FinTechCo Case Study
Company Overview
FinTechCo is a medium-sized financial services company comprising 45 employees with an annual revenue of $10 million. It has approximately 1000 customers, comprising private individuals and small companies.
FinTechCo’s mission is to provide financial services and advice to its clients, to sell various products and services and offer consultation guidance regarding the information systems that support them.
Problem Statement
FinTechCo’s technical team were originally qualified financial planners who transitioned into technical roles and built their skills through ‘on-the-job’ learning. They are well skilled in supporting and maintaining the information systems and related technology, but they do not have proficiency in cybersecurity.
The Managing Director Fiona Teoh and the Senior Leadership Team are concerned about the vulnerabilities of their outdated security systems and increasing exposure to cybercrime.
FinTechCo currently has an Intrusion Detection System (IDS), which is a “passive system that scans traffic and reports back on threats.” The system was installed by an external company which has since ceased operations. In addition, it has now become apparent that the organisation’s network is being bombarded with countless daily attacks, and a more active cybersecurity system is required.
The IT manager, Kal Karmacharya, recommends a third-party vendor to develop the new system, as he believes their current in-house expertise is inadequate. However, the Managing Director does not have sufficient budget to engage an external vendor and firmly expresses the following to Kal:
“All IT people know everything there is to know about this industry. Therefore, your IT team are suitably skilled to deliver this project.” [A1]
Kal thought to himself, “Well, she is the Managing Director, so she must be right.” [F1]
As a consequence, Kal and his IT team were assigned full responsibility to plan, design, implement, test and ultimately deliver the proposed system.
Proposed Solution
Fiona Teoh and the Senior Leadership Team have requested the implementation of a new Intrusion Detection and Prevention System (IDPS) to automatically defend their network and reduce the need to individually investigate suspicious activity on a daily basis. The new IDPS will monitor network traffic, detect malicious activity, send alerts to security administrators, and take the required action to stop the attack.
Recommendations
Kal and his IT team facilitated a brainstorming workshop with key stakeholders of FinTechCo to gather information and system requirements.
During the workshop Kal asked the stakeholders, “What system requirements and functionality would you like to see in the new system?”
Stakeholder response 1: “Why do you want to change the security system? I didn’t know you were deeply suspicious of us and our clients!” [F2]
Stakeholder response 2: “This new system will be a terrible security system. The last time we upgraded our system, we recorded our lowest profit ever.” [F3]
Stakeholder response 3: “I think a system requirement should be focused on speed. It should respond reasonably quickly and refresh data frequently.” [F4]
Stakeholder response 4: “I personally think the old system and its performance is good enough. I don’t think Senior Management should be worried about all the reviews, statistics and articles warning of increased cybersecurity attacks.” [F5]
Stakeholder response 5: “All cybersecurity products made by Cisco are likely to be good. Cisco have 22 models of IDPS available. Cisco’s Firepower Next-Generation IPS (NGIPS) has embedded security intelligence and Advanced Malware Protection, so it should be a good product to use.” [A2]
Conclusion
Kal and his IT team disregarded the concerns raised by the stakeholders and moved forward with the purchase and implementation of a low-cost IDPS product from a lesser-known vendor. In addition, their inadequate experience and knowledge led to multiple errors when integrating their existing technology with the new system. Kal and his IT team failed to meet the intended goals of minimising vulnerabilities and exposure to cybercrime.
Question
The Australian Computer Society’s (ACS) Code of Professional Conduct upholds the following core values:
1. The Primacy of the Public Interest
You will place the interests of the public above those of personal, business or sectional interests.
2. The Enhancement of Quality of Life
You will strive to enhance the quality of life of those affected by your work.
3. Honesty
You will be honest in your representation of skills, knowledge, services and products.
4. Competence
You will work competently and diligently for your stakeholders.
5. Professional Development
You will enhance your own professional development, and that of your staff.
6. Professionalism
You will enhance the integrity of the ACS and the respect of its members for each other.
Analyse the actions of the IT Manager, Kal Karmacharya, and his IT team against one of the core values above.
Read the in-depth definition of your chosen core value in the ACS Code of Professional Conduct: https://www.acs.org.au/content/dam/acs/rules-and-regulations/Code-of-Professional-Conduct_v2.1.pdf