project 3: Technology Evaluation REVISION
Title: project 3: Technology Evaluation
Subject: Technology
Pages: 5 (or 1375 words minimum)
Sources: 7

Paper Details

Teaching Case
Bank Solutions Disaster Recovery and Business Continuity: A Case Study for CSIA 485

Steve Camara
Senior Manager, KPMG LLP
1021 E Cary Street, Suite 2000
Richmond, VA 23219
[email protected]

Robert Crossler
Vishal Midha
Assistant Professor
Computer Information Systems
The University of Texas – Pan American
[email protected], [email protected]

Linda Wallace
Associate Professor
Accounting and Information Systems
Virginia Tech
[email protected]

ABSTRACT

Disaster Recovery and Business Continuity (DR/BC) planning is an issue that students will likely come in contact with as they enter industry. Many different fields require this knowledge, whether employees are advising a company implementing a new DR/BC program, auditing a company's existing program, or implementing and/or serving as a key participant in a company program. Oftentimes in the classroom it is difficult to find real-world practice for students to apply the theories taught. The information in this case provides students with real-world data to practice what they would do if they were on an engagement team evaluating a DR/BC plan. Providing students with this opportunity better prepares them for one of the jobs they could perform after graduation.

Keywords: Case study, Computer security, Critical thinking, Experiential learning & education, Information assurance and security, Role-play, Security, Team projects

2. CASE TEXT

2.1 Company Background

Bank Solutions, Inc. (a pseudonym), founded in 1973 by the First Presidential Bank, a major bank of its time, is a provider of item processing services to community banks, savings and loan associations, Internet banks, and small- to mid-size credit unions.
It offers a full range of services, including in-clearing and Proof of Deposit (POD) processing, item capture, return and exception item processing, image archive storage and retrieval, and customer statement rendering.

Bank Solutions was formed in 1973 when the Chief Operating Officer of First Presidential Bank, a major commercial bank, recognized an opportunity. Since item processing functions are standardized (they have to be in order for originating and receiving financial institutions to clear customer transactions) and scalable with increases in item processing volumes, they were able to offer these services to other financial institutions wishing to reduce operating expense and focus on growth strategies and other core business functions. First Presidential marketed these services under the Bank Solutions brand name.

Over the next 15 years, Bank Solutions enjoyed modest growth. By 1988, it served 41 small- to mid-size financial institutions. It had not, however, developed a market presence outside of the Northwestern Region of the United States, as management had hoped. This was primarily because Bank Solutions was unable to compete with other item-processing service providers that had developed proprietary software systems considered "top of the line." To make matters worse, at the time almost one quarter of Bank Solutions' client base was savings and loan associations (savings and loans). As a result of the Savings and Loan crisis, 60% of Bank Solutions' savings and loan customer base failed over the six years spanning 1985–1991, thus stunting the outsourcer's growth. The related slowdown of the financial services and real estate industries and the recession of 1990–1991 presented further headwinds to the growth objectives of First Presidential management. In 1994, First Presidential sold off Bank Solutions.

Under new management, Bank Solutions thrived.
Keys to the company's renewed success included the following:

• The development of key strategic partnerships with other industry participants, including data clearing houses and financial institution core processing system outsourcers.
• The introduction of a new company culture that focused on open door management, mentoring, and enhanced employee benefits.
• The development of a proprietary, state-of-the-art item processing system that uses state-of-the-art Optical Character Recognition (OCR) technology to achieve character recognition accuracies that were previously unheard of.
• The implementation of "remote capture" technologies to meet electronic banking initiatives and regulations such as "Check 21."
• The upgrade or replacement of other administrative information systems, including the company's financial reporting system. This helped to increase operational effectiveness and efficiencies.

From 1995–2008, Bank Solutions enjoyed unprecedented growth. During that timeframe, the company expanded operations to 18 item processing facilities, two data centers in which the item processing system was hosted, and 345 financial institutions.

2.2 Current Scenario (2011)

Douglas Smith, the Chief Information Officer for Bank Solutions, was one of the original members of "new management" and responsible for many of Bank Solutions' past successes. A solid, middle-sized company with continued growth potential, Bank Solutions has become a target for a leveraged corporate buyout. This is an attractive situation for Douglas and other members of executive management.
Several of these individuals are close to retirement; and initial indications are that the price of the buyout will be very favorable for members of executive management.

The CEO and other influential members of executive management want Bank Solutions to remain an attractive purchase option and, as a result, have contracted the services of your team as an outside consultant to identify operating and regulatory risks and advise them on control measures to mitigate the risks.

2.3 Risk Assessment Task

As members of the engagement team performing the risk assessment, your team has been given the task of assessing Bank Solutions' incident handling, business continuity, and disaster recovery strategy.

In order to perform the assessment, preliminary interviews with Douglas Smith, the Data Center Managers, Systems Engineers and Network Architect in each of Bank Solutions' data centers, and the IT Managers and Day and Night Operations Managers from seven of the largest item processing facilities were conducted.

