Overview

The quality of security controls can significantly influence all categories of risk. A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the institution’s vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.

Risk assessments for most industries focus only on the risk to the business entity. Financial institutions must also consider the risk to their customers’ information.
For example, the 501(b) guidelines require financial institutions to “protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.”

Key Steps

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

Gather Necessary Information

An effective risk assessment should be based on a current and detailed knowledge of the institution’s operating and business environments. Sufficient information should be referenced in the risk assessment to document a thorough understanding of these environments. Both technical and non-technical information should be gathered. Examples of relevant technical information include network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems. Non-technical information that may be necessary includes the policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage. Additionally, information regarding control effectiveness should be gathered. Typically, that information comes from security monitoring, including self-assessments, metrics, and independent tests.
Identification of Information and Information Systems

A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information and information systems can be both paper-based and electronic-based. The institution’s analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems. Some systems and data stores may not be readily apparent. For example, backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing should be considered.

In identifying information and the information systems, it is important to understand how the institution uses information in its day-to-day operations. For example, the risk assessment should address employee access, use, and dissemination of information in response to requests. Institutions should also consider how they store, transmit, transfer, and dispose of media (paper or electronic) containing information, authorize and authenticate those who receive information both physically and electronically, and how they make information available for viewing. A financial institution’s outsourcing strategy also should be considered in identifying relevant data flows and information processing activities. The institution’s system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.
Analyze the Information

Classify and Rank Sensitive Data, Systems, and Applications

Financial institutions should assess the relative importance of the various information systems based on the nature of their function, the criticality of data they support, and the sensitivity of data they store, transmit, or protect. When assessing the sensitivity of data, institutions should consider the increased risk posed to the institution from the aggregation of data elements. Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner. Systems that store or transmit data of different sensitivities should be classified as if all data were at the highest sensitivity. Classification should be based on a weighted composite of all relevant attributes.

Assess Threats and Vulnerabilities

Financial institutions should assess potential threats and vulnerabilities of their information systems. Generally, this assessment is to determine which threats or vulnerabilities deserve priority attention relative to the value of the information or information systems being protected. Although threats and vulnerabilities need to be considered simultaneously, it is important to distinguish threats from vulnerabilities. Threats are events that could cause harm to the confidentiality, integrity, or availability of information or information systems. They can be characterized as the potential for agents exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Threats can arise from a wide variety of sources.
Traditionally, the agents have been categorized as internal (malicious or incompetent employees, contractors, service providers, and former insiders) and external (criminals, recreational hackers, competitors, and terrorists). Each of the agents identified may have different capabilities and motivations, which may require the use of different risk mitigation and control techniques and the focus on different information elements or systems. Natural and man-made disasters should also be considered as agents. Vulnerabilities can be characterized as weaknesses in a system, or control gaps that, if exploited, could result in the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Vulnerabilities are generally grouped into two types: known and expected. Known vulnerabilities are discovered by testing or other reviews of the environment, knowledge of policy weaknesses, knowledge of inadequate implementations, and knowledge of personnel issues. Adequate and timely testing is essential to identify many of these vulnerabilities. Inadequate or untimely testing may critically weaken the risk assessment. Expected vulnerabilities to consider are those that can reasonably be anticipated to arise in the future. Examples may include unpatched software, new and unique attack methodologies that bypass current controls, employee and contractor failures to perform security duties satisfactorily, personnel turnover resulting in less experienced and knowledgeable staff, new technology introduced with security flaws, and failure to comply with policies and procedures. Although some vulnerabilities may exist only for a short time until they are corrected, the risk assessment should consider the risk posed for the time period the vulnerability might exist. Financial institutions should analyze through scenarios the probability of different threat agents causing damage. 
These scenarios should consider the financial institution’s business strategy, quality of its control environment, and its own experience, or the experience of other institutions and entities, with respect to information security failures. The assignment of probabilities by the financial institution should be appropriate for the size and complexity of the institution. Simple approaches (e.g., probable, highly possible, possible, and unlikely) are generally sufficient for smaller, non-complex financial institutions. Business lines should also analyze the potential damage, or impact, of a threat agent’s action. Impact can be measured in terms of data integrity, confidentiality, and availability of information; costs associated with finding, fixing, repairing, and restoring a system; lost productivity; financial losses; and other issues affecting the institution’s operations and reputation.

Many analytical methods may be used to arrive at the likelihood and impact of a threat agent’s action. Methods fall into two general categories: quantitative and qualitative. Quantitative methods involve assigning numerical measurements that can be entered into the analysis to determine total and residual risks. Measurements may include costs to safeguard the information and information systems, value of that information and those systems, threat frequency and probability, and the effectiveness of controls. Techniques may include manual or automated data analysis to provide measurement of the potential damage in relation to the controls. A shortcoming of quantitative methods is a lack of reliable and predictive data on threat frequency and probability, and the future reliability and performance of the control structure. That shortcoming is typically addressed by assigning numeric values based on qualitative judgments. Qualitative analysis involves the use of scenarios and attempts to determine the seriousness of threats and the effectiveness of controls.
Qualitative analysis is by definition subjective, relying upon judgment, knowledge, prior experience, and industry information. Qualitative techniques may include walk-throughs, storyboarding, surveys, questionnaires, interviews, and workgroups to obtain information about the various scenarios. Each identified threat should be analyzed to determine potential severity and loss against the effectiveness of the existing control structure.

Evaluate Control Effectiveness

The institution should identify controls that will mitigate the impact or likelihood of each identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing (preventive, detective, or corrective) or nature (administrative, technical, or physical). The evaluation should recognize the unique control environment of the institution, and evaluate the effectiveness of that environment in responding to the threats arrayed against it. The evaluation should address the controls that prevent harm as well as those that detect harm and correct damage that occurs. Preventive controls act to limit the likelihood of a threat agent succeeding. Detective and corrective controls are essential to identify harmful actions as they occur, to facilitate their termination, and to reduce damage. Controls should not be assumed to be completely effective. Measures of control effectiveness can be obtained from a well-planned and executed security monitoring program. Self-assessments, metrics, and independent tests may address compliance with existing controls and the adequacy of those controls. A well-planned and executed security monitoring program is sound industry practice and should be based on an assessment of the risk of non-compliance or circumvention of the institution’s controls. The evaluation of controls should also encompass the risks to information held and processed by service providers.
An institution’s contract with the service provider should contain language that establishes standards the service provider should meet and provide for periodic reporting against those standards. The contract should include a provision for the independent review of internal controls at service providers and vendors, require that timely action be taken to address identified vulnerabilities, and require a reporting to the institution of the review, its findings, and the actions taken in response to the findings. The report should be sufficient to enable the institution to evaluate contract compliance and to assess risk.

The evaluation of controls should include a review of the relevant physical access controls — including access to records, equipment, and financial institution and data center facilities — and provide an assessment of potential vulnerabilities to a physical attack or other disaster. Reviews should be comprehensive and address all data and facilities, including remote facilities. Because the risk from many threat scenarios may be mitigated by physical as well as other controls, the physical control evaluation is an integral part of the overall scenario evaluation.

Assign Risk Ratings

After completing the inventory of information and systems, assessing the likelihood and exposure of identified threats and vulnerabilities, and evaluating control effectiveness, the institution should assign risk ratings to the information and information systems. The key to assigning risk ratings is to organize the information and information systems within a logical framework. The framework should recognize that not all threats and risks are equal and acknowledge that financial institutions have finite managerial and financial resources. As with credit or interest rate risk, reasonably foreseeable risks should be prioritized and rated according to the sensitivity and importance of the information.
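The steps above (classify each system at the highest sensitivity it holds, assess a scenario's likelihood and impact, adjust for measured control effectiveness, then rate and prioritize) can be carried through as a small risk register. The following is an added example, not text or code from the handbook: the four-step scales, the rule that control effectiveness lowers likelihood, the use of data classification as an impact floor, the three-level rating, the accept-or-mitigate threshold, and the sample scenarios are all assumptions chosen for illustration.

```python
"""Qualitative risk register illustrating the assessment steps described above.

Added example, not from the handbook: the scales, the control-adjustment rule,
the rating thresholds and the sample scenarios are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


class Likelihood(IntEnum):
    # The simple scale the text suggests for smaller, non-complex institutions.
    UNLIKELY = 1
    POSSIBLE = 2
    HIGHLY_POSSIBLE = 3
    PROBABLE = 4


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    SEVERE = 4


@dataclass
class System:
    name: str
    data: dict[str, Sensitivity]  # data element -> sensitivity

    def classification(self) -> Sensitivity:
        # A system holding data of mixed sensitivity is classified at the highest level it holds.
        return max(self.data.values())


@dataclass
class Scenario:
    system: System
    threat_agent: str
    vulnerability: str
    inherent_likelihood: Likelihood
    impact: Impact
    control_effectiveness: float  # 0.0 = absent, 1.0 = fully effective; measured, never assumed
    control_exists: bool = True


def residual_likelihood(s: Scenario) -> Likelihood:
    """Preventive controls lower likelihood: each full third of measured
    effectiveness drops the scale one step (assumed rule)."""
    steps = int(s.control_effectiveness * 3)
    return Likelihood(max(int(Likelihood.UNLIKELY), int(s.inherent_likelihood) - steps))


RATINGS = ["Low", "Medium", "High"]


def rate(s: Scenario) -> str:
    """Three-level rating from residual likelihood x impact, with the system's data
    classification acting as an impact floor (assumed mapping)."""
    likelihood = int(residual_likelihood(s))
    impact = max(int(s.impact), int(s.system.classification()))
    score = likelihood * impact  # 1..16
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def segregate(scenarios: list[Scenario], accept_up_to: str = "Low") -> dict[str, list[Scenario]]:
    """Split scenarios into those the board is willing to accept and those to mitigate.
    A scenario with no existing control needs an action plan regardless of its rating."""
    accepted, mitigate, action_plan = [], [], []
    for s in scenarios:
        if not s.control_exists:
            action_plan.append(s)
            mitigate.append(s)
        elif RATINGS.index(rate(s)) <= RATINGS.index(accept_up_to):
            accepted.append(s)
        else:
            mitigate.append(s)
    return {"accept": accepted, "mitigate": mitigate, "action_plan": action_plan}


def build_register() -> list[Scenario]:
    """Constructed sample scenarios (not real findings)."""
    core = System("core banking", {"customer PII": Sensitivity.RESTRICTED,
                                   "marketing copy": Sensitivity.PUBLIC})
    tapes = System("backup tapes", {"deposit records": Sensitivity.CONFIDENTIAL})
    web = System("public website", {"press releases": Sensitivity.PUBLIC})
    return [
        Scenario(core, "external criminal", "unpatched internet-facing host",
                 Likelihood.PROBABLE, Impact.HIGH, control_effectiveness=0.5),
        Scenario(tapes, "former insider", "no tracking of media in transit",
                 Likelihood.POSSIBLE, Impact.MODERATE, control_effectiveness=0.0,
                 control_exists=False),
        Scenario(web, "recreational hacker", "weak administrator password on the CMS",
                 Likelihood.HIGHLY_POSSIBLE, Impact.LOW, control_effectiveness=0.7),
    ]


if __name__ == "__main__":
    register = build_register()
    for s in register:
        print(f"{s.system.name:15} class={s.system.classification().name:12} "
              f"residual={residual_likelihood(s).name:15} rating={rate(s)}")
    buckets = segregate(register)
    for bucket, items in buckets.items():
        print(f"{bucket}: {[s.system.name for s in items]}")
```

Note that the mixed-sensitivity core banking system is rated as RESTRICTED because of the customer PII it holds, even though the scenario's declared impact was only High; the backup-tape scenario lands in the mitigate list with an action plan purely because no control exists, as the text requires where controls are inadequate or absent.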
The probability or likelihood of an event occurring, and the impact the event would have on a financial institution should be considered in determining the appropriate risk rating for information. The probability of an event occurring, and its impact on the institution, is directly influenced by a financial institution’s business profile and the effectiveness of its controls. Typically, the result is expressed in differing levels of risk, for example, “High,” “Medium,” or “Low” ratings. The specific risk rating is judgmentally determined and assigned in relation to the level of exposure and the threat likelihood, taking into consideration the adequacy of related internal controls. Where controls are inadequate or found not to exist, the risk assessment should include an action plan to improve the controls.

Once the risks associated with threats and vulnerabilities have been assessed, probabilities assigned, and risks rated, risks should be segregated into those the financial institution is willing to accept and those that should be mitigated. Guidance from the board of directors should be used for that segregation. Once the institution identifies the risks to mitigate, it can begin to develop its risk mitigation strategy.

Key Risk Assessment Practices

A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices: