Need a 5 page paper that will address the assignment by 12/10/16 at 7pm
Running head: Assignment 8
One of France's oldest banks, Societe Generale, experienced an internal malicious attack. Societe
Generale is a universal multinational banking and financial services company headquartered in
Paris whose origins date back to 1864. The bank is ranked the third largest bank in France. It
has corporate branches throughout Eastern Europe.
A former Societe Generale bank employee, Jerome Kerviel, was charged with breach of trust,
unauthorized use of the bank's computer systems, and forgery, which caused the bank to lose a total
of 7.14 billion dollars from 2006 into 2008. Kerviel was accused of conducting fictitious
transactions by embellishing a hedge fund to investors with fictional rates.
The investors assumed they were buying into a medium to high risk fund that would
produce a high rate of return. Kerviel orchestrated a scheme to deceive these
investors/traders, creating a fraudulent network of useless documents to sustain the
misconception. The malicious intent that Kerviel carried out would establish a new norm for
the concept of mitigating the insider threat.
Diagram 1 [Int15]
Diagram 1 illustrates the sequence that must be carried out when implementing a successful
internal control process. These attributes define the integrity of your business
processes and ensure internal directives are sustained for operational use. If they falter, occurrences
like those Societe Generale experienced will appear and can destroy your
organization's reputation and trust.
The risk assessment process assigns a comparative risk through self-examination of the business
structure. The business impact analysis (BIA), carried out by whoever conducts the assessment, can
identify potential threats and incidents beforehand and determine whether a viable countermeasure
can be established if needed. It appears that if Societe Generale had reconstructed its business
practices through review and comment, the failsafes in question would have identified Kerviel's
potential as an insider threat.
Control of the environment at the enterprise risk level can be enforced by executive
management. This process would fortify proper safeguards, including checks and balances on
financial and internal auditing, by establishing sound processes. Kerviel's argument when arrested
was that management knew of his common business practice of enticing investors by having
a multitude of surplus available that showed profitable gains and added value. Kerviel's
argument points to a corporate culture and philosophy in which top-level management was well
aware of these fraudulent actions and indeed turned a blind eye to his perspective in wrong
Control activities are a core component by which a service organization puts in place policies and
procedures to ensure effective normalcy within the financial sector [Fra15]. Kerviel took
advantage of Societe Generale's lack of proper policy implementation. The risk associated with
one individual having unlimited access to customers' accounts with little to no oversight was the
avenue by which the organization's trust and integrity with its customers were destroyed. Kerviel
treated this facet of the business as less guarded, with little to none of the oversight that
would normally hold each and every person accountable.
Information needs to be communicated in a fashion that is clearly understood. In my readings I find
no inclination of Societe Generale having no formal awareness training in place. Kerviel argued
that his practices were the norm, with no specific awareness training provided for
organizational use. A proper awareness training platform should address all pertinent
information related to the importance of InfoSec within a financial environment. There is little to
no room for customer dissatisfaction in commerce trading.
Within a financial environment, monitoring of system use should be conducted as a matter of routine
to ensure accuracy and that internal mandates are adhered to. Kerviel viewed the lack of proper
monitoring of transactions as a means of internal control of the networking infrastructure.
One alternative/solution that Societe Generale could have invested in was having a third-party
vendor or financial subject matter expert inspect the logs and all pertinent documents to
substantiate relevant findings. This form of third-party review would have strengthened the
checking and validating that monetary transactions are conducted in accordance with policy.
The insider threat in many organizations is unavoidable due to the nature of what it
presents. Kerviel had the advantage that he knew how the risk management process worked.
He could bypass system controls in order to set up false counter trades to circumvent any
safeguards that were present. Since being hired in 2000, Kerviel had built an extensive
knowledge base of how everything worked and how the parts interacted with one another. In every
aspect of trading Kerviel knew all the ins and outs, so he knew exactly how to cover up the
fraudulent positions that he created.
To combat the insider threat, any organization, big or small, should incorporate the
following into its day-to-day operations.
1. Institute periodic enterprise-wide risk assessments.
An organization must incorporate InfoSec at the enterprise level. A critical assessment must be
conducted, followed by a defining strategy matrix of the assets that need to be safeguarded from
both insider and outsider threats.
2. Institute periodic security awareness training for all employees.
All employees within the organization must be trained on security policies and
procedures. These training forums must address the importance of maintaining a proper security
posture at all times, and no one is to falter in doing so. The enforcement of proper security
constraints must be organization-wide, from the executive staff to the mail room
clerk. Security is paramount when dealing with customers' PII.
3. Enforce separation of duties and least privilege.
The enforcement of separation of duties should be in the top echelon of security controls. Kerviel
should not have had as many privileges as he had. He should have had only the privileges that were
required for his day-to-day job.
4. Implement strict password and account management policies and practices.
Set a stringent password policy that requires numbers, special characters, and capital and lower
case letters. A password reset should be conducted at a minimum every 120 days.
5. Log, monitor, and audit employee online actions.
Employees should be informed that all information and data collected when working
on a company-owned device is intellectual property and is subject to monitoring and auditing
in accordance with organizational standards. Doing this places the employee in a position
of total awareness when management stress or deem viable in confiscated organizational owned
6. Use extra caution with system administrators and privileged users.
Vigilance must be maintained over system administrators and privileged users. This allows for
oversight of those users.
7. Actively defend against malicious code.
Ensure system administrators and privileged users apply all prescribed patches on time.
8. Use layered defense against remote attacks.
Organizations should use a defense in depth approach for system administrators and privileged
users. These users must have coworker compliance to ensure all efforts that are deployed are
9. Monitor and respond to suspicious or disruptive behavior.
All employees are responsible for InfoSec. Policies and procedures should encompass a means
for an employee to report disruptive behavior if they deem it necessary.
10. Deactivate computer access following termination.
If an employee is terminated, whether on favorable terms or not, his or her access should be
disabled immediately. This ensures the former employee doesn't have a means to
retrieve data or access any computer network infrastructure.
11. Collect and save data for use in investigations.
If an attack does occur, there should be a method of gathering evidence for future criminal adjudication.
12. Implement secure backup and recovery processes.
Implement a backup/recovery process on a daily basis. If an incident does occur, you have the
means to retrieve data from a previous day or a previous month. This data will be used strictly
for recovery and operational use going forward.
13. Clearly document insider threat controls.
Publish within the AUP the significance of establishing the internal threat controls and the
consequences associated with them when they are not followed [Mus08].
Diagram 2 [Ala15]
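An added example, not part of the original paper: a Python audit of account records against items 3, 4 and 10 above. The 120-day limit is the paper's; the role names, the conflicting role pairs and the account records are constructed for illustration.

```python
from datetime import date

# 120 days comes from item 4. The conflicting role pairs are hypothetical
# examples of duties that should be held by different people (item 3).
MAX_PASSWORD_AGE_DAYS = 120
CONFLICTING_ROLES = [("trade_entry", "trade_confirmation"),
                     ("trade_entry", "risk_limit_admin")]

# Constructed sample records, not real data.
ACCOUNTS = [
    {"user": "trader01", "roles": {"trade_entry", "trade_confirmation"},
     "password_set": date(2016, 6, 1), "terminated": None, "enabled": True},
    {"user": "backoffice02", "roles": {"trade_confirmation"},
     "password_set": date(2016, 10, 20), "terminated": None, "enabled": True},
    {"user": "analyst03", "roles": {"reporting"},
     "password_set": date(2016, 9, 1), "terminated": date(2016, 11, 15), "enabled": True},
    {"user": "trader04", "roles": {"trade_entry"},
     "password_set": date(2016, 3, 1), "terminated": date(2016, 5, 1), "enabled": False},
]

def audit_account(acct, today):
    """Return a list of findings for one account record."""
    findings = []
    # Item 10: access must be disabled as soon as employment ends.
    if acct["terminated"] is not None and acct["terminated"] <= today and acct["enabled"]:
        findings.append("terminated_but_enabled")
    if not acct["enabled"]:
        return findings  # disabled accounts cannot log in; skip the remaining checks
    # Item 3: no single account should hold both halves of a controlled process.
    for a, b in CONFLICTING_ROLES:
        if a in acct["roles"] and b in acct["roles"]:
            findings.append(f"sod_conflict:{a}+{b}")
    # Item 4: password older than the reset interval.
    age = (today - acct["password_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password_age:{age}d")
    return findings

def audit(accounts, today):
    """Map user -> findings, omitting accounts with nothing to report."""
    report = {a["user"]: audit_account(a, today) for a in accounts}
    return {user: found for user, found in report.items() if found}

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, date(2016, 12, 10)).items():
        print(user, findings)
```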
In closing, Jerome Kerviel had, relatively speaking, too much power. He had the wherewithal
to pull off an elaborate scheme of deception because security controls
were not in place or not followed at Societe Generale. Kerviel's drive and determination didn't
reward him with any monetary value but bolstered his ability to make fraudulent trades. Kerviel
represents an organization's worst nightmare: the person or persons hired to conduct business
transactions for the organization to increase profit margins who decide instead to create havoc and
chaos. His demise is a wake-up call for future IT professionals to ensure that, when they are put
into positions of authority, they too implement and stay current with new technologies.
References
A large number of security breaches are being caused by insiders, knowingly or unknowingly. (2015,
October 12). Retrieved from Googletechinfo: http://www.googletechinfo.com/large-numbersecurity-breaches-caused-insiders-knowingly-unknowingly/
Balakrishnan, B. (2015, October 14). Insider Threat Mitigation Guidance. Retrieved from Sans Org:
France: Bank Fraud Could Have Been Stopped. (2015, October 12). Retrieved from CBS NEWS:
French bank blames trader for $7 billion fraud. (2015, October 12). Retrieved from NBC NEWS:
Internal Controls. (2015, October 12). Retrieved from Successimg.com: http://successimg.com/internalcontrols/
Massive Fraud in France. (2015, October 12). Retrieved from SPIEGEL Online:
Musthaler, L. (2008, June 02). 13 best practices for preventing and detecting insider threats. Retrieved
from NETWORKWORLD: http://www.networkworld.com/article/2280365/lan-wan/13-bestpractices-for-preventing-and-detecting-insider-threats.html
Sayer, P. (2015, October 12). Poor IT security to blame in Société Générale fraud. Retrieved from
Infoworld: http://www.infoworld.com/article/2648517/security/poor-it-security-to-blame-insoci-t--g-n-rale-fraud.html
Westervelt, R. (2015, October 14). Societe Generale bolsters internal controls, discovers second insider.
Retrieved from TechTarget: http://searchsecurity.techtarget.com/news/1315178/SocieteGenerale-bolsters-internal-controls-discovers-second-insider