; doing so would significantly improve the overall
protection of the bank's datacenters, branches, ATMs and HQ areas.
3. Banks handle sensitive information such as clients' personal details, account
numbers and passwords. To protect this data from unauthorized access, Metropolis
Capital Bank must use appropriate cryptographic protection: encryption for data at rest
and in transit, and salted, slow hashing (not reversible encryption) for stored passwords.
4. Metropolis Capital Bank has implemented a bring your own device (BYOD) policy for
Senior Executive Staff and HR Departments. The problem is that personal devices then
handle the bank's sensitive data, so anyone who controls such a device (its owner, a
thief, or malware on it) may gain access to private financial information.
5. NDAs, AMCs and IT vendor contracts: it is critical to make sure that the contracts with
the various national and international IT suppliers oblige them to abide by stringent
security protocols and the bank's own security requirements.
3 Explain what a disaster recovery plan is.

A disaster recovery plan (DRP) is a documented and structured approach that an organization,
in this case METROPOLIS CAPITAL Bank, develops to recover its IT systems, data, and
operations in the event of a significant disruption or disaster. The goal of a DRP is to minimize
downtime, data loss, and financial loss by defining procedures and strategies for restoring
critical systems and services. It typically includes steps for data backup, system recovery,
alternative site activation, and communication with stakeholders during a crisis. For each
critical system the plan states how quickly service must be restored and how much recent data
may be lost; those two targets determine how often backups are taken, where they are kept,
and whether a standby site is needed, and the plan is tested regularly so that the figures hold.
4 Assess what are the key security risks that METROPOLIS CAPITAL
Bank may have.

1. Single Firewall: Relying on one firewall to protect all communication between outside
systems, the data centers, and the headquarters creates a single point of failure with no second
layer of defence. If it is breached or misconfigured, sensitive data and internal systems are
exposed directly.

2. Third-Party Technical Support Team: Depending on a third-party technical support team brings
the risk of insider threats or inadequate security practices if not properly managed.

3. Single ISP Link: Using a single Internet Service Provider (ISP) link for all locations makes the bank
vulnerable to connectivity disruptions if that link fails.

4. Bring Your Own Device (BYOD): Implementing BYOD for Senior Executive Staff and HR
Departments may lead to security issues if personal devices are used to access sensitive data
without robust security controls.

5. Work from Home: Remote work arrangements can introduce security risks if not properly
secured, potentially exposing sensitive bank data.

6. Guest Wi-Fi Hotspot: Offering a guest Wi-Fi hotspot without proper security measures could
pose a risk of unauthorized access to the bank's network.

7. Outside Company in 5th Floor: Having unrelated outside companies sharing the same building
floor may raise physical security concerns and unauthorized access risks.

8. Power Failure: Power outages can disrupt banking operations, affecting data centers and branch
operations if not mitigated with backup power sources.

9. Insider Threats: The presence of insiders who might intentionally or unintentionally compromise
security is a significant risk.

10. ATM Skimming: ATMs are vulnerable to skimming devices, which can lead to unauthorized
access to customer accounts and financial losses.
5 Quantitative risk analysis (Top 5 Risks)

Each risk below is scored with the annualized loss expectancy method: expected annual loss =
annual probability of the event x loss per event.

1. Data Breach Due to Inadequate Data Security and Encryption
2. Single ISP Link Dependency
3. Insufficient Physical Security Measures
4. ATM Skimming
5. Single Firewall for External Communication

5.1 Data Breach Due to Inadequate Data Security and Encryption:

- Annual Probability of Data Breach: 5% (0.05)
- Estimated Number of Records Exposed in Case of a Data Breach: 1,000
- Estimated Cost per Record in a Data Breach (including legal fees, notifications, etc.): $200
- Estimated Annual Revenue Generated by the Bank: $100 million (context only; it does not
enter the calculation)
- Expected Annual Loss = Annual Probability of Data Breach x (Estimated Number of
Records Exposed x Estimated Cost per Record)
- Expected Annual Loss = 0.05 x (1,000 x $200) = 0.05 x $200,000 = $10,000

The expected annual loss due to data breaches is estimated to be $10,000.

5.2 Single ISP Link Dependency:

- Annual Probability of ISP Link Failure: 3% (0.03)
- Estimated Daily Revenue Generated by All Branches and ATMs: $20,000
- Expected Downtime in Days: 3 days (based on historical data)
- Expected Annual Loss = Annual Probability of Failure x (Estimated Daily Revenue x
Expected Downtime in Days)
- Expected Annual Loss = 0.03 x ($20,000 x 3) = $1,800

The expected annual loss due to ISP link dependency is estimated to be $1,800.

5.3 Insufficient Physical Security Measures:

- Annual Probability of Security Breach: 2% (0.02)
- Estimated Value of Assets Protected by Physical Security Measures: $50 million
- Potential Financial Loss in Case of a Security Breach: $2 million
- Expected Annual Loss = Annual Probability of Breach x Estimated Loss per Event
- Expected Annual Loss = 0.02 x $2,000,000 = $40,000

The expected annual loss due to insufficient physical security measures is estimated to be $40,000.

5.4 ATM Skimming:

- Annual Probability of ATM Skimming Incident: 1% (0.01)
- Estimated Average Financial Loss per Skimming Incident: $10,000
- Expected Annual Loss = Annual Probability of Skimming x Estimated Loss per Event
- Expected Annual Loss = 0.01 x $10,000 = $100

The expected annual loss due to ATM skimming is estimated to be $100.

5.5 Single Firewall for External Communication:

- Annual Probability of Firewall Breach: 2% (0.02)
- Estimated Cost of a Security Breach (including remediation, legal fees, etc.): $500,000
- Expected Annual Loss = Annual Probability of Breach x Estimated Cost per Event
- Expected Annual Loss = 0.02 x $500,000 = $10,000

The expected annual loss due to a firewall breach is estimated to be $10,000.
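The five calculations above all apply one formula: annualized loss expectancy (ALE) = annualized rate of occurrence (ARO) x single loss expectancy (SLE). As an added example, not part of the assignment, the Python below encodes that method with the section's own figures, ranks the five risks by ALE, and adds the return on security investment (ROSI) check a practitioner runs before funding a control. The control cost and residual ALE in the final lines are invented assumptions.

```python
"""Added example (not from the assignment): ALE-based quantitative risk analysis
for the five METROPOLIS CAPITAL risks of Section 5, plus ranking and a ROSI check.
The control figures in __main__ are assumptions made up for this example."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annualized rate of occurrence: expected events per year
    sle: float  # single loss expectancy: dollars lost per event

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first; ALE, not raw probability, sets priority."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment = (ALE reduction - control cost) / control cost.
    Negative means the control costs more per year than the loss it prevents."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def metropolis_risks() -> List[Risk]:
    """The five risks of Section 5 with the figures given there."""
    return [
        # 1,000 records x $200 per record = $200,000 per breach
        Risk("Data breach (inadequate encryption)", aro=0.05, sle=1_000 * 200),
        # 3 days of downtime x $20,000 per day = $60,000 per outage
        Risk("Single ISP link failure", aro=0.03, sle=20_000 * 3),
        # $2M loss on $50M of protected assets: exposure factor 0.04
        Risk("Insufficient physical security", aro=0.02,
             sle=single_loss_expectancy(50_000_000, 0.04)),
        Risk("ATM skimming", aro=0.01, sle=10_000),
        Risk("Single firewall breach", aro=0.02, sle=500_000),
    ]


if __name__ == "__main__":
    for r in rank_by_ale(metropolis_risks()):
        print(f"{r.name:38s} ARO={r.aro:<5} SLE=${r.sle:>12,.0f} ALE=${r.ale:>9,.0f}")
    # Assumed control: field-level encryption costing $4,000/yr that leaves a
    # residual data-breach ALE of $2,000. ROSI = (10,000 - 2,000 - 4,000) / 4,000 = 1.0
    print("ROSI of encryption programme:", rosi(10_000, 2_000, 4_000))
```

By these figures the ranking is physical security ($40,000), then the data breach and firewall risks ($10,000 each), the ISP link ($1,800) and ATM skimming ($100). A $100 ALE for skimming is a signal to revisit the inputs rather than a reason to skip anti-skimming controls: a single skimmer left in place for days captures many cards, so both the per-incident loss and the rate are likely underestimated.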


6 Disaster recovery plans for the above identified risks
