
COMP-1431

Audit & Security

Bank Information System Security

Case Study

Prepared By:

Saad Yehia El Ashmawi

Submitted on:

8 May 2013

Page | 1
Table of Contents

1. Discuss the possible advantages and disadvantages to a bank in adopting the first manager’s suggested strategy (Word Count = 755)

2. Discuss the possible advantages and disadvantages to a bank in adopting the second manager’s strategy (Word Count = 822)

3. Discuss the possible advantages and disadvantages to a bank in adopting the third manager’s strategy (Word Count = 757)

4. Discuss the possible advantages and disadvantages to a bank in adopting the fourth manager’s strategy (Word Count = 752)

5. Give your personal opinion on what strategy should be adopted, justifying your recommendations as much as possible. (Word Count = 787)

1. Discuss the possible advantages and disadvantages to a bank in
adopting the first manager’s suggested strategy.

Information is an asset like any other important business asset; it is essential to the bank’s business and therefore needs to be kept current and suitably protected. Most of the bank’s daily work runs over networked systems, so the information system plays a major role. That same connectivity exposes the information to a growing number of threats and vulnerabilities.

“Security is like oxygen; when you have it, you take it for granted,
but when you don’t, getting it becomes the immediate and pressing priority”1

Under the first manager’s suggested strategy we would handle all of our information security measures in house, without any third-party involvement. The pros and cons of this strategy, its effect on the bank’s information system security measures and its overall impact on the bank’s business are discussed below.

Advantages:

Recent frauds and attacks show that the bank must have good internal control over the security of its systems. Handling information system security internally keeps the bank’s data and its customers’ data inside the bank: no contractor needs to be told about the bank’s standing, its recent security incidents or the structure of its customer records, so there are fewer parties through which such information could leak.

Any security issue that arises can be handled discreetly, away from the public and the media, which protects the bank’s image with its customers and investors. Protecting information from a wide range of threats ensures business continuity, minimizes business risk, maximizes the return on investment and thereby widens the bank’s business opportunities. The result is a lower likelihood of security attacks and a smaller effect of any attack on the bank’s image and its financial standing in the market.

1 Joseph Nye, Harvard University

Because information system security is handled in house, the team is available around the clock solely for the bank’s needs, which gives us more flexibility to move resources to the tasks that need them most. It also helps us keep the bank’s information available whenever it is needed by our staff or requested by a client.

Because the team maintains the bank’s security in house, the protective measures it develops will be tailored to our own systems rather than being the same off-the-shelf product that most of our competitors use. Outsiders would then know less about how our system works and where its weak points are, which somewhat lowers the risk from external threats. This benefit should not be overstated: an attacker who gains a foothold will learn the system’s functionality soon enough, so obscurity complements proper controls such as patching, access control and monitoring but does not replace them.

Disadvantages:

Banks are among the prime targets for attackers, so it will be very costly to keep the information system security team up to date with the latest technology and threats. That means constant training, seminars and workshops, either in the bank or at specialized institutes, to meet the bank’s needs and stay aware of new threats. This raises the question of whether handling all security in house is as efficient as contracting it out, and of how much money and resources the bank would save by doing so.

Skilled staff are also hard to find, because the field is small. The bank must meet the salary expectations of information system security staff and provide a good working environment in order to keep turnover low and retain skilled people for the in-house operation.

Insider risk may increase, because the system will be monitored only by our own staff. Who then monitors that staff and makes sure there is no leak of inside information or other abuse? Expecting them to monitor each other or themselves is a clear conflict of interest and calls the integrity of the arrangement into question.

The risk of human error also rises when we depend solely on one department to manage the security of the whole bank. Nobody outside that department reviews its work or its strategy.

If an attack on the bank’s system succeeded, there is a high risk that some data would be unavailable, lost or destroyed by the attacker.

2. Discuss the possible advantages and disadvantages to a bank in
adopting the second manager’s strategy

All banks today face some level of security threat. Deploying measures such as intrusion detection and monitoring is itself an acknowledgement that a certain amount of suspicious or malicious activity is likely to get through the outer defenses. It also acknowledges that there are internal threats, whether from disgruntled employees or from simple human error, which have to be countered with a high level of skill and imagination; that is where hiring a skilled team of hackers comes in.

Under the second manager’s suggested strategy we would still handle all of our information security measures in house, but we would hire a team of highly skilled professional hackers to test our security measures and their ability to protect the bank’s information. The pros and cons of such a strategy, its effect on the bank’s information system security measures and its overall impact on the bank’s business are discussed below.

Advantages:

The most obvious advantage of hiring a team of hackers is that they have real-world attack experience. Some things cannot be learned from a book. Books explain basic hacking techniques well, but every intrusion is different because every network is different. It is rare for an attacker to gain full access to a network with a single technique; usually several techniques have to be combined, or applied in an unusual way, to get around the defenses in place. Only someone with plenty of real-world experience can move efficiently from one technique to the next as the situation demands. This gives us an edge against the usual attackers: we would have a team that thinks like them and can anticipate, and help us block, many of the future attempts to breach the bank’s networks and databases.

Another positive aspect of hiring a team of reformed hackers as our security consultants is that keeping up with the latest exploits and countermeasures is a full-time job. In most banks the IT staff have an acceptable level of security knowledge, but they must focus most of their attention on the day-to-day work of keeping the network up and running. A good security consultant focuses almost solely on security and consequently has a level of security knowledge far beyond that of most other IT professionals. Working side by side with professional hackers lets our own information system security team develop more skills, and the bank’s systems benefit because the hackers will point out the weak points and where a threat can be expected.

There is also the possibility of getting the hackers to work cheaply, or at least at a lower salary than a computer science Ph.D. who paid a lot of money for the degree and has no felony conviction on record. It is not only the lack of conventional credentials that can lower an ex-hacker’s compensation expectations: finding vulnerabilities in networks and systems is something that people with hacking in their blood would happily do for little or no compensation at all.

Disadvantages:

It all comes down to a question of trust. The basic premise of security is deciding whom we trust and then locking out everyone else. Giving a team of hackers access to our networks, especially the kind of access required to analyze our security, is like giving someone access to our bank accounts. It is a position that carries a great deal of responsibility. When we hire a team of former hackers as security consultants, we are entrusting the sanctity of our networks to a team of former criminals. If we are concerned about our network’s security, it sounds crazy to trust it to a criminal.

We must also consider the impact that a decision to hire a team of hackers will have on our customers and shareholders. What would our customers think if they knew that a team of former criminals was testing the security of our networks, and that the databases holding their records, including credit card information and all of their account data, were under that team’s control?

One member of the team might not be reformed at all, but only pretending to be in order to get access to our networks and databases. The effect of having a covert attacker inside the bank with access to all of our systems would be devastating. He or she could use the bank’s network to launch botnet attacks, send malware from our location and, of course, access the bank’s files and take control of all of our data and our customers’ data. By the time we found out what had been done, the bank might already have suffered a great loss of profit, customers and reputation.

3. Discuss the possible advantages and disadvantages to a bank in
adopting the third manager’s strategy

One of the key departments in any bank is Internal Audit and Control, and it has a key role to play in assessing the business’s risk appetite. An effective internal audit evaluates the quality and effectiveness of the bank’s risk management, internal control and governance processes, which assists senior management and the board of directors in protecting the bank’s reputation and business.

In an external security audit, all of the bank’s technical attack points are tested from the outside, and an overview is produced of the current security status of the systems, databases and infrastructure. In an internal security audit, the same attack points are tested from the inside, covering what an employee, a contractor or an attacker who has already gained a foothold could reach.

The internal audit function is accountable to the board and its audit committee on all matters related to the performance of its mandate, as described in the internal audit charter.

Under the third manager’s suggested strategy we would need to create an internal audit and control department responsible for the regular internal audits and for coordination with the external auditor.

Advantages:

The benefits of an audit are numerous. Audits can improve a bank’s efficiency and profitability by helping management better understand their own working and financial systems. Management, as well as shareholders and clients, are also assured that the risks in the organization are well studied and that effective systems are in place to handle them.

Internal audit provides managers with a unique source of information for exercising effective control, by measuring performance, evaluating results and recommending remedial actions. We can use internal audit as an instrument for making events conform to the bank’s information security plans.

The biggest advantage of internal audit is that it leads to the discovery of errors that might put our system security at risk, so that by the time the external audit is done those errors will already have been rectified.

Since internal audit is done by our own internal audit and control department, no additional fees are paid to an outside firm, which is again a big advantage for the bank; the department’s own staff and tooling are still a cost, but one the bank controls.

The information gathered by the internal audit gives us a clear picture of the bank’s internal security situation, including proof of concept for existing vulnerabilities. We can then make significant improvements to the security of our systems and networks based on the audit findings, and produce a risk assessment and a prioritized catalogue of measures to deal with future threats.

The external auditor comes to the bank from outside, is employed by someone else, and should therefore be truly independent, difficult to influence and unbiased in outlook.

Disadvantages:

An internal audit report is not accepted by shareholders or by the tax authorities; it is the external auditor’s report that must be submitted to these parties. That means we must have both regular internal and external audit reports.

Since the internal audit is done by the bank’s own employees, it may be biased, so the bank cannot rely on such reports alone; this is what creates the need for an external audit as well.

Most banks have to go through a request for proposal process to find an external auditor. This can be very time consuming, especially if the bank is already understaffed. We will need to interview potential auditors and check their references to make sure we choose the best firm for the job. Sending out RFPs, going through the responses, setting up interviews and making the final decision may take a month or longer.

Weaknesses identified in the internal audit function may affect the supervisor’s assessment of the bank’s risk profile, which has a direct impact on the bank’s business and its financial standing.

There is the expense of paying the external auditors, and we must also keep comprehensive records of all interactions with them, which is a further cost.

We will probably have to give the external auditor access to confidential and private information, including internal employee salary information and client records, and most likely login credentials for our internal financial records and databases. This puts confidential information at risk even if the auditor signs a confidentiality agreement, so that access should be granted through named, time-limited, read-only accounts whose use is logged, never through shared credentials.

4. Discuss the possible advantages and disadvantages to a bank in
adopting the fourth manager’s strategy

Outsourcing refers to hiring an outside, independent firm to perform a business function that
internal employees might otherwise perform. Many banks outsource jobs to specialized
service companies, which frequently operate abroad. IT outsourcing includes data center
operations, desktop and help desk support, software development, e-commerce
outsourcing, software applications services, network operations and disaster recovery.

For many banks, cutting the costs associated with IT has been high on the strategy agenda,
driving them back to the outsourcing industry for help.

After all, cost is a big driver of outsourcing across all industry sectors. In a recent survey
conducted by management consultancy KPMG, 70% of respondents cited it as a reason to
outsource functions to a third-party.

Under the fourth manager’s suggested strategy we accept that outsourcing certain functions or activities, in our case information system security, could benefit the bank financially and operationally, and benefit its customers. However, there is a concern that important banking functions are then performed independently of the bank, leaving the bank with less control over those activities and thereby increasing its risk.

Advantages:

Information system security would be outsourced to vendors who specialize in this field. Such vendors have specific equipment and technical expertise that is often better than the bank’s own, so tasks can be completed faster and with better quality output.

Outsourcing allows management to defer the details to a specialized company. Removing the details lets management focus on the larger issues within the bank, and the specialized company that handles the outsourced IT work typically has technological capabilities superior to the bank’s.

Outsourcing certain components of our business process shifts certain responsibilities to the vendor. Since the vendor is a specialist, it can plan our risk-mitigating measures better.

Periods of high employee turnover add uncertainty and inconsistency to operations. Outsourcing provides a level of continuity for the bank while reducing the risk that a substandard level of operation would bring.

Outsourcing IT services helps the bank to improve operational efficiency, increases its ability to acquire and support current technology and helps it avoid the risk of obsolescence. Outsourcing information system security lets management focus on core management functions and helps deliver services to customers in shorter lead times and with better quality.

Outsourcing avoids the need to hire in-house employees, which reduces recruitment and operational costs considerably. This is one of the prime advantages of outsourcing.

Disadvantages:

The bank might lose control over its information system security, and project implementation timelines may suffer as a result. If the bank terminates the agreement with the outsourced entity, the confidential and sensitive information that entity holds is put at risk.

Public confidence is a cornerstone of the stability and reputation of a bank. The bank should proactively identify and specify the minimum security baselines that service providers must adhere to in order to ensure the confidentiality and security of its data. This is particularly important where third-party service providers have access to personally identifiable information and critical customer data. Poor service from the provider harms the bank’s reputation and its relations with customers, and may directly affect its business.

Banks that outsource IT services run the risk of receiving poor-quality work. Offshore outsourcing sites often experience high employee turnover and may exploit the bank’s limited technological capability, so the quality of service is compromised. Outsourcing to foreign countries also involves hidden costs, such as travel expenses and building an infrastructure to manage the operation. Banks that do not plan for these costs cancel out the financial benefits of outsourcing.

There is also operational risk, which may arise from technology failure, inadequate infrastructure or errors by the service provider in delivering the IT services.

There are legal issues as well: the arrangement may leave the bank non-compliant with privacy, consumer and prudential law.

Failure of a service provider to deliver a specified service, a breach of security or confidentiality, or non-compliance with legal and regulatory requirements can lead to reputational and financial losses for the bank and may also create systemic risk within the country’s banking system.

5. Give your personal opinion on what strategy should be adopted
justifying your recommendations as much as possible.

As modern banking relies ever more on the internet and computer technology to run its business and market interactions, threats and security breaches have increased sharply in recent years, and insider and outsider attacks cost businesses worldwide large sums every year. The confidentiality, integrity and availability of information are essential for any financial institution to maintain its competitive edge, cash flow, profitability, legal compliance and commercial image. Each bank must therefore put adequate security controls in place: data must be accessible to all authorized users and inaccessible to unauthorized users, its integrity must be maintained, and safeguards against security threats must be implemented to protect information and information systems across the bank.

After reviewing each of the four managers’ strategies and their advantages and disadvantages, we conclude that the third manager’s strategy, arranging audits to an acceptable standard on a regular basis, is the one the bank should adopt.

As mentioned above, there are many benefits to conducting audits regularly. Audits can improve a bank’s efficiency and profitability by helping management better understand their own working and financial systems.

Internal audit leads to the discovery of errors that might put our system security at risk.

Internal audit costs the bank little beyond the salaries of the employees who perform it, since no outside firm has to be paid.

Audit in general gives the bank’s management a complete picture of the internal security situation of its systems, networks and databases, which gives them enough information to improve internal security and to prevent many future threats.

The external auditor comes to the bank from outside, is employed by someone else, and should therefore be truly independent, difficult to influence and unbiased in outlook.

When we talk about confidentiality of information, we are talking about protecting the
information from disclosure to unauthorized parties.

When a bank wants to hire an external audit firm, usually only the big players in the external audit market bid on the bank’s RFP. These firms work hard to maintain a strong public image for their work and for how they satisfy their clients’ needs, and above all they give high priority to the confidentiality of client data and business information. It is very rare to hear of any of the big auditing firms leaking information about a client to the public, because keeping client information confidential is vital to their staying in business.

If, on the other hand, we outsource our information system security to an IT security firm, there is a larger risk of data or information being stolen, or at least passed to someone who could use it to harm the bank’s financial position. It is harder to trust an outsourcing firm with our data, and that increases the risk of disclosure of the bank’s information to other parties.

Integrity is the property of preventing unauthorized modification of an asset. In other words, integrity protects data against tampering or modification by unauthorized parties.

Regular internal and external auditing checks that bank information and client data can be modified only by authorized employees. Regular auditing confirms that the controls over the information are effective and efficient, which gives the bank’s management and clients confidence in the integrity of its assets.

On the other hand, if we manage our information system security in house and carry out no audits, how will we know that only authorized employees can access confidential data and alter it? There may be a loophole in the system that allows unauthorized employees to access certain information and to change or steal it. Without regular, proper auditing the bank’s information might be at great risk.
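An audit check of the kind the two paragraphs above describe, as an added example that is not part of the original case study: it reconciles a constructed change log against an authorization matrix, flags actions that a user’s role does not permit, enforces dual control (a second approver who is not the actor) on sensitive actions, and hash-chains the log so that later tampering with an entry, or removal of one, is detectable. The log format, role names, actions, user accounts and dual-control rule are all assumptions made for the example.

```python
"""Audit check: reconcile a change log with the authorization matrix.

Added example. The authorization matrix, user-to-role mapping, change-log
format and dual-control rule below are assumptions constructed for
illustration; they do not describe any real bank system.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed authorization matrix: the actions each role may perform.
ROLE_PERMISSIONS = {
    "teller": {"view_account", "post_deposit"},
    "branch_manager": {"view_account", "post_deposit", "approve_limit_change"},
    "security_admin": {"view_account", "modify_user_role"},
    "auditor": {"view_account"},
}

# Constructed mapping of user accounts to roles (the HR/IAM record of truth).
USER_ROLES = {"alice": "teller", "bob": "branch_manager",
              "carol": "security_admin", "dave": "auditor"}

# Sensitive actions that require a second person's approval (dual control).
DUAL_CONTROL_ACTIONS = {"approve_limit_change", "modify_user_role"}

# Constructed change log, newline-delimited JSON as a logging pipeline might
# export it. "approver" is the second person who signed off, or null.
CHANGE_LOG = """\
{"seq": 1, "user": "alice", "action": "post_deposit", "target": "acct-1001", "approver": "bob"}
{"seq": 2, "user": "alice", "action": "approve_limit_change", "target": "acct-1001", "approver": "bob"}
{"seq": 3, "user": "bob", "action": "approve_limit_change", "target": "acct-2002", "approver": "bob"}
{"seq": 4, "user": "carol", "action": "modify_user_role", "target": "alice", "approver": null}
{"seq": 5, "user": "dave", "action": "post_deposit", "target": "acct-3003", "approver": "bob"}
{"seq": 6, "user": "erin", "action": "view_account", "target": "acct-1001", "approver": null}
"""


@dataclass(frozen=True)
class Finding:
    seq: int
    user: str
    issue: str


def parse_log(text):
    """Parse newline-delimited JSON records, preserving their order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_changes(records, user_roles=USER_ROLES,
                  role_permissions=ROLE_PERMISSIONS,
                  dual_control=DUAL_CONTROL_ACTIONS):
    """Return one Finding per violation of the matrix or of dual control."""
    findings = []
    for rec in records:
        seq, user, action = rec["seq"], rec["user"], rec["action"]
        role = user_roles.get(user)
        if role is None:
            # An account that IAM does not know about acted on the system.
            findings.append(Finding(seq, user, "unknown user"))
            continue
        if action not in role_permissions.get(role, set()):
            findings.append(Finding(seq, user, f"role '{role}' may not {action}"))
        if action in dual_control:
            approver = rec.get("approver")
            if approver is None:
                findings.append(Finding(seq, user, f"{action} without second approver"))
            elif approver == user:
                # Segregation of duties: the actor approved their own change.
                findings.append(Finding(seq, user, f"{action} self-approved"))
    return findings


def chain_digest(records):
    """Hash-chain the records: each digest covers the previous digest plus
    the canonical form of the current record, so altering or removing any
    earlier record changes the final value."""
    digest = b""
    for rec in records:
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        digest = hashlib.sha256(digest + canonical).digest()
    return digest.hex()


def verify_chain(records, expected_hex):
    """True if the records still produce the digest recorded at export time."""
    return chain_digest(records) == expected_hex


if __name__ == "__main__":
    recs = parse_log(CHANGE_LOG)
    for f in audit_changes(recs):
        print(f"seq {f.seq}: {f.user}: {f.issue}")
    print("log digest:", chain_digest(recs))
```

On the constructed log this reports five findings: a teller approving a limit change, a branch manager approving his own change, a role modification with no second approver, an auditor posting a deposit, and activity from an account IAM does not know. The digest is meant to be recorded at export time and kept apart from the log (for example by the audit department rather than the team that writes the log), so that the people being audited cannot rewrite the record and recompute it.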

Availability of information refers to ensuring that authorized parties are able to access the
information when needed.

Information only has value if the right people can access it at the right times, and denying access to information has become a very common attack. Regular internal and external auditing does not by itself prevent data loss or outages, but it verifies that the controls which limit them are in place and working. Banks have data centers where every day’s transactions are backed up, so with regular audits we make sure that the backups are actually performed as scheduled by the IT department and can be restored; then even if an attack on the system caused data loss, we would still have a backup available for our employees and clients.
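As an added example that is not part of the original case study, the following check verifies the backup control described in the paragraph above: for every business day in an audit window it confirms that a backup job was recorded as completed, that the archive still exists on the media, and that its digest still matches the one the job recorded. It goes one step beyond the paragraph by also flagging when no restore test has been performed recently, since a backup nobody has restored is not proven recoverable. The job log, archive store, schedule (one backup per weekday) and restore-test record are constructed assumptions, not an export from any real bank.

```python
"""Audit check: did the scheduled daily backup run, and is the copy intact?

Added example. The backup-job log, the archive store, the weekday schedule
and the restore-test record are assumptions constructed for illustration.
"""
import hashlib
from datetime import date, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed archive store: what is actually on the backup media today.
ARCHIVES = {
    "2013-05-01": b"transactions 2013-05-01",
    "2013-05-02": b"transactions 2013-05-02",
    # 2013-05-03: the job reported success but the archive is gone.
    "2013-05-06": b"transactions 2013-05-06",
    "2013-05-07": b"transactions 2013-05-07 (altered after the job ran)",
    # 2013-05-08: no job ran at all.
}

# Constructed backup-job log: what the scheduler recorded for each run,
# including the digest of the archive at the moment it was written.
BACKUP_LOG = [
    {"date": "2013-05-01", "status": "completed", "sha256": sha256_hex(b"transactions 2013-05-01")},
    {"date": "2013-05-02", "status": "completed", "sha256": sha256_hex(b"transactions 2013-05-02")},
    {"date": "2013-05-03", "status": "completed", "sha256": sha256_hex(b"transactions 2013-05-03")},
    {"date": "2013-05-06", "status": "completed", "sha256": sha256_hex(b"transactions 2013-05-06")},
    {"date": "2013-05-07", "status": "completed", "sha256": sha256_hex(b"transactions 2013-05-07")},
]

# Constructed record of the dates on which a restore was actually exercised.
RESTORE_TESTS = ["2013-01-15"]


def business_days(start, end):
    """Yield each weekday from start to end inclusive (assumed schedule)."""
    day = start
    while day <= end:
        if day.weekday() < 5:
            yield day
        day += timedelta(days=1)


def audit_backups(log, archives, start_iso, end_iso):
    """Return (iso_date, issue) pairs for each business day whose backup is
    missing, failed, absent from the media, or no longer matches the digest
    the job recorded when it wrote the archive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    by_date = {entry["date"]: entry for entry in log}
    issues = []
    for day in business_days(start, end):
        key = day.isoformat()
        entry = by_date.get(key)
        if entry is None:
            issues.append((key, "no backup job recorded"))
        elif entry["status"] != "completed":
            issues.append((key, f"backup job {entry['status']}"))
        elif key not in archives:
            issues.append((key, "job completed but archive not found on media"))
        elif sha256_hex(archives[key]) != entry["sha256"]:
            issues.append((key, "archive digest differs from the one recorded"))
    return issues


def restore_test_overdue(test_dates_iso, as_of_iso, max_age_days=90):
    """True if no restore has been exercised within max_age_days of as_of."""
    if not test_dates_iso:
        return True
    as_of = date.fromisoformat(as_of_iso)
    latest = max(date.fromisoformat(d) for d in test_dates_iso)
    return (as_of - latest).days > max_age_days


if __name__ == "__main__":
    for day, issue in audit_backups(BACKUP_LOG, ARCHIVES, "2013-05-01", "2013-05-08"):
        print(day, issue)
    print("restore test overdue:", restore_test_overdue(RESTORE_TESTS, "2013-05-08"))
```

Over the constructed window the check reports three days: one where the job claimed success but the archive is no longer on the media, one where the stored archive no longer matches the recorded digest, and one with no job at all; the weekend days produce nothing because the assumed schedule does not expect a backup then. The restore-test check fires too, because the last exercised restore is more than 90 days old.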
