Bank Information System Security

COMP-1431 Audit & Security

Case Study

Prepared by: Saad Yehia El Ashmawi

Submitted on: 8 May 2013


Table of Contents

1. Discuss the possible advantages and disadvantages to a bank in adopting the first manager’s suggested strategy (Word Count = 755)
2. Discuss the possible advantages and disadvantages to a bank in adopting the second manager’s strategy (Word Count = 822)
3. Discuss the possible advantages and disadvantages to a bank in adopting the third manager’s strategy (Word Count = 757)
4. Discuss the possible advantages and disadvantages to a bank in adopting the fourth manager’s strategy (Word Count = 752)
5. Give your personal opinion on what strategy should be adopted, justifying your recommendations as much as possible (Word Count = 787)
References


1. Discuss the possible advantages and disadvantages to a bank in adopting the first manager’s suggested strategy.

Information is an asset like any other important business asset: it is essential to the bank’s business and therefore needs to be updated regularly and suitably protected.

Most of the bank’s daily work is electronically connected to networks, so the information system plays a major role. As a result of this connectivity, information is now exposed to a growing number of threats and vulnerabilities.

“Security is like oxygen; when you have it, you take it for granted, but when you don’t, getting it becomes the immediate and pressing priority.” [1]

Taking the first manager’s suggested strategy into consideration, we would handle all of our information security measures in house, without any third-party involvement. Below we discuss the pros and cons of this strategy, its effect on the bank’s information system security measures and its overall impact on the bank’s business.

Advantages:

Recent business frauds and attacks show that the bank must have good internal control over the system’s security. Handling the bank’s information system security internally gives the bank a competitive edge in terms of the confidentiality of both the bank’s data and the customers’ data: no information about the bank’s standing, recent security threats or customer data is leaked to the public.

Any security issue that arises is handled discreetly, away from the eyes of the public and the media, which works in favor of the bank’s image with its customers and investors. Protecting the information from a wide range of threats ensures business continuity, minimizes business risk, maximizes the return on investment and thereby extends business opportunities. As a result, the risks of security attacks, and their effects on the bank’s image and its financial standing in the market, are lowered.

[1] Joseph Nye, Harvard University


Because the information system security is handled in house, the team is available around the clock solely for the bank’s needs, which gives us more flexibility in moving our resources to the tasks that need them most. In this way we also guarantee the availability of any of the bank’s information at any time, whether needed by our staff or requested by a client.

As the information system security is maintained in house, the methods the team uses to protect the bank’s system will be developed for our unique system. This means we may end up with a unique product, unlike the off-the-shelf products most of our competitors use. Outsiders will have no idea about the system’s functionality and weak points, which lowers the risk of outside threats and gives us a competitive edge over our competitors.

Disadvantages:

As the banking system is the number one target for hackers, it will be very costly for the bank to keep the information system security team up to date with the latest technology and threats. It involves constant training, seminars and workshops, either in the bank or at specialized outside institutes, to satisfy the bank’s needs and keep the team aware of new threats. This raises the question of whether handling all security in house is efficient compared with outsourcing it under external contracts, given all the money and resources the bank would save by doing so.

It is also not easy to find skilled resources, as this field is not large, so the bank must make sure it meets the financial expectations of, and provides a welcoming working environment for, every information system security employee, simply to lower the turnover rate and keep the skilled resources for in-house operations.

The risk of internal threats may increase, as the system will be monitored only by our own staff; but who will monitor this staff and make sure there is no leak of inside information or any other kind of threat? They cannot be trusted to monitor each other or themselves; that is a clear conflict of interest and raises questions about the integrity of the staff.


The risk of human error may arise, as we depend solely on one department to manage the whole bank’s security. No one reviews the work or the strategy of this department except the staff working within it.

If there were a successful attack on the bank’s system, there is a high risk that some data would not be available, possibly lost or destroyed by the attacker.


2. Discuss the possible advantages and disadvantages to a bank in adopting the second manager’s strategy

All banks today face a certain level of security threats. In fact, the implementation of new technological measures such as intrusion detection and monitoring acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats, perhaps from disgruntled employees or simply from human error, which have to be countered with a high level of skill and imagination; that is where hiring a skilled team of hackers comes in handy.

Taking the second manager’s suggested strategy into consideration, we would handle all of our information security measures in house and would hire a team of professional, highly skilled hackers to test our system’s security measures and their ability to protect the bank’s information. Below we discuss the pros and cons of such a strategy, its effect on the bank’s information system security measures and its overall impact on the bank’s business.

