A Practical Guide to Conducting an Enterprise-wide Information Security Risk Assessment
Copyright 2008. This presentation may not be reproduced without the express written consent of
Why Conduct an Enterprise-wide Information Security Risk Assessment?
1999: Gramm-Leach-Bliley Act, Section 501(b)
2001: You must comply!
- Protect the institution
- Protect your customers
- Smart business
A Bank Must:
- Identify and assess risks to customer information
- Design and implement a program to control those risks
- Obtain Board review and approval
- Test key controls
- Train personnel
- Adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security
Five Key Points of GLBA
I. PROTECTION
2) Evaluation of the Risk Assessment Process
- Multiple criteria and dimensions
- Enterprise-wide
2 Types of Risk to Assess
- Process-level risk
- System-level risk
Process-level Risk
- Policy
- DR Plan
- BCP with BIA
- Incident Response Plan
- IT General Controls Audit
- Security Awareness Training
- Data Classification
- Information Minimization
- Data/Media Destruction
- Location of NPPI
- Technology Acquisition
- IT Asset Inventory
- Staffing
- Segregation of Duties
- Red Flags ID Theft Program
- DR Test & Results
- Pen Test / Vulnerability Assessment / Social Engineering
- Vendor Management
- INVOLVEMENT OF THE BOARD
System-level Risk
Critical applications and systems:
- Core Banking
- Telephone Banking
- Online Banking
- Accounts Payable
- Payroll
- Fedline/Advantage/FedWire
- HR IS
- Lending
- Benefits
Protective layers:
- Perimeter Protection
- Web/Surf Control
- Network (password strength)
- Internal Protection (SIEM)
Process-level Risk Definitions
- High Risk: the documentation, program, process, policy and/or procedure is non-existent, or so lacking in detail that the process controls cannot be relied on to protect sensitive data and critical systems.
- Moderate Risk: the documentation, program, process, policy and/or procedure may be incomplete or meet only minimum requirements, and could be improved to reduce the bank's risk. Procedures may lack sufficient detail.
- Low Risk: the documentation, program, process, policy and procedure are well defined and show due diligence in understanding and managing risk.
System-level Risk Definitions
Each rating is based on the combination of existence of NPPI, threat level, criticality, and impact to the bank and its customers:
- High Risk: controls are lacking or highly insufficient for that combination.
- Moderate Risk: controls meet minimum requirements for that combination.
- Low Risk: controls meet best practices or exceed minimum requirements for that combination.
Dimensions of Risk
- Compliance risk: maintaining legal compliance with the applicable regulations, as well as compliance with the organization's own governance guidelines and policies.
- Transaction/Financial risk: impact on earnings, cash flow, revenue or capital due to problems with, or interruptions in, service or product delivery.
- Operational risk: the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
- Reputational risk: developing and retaining marketplace confidence that the institution handles customers' financial transactions appropriately and within an acceptable time frame, and meets the emerging needs of its customer base and community; both are important to protecting the safety and soundness of the institution.
Annual Requirements
- DR Plan review
- Policy review
- Incident Response Plan review
- Security Awareness Training
- DR Test & Results
- Pen Test / Vulnerability Assessment / Social Engineering
- BCP with BIA review
- IT General Controls Audit
Administrative Issues
- Segregation of Duties
- Technology Acquisition
- IT Asset Inventory
- Information Minimization
- Data Classification
- Data/Media Destruction
- Location of NPPI
- Red Flags ID Theft Program
- Vendor Management
- Staffing
- Involvement of the Board
Incident Response Plan
- Monitor
- Analyze
- Investigate
- Incident definition
- Forms
- Internal contact
- Legal contact
- Respond
See DR TOC
See BCP/BIA
Vendor Management Program
- Policy
- Vendor inventory
- Due diligence
- Risk rating
- Contract review
- Contract tracking
- Periodic review
- Ongoing monitoring
- Reporting
Quiz
Internet-based Consumer Lending System
- NPPI: Yes
- Threat? / Criticality / Impact: H H H H
- Controls: 3 people with access, complex password + token: L
- Residual risk?
In-house Consumer Lending System
- NPPI: No
- Threat? / Criticality / Impact: L L H M
- Controls: 5 people with access, strong password: M/L
- Residual risk?
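The two quiz slides ask the audience to derive an inherent rating from NPPI, threat, criticality and impact and then a residual rating after crediting the controls. The following is an added example, not the presenter's scoring sheet, that works both quiz systems through that two-step process. The deck names the factors but does not state how they combine, so the rules below are assumptions: the four rating letters on each slide are read as threat, NPPI, criticality and impact in that order; inherent risk is the worst single factor (NPPI present counts as H, absent as L); controls earn at most one step of credit and the residual rating is never better than the control rating itself; and a split control rating such as "M/L" is read conservatively as "M".

```python
"""Toy two-step system-level risk rating for the GLBA quiz slides.

Added example for this page, not the presenter's method. The combination
rules are assumptions (see the docstrings); swap them for the bank's own
matrix before using this on a real assessment.
"""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")  # ordered from least to most risk


def level_index(rating: str) -> int:
    """Map a rating letter to 0/1/2.

    A split rating such as "M/L" (as on the in-house quiz slide) is read
    conservatively as its worse half. This reading is an assumption.
    """
    parts = [p.strip().upper() for p in rating.split("/")]
    for p in parts:
        if p not in LEVELS:
            raise ValueError(f"unknown rating {p!r}; expected one of {LEVELS}")
    return max(LEVELS.index(p) for p in parts)


@dataclass(frozen=True)
class SystemAssessment:
    name: str
    nppi: bool
    threat: str
    criticality: str
    impact: str
    control_rating: str  # L = strong controls ... H = weak, as rated on the quiz slides

    def factor_levels(self) -> dict:
        """The four inherent-risk factors from the system-level definitions."""
        return {
            "nppi": "H" if self.nppi else "L",  # assumed: NPPI present counts as High
            "threat": self.threat,
            "criticality": self.criticality,
            "impact": self.impact,
        }

    def inherent_risk(self) -> str:
        """Assumed rule: the worst single factor drives the inherent rating."""
        return LEVELS[max(level_index(v) for v in self.factor_levels().values())]

    def inherent_drivers(self) -> list:
        """Factors sitting at the inherent level, for the write-up."""
        levels = self.factor_levels()
        top = level_index(self.inherent_risk())
        return [k for k, v in levels.items() if level_index(v) == top]

    def residual_risk(self) -> str:
        """Assumed rule: controls buy at most one step of credit, the residual
        is never better than the control rating, and weak controls never make
        the residual worse than the inherent rating."""
        inherent = level_index(self.inherent_risk())
        control = level_index(self.control_rating)
        return LEVELS[min(inherent, max(inherent - 1, control))]


# The two quiz systems, transcribed from the slides under the assumed column order.
QUIZ = (
    SystemAssessment("Internet-based Consumer Lending System",
                     nppi=True, threat="H", criticality="H", impact="H",
                     control_rating="L"),
    SystemAssessment("In-house Consumer Lending System",
                     nppi=False, threat="L", criticality="H", impact="M",
                     control_rating="M/L"),
)


def rate_all(systems=QUIZ) -> dict:
    """Return {name: (inherent, residual)} for each assessed system."""
    return {s.name: (s.inherent_risk(), s.residual_risk()) for s in systems}


if __name__ == "__main__":
    for s in QUIZ:
        print(f"{s.name}: inherent={s.inherent_risk()} "
              f"(driven by {', '.join(s.inherent_drivers())}), "
              f"residual={s.residual_risk()}")
```

Under these assumed rules both quiz systems come out Moderate residual: the internet-facing system starts High on every factor and the token-backed controls earn one step; the in-house system is High inherent purely on criticality, and its "M/L" controls are capped at Moderate. The point for the assessor is that the write-up must record which factor drove the inherent rating and which rule credited the controls, so a reviewer can challenge either without re-doing the exercise.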
Regulatory Specialists
Domain expertise:
- Regulatory expertise: GLBA 501(b), NCUA Part 748, SOX, HIPAA, PCI
- Information security expertise
- Technical expertise