In 175 words or more, read the following case study and discuss a fact or finding for the case study, list the condition(s) that present risks to Bank Solutions, and propose a recommendation for addressing the condition. What role should IT play in business continuity planning and in disaster recovery planning? 

Teaching Case

Bank Solutions Disaster Recovery and Business

Continuity: A Case Study for Business Students

Steve Camara

Senior Manager, KPMG LLP

1021 E Cary Street, Suite 2000

Richmond, VA 23219

scamara@kpmg.com

Robert Crossler

Vishal Midha

Assistant Professor

Computer Information Systems

The University of Texas – Pan American

recrossler@utpa.edu, vmidha@utpa.edu

Linda Wallace

Associate Professor

Accounting and Information Systems

Virginia Tech

wallacel@vt.edu

ABSTRACT

Disaster Recovery and Business Continuity (DR/BC) planning is an issue that students will likely come in contact with as they

enter industry. Many different fields require this knowledge, whether employees are advising a company implementing a new

DR/BC program, auditing a company‟s existing program, or implementing and/or serving as a key participant in a company

program. Often times in the classroom it is difficult to find real world practice for students to apply the theories taught. The

information in this case provides students with real world data to practice what they would do if they were on an engagement

team evaluating a DR/BC plan. Providing students with this opportunity better prepares them for one of the jobs they could

perform after graduation. This case gives students experience working at the individual level making decisions, at the dyadic

level analyzing other people‟s decisions, and at the group level presenting an agreed upon analysis.

Keywords: Case study, Computer security, Critical thinking, Experiential learning & education, Information assurance and

security, Role-play, Security, Team projects

1. CASE SUMMARY

This case is used by the authors during an information

assurance course taught as part of an accounting and

information systems degree. It is presented during the

portion of the semester when business continuity and disaster

recovery is being covered. The intent of the case is to give

students an opportunity to gain real world experience with a

theoretical concept that can be difficult to comprehend fully.

At the conclusion of this case, students should possess a

greater understanding of the critical decision-making process

that goes into analyzing and deciding what risks need to be

dealt with as a part of a Disaster Recovery and Business

Continuity (DR/BC) team.

This case is presented as a non-project based case

(Cappel and Schwager 2002) and it is expected that students

Journal of Information Systems Education, Vol. 22(2)

117

will utilize higher level cognitive skills as presented in the

classic taxonomy of Bloom (1956). They will accomplish

this by distinguishing relevant from irrelevant facts,

developing alternatives and solutions, and applying concepts

to a specific situation.

To accomplish the stated goal of this case, information

from a fictional company, Bank Solutions, Inc., is provided.

Bank Solutions, Inc. is a provider of item processing services

to community banks, savings and loan associations, Internet

banks, and small- to mid-size credit unions. Bank Solutions,

Inc. needs to identify its operating and regulatory risks. A

professional business team is hired to identify the risks and

provide recommendations to mitigate the identified risks.

2. CASE TEXT

2. 1 Company Background

Bank Solutions, Inc. (a pseudonym), founded in 1973 by the

First Presidential Bank, a major bank of its time, is a

provider of item processing services
i
to community banks,

savings and loan associations, Internet banks, and small- to

mid-size credit unions. It offers a full range of services,

including inclearing and Proof of Deposit (POD) processing,

item capture, return and exception item processing, image

archive storage and retrieval, and customer statement

rendering.

Bank Solutions was formed in 1973 when the Chief

Operating Officer of First Presidential Bank, a major

commercial bank, recognized an opportunity. Since item

processing functions are standardized (they have to be in

order for originating and receiving financial institutions to

clear customer transactions) and scalable with increases in

item processing volumes, they were able to offer these

services to other financial institutions wishing to reduce

operating expense and focus on growth strategies and other

core business functions. First Presidential marketed these

services under the Bank Solutions brand name.

Over the next 15 years, Bank Solutions enjoyed modest

growth. By 1988, it served 41 small- to mid-size financial

institutions. It had not, however, developed a market

presence outside of the Northwestern Region of the United

States, as management had hoped. This was primarily

because Bank Solutions was unable to compete with other

item-processing service providers that had developed

proprietary software systems considered “top of the line.”

To make matters worse, at the time almost one quarter of

Bank Solutions‟ client base was saving and loan associations

(saving and loans). As a result of the Savings and Loan

crisis, 60% of Bank Solutions‟ savings and loan customer

base failed over the six years spanning 1985–1991, thus

stunting the outsourcer‟s growth. The related slow down of

the financial services and real estate industries and the

recession of 1990–1991 presented further headwinds to the

growth objectives of First Presidential management. In

1994, First Presidential sold off Bank Solutions.

