Description

Mortgage Finance, Inc. (MFI) is a mortgage loan company that manages thousands of accounts across the United States. A public company traded on the NYSE, MFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. The diagram below displays the executive management team of MFI:

You are the Chief Security Officer, hired by COO Kelly Smith, to protect the physical and operational security of MFI’s corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit.

Your primary challenge, as is usually the case, is less technical and more of a political nature. The CEO has been swept up in the “everything can be solved by outsourcing” movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation.

COO Smith’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concerned Smith, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of MFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of MFI’s information systems were compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.

COO Smith has reasons for worrying. MFI has experienced several cyber-attacks from outsiders over the past a few years: 

• In 2018, the Oracle database server was attacked, and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputation. MFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. 

• In 2019, another security attack was carried out by a malicious virus that infected the entire Vice President Trey Elway Executive Assistant Kim Johnson Executive Assistant Julie Anderson Executive Assistant Michelle Wang CCO Andy Murphy COO Kelly Smith CFO Ron Johnson Director of Marketing John King Director of HR Ted Young CEO Karl Hellmann network for several days. While infected, the Oracle and e-mail servers had to be shut down to quarantine these servers. COO Smith isn’t sure whether the virus entered MFI’s systems through a malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive. Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible customer confidence. 

• In a separate incident in 2019, one of the financial advisors left his company laptop unprotected at the airport while travelling and it was stolen. It contained customer financial data and the hard drive was not encrypted. Financial reparations were paid to impacted customers. 

• In 2020, a laptop running network sniffer software was found plugged into a network jack under a desk in one of the unoccupied offices.