Teaching Case
Bank SolutionsDisasterRecoveryand Business
Continuity:ACaseStudyfor CSIA 485
SteveCamara
Senior Manager, KPMG LLP
1021 E CaryStreet, Suite2000
Richmond, VA23219
Robert Crossler Vishal Midha Assistant Professor
ComputerInformation Systems
TheUniversityof Texas– Pan American ,
Linda Wallace
AssociateProfessor
AccountingandInformation Systems VirginiaTech
ABSTRACT
DisasterRecovery andBusinessContinuity(DR/BC) planningis anissue thatstudents willlikely come incontactwithas they enterindustry. Many differentfieldsrequirethisknowledge,whetheremployeesareadvisingacompanyimplementinganew DR/BCprogram,auditingacompany’sexistingprogram,orimplementingand/orservingasakeyparticipantinacompany program. Oftentimesintheclassroom itisdifficulttofindrealworldpracticeforstudentstoapply thetheoriestaught. The informationinthiscase providesstudentswithrealworlddatatopracticewhattheywoulddoif theywereonanengagement teamevaluatingaDR/BCplan. Providingstudentswiththisopportunitybetterpreparesthemforoneofthejobstheycould perform aftergraduation.
Keywords: Casestudy,Computer security,Criticalthinking,Experientiallearning education,Informationassurance and security,Role-play, Security,Teamprojects
2.CASE TEXT
2.1CompanyBackground
BankSolutions,Inc.(apseudonym),foundedin1973bythe
First Presidential Bank, a major bank of its time, is a providerofitem processingservicesitocommunitybanks, savingsandloanassociations,Internetbanks,andsmall-to mid-sizecreditunions. It offersafullrangeof services, includingin-clearingand Proof ofDeposit(POD) processing, itemcapture,returnandexceptionitem processing,image archive storageandretrieval,andcustomerstatement rendering.
Bank Solutions wasformedin1973whenthe Chief OperatingOfficerof First PresidentialBank,amajor commercial bank, recognizedanopportunity. Since item processingfunctionsarestandardized(they havetobein orderfor originating andreceiving financialinstitutionsto clearcustomertransactions) andscalablewithincreases in item processingvolumes,theywereabletoofferthese servicestootherfinancialinstitutionswishing to reduce operating expenseandfocus on growthstrategiesandother core business functions. FirstPresidentialmarketedthese services underthe BankSolutionsbrandname.
Overthe next15years,Bank Solutionsenjoyedmodest growth. By1988,itserved41small-tomid-sizefinancial institutions. It had not, however, developed a market
presenceoutsideoftheNorthwesternRegionoftheUnited States,asmanagement hadhoped. Thiswas primarily because Bank Solutionswasunabletocompetewithother item-processing service providers that had developed
proprietarysoftwaresystemsconsidered“topoftheline.” Tomakemattersworse,atthe timealmost one quarter of BankSolutions‟clientbasewassavingandloanassociations (savingandloans). AsaresultoftheSavingsandLoan crisis,60%ofBankSolutions‟savingsandloancustomer base failedoverthe sixyears spanning 1985–1991,thus stuntingtheoutsourcer‟sgrowth. Therelatedslowdownof the financialservicesandrealestateindustries andthe recessionof1990–1991presentedfurtherheadwindstothe growth objectives of First Presidential management. In
1994,FirstPresidentialsoldoffBankSolutions.
Undernewmanagement,BankSolutionsthrived. Keys
tothe company‟s renewedsuccess includedthe following:
The development of key strategic partnerships with other industry participants, including data clearing housesandfinancialinstitutioncore processing system outsourcers.ii
Theintroductionofanewcompanyculturethatfocused onopen doormanagement,mentoring,andenhanced employee benefits.
Thedevelopmentofaproprietary,stateoftheartitem processingsystem thatusesstate-of-the-artOptical CharacterRecognition(OCR)technology toachieve characterrecognitionaccuraciesthat were previously unheardof.
Theimplementationof“remotecapture”technologiesiii
to meetelectronicbankinginitiativesand regulations suchas“Check21.”
The upgrade or replacement of other administrative informationsystems,includingthecompany‟sfinancial reporting system. Thishelpedtoincrease operational effectivenessandefficiencies.