Under new management, Bank Solutions thrived. Keys

to the company‟s renewed success included the following:

 The development of key strategic partnerships with
other industry participants, including data clearing

houses and financial institution core processing system

outsourcers.
ii

 The introduction of a new company culture that focused
on open door management, mentoring, and enhanced

employee benefits.

 The development of a proprietary, state of the art item
processing system that uses state-of-the-art Optical

Character Recognition (OCR) technology to achieve

character recognition accuracies that were previously

unheard of.

 The implementation of “remote capture” technologies
iii

to meet electronic banking initiatives and regulations

such as “Check 21.”

 The upgrade or replacement of other administrative
information systems, including the company‟s financial

reporting system. This helped to increase operational

effectiveness and efficiencies.

From 1995–2008, Bank Solutions enjoyed

unprecedented growth. During that timeframe, the company

expanded operations to 18 item processing facilities, two

data centers in which the item processing system was hosted,

and 345 financial institutions.

2.2 Current Scenario (2011)

Douglas Smith, the Chief Information Officer for Bank

Solutions, was one of the original members of “new

management” and responsible for many of Bank Solutions‟

past successes. A solid, middle-sized company with

continued growth potential, Bank Solutions has become a

target for a leveraged corporate buyout. This is an attractive

situation for Douglas and other members of executive

management. Several of these individuals are close to

retirement; and initial indications are that the price of the

buyout will be very favorable for members of executive

management.

The CEO and other influential members of executive

management want Bank Solutions to remain an attractive

purchase option and, as a result, have contracted the services

of your team as an outside consultant to identify operating

and regulatory risks and advise them on control measures to

mitigate the risks.

2.3 Risk Assessment Task

As members of the engagement team performing the risk

assessment, your team has been given the task of assessing

Bank Solutions‟ incident handling, business continuity, and

disaster recovery strategy.

In order to perform the assessment, preliminary

interviews with Douglas Smith, the Data Center Managers,

Systems Engineers and Network Architect in each of

Banking Solutions‟ data centers, and the IT Managers and

Day and Night Operations Managers from seven of the

largest item processing facilities were conducted.

Additionally, the following documentation related to Bank

Solutions‟ security incident management, DR/BC planning

activities was reviewed:

 Flow charts that diagram the item processing operations
and data flow between Bank Solutions item processing

facilities and data centers and outside entities (see

Appendix A)

 A diagram of Bank Solutions‟ network architecture

Journal of Information Systems Education, Vol. 22(2)

118

 Bank Solutions‟ Data Center Disaster Recovery and
Business Continuity Plan (DRBCP)

 Policies, procedures, guidelines, and standards related
to security incident response

 Item Processing Facility DRBCPs

 Results from the most recently completed DRBCP
test/exercise

 Distribution list for the DRBCP

 Bank Solutions‟ Backup and Recovery Policy.

 Screen prints of the configurations from Bank
Solutions‟ backup utility (these configurations show

what server shares are subject to automated backup and

the frequency of those backups)

 Contracts with the off-site storage provider

 A system-generated listing of access to event logging
servers

 A list of individuals who have been provided access to
recall backup tapes from the off-site storage vendor.

 Screenshots of the Intrusion Detection System (IDS),
firewall, and other event logging capability

configurations

 Excerpts from the IDS and firewall event logs and
management‟s manually maintained incident tracking

log.

2.4 Facts: Risk Assessment Findings

Based on the discussions held with the management and a

review of the documentation provided, you note the

following facts:

1. With the assistance of an external consultant, Bank
Solutions wrote its current data center DRBCP in 2007.

It was last updated in January 2009.

2. According to Douglas, the data center DRBCP was last
tested in 2007. Testing activities consisted of a

conceptual, table-top walkthrough of the DRBCP

conducted by Douglas with the Data Center Managers

and Network and Systems Engineers. Item processing

facility DRBCPs have not yet been tested.

3. Site-specific DRBCPs have been written for the five
largest item processing facilities. The remaining item

processing facilities have a generic “small center”

DRBCP template that was distributed to and customized

by facility management in June 2010. Four item

processing facilities have not yet completed the

customization exercise.

4. DRBCPs contain several sections, including the
following:

 Emergency/crisis response procedures

 Business recovery procedures

 “Return to normal” procedures

 Various appendices
Recovery Time Objectives and Recovery Point

Objectives
iv

for each critical business process and

system were not identified in the DRBCP. The

following details, most of which are included in the

DRBCP appendices, are also documented in the text of

the DRBCP:

 Critical systems, including detailed hardware and
software inventories

 Critical business processes and process owners

 Alternative processing facility addresses and
directions

 “Calling Trees” (notification listings)

 Critical plan participant roles, responsibilities,
and requirements

 Critical vendor contact listings

 Key business forms

 Specific recovery procedures for key systems

 Procedures for managing public relations and
communications

5. Based on a review of DRBCP distribution lists, it
appears that not all key plan participants have a copy of

the plan. When this was discussed with Douglas, he

responded that copies of all DRBCPs are stored on the

network (which is replicated across both data centers

and via backup tape).