Additionally, the following documentation related to Bank Solutions' security incident management, DR/BC planning activities was reviewed:

• Flow charts that diagram the item processing operations and data flow between Bank Solutions item processing facilities and data centers and outside entities (see Appendix A)
• A diagram of Bank Solutions' network architecture
• Bank Solutions' Data Center Disaster Recovery and Business Continuity Plan (DRBCP)
• Policies, procedures, guidelines, and standards related to security incident response
• Item Processing Facility DRBCPs
• Results from the most recently completed DRBCP test/exercise
• Distribution list for the DRBCP
• Bank Solutions' Backup and Recovery Policy
• Screen prints of the configurations from Bank Solutions' backup utility (these configurations show what server shares are subject to automated backup and the frequency of those backups)
• Contracts with the off-site storage provider
• A system-generated listing of access to event logging servers
• A list of individuals who have been provided access to recall backup tapes from the off-site storage vendor
• Screenshots of the Intrusion Detection System (IDS), firewall, and other event logging capability configurations
• Excerpts from the IDS and firewall event logs and management's manually maintained incident tracking log

2.4 Facts: Risk Assessment Findings

Based on the discussions held with the management and a review of the documentation provided, you note the following facts:

1. With the assistance of an external consultant, Bank Solutions wrote its current data center DRBCP in 2007. It was last updated in January 2009.

2. According to Douglas, the data center DRBCP was last tested in 2007. Testing activities consisted of a conceptual, table-top walkthrough of the DRBCP conducted by Douglas with the Data Center Managers and Network and Systems Engineers. Item processing facility DRBCPs have not yet been tested.

3. Site-specific DRBCPs have been written for the five largest item processing facilities. The remaining item processing facilities have a generic "small center" DRBCP template that was distributed to and customized by facility management in June 2010. Four item processing facilities have not yet completed the customization exercise.

4. DRBCPs contain several sections, including the following:

• Emergency/crisis response procedures
• Business recovery procedures
• "Return to normal" procedures
• Various appendices

Recovery Time Objectives and Recovery Point Objectives for each critical business process and system were not identified in the DRBCP. The following details, most of which are included in the DRBCP appendices, are also documented in the text of the DRBCP:

• Critical systems, including detailed hardware and software inventories
• Critical business processes and process owners
• Alternative processing facility addresses and directions
• "Calling Trees" (notification listings)
• Critical plan participant roles, responsibilities, and requirements
• Critical vendor contact listings
• Key business forms
• Specific recovery procedures for key systems
• Procedures for managing public relations and communications

5. Based on a review of DRBCP distribution lists, it appears that not all key plan participants have a copy of the plan. When this was discussed with Douglas, he responded that copies of all DRBCPs are stored on the network (which is replicated across both data centers and via backup tape).

6. Critical plan participants have not been trained to use DRBCPs.

7. Bank Solutions has implemented a robust host-based IDS, including detailed event logging and reporting capabilities. However, neither the DRBCP nor any other policy, standard, guideline, or procedure addresses security incident handling steps, including escalation points of contact and procedures for preserving the forensic qualities of logical evidence.

8. Event logging is also performed when power users perform specific privileged activities on production servers and selected administrative back office systems. Interestingly, it was noted that several of the same power users whose actions are recorded onto event logs also have write access to the logs themselves.

9. A review of the network diagram and conversations with the Network Architect reveal that redundancies have been implemented at the network perimeter (e.g., routers, firewalls, IDS, load balancers, etc.).

10. Bank Solutions has organized their DR/BC program according to a "sister center" format; that is, each data center serves as the other's "hot site" processing location and each item processing facility has been assigned a corresponding item processing facility to serve as a backup processing location. Neither the DRBCPs nor any other documentation outline specific processing responsibilities for backup facilities.

11. On a daily basis, transaction detail and item image files from the current day's processing operations are uploaded from each item processing facility to their regional data center (see Appendix A).

12. At the data centers, electronic vaulting has been established whereby all e-mail, file, and application servers and databases at the data center are continuously backed up to the other data center via dual dedicated fiber optic lines.

13. A data backup and recovery utility has been implemented in each data center and the item processing facilities. Full backups of critical data files, software programs, and configurations are performed once a week and incremental backups are performed on a daily basis Monday through Friday.

14. At one item processing facility, backup jobs have routinely failed due to unknown causes. When the topic was discussed with the IT Manager on duty, he shrugged the failures off, noting that the core financial institution transaction data and images are transmitted to and archived at the Bank Solutions Data Center East on a daily basis.

15. At the item processing facilities, the management has been tasked with contracting the off-site storage of backup tapes. At one of the item processing facilities, management has contracted the bank across the street to store its backup tapes in a safety deposit box. At another item processing facility, the night Operations Manager stores the backup tapes in a safe at his home. At a third item processing center, tapes are stored in a shed at the back of the building.

This is an individual project. As a member of an engagement team in charge of performing the incident handling, DR/BC risk assessment for Bank Solutions, you should read the case background and the facts identified in the interviews.

Individual Work: For all of the facts/findings, prepare a written report that lists the condition(s) that present risks to Bank Solutions as well as proposed recommendations for addressing those conditions.

Journal of Information Systems Education, Vol. 22(2)

Appendix A

This case was developed solely for class discussion. While the situation described in this case is based on realistic events, Bank Solutions is a fictional organization. Further, the names, product/service offerings, and the names of all individuals in the case are fictional.
Any resemblance to actual companies, offerings, or individuals is accidental.

Copyright of Journal of Information Systems Education is the property of Journal of Information Systems Education and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

Attached and above are the original instructions and the final copy of the writer. Below are my comments.

The writer was supposed to select one of the security technologies you identified in either Project 1 or Project 2. Research and evaluate its capabilities, costs, maintenance requirements, flexibility, and feasibility for implementation. The analysis should include pros and cons, potential barriers to success, vulnerabilities eliminated or reduced, convergence issues, first adopters (if the technology is new), and any other issues you deem important to consider. All these instructions are on the rubric and the writer was supposed to follow that. Strictly follow the rubric. I need to submit this paper in 3 hrs time.

Files: CSIA_485_Project_3_Template.doc, CSIA_485_project_3_instructions_for_week_4.docx