Top 20 Bank
Risk assessment
Problem
The client has a long-standing and public commitment to protect the integrity and confidentiality of its customer information. As stated within its privacy policy, “We are committed to protecting the security and integrity of customer information through procedures and technology designed for this purpose”.
In support of this commitment, Catalyst Consulting was retained to review data security and protection across the enterprise, identify areas of risk and follow up with corrective action. An assessment was completed to identify the scope and "touch points" across the enterprise. Central to the approach was close collaboration among the key business units within the client's organization, necessary to ensure that corrective actions, once implemented, would meet corporate objectives without impacting or impeding business requirements, workflow, or service levels. The engagement was structured as a phased approach to meet the project objectives, organized around four high-level actions.
- Immediately remediate known critical data security and protection exposures, identifying those that require further development into a longer-term solution.
- Review and revise current policies, aligning processes and workflow to achieve targeted levels for improved data security and protection.
- Based upon recommended changes, detail data flow, control points, encryption points, and encryption impacts (data affected) to ensure continuity with business unit requirements in terms of accessibility or requirements to enhance content.
The project scope focused upon four primary areas.
- Data Security
- Privacy
- Payments
- Lending
Solution – Phase I – Initiation, Strategy and Initial Remediation
- Communicate widely the scope, objectives, and Roles & Responsibilities of the project
- Develop data security solution sets employing best practices for storing and presenting confidential and restricted data. Solution sets will be developed in close alignment with Corporate Information Security and Vendor Management to include:
  - Fragmentation of data (centralized storage of confidential and restricted data)
  - Data element and file/database encryption
  - Appropriate display of confidential and restricted information on screens and reports
  - How and where to introduce control points into data flows
  - What confidential and restricted data is appropriate to send out of the institution
  - What confidential and restricted data is appropriate to store on desktops and LANs outside of the institution's data centers
- Develop a strategy for central storage, protection, and explicit authorization for access to confidential and restricted customer information
- Identify where confidential and restricted data is currently located (inside and outside the institution) for data
- Evaluate, score and document risk hierarchy
- Document additional details for data stores, reports, and screens having the highest risk per the risk hierarchy
- Identification and implementation of a new data repository solution
- Risk classification for every data store
- Document physical and information security currently in place for each data store, report or screen having less than the highest risk
- Document how data is being used and what QA controls are in place for each data store or report having less than the highest risk
- Detailed data flow and control points for each data store or report having less than the highest risk
Result – Deliverables – Phase I
- Temporary or permanent solution to critical issues identified in Data Defrag project or findings related to this project
- Publish Security and Data Protection Solution Sets
- Security and Data Protection Risk Hierarchy
- Initial inventories - category
- Detailed inventories for data stores, reports & screens having the highest risk within the risk hierarchy
- Detailed plan for Phase II
Solution – Phase II – Detailed Inventory Phase
- Remediation of serious issues surfaced but not fixed during Phase II
- Inventory of data in Data Protection category 1 and 4
- Apply risk hierarchy to each data store
- Document physical and information security currently in place for each data store, report or screen containing confidential and restricted data
- Document how data is being used and what QA controls are in place for data stores, reports, screens containing confidential and restricted data
- Document detailed data flow and control points for data stores, reports, screens containing confidential and restricted data
- Identify all issues requiring remediation in Phase III
- Detailed inventory of data stores, reports, screens that do not contain confidential and restricted data
- Introduction of new control points and QA controls to existing data flows
Result – Deliverables – Phase II
- Temporary or permanent solutions to critical issues identified in Phase I
- Determine risk for all data stores, reports, screens identified in Phase I
- Detailed inventory and data flows completed for all data stores, reports, screens containing confidential and restricted data
- List of items requiring remediation in Phase II
Solution – Phase III – Implement Solution
- Develop individual project plans with business and technology areas to permanently remediate data issues surfaced during earlier phases
- Implement the Information Security Roadmap strategy regarding central storage, protection, and explicit authorization for access to confidential and restricted customer information
- Remediation of processes and issues regarding data stores, screens, reports not containing confidential and restricted customer data
Result – Deliverables – Phase III
- Permanent remediation of all Security Protection issues identified in previous phases
Phase IV – Roadmap to Consolidate Customer Data
Solution – Phase IV
- Identify and reduce redundancy of customer data within operational data stores
Result – Deliverables – Phase IV
- Inventory of all channels and applications that maintain a copy of the enterprise customer data held in CIS
- Plan to reduce data redundancy and connect these channels and applications online, real-time, to CIS through Business Services