6. Critical plan participants have not been trained to use
DRBCPs.

7. Bank Solutions has implemented a robust host-based
IDS, including detailed event logging and reporting

capabilities. However, neither the DRBCP nor any

other policy, standard, guideline, or procedure addresses

security incident handling steps, including escalation

points of contact and procedures for preserving the

forensic qualities of logical evidence.

8. Event logging is also performed when power users
perform specific privileged activities on production

servers and selected administrative back office systems.

Interestingly, it was noted that several of the same

power users whose actions are recorded onto event logs

also have write access to the logs themselves.

9. A review of the network diagram and conversations
with the Network Architect reveal that redundancies

have been implemented at the network perimeter (e.g.,

routers, firewalls, IDS, load balancers, etc.).

10. Banking Solutions has organized their DR/BC program
according to a “sister center” format; that is, each data

center serves as the other‟s “hot site” processing

location and each item processing facility has been

assigned a corresponding item processing facility to

serve as a backup processing location. Neither the

DRBCPs nor any other documentation outline specific

processing responsibilities for backup facilities.

11. On a daily basis, transaction detail and item image files
from the current day‟s processing operations are

uploaded from each item processing facility to their

regional data center (see Appendix A).

12. At the data centers, electronic vaulting has been
established whereby all e-mail, file, and application

servers and databases at the data center are continuously

backed up to the other data center via dual dedicated

fiber optic lines.

13. A data backup and recovery utility has been
implemented in each data center and the item

processing facilities. Full backups of critical data files,

software programs, and configurations are performed

Journal of Information Systems Education, Vol. 22(2)

119

once a week and incremental backups are performed on

a daily basis Monday through Friday.

14. At one item processing facility, backup jobs have
routinely failed due to unknown causes. When the topic

was discussed with the IT Manager on duty, he

shrugged the failures off noting that the core financial

institution transaction data and images are transmitted

to and archived at the Bank Solutions Data Center East

on a daily basis.

15. At the item processing facilities, the management has
been tasked with contracting the off-site storage of

backup tapes. At one of the item processing facilities,

management has contracted the bank across the street to

store its backup tapes in a safety deposit box. At

another item processing facility, the night Operations

Manager stores the backup tapes in a safe at his home.

At a third item processing center, tapes are stored in a

shed at the back of the building.

3. EXERCISES AND SUBMISSIONS
1

This is a group project and each group should ideally consist

of six students. Each group of students will work as a

member of an engagement team in charge of performing the

incident handling, DR/BC risk assessment for Bank

Solutions. Each group should read the case background and

the facts identified in the interviews.

Individual Work: For all of the facts/ findings, prepare a

written report that lists the condition(s) that present risks to

Bank Solutions as well as proposed recommendations for

addressing those conditions. All the individual reports MUST

have the individual‟s name on it.

Dyadic Work: Exchange your report with another

student in your group. At this time, you will have the other

students report with you. Read that report carefully, and

further refine your list being sure that you agree to the

conditions, risks, and recommendations that are mentioned in

the other students‟ individual report. All the dyadic work

MUST have names of both individuals.

Group Work: Together as a group, prepare a report of

recommendations for correcting each of the aforementioned

conditions (thereby addressing the risks) from the assigned

subset of facts. Prepare to discuss your results in class. You

should be ready to explain and elaborate on why you

identified each condition and each risk. You will have about

five minutes to present your subset of conditions, risks, and

recommendations.

To Submit:

1. Six individual reports
2. Six dyadic reports
3. One group report

Subsets of Facts to be Analyzed

Subset # Fact #s

1 1–3

2 4–5

3 6–8

1
Please see Teaching Notes for explanation.

4 9–10

5 11–13

6 14–15

4. ENDNOTES

i
Item processing operations play a critical role in financial
institutions‟ ability to receive, record, and process customer

transactions in an accurate, reliable, and timely manner. The

item processing function converts data from hardcopy source

documents including checks and customer transaction tickets

(also known as „items‟), into an electronic format the

institution‟s systems can capture and use in an automated

environment. It is a function institutions can do internally or

outsource [as in the case of Bank Solutions], in a centralized

or decentralized manner. (Source: Federal Financial

Institutions Examination Council Operations Handbook,

Appendix C – Item Processing, July 2004)

ii

Core processors are internally (with financial institutions)

and externally (outsourced) organized entities that

administer, support, and operate financial institution

transaction processing systems. These systems are complex

computer programs designed to process various types of

financial institution transactions and serve as the financial

institutions‟ general ledgers. Once transactions are sent and

posted to core processor transaction systems, they are said to

have been “cleared.”

iii
Remote capture refers to the capture of electronic check

images that are transmitted to the item processing facility.