Advantages:

The most obvious advantage of hiring a team of hackers is that they have real-world hacking experience. There are some things that you just can’t learn from a book. Books do a good job of explaining basic hacking techniques; however, every hack is different because every network is different. It is rare for a hacker to be able to use a single technique to gain full access to a network. Often hackers have to combine multiple techniques, or apply techniques in a different way than usual, to compensate for various network defenses. Only someone with plenty of real-world hacking experience can efficiently move from one technique to another as the situation requires. This gives us an edge over the usual hacker threats, as we have a team who think like them and can act to block all possible future attempts at breaching the bank’s networks and databases.

Another positive aspect of hiring a reformed team of hackers as our security consultants is that keeping up with the latest security exploits and countermeasures is a full-time job. In most banks the IT staff have an acceptable level of security knowledge, but they must focus most of their attention on the day-to-day responsibilities of keeping the network up and running. A good security consultant focuses almost solely on security and consequently has a level of security knowledge that goes far beyond that of most other IT professionals. Working side by side with professional hackers will allow our information system security team to develop more skills; the team benefits from the learning, and the bank’s system benefits because the hackers will point out the weak points and where we can expect a threat to occur.

There is also the possibility that we can get the hackers to work cheaply, or at least for a lower salary than a computer science Ph.D. who paid a lot of money for his or her degree and who does not have a felony conviction on record. It is not just the lack of conventional credentials that can lower an ex-hacker’s compensation expectations, though: finding vulnerabilities in networks and systems is something that those with hacking in their blood would happily do for no compensation at all.

Disadvantages:

It all comes down to a question of trust. The main premise of security is deciding whom we trust and then locking out everyone else. Giving a team of hackers access to our networks, especially the kind of access required to analyze our security, is like giving someone access to our bank accounts. It is a position that carries a great deal of responsibility. When we hire a former team of hackers as security consultants, we are essentially entrusting the sanctity of our networks to a team of former criminals. If we are concerned with our network’s security, it sounds crazy to trust it to a criminal.

We must also consider the impact that a decision to hire a team of hackers will have on our customers and shareholders. What would our customers think if they knew that we were using a team of former criminals to test the security of our networks, or that our databases, which contain customer records such as credit card information and all their account data, were under this team’s control?

One of the hackers may not be reformed at all, but merely pretending to be so in order to gain access to our networks and databases. The possible effect of having a covert hacker inside our bank with access to our whole system is devastating. He or she could simply use the bank’s network to launch a botnet attack, send malware from our location and, of course, access the bank’s files and have all of our data and the customers’ data under his or her control. By the time we find out what he or she has done, it may be too late, and it could cause the bank a great loss in terms of profit, customers and reputation.


3. Discuss the possible advantages and disadvantages to a bank in adopting the third manager’s strategy

One of the key departments in any bank is the Internal Audit and Control department, and this unit has a key role to play in assessing the risk appetite of the business. An effective internal audit evaluates the quality and effectiveness of the bank’s risk management, internal control and governance processes, which assists senior management and the board of directors in protecting the bank’s reputation and business.

In an external security audit, all technical attack points of the bank are tested from the outside, and an overview is given of the current security status of systems, databases and the infrastructure. In an internal security audit, all technical attack points of the bank are tested from the inside, and the same kind of overview is given of the current security status of systems, databases and the infrastructure.

The internal audit function is accountable to the board and its audit committee on all matters related to the performance of its mandate, as described in the internal audit charter.

Taking the third manager’s suggested strategy into consideration, we would need to create an internal audit and control department, which would be responsible for the regular internal audits and for coordination with the external auditor.

Advantages:

The benefits of an audit are numerous. Audits can improve a bank’s efficiency and profitability by helping management better understand their own working and financial systems. Management, as well as shareholders and clients, are also assured that the risks in the organization are well studied and that effective systems are in place to handle them.

Internal audit provides managers with a unique source of information for exercising effective control, by measuring performance, evaluating results and recommending remedial actions. We may use internal audit as an instrument for forcing events to conform to the bank’s information security plans.


The biggest advantage of internal audit is that it leads to the discovery of errors that might put our system security at risk, so that by the time the external audit is done, the errors discovered during the internal audit will already have been rectified.

Since the internal audit is done by our own internal audit and control department, there is no additional cost involved, which again is a big advantage for the bank.

