OCC-Chartered Community Bank · Lakewood, Ohio · C2M2 v2.1 Training Case Study
Lakewood Community Bank (LCB) is an OCC-chartered national bank headquartered at 1450 Detroit Avenue, Lakewood, Ohio 44107. Founded in 1958 as Lakewood Savings & Loan, LCB converted to a national bank charter in 1994 and has grown organically to serve Cuyahoga County's western suburbs. LCB offers retail and small business checking and savings, consumer and commercial lending, residential mortgage origination, and digital banking services through a Q2 ebanking platform. The bank is FDIC-insured, a member of the Federal Home Loan Bank of Cincinnati, and participates in the Ohio Financial Institutions Cybersecurity Coalition (OFICC).
LCB is governed by an 11-member Board of Directors with a Bank Secrecy Act/AML Committee and an Audit Committee. The President & CEO reports to the Board. The bank employs 185 FTEs across retail, commercial, operations, and technology functions. Technology operations are managed by a CIO/IT Director, who also serves as the de facto Information Security Officer — LCB has no dedicated CISO. Cybersecurity responsibilities are shared informally between the IT Director (infrastructure/security tools), the Compliance Officer (GLBA/regulatory), and the Operations Manager (fraud/ACH).
LCB operates under the GLBA Safeguards Rule (16 CFR Part 314, revised 2023) as a financial institution, requiring a written information security program with specific technical controls including encryption, MFA, and access controls. The FFIEC IT Examination Handbook and the FFIEC Cybersecurity Assessment Tool (CAT) guide examination expectations from the OCC. As a PCI DSS merchant and service provider for card processing, LCB is classified as a Level 4 merchant under Visa/Mastercard rules. FinCEN BSA/AML requirements apply to all transactions. OCC Heightened Standards (12 CFR Part 30, Appendix D) apply to front-line risk management. The 2023 GLBA updates added a 30-day breach notification requirement to the primary federal regulator.
| Attribute | Detail |
|---|---|
| Legal Name | Lakewood Community Bank (LCB) |
| Charter | OCC National Bank Charter #22847 |
| Headquarters | 1450 Detroit Avenue, Lakewood, OH 44107 |
| ABA Routing Number | 042103889 (fictional) |
| FDIC Certificate | 58341 (fictional) |
| Founded | 1958 (as Lakewood Savings & Loan; converted to national bank charter 1994) |
| Total Assets (FY2024) | $620 million |
| Total Deposits | $548 million |
| Net Revenue (FY2024) | $28.4 million |
| Tier 1 Capital Ratio | 11.2% (well-capitalized per OCC standards) |
| Primary Regulator | Office of the Comptroller of the Currency (OCC) |
| Deposit Insurance | FDIC — insured to applicable limits |
| FFIEC CAT Maturity | Baseline (self-assessed, 2023) |
| Information Security Staff | 1 IT Security Analyst (no dedicated CISO) |
| Annual IT Budget | $1.8M (~6.3% of revenue); cybersecurity sub-line: $142K |
| Cyber Insurance | $5M limit; AIG CyberEdge; last reviewed 2022 |
| FS-ISAC Member | Yes — participant since 2021; Alert subscriber |
LCB operates seven branch locations plus two drive-through-only satellite windows in western Cuyahoga County. The main office (FAC-01) houses the data center, wire room, and IT operations. All branches connect to FAC-01 via AT&T MPLS (primary) with Comcast Business broadband (failover). Branch connectivity is managed through Cisco Meraki MX appliances at each location.
| Facility ID | Location | Type | ATMs | Employees | Notes |
|---|---|---|---|---|---|
| FAC-01 | 1450 Detroit Ave, Lakewood (Main Office) | Main Office + Branch | 2 Diebold Nixdorf | 62 | Data center, wire room, vault, IT ops |
| FAC-02 | 12300 Madison Ave, Lakewood | Retail Branch | 2 Diebold Nixdorf | 18 | Drive-through; high-traffic retail |
| FAC-03 | 25000 Center Ridge Rd, Westlake | Retail Branch | 2 Diebold Nixdorf | 22 | New construction 2019; newest branch |
| FAC-04 | 4900 Rocky River Dr, Cleveland | Retail Branch | 2 Diebold Nixdorf | 19 | Shared parking lot; older building |
| FAC-05 | 14500 Pearl Rd, Strongsville | Retail Branch | 2 Diebold Nixdorf | 21 | Isolated Meraki connectivity issue (unresolved 60 days) |
| FAC-06 | 5800 Turney Rd, Garfield Heights | Retail Branch | 1 Diebold Nixdorf | 17 | Lower-volume; 1 teller + platform staff |
| FAC-07 | 800 Crocker Rd, Westlake | Drive-Through + Vault | 1 Diebold Nixdorf | 8 | Vault facility; limited IT footprint |
| DT-01 | Clague Rd & Westwood Dr, Westlake | Drive-Through Satellite | 0 | — | No on-site staff; Meraki camera only |
| DT-02 | W 117th St & Madison Ave, Lakewood | Drive-Through Satellite | 0 | — | No on-site staff; camera monitored |
| Department | FTE | Cybersecurity Role / Notes |
|---|---|---|
| Retail Banking (all branches) | 98 | End users; annual security awareness training required |
| Lending / Mortgage | 22 | Handle PII, SSN, financial data — high-risk users for data exposure |
| Operations / ACH / Wire | 14 | Wire transfer initiators — BEC risk; dual-control only partially enforced |
| Finance / Accounting | 9 | Access to general ledger, payroll systems |
| IT Department | 6 | One security analyst (Jamie Walters); no certifications (CISSP/CISM/Security+) |
| Compliance / BSA | 3 | GLBA program owner; FFIEC CAT custodian; Angela Foster leads |
| Executive / Admin | 6 | CEO/CFO have admin-level email — high phishing / BEC risk |
| HR | 4 | Access to employee PII, W-2 data, payroll accounts |
| Facilities / Physical Security | 8 | Physical security; camera systems not integrated with IT |
| Marketing | 5 | Manage social media, website CMS; limited IT access |
| TOTAL | 185 | |
| Asset ID | Description | OS / Platform | Location | Status / Notes |
|---|---|---|---|---|
| SRV-01 | Jack Henry Silverlake Core Banking (Primary) | Windows Server 2019 | FAC-01 Data Center | Production — patched current; managed by Jack Henry remote support |
| SRV-02 | Jack Henry Silverlake Core Banking (DR/Failover) | Windows Server 2019 | FAC-01 (isolated rack) | DR not tested in 18 months; failover process undocumented |
| SRV-03 | Q2 ebanking Integration Middleware | Windows Server 2016 | FAC-01 Data Center | Server 2016 mainstream support ended Oct 2025; patch lag ~4 months |
| SRV-04 | Microsoft Active Directory / DNS / DHCP | Windows Server 2022 | FAC-01 Data Center | Current; manages 210 domain accounts |
| SRV-05 | Microsoft Exchange (on-prem email) | Exchange Server 2016 | FAC-01 Data Center | Exchange 2016 EOL October 2025; migration to M365 planned but unfunded |
| SRV-06 | File Server / Branch Shared Drives | Windows Server 2019 | FAC-01 Data Center | No DLP controls; contains loan application PII and financial records |
| SRV-07 | Backup Server (Veeam B&R 12) | Windows Server 2022 | FAC-01 Data Center | Backup integrity not tested since March 2024; offsite copy to Iron Mountain weekly |
| SRV-08 | RealTime ATM Manager | Windows Server 2016 | FAC-01 Data Center | ATM management server on corporate LAN — not isolated; EOL OS |
| SRV-09 | Fiserv CheckFree ACH Processing | SaaS / Cloud (Fiserv-hosted) | Cloud | Fiserv-managed; SOC 2 Type II |
| SRV-10 | Symitar Episys (Credit Union Division — legacy) | IBM iSeries AS/400 | FAC-01 Data Center | Legacy platform from 2004 credit union merger; decommission delayed 3 years |
| Type | Count | OS | Notes |
|---|---|---|---|
| Branch Teller Workstations | 68 | Windows 10 Pro (mixed build versions) | 14 stations running build 21H1 (unsupported); MECM patching deployed but 22% non-compliant |
| Lending Officer Laptops | 22 | Windows 11 Pro | Current; BitLocker enabled; CrowdStrike agent installed |
| Operations / Wire Room Workstations | 8 | Windows 10 Pro | Wire transfer terminals — no MFA on Jack Henry Silverlake access |
| IT Staff Workstations | 6 | Windows 11 Pro | Admin systems; CrowdStrike + SentinelOne (pilot) |
| Executive Laptops | 6 | Windows 11 Pro / MacBook Pro | CEO and CFO use personal Apple iCloud accounts for some document storage |
| ATM Units (Windows 10 IoT) | 5 | Windows 10 IoT LTSC 2021 | FAC-03 (2 units), FAC-06 (1 unit), FAC-07 (2 units) — current patching |
| ATM Units (Windows 7 EOL) | 9 | Windows 7 Embedded (EOL) | EOL Jan 2020; extended Diebold support expired Q3 2023; on corporate LAN (VLAN 1) |
| Application | Vendor | Function | Risk Note |
|---|---|---|---|
| Silverlake Core Banking | Jack Henry & Associates | Core deposits, loans, GL | Remote admin access for Jack Henry support — access not time-limited; persistent VPN |
| Q2 ebanking | Q2 Holdings (SaaS) | Online / mobile banking (22,400 customers) | OAuth integration reviewed annually; Q2 SOC 2 Type II current; customer MFA optional only |
| Fiserv CheckFree | Fiserv (SaaS) | ACH origination / receiving | SOC 2 Type II; dual-control enforced by Fiserv platform |
| RealTime ATM Manager | Crane Payment Innovations | ATM fleet management | Admin console on corporate LAN; last security review 2020 |
| Encompass (ICE Mortgage) | ICE Mortgage Technology (SaaS) | Mortgage origination | Stores SSN, income data; MFA not enforced for all users; external broker access |
| Jack Henry JHA PayCenter | Jack Henry (SaaS) | Debit/credit card processing | PCI DSS compliant per Visa/MC registry; QSA attestation 2023 |
| Microsoft 365 (Business Premium) | Microsoft | Email, Teams, SharePoint | MFA enforced for IT/exec only; 140 branch staff accounts without MFA |
| Kronos Workforce Ready | UKG (SaaS) | HR / Payroll | Contains SSN, bank account data for all employees; MFA not enforced |
| Nessus Essentials | Tenable | Vulnerability scanning | Free version — no authenticated scanning; last scan 90 days ago; ATMs never scanned |
| EventLog Analyzer | ManageEngine | Log management / basic SIEM | Covers AD and firewall only; ATM logs, core banking logs not ingested; 1,400+ unreviewed alerts |
LCB's payment and core banking infrastructure represents the highest-criticality technology environment — equivalent to OT/ICS systems in industrial sectors. Compromise of core banking, ACH origination, or wire transfer systems directly impacts customer funds, regulatory standing, and the bank's ability to continue operations. Unlike industrial OT systems, attacks on financial infrastructure can result in near-immediate, irreversible monetary loss.
| System | Platform | Function | Connectivity | Security Notes |
|---|---|---|---|---|
| Jack Henry Silverlake | On-prem Windows Server 2019 | Core deposits, loans, GL, teller | Internal LAN (VLAN 10) + Jack Henry VPN for remote support | No MFA for teller access; Jack Henry support VPN persistent (always-on) |
| ACH Origination | Fiserv CheckFree (SaaS) | ACH batches — payroll, bill pay, transfers | Internet via encrypted HTTPS; Fiserv-managed | Dual-control enforced; Fiserv-managed security; SOC 2 Type II |
| Wire Transfer System | Silverlake Wire Module + manual process | Domestic wire transfers (avg $4.2M/day) | Internal LAN (VLAN 10) | Dual-control inconsistent — 3 of 8 high-value wires in Q4 2024 processed by single operator; no callback verification for new payees |
| Debit/ATM Card Processing | JHA PayCenter (SaaS) | Debit card authorization, ATM switching | Internet via encrypted API; JHA-managed | PCI DSS compliant; QSA attestation current |
| ATM Cash Management | RealTime ATM Manager (on-prem) | ATM monitoring, cash forecasting, remote control | Corporate LAN (VLAN 1 — flat) | ATM management on flat corporate network; no dedicated ATM VLAN; SRV-08 on VLAN 1 |
| Online/Mobile Banking | Q2 ebanking (SaaS) | Customer-facing digital banking (22,400 users) | Internet-facing; Q2-hosted | Q2 WAF in place; customer MFA = optional (not enforced); 31% of users have MFA disabled |
| Mortgage Origination | Encompass ICE (SaaS) | Loan origination, docs, closings | Internet HTTPS; ICE-managed | Contains SSN, income data; 6 external realtors/brokers have access — no security review conducted |
| Correspondent Banking | FHLB Cincinnati + 2 correspondents | Large-dollar transfers, liquidity | FHLB-secure portal | FHLB access credentials managed by CFO only — no succession plan; MFA enforced by FHLB portal |
| VLAN | Name | Subnet | Systems | Security Notes |
|---|---|---|---|---|
| VLAN 1 | Corporate / Default | 10.1.0.0/16 | Workstations, ATM Manager (SRV-08), printers, 9 EOL ATMs | Flat default VLAN — ATMs and workstations share segment; no microsegmentation |
| VLAN 10 | Core Banking | 10.10.0.0/24 | Silverlake servers (SRV-01/02), wire terminals, teller workstations | Core banking isolated but wire terminals share segment with general teller systems |
| VLAN 20 | Management / IT | 10.20.0.0/24 | Server management, backup (SRV-07), IT admin | Restricted ACL; only IT staff can reach; best-controlled segment |
| VLAN 30 | Branch Connectivity | 10.30.x.0/24 (per branch) | Branch workstations, Meraki MX appliances | All branches route to FAC-01 via AT&T MPLS; Meraki MX SD-WAN failover to Comcast |
| VLAN 40 | Guest / Customer Wi-Fi | 192.168.40.0/22 | Customer lobby Wi-Fi (all branches) | Isolated — no route to corporate LAN; Meraki content filtering active |
| VLAN 50 | VoIP | 10.50.0.0/24 | Cisco IP phones (all locations) | VoIP VLAN — call recording server logs not included in SIEM |
| ATM (proposed) | ATM Network | Not assigned | 14 ATMs (planned isolation) | ATM isolation VLAN approved in 2022 network refresh — never implemented; ATMs remain on VLAN 1 |
| Link | Carrier | Bandwidth | Purpose | Notes |
|---|---|---|---|---|
| Primary WAN | AT&T MPLS | 100 Mbps | Branch MPLS + internet egress | SLA 99.9%; managed by AT&T NOC |
| Backup WAN | Comcast Business | 500 Mbps fiber | Internet failover; branch SD-WAN backup | Failover tested annually; last test Sept 2024 — passed; asymmetric bandwidth |
| Jack Henry Support VPN | Jack Henry & Associates | Dedicated MPLS VPN | Core banking remote support (SRV-01/02) | Always-on persistent connection; no activity monitoring; 24/7 Jack Henry privileged access |
| Q2 ebanking CDN | Q2 Holdings / AWS CloudFront | SaaS | Online/mobile banking customer platform | Q2-managed; TLS 1.3; Q2 WAF active; LCB has no visibility into WAF events |
| Fiserv ACH | Fiserv private network | Dedicated circuit | ACH origination / receiving | Fiserv-managed dedicated circuit; encrypted; NACHA compliant |
| Control Domain | Tool / Capability | Coverage | Status & Assessment |
|---|---|---|---|
| Perimeter Firewall | Fortinet FortiGate 200F (HA pair) | Internet edge, DMZ, branch VPN | Deployed — firewall policy last reviewed Feb 2023; 28 overly-permissive rules; no NGFW application inspection enabled |
| Intrusion Detection / Prevention | FortiGate IPS (inline) | Internet edge only | IPS signatures 45 days behind; no east-west inspection between VLAN 1 and VLAN 10 |
| Endpoint Detection & Response (EDR) | CrowdStrike Falcon Prevent | Lending laptops, IT staff (28 agents) | NOT deployed on teller workstations, wire room terminals, ATM Manager server (SRV-08), or servers SRV-05/SRV-10 |
| Antivirus (legacy) | Windows Defender (built-in) | Teller workstations, branch systems | Defender active; not centrally managed; 14 workstations on unsupported Windows 10 build |
| SIEM / Log Management | ManageEngine EventLog Analyzer | AD, Fortinet firewall, VPN | Free-tier deployment — ATM logs, core banking audit logs, ACH logs NOT ingested; 1,400+ unreviewed alerts in queue; no 24/7 monitoring |
| Multi-Factor Authentication | Microsoft Authenticator (M365) | M365 for IT + exec (46 accounts) | NOT enforced for: 140 branch M365 accounts, core banking (Silverlake) teller access, wire room terminals, Encompass mortgage platform, Kronos HR/payroll |
| Vulnerability Management | Tenable Nessus Essentials (free) | External IP scan only — no authenticated scan | Unauthenticated scans miss internal vulnerabilities; ATMs and core banking servers never scanned; last scan 90+ days ago |
| Email Security | Microsoft Defender for Office 365 (P1) | Exchange Online (M365) | Anti-phishing deployed; on-prem Exchange 2016 (SRV-05) not covered by Defender; SPF/DKIM configured, DMARC policy = "none" (not enforced) |
| Web Application Firewall | Q2 ebanking WAF (Q2-managed) | Online/mobile banking platform only | Q2 manages WAF for customer portal; LCB has no visibility into WAF alerts or logs |
| Privileged Access Management | None deployed | — | GAP — shared admin credentials used for server management; no PAM solution; Jack Henry support VPN has persistent privileged access |
| Data Loss Prevention | None deployed | — | GAP — loan application data, customer SSNs, and financial records can be copied to USB or personal email without restriction |
| Backup & Recovery | Veeam B&R 12 (SRV-07) | Silverlake DB, AD, file server | Backup integrity last tested March 2024; Iron Mountain weekly offsite; legacy iSeries (SRV-10) not covered by Veeam — manual tape backup only; RTO for Silverlake core never formally tested |
| Physical Security | Branch cameras + alarm monitoring | Branch lobbies, vault areas | Camera footage retained 30 days; FAC-01 server room badge access — no logging or audit trail of physical access events |
LCB relies on a network of technology vendors and fintech partners for core banking, payments, digital banking, and IT services. The GLBA Safeguards Rule (16 CFR §314.4(f)) requires financial institutions to select and oversee service providers that implement appropriate safeguards. LCB has executed vendor agreements with 31 technology providers, but only 4 have been assessed for cybersecurity controls in the past 24 months. No vendors are subject to ongoing security monitoring or annual questionnaires.
| Policy Name | Status | Last Reviewed | Notes |
|---|---|---|---|
| Information Security Program (GLBA) | Exists — Outdated | 2021 | Does not reflect 2023 GLBA Safeguards Rule updates; cloud services and remote work not addressed |
| Acceptable Use Policy | Exists — Outdated | 2020 | Does not address mobile banking apps, personal cloud storage, or BYOD |
| Wire Transfer Policy | Exists — Weakly Enforced | 2022 | Dual-control required per policy; 3 violations identified in Q4 2024 wire log review; callback procedure not enforced |
| Incident Response Plan | Exists — Partial | January 2023 | Covers general IT incidents; no ransomware-specific playbook; no defined escalation path for after-hours events; never tested via tabletop exercise |
| Business Continuity Plan | Exists — Partial | 2022 | Covers branch operations during IT outage; does not address core banking DR or ACH processing outage scenarios |
| Vendor / Third-Party Risk Policy | None | — | No formal TPRM policy; vendor contract spreadsheet maintained by Compliance Officer only |
| Data Classification Policy | None | — | No formal data classification; customer PII, NPI, and financial records treated uniformly with no tiering |
| Patch Management Policy | Exists — Weak | 2021 | Policy exists; ATM systems and vendor-managed servers explicitly exempted; no SLA for critical patches |
| Privileged Access Management Policy | None | — | Ad hoc shared admin credentials in use; no formal PAM policy or privileged account inventory |
| Password Policy | Exists — Minimal | 2022 | 8-character minimum; complexity rules only; no MFA requirement |
| Security Awareness Training Policy | Exists — Minimal | 2022 | Annual KnowBe4 training required; completion rate 78%; no phishing simulation program |
| Remote Access Policy | Exists — Outdated | 2020 | Does not address persistent vendor VPN (Jack Henry); no time-limited access provisions for third parties |
| FFIEC CAT Assessment | Baseline — Self-Assessed | 2023 | Self-assessed at Baseline maturity level; not validated by OCC examiner; gaps in Cyber Risk Management and Oversight domain identified |
| Framework / Regulation | Applicability | Current Compliance Status |
|---|---|---|
| GLBA Safeguards Rule (16 CFR Part 314 — 2023) | Fully applicable — financial institution | At risk — 2023 rule updates (encryption, MFA, audit logging, TPRM) not fully implemented; annual Board report required |
| FFIEC IT Examination Handbook | Applicable — OCC examination standard | Self-assessed Baseline; gaps in Access Controls, Situational Awareness, and Third-Party Risk domains |
| OCC Heightened Standards (12 CFR Part 30, App D) | Applicable — OCC-chartered bank | Front-line risk management framework; IT risk appetite not formally defined or approved by Board |
| PCI DSS v4.0 (Level 4 Merchant) | Applicable — card processing | SAQ-D completed 2023; ATM EOL systems create cardholder data environment risk; QSA not engaged — self-assessment only |
| FinCEN BSA/AML (31 CFR Chapter X) | Fully applicable | BSA/AML program active; 2 BSA analysts; SAR/CTR filing current; no regulatory findings in last OCC exam |
| NACHA Operating Rules | Applicable — ACH originator/receiver | CheckFree/Fiserv manages platform compliance; dual-control enforced; no ACH violations reported |
| OCC Third-Party Relationships (Bulletin 2023-17) | Applicable — OCC guidance | TPRM program does not meet OCC 2023-17 expectations; no risk-tiered vendor due diligence process |
| CFPB Regulation E | Applicable — electronic fund transfers | Error resolution procedures documented; customer dispute SLA met in 2024 |
| NY DFS 23 NYCRR 500 | Not applicable — Ohio-domiciled, OCC charter | N/A — monitored for best practices only |
| C2M2 v2.1 | Voluntary — assessment purpose | No prior formal evaluation — this exercise is the first structured C2M2 assessment |
The following summarizes pre-assessment findings for each of the 10 C2M2 v2.1 domains based on discovery interviews and documentation review. These ratings are indicative and serve as starting points for the assessment exercise. Participants should evaluate and challenge these preliminary findings during the exercise.
LCB's IT asset inventory is maintained in a spreadsheet that is 78% accurate and does not include OS versions or network attributes for ATMs. Using C2M2 ASSET domain practices, design a minimum-viable asset inventory for a community bank. What data elements are critical for financial sector cyber risk management? What is the business case for deploying an automated asset discovery tool in a 185-employee bank? How do ATMs and payment terminals create unique asset management challenges under PCI DSS cardholder data environment requirements?
Core banking access (Silverlake) uses username and password only for 139 teller and wire operators. The wire room has documented instances of shared credentials. How does C2M2 ACCESS domain guidance apply to a bank's teller access model? What MFA approaches are compatible with high-volume teller transaction workflows? How do you address the tension between operational efficiency and FFIEC examination expectations for strong authentication on systems that process customer financial transactions?
LCB processes $4.2M in daily wire transfers. Three high-value wires in Q4 2024 were processed by a single operator in violation of LCB's own dual-control policy. LCB has no callback verification process for first-time wire payees. Business Email Compromise (BEC) targeting community bank wire rooms is FinCEN's most frequently reported fraud type for financial institutions. Design a wire transfer security framework for LCB that addresses: dual-control enforcement, new payee verification, out-of-band callback procedures, and wire room staff training. Which C2M2 domains are most relevant to wire fraud prevention, and which specific practices apply?
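The dual-control and callback requirements in the wire policy can be written down as release rules and applied both preventively (before a wire is released) and detectively (over a log of released wires, the review that surfaced the three Q4 2024 violations). The following is an added example written for this case study, not LCB tooling or a vendor product; the $25,000 threshold, the field names and the four sample wires are constructed for illustration.

```python
"""Wire transfer release checks expressed as code.

Added example for the wire-security discussion; not LCB tooling.
The threshold, field names and sample wires are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed policy threshold above which a second operator must release the wire.
HIGH_VALUE_THRESHOLD = 25_000.00


@dataclass
class Wire:
    wire_id: str
    amount: float
    initiator: str              # operator who keyed the wire
    approver: Optional[str]     # second operator who released it; None if single-operator
    new_payee: bool             # beneficiary never paid before by this customer
    callback_verified: bool     # out-of-band callback to the requester on a known-good number
    channel: str                # how the instruction arrived: "in_person", "phone", "email"


def check_wire(wire: Wire, threshold: float = HIGH_VALUE_THRESHOLD) -> list[str]:
    """Return policy violations for one wire; an empty list means it may be released."""
    findings: list[str] = []
    if wire.amount >= threshold:
        if wire.approver is None:
            findings.append("dual-control missing: high-value wire released by a single operator")
        elif wire.approver == wire.initiator:
            findings.append("dual-control bypassed: initiator released their own wire")
    if wire.new_payee and not wire.callback_verified:
        findings.append("new payee: no out-of-band callback to the requester")
    if wire.channel == "email" and not wire.callback_verified:
        findings.append("email-originated instruction not confirmed by callback")
    return findings


def release_allowed(wire: Wire, threshold: float = HIGH_VALUE_THRESHOLD) -> bool:
    """Preventive control: the wire module should refuse release unless this is True."""
    return not check_wire(wire, threshold)


def audit_wires(wires: list[Wire], threshold: float = HIGH_VALUE_THRESHOLD) -> dict[str, list[str]]:
    """Detective control: audit a log of released wires, returning only the non-compliant ones."""
    report: dict[str, list[str]] = {}
    for wire in wires:
        findings = check_wire(wire, threshold)
        if findings:
            report[wire.wire_id] = findings
    return report


# Constructed wire log for illustration; operator names and amounts are not real.
SAMPLE_WIRES = [
    Wire("W-1001", 150_000.00, "op_alvarez", "op_brooks", False, True, "in_person"),
    Wire("W-1002", 187_500.00, "op_chen", None, True, False, "email"),
    Wire("W-1003", 12_000.00, "op_alvarez", None, False, False, "phone"),
    Wire("W-1004", 60_000.00, "op_dawson", "op_dawson", False, True, "in_person"),
]

if __name__ == "__main__":
    for wire_id, findings in audit_wires(SAMPLE_WIRES).items():
        print(wire_id)
        for finding in findings:
            print("  -", finding)
```

W-1002 collects three findings at once (single operator, new payee without callback, email-originated instruction), which is the pattern a BEC wire produces; W-1004 shows the subtler case of an operator releasing their own wire, which a simple "two signatures present" check would miss. The same `check_wire` function serves both the preventive and the detective control, so policy and audit cannot drift apart.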
Nine of 14 LCB ATMs run Windows 7 Embedded (EOL since January 2020) on the same VLAN as employee workstations. Replacing all EOL units would cost $306,000 — budget has not been approved. Using C2M2 ARCH and ASSET domain practices, develop a compensating controls strategy for EOL ATM systems. What network isolation controls, enhanced monitoring requirements, and formal risk acceptance documentation would the OCC expect? At what point does a compensating controls approach become untenable from a regulatory standpoint, and what arguments should Kevin Merritt make to the Board to approve hardware replacement?
Jack Henry has a persistent always-on VPN with privileged access to the Silverlake core banking database. LCB has not reviewed Jack Henry's security posture in 3 years. The Apiture fintech API accesses customer account data under a month-to-month contract with no security provisions. Using C2M2 THIRD-PARTIES practices and OCC Bulletin 2023-17, build a vendor risk tiering model for LCB. Which 5 vendors represent the highest risk and why? What contractual security provisions should LCB require in all technology vendor agreements going forward?
LCB's SIEM (ManageEngine EventLog Analyzer) covers only AD and the perimeter firewall. Core banking audit logs, ATM transaction logs, and ACH processing logs are not ingested. The 1,400+ unreviewed alert backlog means active threats may have gone undetected for months. Construct a prioritized logging and monitoring strategy for LCB given its 6-person IT team. What is the minimum viable SIEM use case set for a community bank processing daily wire transfers? Should LCB pursue a co-managed SIEM or a financial sector-specific MSSP, and what should a community bank require in an FS-sector managed security services contract?
The LCB Board of Directors has never received a cybersecurity briefing and has not approved a risk appetite statement. Kevin Merritt (CIO) manages security responsibilities alongside all IT operations. The cybersecurity budget of $142K is below FS-ISAC peer benchmarks for institutions of LCB's asset size ($620M). Using C2M2 PROGRAM domain practices, what governance changes would establish a minimum viable financial institution cybersecurity program? Draft the key elements of a Board-level cybersecurity risk briefing appropriate for community bank directors focused primarily on lending, deposits, and regulatory safety-and-soundness — with no technical background.
Scenario: On a Monday morning, Operations Manager David Reyes receives what appears to be an urgent email from Chief Lending Officer Patricia Greene (patricia.greene@lcbankohio.com — domain spoofed; LCB's DMARC policy is "none"). The email instructs the wire room to process an emergency $187,500 wire to a new payee (Riverside Holdings LLC, routing to a Lithuania correspondent bank) for "construction loan funding — time-sensitive, do not delay." A wire operator processes the wire using the standard workflow — no dual-control verification, no callback to the CLO. The wire clears Fedwire at 9:47 AM. At 10:15 AM, Patricia Greene calls David Reyes asking about a loan document — she never sent any wire instruction.
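The spoof in this scenario works because a DMARC policy of "none" tells receiving mail servers to take no action when SPF/DKIM alignment fails, so a message forged as patricia.greene@lcbankohio.com is still delivered. The following added example (written for this case study, not LCB tooling) parses a DMARC TXT record and reports what an enforcing receiver would do with forged mail, alongside the remediation steps toward `p=reject`. The two records are constructed strings; no DNS lookup is performed.

```python
"""Assess a DMARC TXT record for spoofing exposure.

Added example for the BEC scenario; not part of the case study. The records
below are constructed strings; nothing is resolved over DNS, so it runs offline."""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse a record such as 'v=DMARC1; p=none; rua=mailto:...' into a tag map."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v= tag missing or not DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def spoof_exposure(tags: dict[str, str]) -> str:
    """What a DMARC-enforcing receiver does with mail that fails SPF/DKIM alignment
    for this domain: 'delivered', 'partially_enforced', 'quarantined' or 'rejected'."""
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "delivered"           # monitor-only: failing mail is still delivered
    if pct < 100:
        return "partially_enforced"  # only pct% of failing mail gets the policy applied
    return "quarantined" if policy == "quarantine" else "rejected"


def recommendations(tags: dict[str, str]) -> list[str]:
    """Remediation steps toward an enforcing policy, derived from the parsed tags."""
    notes: list[str] = []
    policy = tags["p"].lower()
    if policy == "none":
        notes.append("move p=none to p=quarantine, then p=reject once aggregate reports "
                     "show all legitimate senders are aligned")
    elif int(tags.get("pct", "100")) < 100:
        notes.append("raise pct to 100 so the policy applies to all failing mail")
    if "rua" not in tags:
        notes.append("add rua= so aggregate reports reveal who is sending as the domain")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        notes.append("sp=none leaves subdomains unprotected; align sp with p")
    return notes


def assess(txt: str) -> dict[str, object]:
    """One-call assessment: exposure classification plus remediation list."""
    tags = parse_dmarc(txt)
    return {"exposure": spoof_exposure(tags), "recommendations": recommendations(tags)}


# Constructed records: the first mirrors the case study's p=none posture, the second is enforcing.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@lcbankohio.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@lcbankohio.com; "
                   "ruf=mailto:dmarc-forensic@lcbankohio.com")

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, assess(record))
```

Two caveats matter for this scenario. DMARC published on lcbankohio.com only helps at receivers that evaluate it; for mail arriving at LCB's own on-prem Exchange 2016 (SRV-05, which the controls table notes is not behind Defender for Office 365), LCB's gateway must itself check inbound DMARC for its own domain or the forged message is accepted regardless of the published policy. And DMARC says nothing about lookalike domains, so the callback to the requester on a known-good number remains the control that would have stopped this wire.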
Scenario: At 2:30 AM Saturday, an after-hours email alert from ManageEngine EventLog Analyzer fires to IT Director Kevin Merritt — flagging unusual outbound traffic from the VLAN 1 segment. Kevin is asleep and doesn't see the alert until 7:00 AM. By then, ATM transaction logs (reviewed Monday after the branch manager reports empty cassettes) show that ATMs FAC-02-ATM-01 and FAC-04-ATM-01 — both Windows 7 EOL units — dispensed their entire cash cassettes ($48,000 combined) between 2:15 and 2:45 AM. Physical inspection shows no signs of forced entry or card skimming. The ATMs' Windows 7 event logs show a remote RDP connection from an internal IP (10.1.18.42 — SRV-08, the RealTime ATM Manager server) exactly 11 minutes before the cash-out sequence began.
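The monitoring question above asks for a minimum viable SIEM use case set, and this scenario supplies one: a remote logon to an ATM outside the maintenance window, followed within minutes by card-less dispensing, is detectable only if ATM event logs and SRV-08 logs are ingested, which the controls table says they are not. The following added example (written for this case study, not a product rule or LCB tooling) implements that correlation over constructed log lines. The pipe-delimited log format, the 07:00 to 19:00 service window, the third ATM host and all amounts are constructed; the two ATM names and the 10.1.18.42 source address follow the scenario.

```python
"""Correlate remote logons to ATM hosts with card-less cash dispensing.

Added example; not part of the case study or any vendor product. The log format,
host list, service window and sample lines are constructed; the two ATM host
names and the source IP follow the scenario."""
from __future__ import annotations
from datetime import datetime, timedelta

# Hosts the rule treats as ATMs (first two from the scenario, third constructed).
ATM_HOSTS = {"FAC-02-ATM-01", "FAC-04-ATM-01", "FAC-03-ATM-02"}
# Constructed maintenance window: remote sessions to ATMs are expected only 07:00-19:00 local.
SERVICE_WINDOW_HOURS = (7, 19)


def parse_event(line: str) -> dict:
    """Parse a constructed 'timestamp|host|kind|key=value ...' line into a dict."""
    ts, host, kind, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def detect(lines: list[str], window: timedelta = timedelta(minutes=60),
           cashout_threshold: float = 10_000.0) -> list[tuple[str, str, str]]:
    """Return (rule, host, detail) alerts.

    Rule 1: any remote logon to an ATM outside the service window.
    Rule 2: card-less dispensing on the same ATM totalling >= cashout_threshold
            within `window` after a remote logon."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts: list[tuple[str, str, str]] = []
    for logon in events:
        if logon["kind"] != "RDP_LOGON" or logon["host"] not in ATM_HOSTS:
            continue
        hour = logon["ts"].hour
        if not SERVICE_WINDOW_HOURS[0] <= hour < SERVICE_WINDOW_HOURS[1]:
            alerts.append(("after_hours_remote_logon", logon["host"],
                           f"src={logon['src']} user={logon['user']} at {logon['ts'].isoformat()}"))
        cardless_total = sum(
            float(e["amount"]) for e in events
            if e["kind"] == "DISPENSE" and e["host"] == logon["host"]
            and e.get("card") == "none"
            and logon["ts"] <= e["ts"] <= logon["ts"] + window
        )
        if cardless_total >= cashout_threshold:
            minutes = int(window.total_seconds() // 60)
            alerts.append(("remote_logon_then_cashout", logon["host"],
                           f"${cardless_total:,.0f} dispensed without a card within "
                           f"{minutes} min of logon from {logon['src']}"))
    return alerts


# Constructed log lines. The two FAC-02/FAC-04 sequences follow the scenario's timing;
# the FAC-03 lines are a normal daytime service visit for contrast.
SAMPLE_LOG = [
    "2025-01-18T02:04:12|FAC-02-ATM-01|RDP_LOGON|src=10.1.18.42 user=atmsvc",
    "2025-01-18T02:04:40|FAC-04-ATM-01|RDP_LOGON|src=10.1.18.42 user=atmsvc",
    "2025-01-18T02:15:03|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:18:47|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:22:10|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:25:55|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:29:31|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:33:08|FAC-02-ATM-01|DISPENSE|amount=4000 card=none",
    "2025-01-18T02:16:20|FAC-04-ATM-01|DISPENSE|amount=6000 card=none",
    "2025-01-18T02:24:02|FAC-04-ATM-01|DISPENSE|amount=6000 card=none",
    "2025-01-18T02:33:45|FAC-04-ATM-01|DISPENSE|amount=6000 card=none",
    "2025-01-18T02:44:19|FAC-04-ATM-01|DISPENSE|amount=6000 card=none",
    "2025-01-17T10:12:00|FAC-03-ATM-02|RDP_LOGON|src=10.1.18.42 user=atmsvc",
    "2025-01-17T10:40:00|FAC-03-ATM-02|DISPENSE|amount=200 card=present",
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:28s} {host:15s} {detail}")
```

Rule 1 alone would have paged someone at 02:04, before the first cassette emptied; rule 2 is the confirmation that turns a suspicious logon into an incident. Both rules depend on the same two feeds (ATM host security logs and SRV-08 session logs), which makes them a concrete answer to what the minimum viable use case set must ingest first. Because the ATM management server sits on the flat VLAN 1, the source address is not by itself evidence of compromise of SRV-08; the scenario's forensic question of how that host was reached is separate from detecting the cash-out.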
Scenario: On a Thursday afternoon, Jack Henry & Associates issues a security notice to all Silverlake clients: a threat actor exploited a vulnerability in the Jack Henry remote support VPN infrastructure and gained unauthorized access to client environments through persistent support VPN sessions. Jack Henry cannot confirm which specific client environments were accessed or what data may have been exfiltrated. Jack Henry's own log retention covers only the last 21 days. LCB's Jack Henry support VPN has been always-on and unmonitored for 3 years. That VPN session has privileged access to the Silverlake core banking database — which contains account numbers, SSNs, balances, and transaction history for all 22,400 LCB customers.
Constraints: LCB's Board has approved a one-time cybersecurity improvement budget of $175,000 (FY2025 supplemental). Kevin Merritt must present a prioritized remediation roadmap at the next Board meeting. The roadmap must identify Quick Wins (0–90 days, low-cost), Short-Term actions (90 days – 1 year), and Strategic investments (1–3 years). The 6-person IT team cannot absorb more than 15 hours/week of new project work above BAU. ATM hardware replacement ($306K for all 9 EOL units) is not included in this budget cycle.