Risk Forum: Busting the Top Myths that Expose your Bank to Risk
WELCOME
Welcome
• Introductions
– Tammy Bangs JHA
– Scott Whisman JHA
– Tom Williams JHA Centurion
– Allen Eaves JHA Gladiator
October 11, 2015 ©2015 Jack Henry & Associates. All Rights Reserved.
Welcome
• Table Arrangement
– Peer Discussion and Handouts
• Agenda review
– Areas of Focus
• Housekeeping Items
– Restrooms, Refreshments and Breaks
• Follow up Items
– Slide Deck Provided
– Follow Up Survey
An Overview
• What today is not:
– A product demonstration
– A lecture
– A test or contest
• What today is:
– A conference that will challenge your bank’s idea of risk mitigation and preparedness, and help you identify and strategize ways to improve risk avoidance at your FI.
Special Guest Speaker
• Scott Whisman
General Manager – Corporate Services
Peer Discussion
• Introduce yourself
– Name
– Title
– Bank Name and Location
– Asset Size, Core Processor, In-house or Outsourced
– In your opinion, what is your top Risk Concern for your FI?
Myth Busting
1. Internal Fraud: Not at our Bank
2. On Premises: Safe and Sound
3. Social Engineering: We’re not susceptible
4. Cyber Threats: We’re covered
5. Customers are Patient: Our BRP is Sufficient
6. BCP Passed Exam: It’s all good
Myths 1 & 2
Tammy Bangs – Jack Henry Banking
My bank doesn’t have any
Myth 1: Internal Fraud
MYTH #1
Assumptions associated with Myth #1:
• Statistically untrue
• Malicious or unintentional exposure of data risks
• Is it a gamble you are willing to take?
Insider Fraud Statistics
Insider vs External Fraud in Banks (chart): Internal Fraud 60%, External Fraud 40%
www.celent.com/internal-fraud
Insider Fraud Statistics
• Insider fraud accounts for approximately 60% of bank fraud cases where a data breach or theft of funds has occurred.
www.celent.com/reports/internal-fraud-big-brother-needs-new-glasses
• Insider fraud has accounted for over one-half of all bank fraud and embezzlement cases closed by the FBI during the past several years.
FDIC Bank Fraud and Insider abuse
• “Insider fraud is still not getting the attention it needs. Banking institutions are aware of the risks, but less than half are well prepared to detect it.”
Tom Wills, Javelin Strategy
• One-in-five internally perpetrated frauds involve senior management.
www.pwc.com Global Economic Crime Survey
Bank Insider/Employee Fraud
• Low and Slow Approach
• Data Modification
• Low Tech – Relying on Knowledge and Access
• Management vs. Non-Management
– Management – average length of 33 months and over $200,000 in average total fraud
– Non-Management – average length of 18 months and $100,000 in average total fraud
Randy Trzeciak
CERT Insider Threat Research Team
Insider Linked Data Breaches
• According to Jason Clark, a researcher at the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, insider-linked data breaches, while increasingly common, are grossly under-reported, due to the lack of evidence to prosecute or the fact that the damage level is insufficient to warrant prosecution.
• 53% of survey participants indicated they had experienced an insider data breach incident
• 75% of cases do not involve law enforcement
www.bankinfosecurity.com/interview/how-to-fight-insider-fraud
Reputational Risk: Is it worth the gamble?
If I can touch it – I feel more secure
Myth 2: On Premises = Safe/Secure
MYTH #2
Assumptions associated with Myth #2:
• Creates the illusion of safety
• Statistically unfounded
• Regulatory pressure
• How much risk does this pose for your bank?
www.glassdoor.com
Jack Henry & Associates Reviews
3.7 Rating Trends
75% Recommend to a friend
94% Approve of CEO Jack Prim
161 Ratings
Featured Review
Helpful (2)
“Good company with a great culture”
Current Employee – Anonymous Employee in Birmingham, AL
I have been working at Jack Henry & Associates full-time (More than a year)
Pros
I have been with JHA over a year, and I can honestly say this is a very good company. One's personal experience may vary depending on the department in which you work and the person who is supervising said department... But that is the struggle of any large company. From a corporate viewpoint, I feel like I am valued and respected. I don't feel like upper management is out for their own….
Jack Henry & Associates Awards & Accolades
• 2015
– 100 Best Places to Work in IT - Large, Computerworld Magazine, 2015
– Top Workplaces, The Tennessean, 2015
• 2014
– 100 Best Places to Work in IT, Computerworld, 2014
– Best Companies to Work for in Alabama (Large Companies), Business Alabama Magazine, 2014
– Best Places to Work in Kentucky (Large), Best Places to Work in Kentucky, 2014
– Best Places to Work in San Diego (Symitar-Mega Employer Category), San Diego Business Journal, 2014
– Top Workplaces (Information Technology), Houston Chronicle, 2014
Creates the Illusion of Safety
• Public vs. Private Cloud
• Recovery Concerns
• Replication vs Tape Backup
Regulatory Pressure
• Are you prepared for the regulatory scrutiny?
• Vendor due diligence
Myths 3 & 4
Allen Eaves – Gladiator
My employees know better
Myth 3: Social Engineering
“In my mind social engineering is the biggest issue today.”
- Sparky Blaze, former member of Anonymous
Information Gathering
High-tech
Low-tech
No-tech
No-tech Information Gathering
Dumpster diving
Shoulder surfing
The trust of a badge and uniform
Attack Vectors
Phone Elicitation
Physical
Phishing
Removable Drives
Low and High-Tech Information Gathering
Company Details – Employee Interests – Latest News
Internet browsing – Wi-Fi listening to find personal information
How to Reduce Risk
Social engineering assessment
Education
Policies
Defense in depth approach
My firewall has my back
Myth 4: We are Protected Against Cyber Threats
January 7th 2015
Dark Comet defeats Common Security
443 TCP Outbound
How the Infection Takes Place
Malicious Site
Questions?
Myths 3 & 4
Myths Associated with Disasters
Tom Williams – Centurion Disaster Recovery
We’re prepared since we passed our BCP Exam
Myth 5: BCP Passed – It’s All Good
We passed our Business Continuity Plan Exam so we’re prepared
Assumptions associated with Myth #5:
• The examiner was thorough in reviewing the plan.
• The examiner was knowledgeable on the FFIEC Guidelines on BCP.
• The exam was based on the review of the enterprise-wide plan and not just the I/T plan.
• The examiner assumed that plan was tested at multiple levels, i.e. technical, executive, business units, with multiple scenarios.
• The Board signed off on the plan with knowledge of the plan’s true ability to recover.
We’ll be back up and running in time
Myth 6: In the Event of Disaster, Our Customers will be Patient
When a disaster strikes, we will be able to meet customer needs
Assumptions associated with Myth #6:
• Our customers are loyal so they will be understanding and patient until we recover, no matter how long it takes.
• Our I/T team has a plan to get the systems and applications up and that is all the bank needs to recover operations.
• We have a veteran staff and we can handle whatever comes up on the fly.
• All of our critical personnel will be available to assist in the recovery efforts.
• Our core processing is outsourced so we will not be impacted.
FFIEC Guidelines for Business Continuity Planning
Business Impact Analysis (BIA)
• Business Functions
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resources
Risk Assessment
• Threats
– Natural
– Human
– Technical
Risk Management
• Enterprise-wide BCP
• Emergency Plans
• Crisis Management Plans
• IT & Business Unit Plans
• Family Disaster Plan
Risk Monitoring
• Plan Updates
• Disaster Recovery Testing
• Tabletop Exercises
• Mock Drills
Business Impact Analysis (BIA) Process
1. Identify Function
2. Identify Impact
3. Identify Recovery Time
4. Identify Recovery Strategy
5. Identify Resources
6. Contingency Procedures
7. Alternate Recovery Location
Note: Perform for each function
Business Impact Analysis Impact Categories
Lost Income / Financial
• Lost Revenue
• Fines and Penalties
• Funds for Investing
• Cost of Recovery Efforts
Regulatory / Legal
• Fines
• Lawsuits
• Compliance
Other Business Units
• Work Flow
• Quality
• Life & Safety
• Vendor Relations
Public / Customer Image
• Reputation
• Customer Service
• Employee Morale
• Employee Stress
Categorizing Business Functions – FFIEC Examination Handbook
Source: FFIEC IT Examination Handbook, Business Continuity Planning, March 2008, Appendix F, p. F-3
![Page 77: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/77.jpg)
System / Application Recovery – Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
[Timeline diagram: Last Backup of usable data, Disaster Strikes, System Restored; Data Loss and System Loss marked around the Disaster]
• RTO (Recovery Time Objective): Time to recover systems from the time the systems went down
• RPO (Recovery Point Objective): How far back do we have to go for a copy of good data
![Page 78: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/78.jpg)
Process Flow for the Cash Check Function – Business Impact Analysis
Process 1 – Receive Check from customer
Process 2 – Verify ID
Process 3 – Pull up account on core system
Process 4 – Six point check verification
Process 5 – Verify funds and check holds
Process 6 – Process transaction on system
Process 7 – Distribute funds
Process 8 – Print cash out ticket
Process 9 – Bundle check & cash out ticket for Proof
![Page 79: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/79.jpg)
Business Impact Analysis Rating Scale – Bank A
Recovery Time Objective (RTO)
• 1 – Within 24 Hours
• 2 – Within 48 Hours
• 3 – Within 1 Week
• 4 – Within 2 Weeks
• 5 – Greater than 2 Weeks
Recovery Point Objective (RPO)
• A – No Data Loss Acceptable
• B – 12 Hours
• C – 24 Hours
• D – 48 Hours
• E – 1 Week or More
![Page 80: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/80.jpg)
Business Impact Analysis Process
1. Identify Function
2. Identify Impact
3. Identify RTO & RPO
4. Identify Recovery Strategy
5. Identify Resources
6. Contingency Procedures
7. Alternate Recovery Location
![Page 81: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/81.jpg)
Business Impact Analysis – Cash Checks Function – Bank A
1. Identify Function: Cash Checks
2. Identify Impact (BIA Impact Ratings):
– Financial 3 – 1 Week
– Public Image 1 – 24 Hours
– Regulatory 2 – 48 Hours
– Other BU 4 – 2 Weeks
3. Identify RTO & RPO: RTO – 1 (24 Hours), RPO – C (24 Hours)
4. Identify Recovery Strategy: Hot Site Recovery Using Tape; Virtualization – Self Provision
5. Identify Resources: Core System, Domain Controller, Terminal - Printer, Network, Employee, FED PC
6. Contingency Procedures: Perform Manually with Restrictions
7. Alternate Recovery Location: DR Mobile Unit, Alternate Branch
![Page 82: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/82.jpg)
System / Application Recovery Timeline – Bank A (Tape Recovery)
[Timeline diagram]
• Last EOD Backup of usable data: Friday 8:00 pm
• Disaster Strikes: Monday 3:47 pm
• RPO (Data - How far Back): 67.47 Hours of Data Loss
• RTO (Time to Recover): 31 Hours
• Segment labels on the timeline: Travel to Recovery Center, System Restore, Data Re-entry, Catch up
• Segment durations on the timeline: 7 Hours, 6 Hours, 13 Hours, 5 Hours
![Page 83: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/83.jpg)
Business Impact Analysis Rating Scale - Bank B
Recovery Time Objective (RTO)
• 1 – Within 4 Hours
• 2 – Within 8 – 12 Hours
• 3 – Within 12 – 24 Hours
• 4 – Within 24 – 48 Hours
• 5 – Greater than 48 Hours
Recovery Point Objective (RPO)
• A – No Data Loss Acceptable
• B – 4 Hours
• C – 12 Hours
• D – 24 Hours
• E – Greater than 24 Hours
![Page 84: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/84.jpg)
Business Impact Analysis – ACH (Incoming) Function – Bank B
1. Identify Function: ACH (Incoming)
2. Identify Impact (BIA Impact Ratings):
– Financial 1 – 4 Hours
– Public Image 1 – 4 Hours
– Regulatory 1 – 4 Hours
– Other Business Units 1 – 4 Hours
3. Identify RTO & RPO: RTO – 1 (4 Hours), RPO – A (No Acceptable Data Loss)
4. Identify Recovery Strategy: Hosted High Availability; Virtual Storage Recovery
5. Identify Resources: Core System, Workstation, Printer
6–7. Contingency Procedures / Alternate Recovery Location: DR Mobile Unit, Alternate Branches; Core System
![Page 85: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/85.jpg)
Business Function Technology Requirements

| Department or Business Unit | Business Function/Activity | Corporate Impact | System Required | Application Required | Manual Process | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) |
|---|---|---|---|---|---|---|---|
| Branch Operations | Cash checks | High | iSeries | Silverlake | Yes | 8 Hours | 3 |
| Telephone Express Center | Do loan payments | High | iSeries | Silverlake | Yes | 8-24 Hours | 4 |
| Telephone Express Center | Do wire transfers | High | iSeries | Silverlake | No | 8 Hours | 3 |
| Member Services | Statuing of accounts | High | iSeries | Silverlake | No | 0-8 Hours | 1 |
| Information Technology | Administer and administer backups | High | Client/Server | ProcessPro | Yes | 4-8 Hours | 2 |
| Deposit Services | Set up close day, close month process | High | Client/Server | ProcessPro | Yes | 3+ Days | 4 |
| Electronic Banking | Prepare VRU report | High | Client/Server | ProcessPro | Yes | 3+ Days | 4 |
| Electronic Banking | Hot card entry | Low | Client/Server | InTouch | Yes | 3+ Days | 4 |
| Electronic Banking | Set up new Internet accounts | Medium | Client/Server | PinPoint | No | 3+ Days | 4 |
| Item Processing | Set up new Internet accounts | Medium | Workstation | NetTeller | No | 8-24 Hours | 2 |
| Branch | Cash checks | High | Workstation | CIF 20/20 | Yes | 8-24 Hours | 2 |
| Electronic Banking | Hot card entry | High | Workstation | Internet | No | 8-24 Hours | 2 |
| Mortgage Origination | Pull credit report | High | Workstation | ProcessPro | Yes | 3+ Days | 4 |
| Trust Operations | Buy/Sell securities | High | Workstation | Trust Rite | Yes | 3+ Days | 4 |
| Commercial Lending | Send decline letters | Low | Workstation | Word | Yes | 3+ Days | 4 |
| Deposit Services | Local rate survey | Low | Workstation | Excel | Yes | 3+ Days | 4 |
| Deposit Services | Process overdraft items | Medium | Workstation | CIF 20/20 | Yes | 8-24 Hours | 2 |
| Electronic Banking | Set up new Internet accounts | Medium | Workstation | NetTeller | No | 8-24 Hours | 2 |
![Page 86: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/86.jpg)
Technology Recovery Strategy Evolution – Business Impact Analysis
• Hosted High Availability
– Self Provisioned
– DRaaS
• Electronic Vaulting
– Self Provisioned
– Vendor Managed
• Virtualization
– On-site
– Off-site
• Media Device Backup
– Tape
– USB
– CD - Hard Drive
![Page 87: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/87.jpg)
Technology Recovery Strategies – Business Impact Analysis
[Chart: Criticality Level (Critical, Urgent, Important, Normal) plotted against Recovery Time Objective (Min HRS, 4 HRS, 8 HRS, 24 HRS, 48 HRS, 72 HRS); strategies shown: Full HA, SAN Replication, Virtualization, Tape Recovery]
![Page 88: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/88.jpg)
System / Application Recovery Timeline – Bank B - High Availability
[Timeline diagram]
• Last Data Snapshot: 3:32 pm
• Disaster Strikes: Monday 3:47 pm
• RPO: 15 Minutes
• RTO (Time to Recover): 30 Minutes
• Segment labels on the timeline: Travel to Recover Center, System Restore, Data Re-entry, Catch up
• Segment durations on the timeline: 7 Hours, 6 Hours, 13 Hours, 5 Hours
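The two recovery timelines (Bank A tape recovery, Bank B high availability) can be checked against each bank's own BIA rating scale and function targets. The Python sketch below is an added example, not part of the original deck; the calendar dates are constructed (the slides give only weekday and time), reading each rating band as an upper bound is an interpretation of the scales, and applying Bank B's timeline to its ACH (Incoming) targets is an assumption.

```python
from datetime import datetime, timedelta


def hours(n):
    return timedelta(hours=n)


# Rating bands transcribed from the Bank A and Bank B rating-scale slides.
# Each entry is (rating, longest duration that still earns it); anything
# longer falls into the final rating. Upper-bound reading is an assumption.
SCALES = {
    "Bank A": {
        "rto": ([("1", hours(24)), ("2", hours(48)), ("3", hours(168)), ("4", hours(336))], "5"),
        "rpo": ([("A", hours(0)), ("B", hours(12)), ("C", hours(24)), ("D", hours(48))], "E"),
    },
    "Bank B": {
        "rto": ([("1", hours(4)), ("2", hours(12)), ("3", hours(24)), ("4", hours(48))], "5"),
        "rpo": ([("A", hours(0)), ("B", hours(4)), ("C", hours(12)), ("D", hours(24))], "E"),
    },
}


def rate(duration, scale):
    """Return the strictest rating whose band still covers `duration`."""
    bands, worst = scale
    for rating, bound in bands:
        if duration <= bound:
            return rating
    return worst


def meets(achieved, target, scale):
    """True when the achieved rating is at least as strict as the target."""
    bands, worst = scale
    order = [rating for rating, _ in bands] + [worst]
    return order.index(achieved) <= order.index(target)


def gap_analysis(bank, target_rto, target_rpo, last_good_copy, disaster, time_to_recover):
    """Compare an observed recovery timeline with the BIA targets."""
    if disaster < last_good_copy:
        raise ValueError("last good copy must precede the disaster")
    scale = SCALES[bank]
    data_loss = disaster - last_good_copy  # what RPO measures
    achieved_rto = rate(time_to_recover, scale["rto"])
    achieved_rpo = rate(data_loss, scale["rpo"])
    return {
        "data_loss_minutes": int(data_loss.total_seconds() // 60),
        "achieved_rto": achieved_rto,
        "achieved_rpo": achieved_rpo,
        "rto_met": meets(achieved_rto, target_rto, scale["rto"]),
        "rpo_met": meets(achieved_rpo, target_rpo, scale["rpo"]),
    }


def bank_a_cash_checks():
    # Targets from the Cash Checks BIA slide: RTO 1, RPO C.
    # Dates constructed: a Friday 8:00 pm backup, disaster the next Monday 3:47 pm.
    return gap_analysis("Bank A", "1", "C",
                        datetime(2015, 10, 9, 20, 0),
                        datetime(2015, 10, 12, 15, 47),
                        hours(31))


def bank_b_ach_incoming():
    # Targets from the ACH (Incoming) BIA slide: RTO 1, RPO A.
    # Date constructed: snapshot at 3:32 pm, disaster at 3:47 pm the same Monday.
    return gap_analysis("Bank B", "1", "A",
                        datetime(2015, 10, 12, 15, 32),
                        datetime(2015, 10, 12, 15, 47),
                        timedelta(minutes=30))


if __name__ == "__main__":
    for name, result in (("Bank A", bank_a_cash_checks()),
                         ("Bank B", bank_b_ach_incoming())):
        print(name, result)
```

Run against the slides' figures, the tape timeline misses both of Bank A's targets, while the replicated timeline meets Bank B's RTO but a 15-minute snapshot interval still rates below a "no data loss" RPO.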
![Page 89: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/89.jpg)
Disaster Avoidance Concept – Bank B
[Timeline diagram: Potential Disaster Event, Disaster Avoidance Decision, Switch to Secondary System, Disaster; the span between the decision and the disaster is the Disaster Avoidance Period]
• Recovery of Technology Avoided (RTO)
• Recovery of Business still Required
![Page 90: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/90.jpg)
We’ll be back up and running in time
Myth 6: In the Event of Disaster, Our Customers will be Patient
![Page 91: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/91.jpg)
For our discussion today: The bank after the Disaster
![Page 92: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/92.jpg)
Customer Expectations – As Told by Actual Customers
• “I expect the same level of service immediately following a disaster
as I had before the disaster.”
• “I want immediate access to my accounts via mobile, internet and
telephone banking immediately following a disaster.”
• “I expect expedited, or a higher level of service if the disaster
impacted me and my family and I needed emergency monies.”
• “I want the ability to do cash withdrawals immediately following a
disaster with no restrictions on the amount I can withdraw.”
• “If the disaster is serious enough like a Katrina, I want my family
and friends to have the ability to wire monies into my account for
support.”
• “I want to be able to increase my line of credit, or apply for a loan
to help me rebuild if the disaster impacts my family.”
![Page 93: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/93.jpg)
Customer Expectations of Service after a Disaster
[Chart: Service Level after Disaster (No Service, Severely Delayed Service, Delayed Service, Slightly Delayed Service, Same as Normal Service) plotted against the Recovery Time Line (1 Hour, 12 Hours, 24 Hours, 36 Hours, 48 Hours); curves shown: Customer Expectations, Bank’s Perceived Recovery Level, Actual Recovery Level; the difference is labelled Recovery Gap Analysis]
![Page 94: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/94.jpg)
Recovery Gap Analysis Results
• Recovery strategy for Core / Server environment needs
improvement.
• No prioritization on which functions and applications to
recover.
• Lack of an Enterprise Wide Business Continuity Plan
that has been tested at multiple levels.
• No Alternate Work Locations identified, or if identified
they have not been equipped to support relocated
employees.
• Lack of personnel training.
• Lack of communications with highly dependent vendors.
• Assumption that outsourcing provider will address
components that the bank is responsible for.
![Page 95: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/95.jpg)
Step 4 - Draft Plans Generated
Emergency Management Plan (Per Facility)
Crisis Management Plans
Information Systems Recovery Plan
Business Unit Recovery Plans
Executive Summary
Plan Testing & Exercise Guide
Business Continuity Plan Documentation
![Page 96: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/96.jpg)
Business Continuity Teams
• Crisis Management Team
– Management: Team Leader, Alt. Team Leader
• Business Unit Recovery Teams
– Finance (Team Leader, Alt. Team Leader): Bookkeeping, Finance, Accounting, eBanking
– Administration (Team Leader, Alt. Team Leader): Audit, Compliance, HR, Training, Marketing, Investments, Maintenance
– Information Systems (Team Leader, Alt. Team Leader): Information Systems
– Loan Operations (Team Leader, Alt. Team Leader): Loan Analyst, Loan Processing, Commercial Lending, RE Mortgage
– Deposit Operations (Team Leader, Alt. Team Leader): Deposit Operations, Retail Banking/Consumer Lending
![Page 97: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/97.jpg)
Communicating with Employees / Customers – Emergency Notification System
![Page 98: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/98.jpg)
Plan Execution - Recovery Timeline
[Timeline labels: Risk Management, Disaster]
• Crisis Management Phase
• Relocate & Restore Phase
• Recover Business Functions Phase
• Rebuild & Return Phase
![Page 99: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/99.jpg)
Plan Execution - Recovery Timeline
[Timeline labels: Risk Management, Disaster]
• Crisis Management Phase
– Family Disaster Plan
– Evacuation & Safety
– Damage Assessment
– Communications
– Disaster Declaration
• Relocate & Restore Phase
• Recover Business Functions Phase
• Rebuild & Return Phase
![Page 100: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/100.jpg)
Plan Execution - Recovery Timeline
[Timeline labels: Risk Management, Disaster]
• Crisis Management Phase
– Evacuation & Safety
– Damage Assessment
– Communications
– Disaster Declaration
• Relocate & Restore Phase
– Notifications
– Mobilization
– Relocation
– Restore
• Recover Business Functions Phase
• Rebuild & Return Phase
![Page 101: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/101.jpg)
Recover Business Functions
• Customer Inquiries via phones
• Handle deposits & withdrawals
• Accept loan payments
• Account transfers
• Balance cash drawers
• Handle security issues
• Handle stop payments
• Issue cashier’s checks
• Post drop box transactions
Recovery windows shown: 15 minutes – 4 Hours; 4 – 8 Hours; 8 – 24 Hours; 24 – 48 Hours
![Page 102: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/102.jpg)
Recover Business Functions
• Order ATM cards/debit card
• Calculate Payments using projection screens
• Loan status calls
• Do cash advance
• Fund home equity loans
• Fund second trustee loans
• Issue onsite ATM cards
• Issue temporary checks
Recovery windows shown: 15 minutes – 4 Hours; 4 – 8 Hours; 8 – 24 Hours; 24 – 48 Hours
![Page 103: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/103.jpg)
Physical Recovery Considerations
• Branch Offices
• Work from Home
• Vendor Recovery Site
• Internal Recovery Site
• Mobile Recovery Unit
• Office/Remote Workspace
• Temporary Lease Facility
![Page 104: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/104.jpg)
Equipment Recovery Considerations
• Store in advance
• Purchase when needed
• Drop Ship Service
– Mainframe
– Servers
– Workstations
– Printers / Fax Machines
– Phones
– Routers / Switches
• Vendor provided at Recovery Site
![Page 105: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/105.jpg)
Recovery Strategy Considerations - Satellite Communications
Mobile to Client Hot Site to Mobile
![Page 106: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/106.jpg)
Out-Sourced Processing Considerations
• Responsible for the restoration of the following:
– Connectivity to the Core Processing Site
• (jConnect Backup Router)
– System Recovery of Core System
– Server / Network Recovery
• Exchange Servers - Domain Controllers
• JHA & 3rd Party Applications
– Telecommunications - Voice Recovery
– Equipment setup & Reconfiguration
– Facilities
• A plan to deal with a disaster that strikes the processing
center
![Page 107: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/107.jpg)
BCP / DR Question Drill Down Questions
• Can we recover?
– Who will be available to assist in the recovery?
– Will our critical vendors be able to deliver the required services / products?
– What systems / applications will be recovered?
– How long will it take us to recover systems / applications?
– Will we have the proper data available to support the business units?
– Do our recovery strategies meet our customers' demand?
![Page 108: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/108.jpg)
Top DR Trends for 2015
• Managed Recovery solutions will become the industry standard due to:
– Cost
– High data requirements
– Skills
– Personnel requirements
– Geographic separation
• Electronic vaulting will replace tape backup for Disaster Recovery
• RPOs will be measured in minutes
![Page 109: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/109.jpg)
Top DR Trends for 2015
• DRaaS
– The replication and hosting of physical or virtual servers by a third-party to provide failover in the event of a man-made or natural disaster.
• DRaaS Considerations
– Requires a strong contract indicating service-level agreement (SLA) requirements and obligations by both parties regarding failover times and responsibilities.
– Useful for businesses that lack the expertise to provision, configure, test and execute a similar DR environment if it were self provisioned in-house.
– The bank does not have to make a large capital investment to implement and maintain their own off-site DR environment for replication and failover.
– DRaaS can be flexible to meet the organization’s needs.
![Page 110: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/110.jpg)
Disaster Avoidance Concepts – A CEO’s Perspective
As a company, we cannot prevent a natural disaster.
We can, however, greatly reduce the impact felt by our customers and our Associates if a disaster does occur.
We increasingly utilize technology to reduce the level of human involvement within our data systems management.
We continue to look at new technologies to further reduce human involvement and increase automation should a disaster occur.
We realize this is a topic that we always have to focus upon to deliver the best possible solution to our customers.
![Page 111: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/111.jpg)
Branson Business Recovery Facility
• Secure underground facility nestled in the Ozark Mountains in Branson, MO.
• 175 feet below ground; enclosed under dome and two layers of granite-like shale
• Impervious to most natural disasters – hurricane/flood/tornado-proof – rated to withstand up to 1000 mph winds
• Two separate electrical transmission lines from different states
• Multiple levels of telecommunications resiliency
![Page 112: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/112.jpg)
Branson Hot Site
![Page 113: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/113.jpg)
Outlink Processing Center Disaster Avoidance Strategy
[Diagram: Data Replication between processing centers; labels shown: DP 1, DP 2 CIF 20/20, DP 3 SilverLake, Core Director, DP DR, DP DA, Branson]
![Page 114: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/114.jpg)
In-House Processing Considerations
• Responsible for the restoration of the following:
– System Recovery of Core System
– Server / Network Recovery
• Exchange Servers - Domain Controllers
• JHA & 3rd Party Applications
– Telecommunications - Voice Recovery
– Equipment setup & Reconfiguration
– Facilities
![Page 115: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/115.jpg)
Next Steps
1. Ensure you have Executive support for the BCP.
2. Have your BCP reviewed by BCP Experts.
3. Conduct a Mock Disaster Drill using your BCP.
4. Determine if outside expertise is required to improve your
plan, or if the work will be done internally.
5. Ensure that your BCP is structured at the department level.
6. Build / improve your plan and test it regularly
![Page 116: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/116.jpg)
Thank you for your participation!
Questions?
Tom Williams
Business Continuity Strategy Manager
![Page 117: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/117.jpg)
Plan Execution Process
[Flowchart; boxes listed in the order they appear on the slide]
• Event Occurs
• Declare Disaster
• Assess and Report Damage
• Safe Zone
• Crisis Mgmt Team Leader
• Escalation Process
• Begin Salvage
• Mobilize Recovery Teams
• Begin Media Relations / Press Release
• Activate Alt Workspace(s)
• Relocate Staff To Alt Workspace
• Begin Restoration Of Affected Site
• Prepare to Re-occupy Primary Site
• Activate Command Center
• Conduct Crisis Mgmt Status Meetings
• Setup Alt Workspace(s)
• (Crisis Mgmt Team)
• Conduct Bus Unit Status Meeting
• (I/S Team)
• Activate Recreation Procedures - WIP
• Activate Manual Procedures
• Activate Administrative Team
• Activate Damage Assessment Team
• Activate Management Team
• Activate I/S Team
The Recovery Process – Replication Environment
• Stabilize Environment
• Switch to Secondary System
• Switch Back to Primary System
![Page 118: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/118.jpg)
Myth Busting
1. Internal Fraud: Not at our Bank
2. On Premises: Safe and Sound
3. Social Engineering: We’re not susceptible
4. Cyber Threats: We’re covered
5. Customers are Patient: Our BRP is Sufficient
6. BCP Passed Exam: It’s all good
![Page 119: Risk Forum - Amazon S3...Risk Forum Busting the Top Myths that Expose your Bank to Risk W E L C O M E Welcome •Introductions –Tammy Bangs JHA –Scott Whisman JHA –Tom Williams](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0adfbb7e708231d42dc3b4/html5/thumbnails/119.jpg)
Thank you for your time today!