From the information gathered by the internal audit we will have a clear idea of the bank’s internal security situation. We will also have proofs of concept for existing vulnerabilities. We can implement significant enhancements to the security level of our systems and networks based on the audit findings, and we will be able to create a risk assessment and a prioritized catalogue of measures to deal with any future threats.

The external auditor comes to the bank from outside, is employed by someone else, and should therefore be truly independent, difficult to influence and unbiased in outlook.

Disadvantages:

The internal audit report is not accepted by either the shareholders or the tax authorities; it is the external auditor’s report that is required to be submitted to these parties. This means we must have both regular internal and external audit reports.

Since the internal audit is done by the bank’s own employees, there is a chance that it is biased, so the bank cannot depend on such reports alone; this creates the need for the external audit as well.

Most banks have to go through a request for proposal (RFP) process in order to find an external auditor. This procedure can be very time consuming, especially if our bank is already understaffed. We will need to interview potential auditors, as well as check their references, to ensure that we choose the best person for the job. The overall timeline of sending out RFPs, going through all the responses, setting up interviews and making the final decision may take a month or longer.


Weaknesses identified in the internal audit function may affect the supervisor’s assessment of the bank’s risk profile, which will have a direct impact on the bank’s business and its financial standing.

There is also the expense: we have to pay the external auditors and also guarantee that we preserve comprehensive records of all the interactions, which involves a lot of expense.

We will probably have to give our external auditor access to confidential and private information, including internal employee salary information and client records. We will also most likely need to give the independent auditor login credentials to access our internal financial records and databases. This may put confidential information at risk, even if we mandate that the auditor sign a confidentiality agreement.


4. Discuss the possible advantages and disadvantages to a bank in adopting the fourth manager’s strategy

Outsourcing refers to hiring an outside, independent firm to perform a business function that internal employees might otherwise perform. Many banks outsource jobs to specialized service companies, which frequently operate abroad. IT outsourcing includes data center operations, desktop and help desk support, software development, e-commerce outsourcing, software application services, network operations and disaster recovery.

For many banks, cutting the costs associated with IT has been high on the strategy agenda, driving them back to the outsourcing industry for help. After all, cost is a big driver of outsourcing across all industry sectors: in a recent survey conducted by the management consultancy KPMG, 70% of respondents cited it as a reason to outsource functions to a third party.

Taking the fourth manager’s suggested strategy into consideration, we agree that outsourcing certain functions or activities, in our case information system security, could be beneficial to the bank, financially and operationally, and to its customers. However, there are concerns that important banking functions are sometimes performed independently of the bank, resulting in the bank having less control over these activities and thereby increasing the risks to the bank.

Advantages:

Information system security will be outsourced to vendors who specialize in this field. The outsourced vendors also have specific equipment and technical expertise, most of the time better than what the bank has. Effectively, the tasks can be completed faster and with better quality output.

Outsourcing allows management to defer the details to a specialized company. Removing the details permits management to focus on the larger issues within the bank. Typically, the specialized company that handles the outsourced IT work boasts technological capabilities superior to the bank’s.


Outsourcing certain components of our business process helps the bank to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they plan our risk-mitigating factors better.

Periods of high employee turnover add uncertainty and inconsistency to operations. Outsourcing provides a level of continuity to the bank while reducing the risk that a substandard level of operation would bring.

Outsourcing IT services helps the bank to enhance operational efficiency, increases its ability to acquire and support current technology and helps it tide over the risk of obsolescence. Outsourcing information system security helps management to focus on key management functions and assists in delivering to customers in shorter lead times and with better quality of service, as management concentrates on core services.

Outsourcing avoids the need to hire employees in house, which leads to reduced operational and recruitment costs; hence recruitment and operational costs can be minimized to a great extent. This is one of the prime advantages of outsourcing.

Disadvantages:

The bank might lose complete control over information system security. Project implementation timelines may suffer as a result. If the bank terminates the agreement with the outsourced entity, confidential and sensitive information becomes jeopardized.

Public confidence is a cornerstone of the stability and reputation of a bank. The bank should be proactive in identifying and specifying the minimum security baselines to be adhered to by the service providers, to ensure the confidentiality and security of the data. This is particularly applicable where third-party service providers have access to personally identifiable information and critical customer data. Poor service from the service provider will be harmful to the reputation of the bank, will harm its relationship with its customers and may have a direct effect on its business by giving the bank a bad reputation.


Banks that outsource IT services run the risk of receiving poor quality work. Offshore outsourcing sites often experience high employee turnover and may capitalize on the bank’s limited technological capabilities, leading to high-quality service being compromised. Outsourcing to foreign countries involves hidden costs, such as travel expenses and creating an infrastructure to manage operations. Banks that don’t plan accordingly counteract the financial benefits of outsourcing.