The item processing facility receives the files, formats and

edits them, merges them with data files created from the

receipt and processing of hardcopy items, and sends the

resulting combined file to the appropriate core processor for

clearing. Remote capture reduces the expense associated

with management of hardcopy items, including the transport,

sorting, imagining, and storage costs, as well as the time

taken to clear items. Remote capture comes in two flavors –

merchant capture and branch capture. Merchant capture is

when a merchant (e.g., Wal-Mart, Best Buy, etc.) scans a

check at the point of sale (POS) and the imaged check is sent

in batch at specified closing times during the day directly to

the item processor. These batches are edited and balanced,

and the totals are sent to the core processor for clearing.

Branch capture is similar, except that electronic capture is

performed at banks where they scan the checks and other

customer transaction documents and forward the files to item

processing facilities for editing, balancing, and processing.

iv
Recovery Time Objective is the duration of time and a

service level within which a business process must be

restored after a disaster in order to avoid unacceptable

consequences associated with a break in continuity (source:

Wikipedia; Web address: http://en.wikipedia.org/wiki/

Recovery_Time_Objective). Recovery Point Objective

describes the amount of data lost measured in time.

Example: If the last available good copy of data upon an

outage was from 18 hours ago, then the RPO would be 18

Journal of Information Systems Education, Vol. 22(2)

120

hours (source: Wikipedia; Web site: http://en.wikipedia.org/

wiki/Recovery_point_objective).

5. REFERENCES

Bloom, Benjamin S., (1956) “Cognitive Domain,”

Taxonomy of Educational Objectives. Handbook 1. New

York: David McKay.

Cappel, James J., and Schwager, Paul H. (2002) “Writing IS

teaching cases: Guidelines for JISE submission,” Journal

of Information Systems Education Vol. 13, No. 4, pp.

287–293.

AUTHOR BIOGRAPHIES

Stephen L. Camara is a senior manager in KPMG LLP‟s

Federal Information Technology

Advisory Services practice in the

Richmond, Virginia office. He

performed/ managed Statement on

Auditing Standards (SAS) No. 70

and Statement on Standards for

Attestation Engagements (SSAE)

No. 16 examinations for a variety

of Federal and commercial clients

and industries in the United States, Europe and Asia. Mr.

Camara managed application, platform, and function-based

information technology (IT) control assessments in the

United States and Europe. Mr. Camara performed/managed

IT internal control testing supporting Federal and

commercial financial statement audits and audits performed

in accordance with Sarbanes-Oxley (SOX) Section 404.

Robert Crossler is an Assistant Professor in the Computer

Information Systems department at

The University of Texas – Pan

American. His research focuses on

the factors that affect the security and

privacy decisions that individuals

make. He has several publications in

the IS field, including such outlets as

MIS Quarterly, the Journal of

Information Systems Security,

Americas Conference on Information

Systems, and Hawaii International Conference on System

Sciences. He also serves on the editorial review board for

the Journal of Organizational and End User Computing, the

Information Resources Management Journal, and the Journal

of Information Systems Security. Prior to his academic

career he worked as a database programmer, where he led

many projects to completion and coordinated the work of

others.

Vishal Midha is an assistant professor of Computer

Information Systems at the

University of Texas-Pan American.

He has a Ph.D. in Information

Systems from the University of

North Carolina at Greensboro. His

current other research interests

include open source software

development, information piracy

concerns, and knowledge

management. He has published in

Communications of AIS, Electronic Markets, Journal of CIS,

and many national and international conferences including

ICIS, AMCIS, DSI, and GITMA. Presently, he also serves as

an Associate Editor for Case Studies in International Journal

of Information Security and Privacy.

Linda Wallace is an associate professor in the Department

of Accounting and Information Systems

at Virginia Tech. Her research interests

include software project risk,

information security, knowledge

communities, and agile software

development. Her research has been

accepted for publication in Decision

Sciences, Communications of the ACM,

Information & Management, IEEE

Security & Privacy, Decision Support

Systems, Journal of Systems and

Software, and the Journal of Information Systems.

Journal of Information Systems Education, Vol. 22(2)

121

Appendix A

This case was developed solely for class discussion. While the situation described in this case is based on realistic events, the Bank Solutions is a fictional organization.

Further, the names, product/service offerings, and the names of all individuals in the case are fictional. Any resemblance to actual companies, offerings, or individuals is

accidental.

Journal of Information Systems Education, Vol. 22(2)

122

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.