ABA WEBCAST BRIEFING

How to Conduct a Technology Risk Assessment

Presented by:

Cynthia A. Bonnette Managing Director Technology Risk Assessment Services

M ONE, Inc.

Presentation Overview
Why is technology risk management important? How to conduct a comprehensive technology risk assessment Maintaining an adequate information security program Effective and not-so-effective practices

Why is Technology Risk Management Important?

The strategic importance of technology to business

Technology is an enabler of essential business functions Financial assets are essentially information assets This has created a heightened dependency on information systems and electronic data

The growing threat of cyber-crime Legal and regulatory requirements for safeguarding customer information

Risk Assessment and Risk Management

Risk assessment
Objective is to identify and measure the risk associated with an activity Measurement can be quantitative or qualitative

Risk management
Objective is to control the level of risk associated with an activity

If you cant measure it, you cant manage it. --Peter Drucker

Risk Assessment and Risk Management

Technology permeates the organization Risks must be managed holistically New vulnerabilities and threats result from the networked environment Traditional risks are reshaped
Strategic Operational Credit Liquidity Compliance Reputation Systemic

Vulnerabilities + Threats = Trouble

Vulnerabilities: Software flaws
CGI scripts Bad code Firewall misconfigured

Threats: Hackers
Script kiddies Experimenters

Outcome: Data/system destruction System intrusion

Data theft Data alteration Unauthorized viewing

Hardware flaws
Unsecured PCs Open modems

Crackers
Malicious attackers Extortionists

Denial of service
External interruption Internal interruption

Weak policies
Poor passwords E-mail misuse

Insiders
Employees Contractors

Impersonation
Intellectual property theft Fraud

Poor physical security

Uncontrolled access

Competitors Terrorists Natural disasters

System faults
Errors/inaccuracies

Untrained staff

The Growing Threat of Cyber-crime

2002 CSI/FBI Computer Crime and Security Survey
90% of respondents detected security breaches 80% acknowledged financial losses 74% cited the Internet as a frequent point of attack 34% of respondents reported intrusions to law enforcement 40% detected system penetration from the outside 40% detected denial of service attacks 85% detected computer viruses in the past year

503 organizations surveyed--19% financial institutions

Standards for Safeguarding Information

Mandated by GLBA Section 501 (b) Regulatory standards became effective July 1, 2001 Requirements include:
Each bank must implement a written info-security program addressing technical, administrative, and physical controls The board must approve and oversee the program The program must be based on a risk assessment The program must manage and control risks via appropriate security measures (the regulation lists several) The program must address service provider arrangements The program must be monitored and updated periodically

Is Your Institution Prepared?

Your next exam will review compliance with the Standards for Safeguarding Customer Information FDICs recent informal examiner survey results:
Common areas of weakness include lack of policies and lack of board involvement Guidance is sought on the risk assessment process Confusion exists with respect to privacy and security regulations

Recommended practice: Conduct an assessment based on the regulatory exam procedures

Steps for Protecting Bank Systems

Conduct a comprehensive risk assessment
Identify and prioritize vulnerabilities and threats Evaluate existing policies and controls

Determine the best methods to address risks

Internal controls Outsourced services Insurance coverage

Formalize security programs

Board/senior management commitment Written policies and implementing guidelines Employee training and awareness

Test, re-evaluate, and update periodically

Conducting a Risk Assessment

The importance of a holistic approach
Enterprise-wide Consider technical, administrative, and physical elements Executive support and involvement is essential

Take stock of what you have

Information classification/prioritization Identification of critical systems and processes How complex/sophisticated are the information systems and technologies in place?

Conducting a Risk Assessment (contd)

Evaluation of vulnerabilities and threats
Identify weaknesses in technical, administrative, and physical processes Identify potential threat sources Prioritize

Review of existing programs and controls

Use a system diagram to identify system connections, data entry/exit points, and critical links Determine where sensitive/critical data resides Ensure that appropriate controls are in place Test, re-test, and update

The Risk Assessment Process

Source: Common Criteria v.1

The Information Security Program

The information security program should be based on a comprehensive risk assessment The program should include:
Policy (high-level corporate objectives) Procedures (guidelines, standards) People (designate a responsible individual)

The program should address:

Administrative controls Physical controls Technical controls

nformation Security Program Essenti

Components of an Information Security Program

Strategy

Management

Implementation Technology & Operations

Support

Key Elements of an Info-Security Program

Written, board-approved policies Security organization roles and responsibilities Guidelines and standards for security policy implementation Asset classification and controls Acceptable use of computer equipment, systems, and networks Personnel security Physical security controls Communications and operations management controls Access controls System development and maintenance controls Computing baseline standards Business continuity planning Incident response Provisions for regular reviews/updates Provisions for independent tests of controls

Effective and Not-so-Effective Practices

Effective information security practices in midsized financial institutions:
Support from upper management Designation of responsibility (ISO) Formation of a cross-department working group Centralized control over entire architecture Organized risk assessment process Formalized policies and procedures Effective, coordinated testing processes User education and awareness training

Effective and Not-so-Effective Practices

Not-so-effective information security practices in midsized financial institutions:
Over-reliance on third parties (vendors, consultants) Undefined or fragmented responsibility Lack of uniform controls (decentralized environment) Lack of skilled staff (failure to train, inadequate depth) Weak or non-existent policies and procedures Exclusive focus on technical issues Failure to review and follow-up on test results

Summing it up...
Technology is revolutionizing the financial services industry New vulnerabilities and threats raise challenges for financial institutions To protect your bank, regularly evaluate and update your information security program based on a comprehensive risk-focused assessment

Time for questions, comments, and discussion...

Cynthia A. Bonnette Managing Director Technology Risk Assessment Services M ONE, Inc. 5447 N. Four Mile Run Dr., Arlington, VA 22205 Tel: 703-276-6816 http://www.moneinc.com e-mail: cindi@moneinc.com