Transcript Webcast: How to Conduct a Technology Risk Assessment

ABA WEBCAST BRIEFING
How to Conduct a Technology Risk
Assessment
Presented by:
Cynthia A. Bonnette
Managing Director
Technology Risk Assessment Services
M ONE, Inc.
Presentation Overview
Why is technology risk management important?
How to conduct a comprehensive technology risk
assessment
Maintaining an adequate information security
program
Effective and “not-so-effective” practices
Why is Technology Risk Management Important?
The strategic importance of technology to business
– Technology is an enabler of essential business functions
– Financial assets are essentially information assets
– This has created a heightened dependency on information
systems and electronic data
The growing threat of cyber-crime
Legal and regulatory requirements for safeguarding
customer information
Risk Assessment and Risk Management
Risk assessment
– Objective is to identify and measure the risk associated
with an activity
– Measurement can be quantitative or qualitative
Risk management
– Objective is to control the level of risk associated with an
activity
“If you can’t measure it, you can’t manage it.”
--Peter Drucker
Risk Assessment and Risk Management
Technology permeates the organization
Risks must be managed holistically
New vulnerabilities and threats result from the
networked environment
Traditional risks are reshaped
–
–
–
–
Strategic
Operational
Credit
Liquidity
– Compliance
– Reputation
– Systemic
Vulnerabilities + Threats = Trouble
Vulnerabilities:
Software flaws
• CGI scripts
• Bad code
• Firewall
misconfigured
Hardware flaws
• Unsecured PCs
• Open modems
Weak policies
• Poor passwords
• E-mail misuse
Poor physical
security
• Uncontrolled access
Untrained staff
Threats:
“Hackers”
• Script kiddies
• Experimenters
“Crackers”
• Malicious attackers
• Extortionists
Insiders
• Employees
• Contractors
Competitors
Terrorists
Natural disasters
Outcome:
Data/system
destruction
System intrusion
• Data theft
• Data alteration
• Unauthorized viewing
Denial of service
• External interruption
• Internal interruption
Impersonation
• Intellectual property
theft
• Fraud
System faults
• Errors/inaccuracies
The Growing Threat of Cyber-crime
2002 CSI/FBI Computer Crime and Security Survey
–
–
–
–
–
–
–
90% of respondents detected security breaches
80% acknowledged financial losses
74% cited the Internet as a frequent point of attack
34% of respondents reported intrusions to law enforcement
40% detected system penetration from the outside
40% detected denial of service attacks
85% detected computer viruses in the past year
503 organizations surveyed--19% financial institutions
Standards for Safeguarding Information
Mandated by GLBA Section 501 (b)
Regulatory standards became effective July 1, 2001
Requirements include:
– Each bank must implement a written info-security program
addressing technical, administrative, and physical controls
– The board must approve and oversee the program
– The program must be based on a risk assessment
– The program must manage and control risks via appropriate
security measures (the regulation lists several)
– The program must address service provider arrangements
– The program must be monitored and updated periodically
Is Your Institution Prepared?
Your next exam will review compliance with the
Standards for Safeguarding Customer Information
FDIC’s recent “informal examiner survey” results:
– Common areas of weakness include lack of policies and lack of
board involvement
– Guidance is sought on the risk assessment process
– Confusion exists with respect to privacy and security
regulations
Recommended practice: Conduct an assessment based
on the regulatory exam procedures
Steps for Protecting Bank Systems
Conduct a comprehensive risk assessment
– Identify and prioritize vulnerabilities and threats
– Evaluate existing policies and controls
Determine the best methods to address risks
– Internal controls
– Outsourced services
– Insurance coverage
Formalize security programs
– Board/senior management commitment
– Written policies and implementing guidelines
– Employee training and awareness
 Test, re-evaluate, and update periodically
Conducting a Risk Assessment
The importance of a holistic approach
– Enterprise-wide
– Consider technical, administrative, and physical
elements
– Executive support and involvement is essential
Take stock of what you have
– Information classification/prioritization
– Identification of critical systems and processes
– How complex/sophisticated are the information systems
and technologies in place?
Conducting a Risk Assessment (cont’d)
Evaluation of vulnerabilities and threats
– Identify weaknesses in technical, administrative, and
physical processes
– Identify potential threat sources
– Prioritize
Review of existing programs and controls
– Use a system diagram to identify system connections, data
entry/exit points, and critical links
– Determine where sensitive/critical data resides
– Ensure that appropriate controls are in place
– Test, re-test, and update
The Risk Assessment Process
Source: Common Criteria v.1
The Information Security Program
The information security program should be based
on a comprehensive risk assessment
The program should include:
– Policy (high-level corporate objectives)
– Procedures (guidelines, standards)
– People (designate a responsible individual)
The program should address:
– Administrative controls
– Physical controls
– Technical controls
Components of an Information Security Program
nformation Security Program Essenti
Strategy
Management
Implementation
Technology &
Operations
Support
Key Elements of an Info-Security Program















Written, board-approved policies
Security organization roles and responsibilities
Guidelines and standards for security policy implementation
Asset classification and controls
Acceptable use of computer equipment, systems, and networks
Personnel security
Physical security controls
Communications and operations management controls
Access controls
System development and maintenance controls
Computing baseline standards
Business continuity planning
Incident response
Provisions for regular reviews/updates
Provisions for independent tests of controls
Effective and Not-so-Effective Practices
Effective information security practices in midsized financial institutions:
–
–
–
–
–
–
–
–
Support from upper management
Designation of responsibility (ISO)
Formation of a cross-department working group
Centralized control over entire architecture
Organized risk assessment process
Formalized policies and procedures
Effective, coordinated testing processes
User education and awareness training
Effective and Not-so-Effective Practices
Not-so-effective information security practices in midsized financial institutions:
–
–
–
–
–
–
–
Over-reliance on third parties (vendors, consultants)
Undefined or fragmented responsibility
Lack of uniform controls (decentralized environment)
Lack of skilled staff (failure to train, inadequate depth)
Weak or non-existent policies and procedures
Exclusive focus on technical issues
Failure to review and follow-up on test results
Summing it up...
Technology is revolutionizing the financial services
industry
New vulnerabilities and threats raise challenges for
financial institutions
To protect your bank, regularly evaluate and
update your information security program based
on a comprehensive risk-focused assessment
Time for questions, comments, and
discussion...
Cynthia A. Bonnette
Managing Director
Technology Risk Assessment Services
M ONE, Inc.
5447 N. Four Mile Run Dr., Arlington, VA 22205
Tel: 703-276-6816
http://www.moneinc.com
e-mail: [email protected]