Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United
States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan
application approval, wholesale loan processing, and investment and money management for their customers.
The diagram below displays the executive management team of GFI:
Figure 1 GFI Executive Organizational Chart
[Figure 1 content: CEO John Thompson; Vice President Trey Elway; Executive Assistants Kim Johnson, Julie Anderson, and Michelle Wang; CCO Andy Murphy; COO Mike Willy; CFO Ron Johnson; Director of Marketing John King; Director of HR Ted Young.]
BACKGROUND AND YOUR ROLE
You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical and operational
security of GFI’s corporate information systems. Shortly after starting in your new position, you recognize
numerous challenges that you will be facing in this pursuit.
Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John
Thompson has been swept up in the “everything can be solved by outsourcing” movement. He believes
that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at a
fraction of the cost associated with creating and maintaining an established internal IT department. In fact,
the CEO’s strategy has been to prevent IT from becoming a core competency, since so many services can
be obtained from third parties. Based on this vision, the CEO has already begun downsizing the IT
department and recently presented a proposal to his senior management team outlining his plan to greatly
reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of
Directors as soon as he has made a few more refinements to his presentation.
COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on
technology services combined with a diminishing IT footprint gravely concerned Mike Willy, and he
begged to at least bring in an Information Security expert with the experience necessary to evaluate the
current security of GFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the
Confidentiality, Integrity, and Availability of GFI’s information systems are compromised – bringing the
company to its knees – and he then has to rely on vendors to pull him out of the mess.
COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the
past few years:
• In 2013, the Oracle database server was attacked and its customer database lost its confidentiality,
integrity, and availability for several days. Although the company restored the Oracle database
server back online, the lost confidentiality damaged the company’s reputation. GFI ended up paying
its customers a large settlement for the loss of confidentiality of their data.
• In 2014, another security attack was carried out by a malicious virus that infected the entire
network for several days. While infected, the Oracle and e-mail servers had to be shut down to
quarantine these servers. COO Willy isn’t sure whether the virus entered GFI’s systems through a
malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive.
Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible
customer confidence.
• In a separate incident in 2014, one of the financial consultants left his company laptop
unprotected at the airport while travelling and it was stolen. It contained customer financial data
and the hard drive was not encrypted. Financial reparations were paid to impacted customers.
• In 2015, a laptop running network sniffer software was found plugged into a network jack under a
desk in one of the unoccupied offices.
It is apparent from the number of successful cyber-attacks that GFI is an organization severely lacking in
information security maturity. COO Willy has commissioned you to perform a quantitative and qualitative
risk assessment of GFI’s infrastructure to determine where improvements could be made to reduce the risk
of future attacks.
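The risk assessment the COO commissions combines a quantitative view (expected dollar loss per year) with a qualitative one (likelihood and impact ratings). The following register is an added illustration, not part of the original case study, of how those two views are usually computed and reconciled. The only figure taken from the page is the $1,700,000 revenue loss from the 2014 virus outbreak; every asset value, exposure factor, annual rate of occurrence and control cost is a constructed placeholder that a real assessment at GFI would replace with evidence from interviews, logs and finance records.

```python
"""Worked quantitative / qualitative risk register for the GFI scenario.

Added illustration; not part of the original case study. Only the $1,700,000
loss from the 2014 virus outbreak comes from the case text. All other numbers
are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV in dollars (constructed estimate)
    exposure_factor: float  # EF: fraction of AV lost per occurrence (constructed)
    aro: float              # ARO: expected occurrences per year (constructed)
    likelihood: int         # qualitative 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative 1 (negligible) .. 5 (severe)

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro

    @property
    def qualitative_score(self) -> int:
        """Likelihood x impact on a 5x5 matrix (max 25)."""
        return self.likelihood * self.impact


def qualitative_band(score: int) -> str:
    """Map a 5x5 matrix score to a rating band (constructed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_risks(risks):
    """Order by ALE descending, qualitative score as tie-breaker."""
    return sorted(risks, key=lambda r: (r.ale, r.qualitative_score), reverse=True)


def safeguard_value(risk: Risk, ale_after: float, annual_cost: float) -> float:
    """Net value of a control: (ALE before - ALE after) - annual cost of the control.

    A positive result means the control pays for itself in expected loss avoided.
    """
    return (risk.ale - ale_after) - annual_cost


# Constructed register modelled on the four incidents described in the case.
GFI_RISKS = [
    # 2014 outbreak: the $1,700,000 loss is the case figure; EF=1.0 makes SLE equal to it.
    Risk("Malware outbreak on network", 1_700_000, 1.0, 0.5, 4, 5),
    Risk("Customer DB breach (Oracle)", 5_000_000, 0.4, 0.2, 3, 5),
    Risk("Unencrypted laptop theft", 500_000, 0.5, 1.0, 4, 3),
    Risk("Rogue device on open network jack", 250_000, 0.2, 2.0, 4, 2),
]


def main() -> None:
    print(f"{'Risk':36} {'SLE':>12} {'ALE':>12}  Qual")
    for r in rank_risks(GFI_RISKS):
        band = qualitative_band(r.qualitative_score)
        print(f"{r.name:36} {r.sle:12,.0f} {r.ale:12,.0f}  {r.qualitative_score:2d} {band}")
    # Hypothetical control: full-disk encryption on laptops, $30,000/year,
    # assumed to cut the laptop-theft ALE to $25,000 (constructed values).
    laptop = GFI_RISKS[2]
    print(f"FDE net value: {safeguard_value(laptop, 25_000, 30_000):,.0f}")


if __name__ == "__main__":
    main()
```

Ranking by ALE and by the qualitative band will not always agree; where they diverge (a low-dollar but highly likely event, or a rare but catastrophic one) the disagreement itself is what the assessment should surface to the COO rather than hide behind a single number.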