Year after year, banks are told by regulators that their information technology security risk analysis is inadequate. Even with the Federal Financial Institutions Examination Council’s revised guidance in the FFIEC IT Examination Handbook, some banks are still looking for clarity on what a good risk analysis should look like in order to assess the risks associated with all forms of electronic banking. Here are 10 steps that demonstrate how to build a best practice risk analysis as noted in the Corporate Network Information Security Risk Management Framework (Version 1.0).
Make a list of all your business processes
Your initial step in conducting a risk analysis should be determining what type of risk assessment methodology you would like to follow, such as National Institute of Standards & Technology (NIST) or Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE). Then, it is important to identify all the processes that support your business. This could be anything from ATM processing to wire processing. Listing your business processes will help you pinpoint key areas in which to start the information security risk assessment process.
The next step is to take the list of business processes you compiled, or the business continuity business impact analysis (BIA) if you already have one, and use it to analyze and prioritize your business processes, ranking them according to how critical each process is to your operations and how sensitive the information it processes is. You can prioritize your business processes by assigning a ranking of critical (an interruption would be catastrophic to your business operation), high (an interruption could be critical to your business operation), medium (an interruption could result in degraded business operation) or low (an interruption would have negligible effects on your business operation).
Examine your bank’s existing inventory lists, organization charts and physical locations. For each business process that you have pinpointed, identify the physical, network and human resources that support that process. Then, identify the type of data that is being stored, processed and transmitted. Examples of your bank’s assets can be backup tapes, employees, customer data or intrusion detection software. You can then group your like assets by functionality as appropriate and determine the boundaries for each asset grouping (such as core processing, wire transfer systems, etc.).
Conducting a threat analysis helps you identify any potential threats that could harm or disrupt the bank assets you identified earlier. A threat is simply any activity that could potentially harm or disrupt a computer system, software application or other operation. Threats vary widely and can include data theft; natural disasters like hurricanes, earthquakes and tornadoes; human threats like arson, burglary or terrorism; or technical threats like a software or hardware malfunction or a heating, ventilation and air conditioning (HVAC) or power failure. Good sources for learning about emerging threats are databases from organizations like the FBI and CERT; security websites; information technology publications; and information security vendors who track such data. When identifying possible threats to your bank’s assets, create threat scenarios that include the threat action as well as the threat. For example, the threat might be a hacker and the threat action might be malware installed on your bank’s system by that hacker.
Identify control requirements
To determine the risks your bank may face, you must identify potential control requirements as well as the existing controls you already have in place to protect against potential threats. Gather information on best practices, regulatory guidance, process reviews and audit results (internal, external, third-party). Document all of your current controls and develop requirements.
Vulnerabilities are areas in which controls are not adequate to protect against threats. IT audits, penetration tests, security reviews and similar processes help you identify vulnerabilities. Once you have identified possible vulnerabilities, determine whether viable threats exist that could exploit them. Analyze and rank each vulnerability you identify.
The goal of determining risk is to compile the available information to assess the risk level of your assets and the likely impact that each risk could have on your bank. Make a list of all your assets, possible threats, vulnerabilities, testing results and controls. Rank the likelihood that a vulnerability will be exercised by a threat, rank the impact that would result from a successful threat, assign a risk level and document your analysis.
Develop risk mitigation strategies
Once the risk determination is complete, management should identify additional controls necessary to mitigate the risk.
Residual risk identification
Gather any history of prior incidents, industry statistics, information from a business impact analysis and a business operations risk assessment to help you determine the impact of any residual risk that might affect your business (in relation to reputation, direct loss, liability, market share, etc.).
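The risk determination, mitigation and residual-risk steps above can be carried through as a simple qualitative risk register. The following is an added example, not part of the article or any SecureWorks material: it uses the article's four-level scale, rates each threat scenario by likelihood times impact, applies the mitigating controls to obtain residual risk, and flags the rows that still need documented management acceptance. The scenarios, control names and reduction steps are constructed sample values.

```python
from dataclasses import dataclass, field

# Four-level qualitative scale used in the article for criticality and ranking.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps the control takes off likelihood (constructed)
    impact_reduction: int = 0      # steps the control takes off impact (constructed)

@dataclass
class Scenario:
    asset: str           # asset grouping, e.g. "wire transfer systems"
    threat_action: str   # what the threat does to the asset
    vulnerability: str   # the control gap that lets the threat action succeed
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

def level_from_score(score: int) -> str:
    """Map a likelihood x impact product (1..16) back onto the four-level scale."""
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"

def inherent_risk(s: Scenario) -> str:
    return level_from_score(LEVELS[s.likelihood] * LEVELS[s.impact])

def residual_risk(s: Scenario) -> str:
    """Risk left after the listed controls; a control never pushes a rating below 'low'."""
    like, imp = LEVELS[s.likelihood], LEVELS[s.impact]
    for c in s.controls:
        like = max(1, like - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return level_from_score(like * imp)

def risk_register(scenarios):
    """Rows for management/board reporting, highest residual risk first."""
    rows = [{"asset": s.asset, "inherent": inherent_risk(s), "residual": residual_risk(s),
             "needs_acceptance": residual_risk(s) in ("high", "critical")} for s in scenarios]
    return sorted(rows, key=lambda r: LEVELS[r["residual"]], reverse=True)

# Constructed sample scenarios for illustration only.
SCENARIOS = [
    Scenario("wire transfer systems", "malware installed by an attacker", "no endpoint malware detection",
             "high", "critical", [Control("endpoint anti-malware", 1), Control("dual authorization for wires", 0, 1)]),
    Scenario("backup tapes", "tape lost in transit", "tapes not encrypted", "medium", "high",
             [Control("encrypt backup tapes", 0, 2)]),
    Scenario("primary data center", "hurricane", "no alternate processing site", "low", "critical"),
]
```

Rows whose residual risk is still high or critical are the ones for which the article asks that management and board acceptance be documented; the rest can be tracked through normal action-plan monitoring.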
Risk monitoring and reporting
Lastly, develop a process for updating the progress of your bank’s action plans, testing and validating controls as needed; develop a reporting process to executive management and/or the board; and document management and board acceptance of residual risk in order to assign accountability for risk decisions.
Lisa King is public relations manager for SecureWorks Inc. in Atlanta. She can be reached at 404-486-4463 or lking(at)secureworks.com. SecureWorks is a WIB-endorsed Value & Income Program Partner (VIP).
Copyright April-May 2007 Western Banking (BankNews Publications)