From 1995–2008, Bank Solutions enjoyed unprecedentedgrowth. During thattimeframe,the company expanded operations to 18 item processing facilities, two
datacentersinwhichtheitem processing systemwashosted, and345financial institutions.
2.2Current Scenario(2011)
DouglasSmith,theChief InformationOfficerforBank Solutions,wasoneof theoriginalmembersof“new management”andresponsibleformanyofBankSolutions‟ pastsuccesses. A solid,middle-sizedcompanywith continuedgrowthpotential,BankSolutionshasbecomea
targetfora leveragedcorporatebuyout. Thisisanattractive situationforDouglasandothermembersof executive management. Severalof theseindividualsarecloseto retirement;andinitialindicationsarethatthepriceofthe
buyoutwillbeveryfavorableformembersof executive management.
TheCEOand other influentialmembersof executive managementwantBankSolutionsto remain an attractive
purchase optionand,asaresult,havecontractedtheservices ofyourteamasanoutsideconsultanttoidentifyoperating andregulatory risksandadvisethem oncontrolmeasuresto mitigate the risks.
2.3RiskAssessmentTask
Asmembersoftheengagementteamperformingtherisk
assessment,yourteamhasbeengiventhetaskofassessing
BankSolutions‟incidenthandling,businesscontinuity,and disasterrecoverystrategy.
Inordertoperform theassessment,preliminary interviewswithDouglasSmith,theDataCenterManagers,
Systems Engineers and Network Architect in each of BankingSolutions‟datacenters,andtheITManagersand Day and Night Operations Managers from seven of the largest item processing facilities were conducted.
Additionally,the following documentationrelatedtoBank Solutions‟securityincidentmanagement,DR/BCplanning activitieswas reviewed:
Flowchartsthatdiagram theitemprocessingoperations anddataflow betweenBankSolutionsitem processing facilities and data centers and outside entities (see
AppendixA)
AdiagramofBankSolutions‟network architecture
Bank Solutions‟Data Center Disaster Recovery and
BusinessContinuityPlan(DRBCP)
Policies,procedures,guidelines,andstandardsrelated tosecurityincidentresponse
ItemProcessingFacilityDRBCPs
Results from the most recently completed DRBCP
test/exercise
Distributionlist forthe DRBCP
BankSolutions‟BackupandRecoveryPolicy.
Screen prints of the configurations from Bank
Solutions‟backup utility (these configurations show
what serversharesaresubject toautomated backupand the frequencyofthosebackups)
Contracts withtheoff-site storageprovider
A system-generatedlisting of accesstoeventlogging servers
Alistofindividualswhohavebeenprovidedaccessto recall backuptapes fromthe off-site storage vendor.
ScreenshotsoftheIntrusionDetectionSystem (IDS), firewall,and othereventlogging capability configurations
Excerptsfrom theIDSandfirewalleventlogsand management‟s manuallymaintainedincidenttracking log.
2.4 Facts: RiskAssessmentFindings
Based onthe discussionsheldwiththe managementanda
reviewofthe documentationprovided,younote the followingfacts:
1.With the assistance of an external consultant, Bank Solutions wrote its current data center DRBCPin2007. Itwas last updatedinJanuary2009.
2.AccordingtoDouglas,thedatacenterDRBCPwaslast
testedin 2007. Testingactivitiesconsistedof a conceptual,table-topwalkthroughof theDRBCP conductedbyDouglaswiththeDataCenterManagers andNetworkandSystemsEngineers. Itemprocessing facilityDRBCPs have notyet beentested.
3.Site-specificDRBCPshavebeenwrittenforthefive largestitemprocessingfacilities. Theremainingitem processing facilities have a generic “small center”
DRBCPtemplate thatwas distributedtoandcustomized by facility managementinJune 2010. Fouritem processing facilities have notyetcompletedthe customizationexercise.
