
ABA WEBCAST BRIEFING: How to Conduct a Technology Risk Assessment

Presented by: Cynthia A. Bonnette, Managing Director, Technology Risk Assessment Services, M ONE, Inc.





Presentation Transcript


  1. ABA WEBCAST BRIEFING: How to Conduct a Technology Risk Assessment
     Presented by: Cynthia A. Bonnette, Managing Director, Technology Risk Assessment Services, M ONE, Inc.

  2. Presentation Overview
     • Why is technology risk management important?
     • How to conduct a comprehensive technology risk assessment
     • Maintaining an adequate information security program
     • Effective and “not-so-effective” practices

  3. Why is Technology Risk Management Important?
     • The strategic importance of technology to business
       • Technology is an enabler of essential business functions
       • Financial assets are essentially information assets
       • This has created a heightened dependency on information systems and electronic data
     • The growing threat of cyber-crime
     • Legal and regulatory requirements for safeguarding customer information

  4. Risk Assessment and Risk Management
     • Risk assessment
       • Objective is to identify and measure the risk associated with an activity
       • Measurement can be quantitative or qualitative
     • Risk management
       • Objective is to control the level of risk associated with an activity
     “If you can’t measure it, you can’t manage it.” -- Peter Drucker

  5. Risk Assessment and Risk Management
     • Technology permeates the organization
     • Risks must be managed holistically
     • New vulnerabilities and threats result from the networked environment
     • Traditional risks are reshaped:
       • Strategic
       • Operational
       • Credit
       • Liquidity
       • Compliance
       • Reputation
       • Systemic

  6. Vulnerabilities + Threats = Trouble
     • Vulnerabilities:
       • Software flaws
       • CGI scripts
       • Bad code
       • Firewall misconfigured
       • Hardware flaws
       • Unsecured PCs
       • Open modems
       • Weak policies
       • Poor passwords
       • E-mail misuse
       • Poor physical security
       • Uncontrolled access
       • Untrained staff
     • Threats:
       • “Hackers”
       • Script kiddies
       • Experimenters
       • “Crackers”
       • Malicious attackers
       • Extortionists
       • Insiders
       • Employees
       • Contractors
       • Competitors
       • Terrorists
       • Natural disasters
     • Outcome:
       • Data/system destruction
       • System intrusion
       • Data theft
       • Data alteration
       • Unauthorized viewing
       • Denial of service
       • External interruption
       • Internal interruption
       • Impersonation
       • Intellectual property theft
       • Fraud
       • System faults
       • Errors/inaccuracies

  7. The Growing Threat of Cyber-crime
     • 2002 CSI/FBI Computer Crime and Security Survey
       • 90% of respondents detected security breaches
       • 80% acknowledged financial losses
       • 74% cited the Internet as a frequent point of attack
       • 34% of respondents reported intrusions to law enforcement
       • 40% detected system penetration from the outside
       • 40% detected denial of service attacks
       • 85% detected computer viruses in the past year
     503 organizations surveyed -- 19% financial institutions

  8. Standards for Safeguarding Information
     • Mandated by GLBA Section 501(b)
     • Regulatory standards became effective July 1, 2001
     • Requirements include:
       • Each bank must implement a written info-security program addressing technical, administrative, and physical controls
       • The board must approve and oversee the program
       • The program must be based on a risk assessment
       • The program must manage and control risks via appropriate security measures (the regulation lists several)
       • The program must address service provider arrangements
       • The program must be monitored and updated periodically

  9. Is Your Institution Prepared?
     • Your next exam will review compliance with the Standards for Safeguarding Customer Information
     • FDIC’s recent “informal examiner survey” results:
       • Common areas of weakness include lack of policies and lack of board involvement
       • Guidance is sought on the risk assessment process
       • Confusion exists with respect to privacy and security regulations
     • Recommended practice: Conduct an assessment based on the regulatory exam procedures

  10. Steps for Protecting Bank Systems
      • Conduct a comprehensive risk assessment
        • Identify and prioritize vulnerabilities and threats
        • Evaluate existing policies and controls
      • Determine the best methods to address risks
        • Internal controls
        • Outsourced services
        • Insurance coverage
      • Formalize security programs
        • Board/senior management commitment
        • Written policies and implementing guidelines
        • Employee training and awareness
      • Test, re-evaluate, and update periodically

  11. Conducting a Risk Assessment
      • The importance of a holistic approach
        • Enterprise-wide
        • Consider technical, administrative, and physical elements
        • Executive support and involvement is essential
      • Take stock of what you have
        • Information classification/prioritization
        • Identification of critical systems and processes
        • How complex/sophisticated are the information systems and technologies in place?

  12. Conducting a Risk Assessment (cont’d)
      • Evaluation of vulnerabilities and threats
        • Identify weaknesses in technical, administrative, and physical processes
        • Identify potential threat sources
        • Prioritize
      • Review of existing programs and controls
        • Use a system diagram to identify system connections, data entry/exit points, and critical links
        • Determine where sensitive/critical data resides
        • Ensure that appropriate controls are in place
      • Test, re-test, and update

  13. The Risk Assessment Process (diagram; source: Common Criteria v.1)

  14. The Information Security Program
      • The information security program should be based on a comprehensive risk assessment
      • The program should include:
        • Policy (high-level corporate objectives)
        • Procedures (guidelines, standards)
        • People (designate a responsible individual)
      • The program should address:
        • Administrative controls
        • Physical controls
        • Technical controls

  15. Components of an Information Security Program (diagram)

  16. Key Elements of an Info-Security Program
      • Written, board-approved policies
      • Security organization roles and responsibilities
      • Guidelines and standards for security policy implementation
      • Asset classification and controls
      • Acceptable use of computer equipment, systems, and networks
      • Personnel security
      • Physical security controls
      • Communications and operations management controls
      • Access controls
      • System development and maintenance controls
      • Computing baseline standards
      • Business continuity planning
      • Incident response
      • Provisions for regular reviews/updates
      • Provisions for independent tests of controls

  17. Effective and Not-so-Effective Practices
      • Effective information security practices in mid-sized financial institutions:
        • Support from upper management
        • Designation of responsibility (ISO)
        • Formation of a cross-department working group
        • Centralized control over entire architecture
        • Organized risk assessment process
        • Formalized policies and procedures
        • Effective, coordinated testing processes
        • User education and awareness training

  18. Effective and Not-so-Effective Practices
      • Not-so-effective information security practices in mid-sized financial institutions:
        • Over-reliance on third parties (vendors, consultants)
        • Undefined or fragmented responsibility
        • Lack of uniform controls (decentralized environment)
        • Lack of skilled staff (failure to train, inadequate depth)
        • Weak or non-existent policies and procedures
        • Exclusive focus on technical issues
        • Failure to review and follow up on test results

  19. Summing it up...
      • Technology is revolutionizing the financial services industry
      • New vulnerabilities and threats raise challenges for financial institutions
      • To protect your bank, regularly evaluate and update your information security program based on a comprehensive risk-focused assessment

  20. Time for questions, comments, and discussion...
      Cynthia A. Bonnette, Managing Director, Technology Risk Assessment Services, M ONE, Inc.
      5447 N. Four Mile Run Dr., Arlington, VA 22205
      Tel: 703-276-6816
      http://www.moneinc.com
      e-mail: cindi@moneinc.com