There may also be operational risk; this kind of risk can arise because of technology failure, inadequate infrastructure, or errors by the service provider in providing IT services.

There are legal issues as well: there can be cases of non-compliance with privacy, consumer and prudential law.

Failure of a service provider to provide a specified service, a breach of security or confidentiality, or non-compliance with legal and regulatory requirements can lead to reputational and financial losses for the bank and may also result in systemic risks within the country’s banking system.


5. Give your personal opinion on what strategy should be adopted, justifying your recommendations as much as possible.

As modern banking increasingly relies on the internet and computer technologies to operate its business and market interactions, threats and security breaches have increased sharply in recent years. Insider and outsider attacks have cost global businesses trillions of dollars a year. The confidentiality, integrity and availability of information are essential for any financial institution to maintain its competitive edge, cash flow, profitability, legal compliance and commercial image. This has made it imperative for each bank to put in place adequate security controls to ensure that data is accessible to all authorized users and inaccessible to all unauthorized users, that data integrity is maintained, and that safeguards are implemented against all security threats, so as to guarantee information and information systems security across the bank.

After reviewing each of the four managers’ strategies and their advantages and disadvantages, we conclude that the third manager’s strategy, arranging audits to an acceptable standard on a regular basis, is the strategy that should be adopted by the bank.

As mentioned before, there are many benefits to conducting audits on a regular basis. Audits can improve a bank’s efficiency and profitability by helping management better understand their own working and financial systems.

Internal audit leads to the discovery of errors that might put our system security at risk. Internal audit won’t cost the bank much, as it is done by our internal employees.

Audits in general give the bank’s management a complete picture of the internal security situation of our systems, networks and databases, which gives management enough information to improve internal security and prevent future threats.

The external auditor comes to the bank from outside, is employed by someone else, and should therefore be truly independent, difficult to influence and unbiased in outlook.


When we talk about the confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties.

Usually, when a bank wants to hire an external audit firm, only the big players in the external audit market will bid on the bank’s RFP. These firms, for their part, work hard to maintain a strong public image of their work and of how they satisfy their clients’ needs, and, most important of all, they give high priority to the confidentiality of client data and business information. It is very rare to hear of an incident in which information about a client leaked to the public through one of the big firms in the auditing field, because keeping client information confidential is vital for them to stay in business.

If, on the other hand, we outsource our information system security to an IT security firm, there may be a big risk of data or information being stolen, or at least passed to someone who can use it to harm the bank’s financial standing. It is harder to trust the outsourcing firm with our data, and that increases the risk of disclosure of the bank’s information to other parties.

Integrity is the property of preventing unauthorized modification of an asset. In other words, integrity protects against the threat of data being tampered with or modified by unauthorized parties.

Regular internal and external auditing will make sure that bank information and client data can only be modified by authorized employees. Regular auditing will make sure that the controls over the information are effective and efficient, which guarantees to the bank’s management and clients the integrity of its assets.

On the other hand, if we manage our information system security in house and do not perform any audits, how will we guarantee that only authorized employees gain access to the confidential data and have the ability to alter it? Perhaps there is a loophole in the system that allows unauthorized employees to access certain information and change or steal it. Without proper regular auditing, our bank’s information might be at great risk.


Availability of information refers to ensuring that authorized parties are able to access the information when needed.

Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Regular internal and external auditing will definitely prevent any data loss or data being unavailable when it is required.

Banks have data centers where they back up every daily transaction, so with regular audits we make sure that the data backup is always performed as scheduled by the IT department. Even if there were an attack on the system and data loss occurred, we would still have our backup available for our employees and clients to access.


References:

D. P. Dube and Ved Prakash Gulati, Info Systems Audit & Assurance.

ECIIA (ed.), Banking Internal Auditing in Europe: Overview and Recommendation.

Basel Committee on Banking Supervision, The Internal Audit Function in Banks.

Comptroller’s Handbook, Internal and External Audits, July 2000.

James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing.

Gordon E. Smith, Network Auditing, John Wiley and Sons.

Nitant P. Trilokekar, Taxmann’s Bank Audits Practice Manual.

N. L. Freeman, The Quality Auditor’s Handbook, Prentice Hall.

Albert J. Marcella and Sally Chan, EDI Control and Audit, Artech House.

Martin A. Krist, Standard for Auditing Computer Applications, Auerbach.