4.DRBCPs contain several sections, including the following:
Emergency/crisis responseprocedures
Businessrecoveryprocedures
“Returnto normal” procedures
Various appendices
RecoveryTimeObjectivesandRecovery Point Objectivesiv for each critical business process and system were not identified in the DRBCP. The
following details,mostofwhichareincludedinthe DRBCPappendices,are also documentedinthe text of the DRBCP:
Criticalsystems,includingdetailedhardwareand software inventories
Critical businessprocesses andprocessowners
Alternative processing facility addresses and
directions
“CallingTrees” (notificationlistings)
Critical plan participant roles, responsibilities,
andrequirements
Criticalvendorcontactlistings
Keybusinessforms
Specific recoveryprocedures forkeysystems
Procedures for managing public relations and
communications
5.Based on a review of DRBCP distribution lists, it appearsthatnotallkeyplanparticipantshaveacopyof
theplan.Whenthiswasdiscussed withDouglas,he
respondedthatcopiesof allDRBCPsarestoredonthe network(whichisreplicatedacrossbothdatacenters
andvia backuptape).
6.Criticalplanparticipantshavenotbeentrainedtouse
DRBCPs.
7.BankSolutionshasimplemented arobusthost-based
IDS,including detailedeventlogging andreporting capabilities. However, neither the DRBCP nor any otherpolicy,standard,guideline,or procedure addresses security incident handlingsteps,including escalation pointsof contactand proceduresforpreservingthe forensic qualities oflogicalevidence.
8.Event logging is also performed when power users perform specific privileged activities on production
serversandselectedadministrative back office systems. Interestingly, it was noted that several of the same poweruserswhose actionsarerecorded ontoeventlogs also have write accesstothe logsthemselves.
9.A review of the network diagram and conversations withthe Network Architectrevealthatredundancies have beenimplementedatthe network perimeter (e.g., routers,firewalls,IDS,loadbalancers,etc.).
10. BankingSolutionshasorganizedtheirDR/BCprogram
according toa“sistercenter”format;thatis,eachdata center serves as the other‟s “hot site” processing locationandeachitem processingfacility hasbeen assignedacorrespondingitem processingfacility to serve asa backupprocessing location. Neitherthe DRBCPsnoranyotherdocumentationoutlinespecific processingresponsibilities for backupfacilities.
11. Onadailybasis,transactiondetailanditemimagefiles
fromthecurrentday‟s processingoperationsare uploadedfromeachitem processingfacility totheir regional data center (see AppendixA).
12. At the data centers, electronic vaulting has been
establishedwhereby alle-mail,file,andapplication serversand databases at the datacenter arecontinuously backedupto the other data centervia dual dedicated fiber optic lines.
13.A data backup and recovery utility has been implemented in each data center and the item processingfacilities. Fullbackupsofcriticaldatafiles, softwareprograms, and configurations are performed
onceaweekandincrementalbackupsareperformedon a dailybasis MondaythroughFriday.
14. At one item processing facility, backup jobs have
routinely failed due tounknown causes. Whenthe topic was discussed with the IT Manager on duty, he shruggedthefailuresoffnotingthatthecorefinancial institutiontransactiondataandimagesaretransmitted toandarchivedatthe BankSolutionsDataCenterEast onadailybasis.
15.Attheitemprocessingfacilities,themanagementhas beentaskedwithcontracting the off-sitestorage of backuptapes. Atoneoftheitemprocessingfacilities, management has contractedthe bank across the streetto store its backup tapes in a safety deposit box. At anotheritem processingfacility,thenightOperations Managerstoresthebackuptapesinasafeathishome. Atathirditem processingcenter,tapesarestoredina shedatthe backofthe building.
ii
Thisisindividualproject. Asa memberofanengagementteamincharge of performingthe incident handling, DR/BC risk assessment for Bank Solutions.youshouldreadthecase backgroundand the facts identifiedinthe interviews.
IndividualWork:Forallofthe facts/findings,preparea writtenreportthatliststhecondition(s)that presentrisksto Bank Solutionsaswellas proposedrecommendationsfor addressingthoseconditions.
JournalofInformationSystems Education,Vol.22(2)
Appendix A
Thiscasewasdevelopedsolelyforclassdiscussion.Whilethesituationdescribedinthiscaseisbasedonrealisticevents,theBankSolutionsisafictionalorganization. Further,thenames,product/serviceofferings,andthenamesofallindividualsinthecasearefictional.Anyresemblancetoactualcompanies,offerings,orindividualsis accidental.
122
Copyright of Journal of Information Systems Education is the property of Journal of Information Systems Education and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.