Presented by: Cynthia A. Bonnette Managing Director Technology Risk Assessment Services


Transcript of Presented by: Cynthia A. Bonnette Managing Director Technology Risk Assessment Services

Page 1

Presented by:
Cynthia A. Bonnette, Managing Director
Technology Risk Assessment Services
M ONE, Inc.

ABA WEBCAST BRIEFING
How to Conduct a Technology Risk Assessment

Page 2

Presentation Overview

Why is technology risk management important?
How to conduct a comprehensive technology risk assessment
Maintaining an adequate information security program
Effective and “not-so-effective” practices

Page 3

Why is Technology Risk Management Important?

The strategic importance of technology to business
– Technology is an enabler of essential business functions
– Financial assets are essentially information assets
– This has created a heightened dependency on information systems and electronic data

The growing threat of cyber-crime

Legal and regulatory requirements for safeguarding customer information

Page 4

Risk Assessment and Risk Management

Risk assessment
– Objective is to identify and measure the risk associated with an activity
– Measurement can be quantitative or qualitative

Risk management
– Objective is to control the level of risk associated with an activity

“If you can’t measure it, you can’t manage it.” -- Peter Drucker

Page 5

Risk Assessment and Risk Management

Technology permeates the organization
Risks must be managed holistically
New vulnerabilities and threats result from the networked environment
Traditional risks are reshaped
– Strategic
– Operational
– Credit
– Liquidity
– Compliance
– Reputation
– Systemic

Page 6

Vulnerabilities + Threats = Trouble

Vulnerabilities:
Software flaws
• CGI scripts
• Bad code
• Firewall misconfigured
Hardware flaws
• Unsecured PCs
• Open modems
Weak policies
• Poor passwords
• E-mail misuse
Poor physical security
• Uncontrolled access
Untrained staff

Threats:
“Hackers”
• Script kiddies
• Experimenters
“Crackers”
• Malicious attackers
• Extortionists
Insiders
• Employees
• Contractors
Competitors
Terrorists
Natural disasters

Outcome:
Data/system destruction
System intrusion
• Data theft
• Data alteration
• Unauthorized viewing
Denial of service
• External interruption
• Internal interruption
Impersonation
• Intellectual property theft
• Fraud
System faults
• Errors/inaccuracies

Page 7

The Growing Threat of Cyber-crime

2002 CSI/FBI Computer Crime and Security Survey
– 90% of respondents detected security breaches
– 80% acknowledged financial losses
– 74% cited the Internet as a frequent point of attack
– 34% of respondents reported intrusions to law enforcement
– 40% detected system penetration from the outside
– 40% detected denial of service attacks
– 85% detected computer viruses in the past year

503 organizations surveyed -- 19% financial institutions

Page 8

Standards for Safeguarding Information

Mandated by GLBA Section 501(b)
Regulatory standards became effective July 1, 2001
Requirements include:
– Each bank must implement a written info-security program addressing technical, administrative, and physical controls
– The board must approve and oversee the program
– The program must be based on a risk assessment
– The program must manage and control risks via appropriate security measures (the regulation lists several)
– The program must address service provider arrangements
– The program must be monitored and updated periodically

Page 9

Is Your Institution Prepared?

Your next exam will review compliance with the Standards for Safeguarding Customer Information

FDIC’s recent “informal examiner survey” results:
– Common areas of weakness include lack of policies and lack of board involvement
– Guidance is sought on the risk assessment process
– Confusion exists with respect to privacy and security regulations

Recommended practice: Conduct an assessment based on the regulatory exam procedures

Page 10

Steps for Protecting Bank Systems

Conduct a comprehensive risk assessment
– Identify and prioritize vulnerabilities and threats
– Evaluate existing policies and controls

Determine the best methods to address risks
– Internal controls
– Outsourced services
– Insurance coverage

Formalize security programs
– Board/senior management commitment
– Written policies and implementing guidelines
– Employee training and awareness

Test, re-evaluate, and update periodically

Page 11

Conducting a Risk Assessment

The importance of a holistic approach
– Enterprise-wide
– Consider technical, administrative, and physical elements
– Executive support and involvement is essential

Take stock of what you have
– Information classification/prioritization
– Identification of critical systems and processes
– How complex/sophisticated are the information systems and technologies in place?

Page 12

Conducting a Risk Assessment (cont’d)

Evaluation of vulnerabilities and threats
– Identify weaknesses in technical, administrative, and physical processes
– Identify potential threat sources
– Prioritize

Review of existing programs and controls
– Use a system diagram to identify system connections, data entry/exit points, and critical links
– Determine where sensitive/critical data resides
– Ensure that appropriate controls are in place
– Test, re-test, and update
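Slides 4 and 12 describe the assessment as a loop: identify weaknesses and threat sources for each critical asset, measure the resulting risk (quantitatively or qualitatively), prioritize, and then check that controls exist where the risk is highest. The following Python is an added illustration of that loop as a small risk register, not code from the presentation or from M ONE, Inc. The scoring scheme (likelihood × impact on 1-to-5 scales, banded into Low/Medium/High) and the sample entries, which reuse vulnerability, threat and outcome names from slide 6, are assumptions constructed for the example; a real assessment would calibrate the scales and thresholds to the institution.

```python
"""Toy risk register for a technology risk assessment.

Assumed scoring scheme (not the presenter's method): each item gets a
likelihood and an impact rating from 1 (lowest) to 5 (highest); the
risk score is their product, banded into Low / Medium / High.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed band thresholds on the 1..25 product scale (checked high to low).
BANDS = ((20, "High"), (10, "Medium"), (0, "Low"))


@dataclass
class RiskItem:
    asset: str                 # critical system or data store (slide 11)
    vulnerability: str         # weakness, e.g. an entry from slide 6
    threat: str                # threat source, e.g. an entry from slide 6
    outcome: str               # what happens if the threat exploits the weakness
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[str] = field(default_factory=list)  # controls already in place

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1..5 scales early.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Quantitative score: likelihood times impact (1..25)."""
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        """Qualitative band derived from the score."""
        for threshold, label in BANDS:
            if self.score >= threshold:
                return label
        return "Low"  # unreachable: the final threshold is 0


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(items, key=lambda item: (-item.score, item.asset))


def control_gaps(items: List[RiskItem]) -> List[RiskItem]:
    """Medium/High items with no control recorded: the 'ensure controls are in
    place' check from slide 12, in priority order."""
    return [item for item in prioritize(items)
            if item.rating != "Low" and not item.controls]


def summarize(items: List[RiskItem]) -> Dict[str, int]:
    """Count of items per qualitative band."""
    counts = {label: 0 for _, label in BANDS}
    for item in items:
        counts[item.rating] += 1
    return counts


def build_sample_register() -> List[RiskItem]:
    """Constructed sample entries; the ratings are illustrative only."""
    return [
        RiskItem("Internet banking web server", "Firewall misconfigured",
                 "Malicious attackers", "System intrusion / data theft", 4, 5),
        RiskItem("Branch workstations", "Poor passwords", "Insiders (employees)",
                 "Unauthorized viewing", 3, 3, ["Password policy"]),
        RiskItem("Core banking system", "Open modems", "Script kiddies",
                 "Denial of service", 2, 5),
        RiskItem("Data center", "Poor physical security", "Contractors",
                 "Data/system destruction", 2, 4, ["Badge access"]),
        RiskItem("Customer records database", "E-mail misuse", "Experimenters",
                 "Data alteration", 3, 4, ["E-mail filtering"]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'Asset':28} {'Score':>5}  Rating  Controls")
    for item in prioritize(register):
        print(f"{item.asset:28} {item.score:>5}  {item.rating:6}  "
              f"{', '.join(item.controls) or '(none)'}")
    print("Control gaps:", [g.asset for g in control_gaps(register)])
    print("Summary:", summarize(register))
```

The ordered report is the prioritized list slide 12 asks for, and `control_gaps` is the follow-up check: any Medium or High item with nothing in its controls column is a candidate for the internal control, outsourced service or insurance decision on slide 10. Re-running the register after each change is the "test, re-test, and update" step.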

Page 13

The Risk Assessment Process

[Figure: risk assessment process diagram. Source: Common Criteria v.1]

Page 14

The Information Security Program

The information security program should be based on a comprehensive risk assessment

The program should include:
– Policy (high-level corporate objectives)
– Procedures (guidelines, standards)
– People (designate a responsible individual)

The program should address:
– Administrative controls
– Physical controls
– Technical controls

Page 15

Components of an Information Security Program

Page 16

Key Elements of an Info-Security Program

– Written, board-approved policies
– Security organization roles and responsibilities
– Guidelines and standards for security policy implementation
– Asset classification and controls
– Acceptable use of computer equipment, systems, and networks
– Personnel security
– Physical security controls
– Communications and operations management controls
– Access controls
– System development and maintenance controls
– Computing baseline standards
– Business continuity planning
– Incident response
– Provisions for regular reviews/updates
– Provisions for independent tests of controls

Page 17

Effective and Not-so-Effective Practices

Effective information security practices in mid-sized financial institutions:
– Support from upper management
– Designation of responsibility (ISO)
– Formation of a cross-department working group
– Centralized control over entire architecture
– Organized risk assessment process
– Formalized policies and procedures
– Effective, coordinated testing processes
– User education and awareness training

Page 18

Effective and Not-so-Effective Practices

Not-so-effective information security practices in mid-sized financial institutions:
– Over-reliance on third parties (vendors, consultants)
– Undefined or fragmented responsibility
– Lack of uniform controls (decentralized environment)
– Lack of skilled staff (failure to train, inadequate depth)
– Weak or non-existent policies and procedures
– Exclusive focus on technical issues
– Failure to review and follow up on test results

Page 19

Summing it up...

Technology is revolutionizing the financial services industry

New vulnerabilities and threats raise challenges for financial institutions

To protect your bank, regularly evaluate and update your information security program based on a comprehensive risk-focused assessment

Page 20

Time for questions, comments, and discussion...

Cynthia A. Bonnette, Managing Director
Technology Risk Assessment Services
M ONE, Inc.
5447 N. Four Mile Run Dr., Arlington, VA 22205
Tel: 703-276-6816
http://www.moneinc.com
e-mail: [email protected]