TRANSCRIPT
Presented by:
Cynthia A. Bonnette
Managing Director
Technology Risk Assessment Services
M ONE, Inc.
ABA WEBCAST BRIEFING
How to Conduct a Technology Risk Assessment
Presentation Overview
Why is technology risk management important?
How to conduct a comprehensive technology risk assessment
Maintaining an adequate information security program
Effective and “not-so-effective” practices
Why is Technology Risk Management Important?
The strategic importance of technology to business
– Technology is an enabler of essential business functions
– Financial assets are essentially information assets
– This has created a heightened dependency on information systems and electronic data
The growing threat of cyber-crime
Legal and regulatory requirements for safeguarding customer information
Risk Assessment and Risk Management
Risk assessment
– Objective is to identify and measure the risk associated with an activity
– Measurement can be quantitative or qualitative
Risk management
– Objective is to control the level of risk associated with an activity
“If you can’t measure it, you can’t manage it.” -- Peter Drucker
Risk Assessment and Risk Management
Technology permeates the organization
Risks must be managed holistically
New vulnerabilities and threats result from the networked environment
Traditional risks are reshaped
– Strategic
– Compliance
– Operational
– Reputation
– Credit
– Systemic
– Liquidity
Vulnerabilities + Threats = Trouble
Vulnerabilities:
– Software flaws
• CGI scripts
• Bad code
• Firewall misconfigured
– Hardware flaws
• Unsecured PCs
• Open modems
– Weak policies
• Poor passwords
• E-mail misuse
– Poor physical security
• Uncontrolled access
– Untrained staff
Threats:
– “Hackers”
• Script kiddies
• Experimenters
– “Crackers”
• Malicious attackers
• Extortionists
– Insiders
• Employees
• Contractors
– Competitors
– Terrorists
– Natural disasters
Outcome:
– Data/system destruction
– System intrusion
• Data theft
• Data alteration
• Unauthorized viewing
– Denial of service
• External interruption
• Internal interruption
– Impersonation
• Intellectual property theft
• Fraud
– System faults
• Errors/inaccuracies
The Growing Threat of Cyber-crime
2002 CSI/FBI Computer Crime and Security Survey
– 90% of respondents detected security breaches
– 80% acknowledged financial losses
– 74% cited the Internet as a frequent point of attack
– 34% of respondents reported intrusions to law enforcement
– 40% detected system penetration from the outside
– 40% detected denial of service attacks
– 85% detected computer viruses in the past year
503 organizations surveyed -- 19% financial institutions
Standards for Safeguarding Information
Mandated by GLBA Section 501(b)
Regulatory standards became effective July 1, 2001
Requirements include:
– Each bank must implement a written info-security program addressing technical, administrative, and physical controls
– The board must approve and oversee the program
– The program must be based on a risk assessment
– The program must manage and control risks via appropriate security measures (the regulation lists several)
– The program must address service provider arrangements
– The program must be monitored and updated periodically
Is Your Institution Prepared?
Your next exam will review compliance with the Standards for Safeguarding Customer Information
FDIC’s recent “informal examiner survey” results:
– Common areas of weakness include lack of policies and lack of board involvement
– Guidance is sought on the risk assessment process
– Confusion exists with respect to privacy and security regulations
Recommended practice: Conduct an assessment based on the regulatory exam procedures
Steps for Protecting Bank Systems
Conduct a comprehensive risk assessment
– Identify and prioritize vulnerabilities and threats
– Evaluate existing policies and controls
Determine the best methods to address risks
– Internal controls
– Outsourced services
– Insurance coverage
Formalize security programs
– Board/senior management commitment
– Written policies and implementing guidelines
– Employee training and awareness
Test, re-evaluate, and update periodically
Conducting a Risk Assessment
The importance of a holistic approach
– Enterprise-wide
– Consider technical, administrative, and physical elements
– Executive support and involvement is essential
Take stock of what you have
– Information classification/prioritization
– Identification of critical systems and processes
– How complex/sophisticated are the information systems and technologies in place?
Conducting a Risk Assessment (cont’d)
Evaluation of vulnerabilities and threats
– Identify weaknesses in technical, administrative, and physical processes
– Identify potential threat sources
– Prioritize
Review of existing programs and controls
– Use a system diagram to identify system connections, data entry/exit points, and critical links
– Determine where sensitive/critical data resides
– Ensure that appropriate controls are in place
– Test, re-test, and update
The Risk Assessment Process (diagram)
Source: Common Criteria v.1
The Information Security Program
The information security program should be based on a comprehensive risk assessment
The program should include:
– Policy (high-level corporate objectives)
– Procedures (guidelines, standards)
– People (designate a responsible individual)
The program should address:
– Administrative controls
– Physical controls
– Technical controls
Key Elements of an Info-Security Program
– Written, board-approved policies
– Security organization roles and responsibilities
– Guidelines and standards for security policy implementation
– Asset classification and controls
– Acceptable use of computer equipment, systems, and networks
– Personnel security
– Physical security controls
– Communications and operations management controls
– Access controls
– System development and maintenance controls
– Computing baseline standards
– Business continuity planning
– Incident response
– Provisions for regular reviews/updates
– Provisions for independent tests of controls
Effective and Not-so-Effective Practices
Effective information security practices in mid-sized financial institutions:
– Support from upper management
– Designation of responsibility (ISO)
– Formation of a cross-department working group
– Centralized control over entire architecture
– Organized risk assessment process
– Formalized policies and procedures
– Effective, coordinated testing processes
– User education and awareness training
Effective and Not-so-Effective Practices
Not-so-effective information security practices in mid-sized financial institutions:
– Over-reliance on third parties (vendors, consultants)
– Undefined or fragmented responsibility
– Lack of uniform controls (decentralized environment)
– Lack of skilled staff (failure to train, inadequate depth)
– Weak or non-existent policies and procedures
– Exclusive focus on technical issues
– Failure to review and follow up on test results
Summing it up...
Technology is revolutionizing the financial services industry
New vulnerabilities and threats raise challenges for financial institutions
To protect your bank, regularly evaluate and update your information security program based on a comprehensive risk-focused assessment
Time for questions, comments, and discussion...
Cynthia A. Bonnette
Managing Director
Technology Risk Assessment Services
M ONE, Inc.
5447 N. Four Mile Run Dr., Arlington, VA 22205
Tel: 703-276-6816
http://www.moneinc.com
e-mail: [email protected]