Information Security Risk Assessment Methodology

Academic year: 2021

An information security risk assessment should take into account system-level risk (inclusive of applications and systems) and process-level risk (inclusive of the components of an information security program). Once the risk rating is established for each application and each component of the system, the dimension(s) of risk should be assigned to each. The minimum dimensions of risk should include the following:

Compliance risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization’s various governance guidelines and policies.

Transaction/Financial risk. Impacting earnings, cash flow, revenue or capital due to problems with or interruptions in service or product delivery.

Operational risk. The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Reputational risk. Developing and retaining marketplace confidence in handling customers’ financial transactions in an appropriate manner, within an acceptable time frame, as well as meeting the emerging needs of the customer base and community, which are important to protecting the safety and soundness of the Institution.

More than one dimension of risk can apply to an application or process. For example, the lack of a vendor management program can result in Operational and Compliance Risk. It could also potentially result in Reputational risk if the vendor is breached, and in Financial/Transaction Risk if the service that the vendor provides is interrupted for a significant amount of time and prevents the bank from generating revenue (account opening, loan products, wire transfers, etc.).

System-level Risk Definitions

Technologies identified as having high levels of aggregate risk typically require immediate attention while those with moderate or low aggregate risk require continued execution of current risk management practices.

Threat Index is based on the threats and vulnerabilities facing the system. A threat does not present a risk when there is no vulnerability that can be exercised (think of a standalone system used for a specific application that is not connected to the bank’s network or the internet). Threat is defined as the potential to exercise a specific vulnerability.

Vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or


When NPPI (non-public personal information) or PII (personally identifiable information) is present within an application or processed or transmitted by or through a system or data transport, it carries a higher inherent risk rating due to the nature of the data and the fact that it becomes a target for hackers. In these types of applications and systems, controls should typically be stronger, more complex and multi-layered.

An outsourced application or system is typically lower risk than the same application managed in-house, because the vendor that provides the outsourced service or product typically has a larger number of staff with more specialized skill sets to operate and monitor the service and the controls required to protect it.

Ratings for Threat Level

Low: The risk of attack to this system is very Low. Factors affecting this rating could be limited access to the system in question, minor value of stored data, or technical obscurity which limits the number of potential attackers with an understanding of the system. Vulnerabilities are not trivial and require an expert level of technology and exploit practices to compromise.

Moderate: The risk of attack to this system is Moderate. Factors affecting this rating could be remote accessibility of the system over the organization’s internal network and use of well-known technology for which there are readily available attack tools. Knowledge of the system is widespread and as a result there is a large pool of potential attackers. The vulnerabilities are not trivial, however, and will require a deeper knowledge of technology and exploit practices to compromise.

High: The risk of attack to this system is extremely High. Factors affecting the rating could be that the system is publicly accessible from the Internet or other public networks and uses well-known technology for which there are readily available attack tools. Security controls are extremely weak, and the vulnerabilities can definitely be compromised by an attacker with limited skill or knowledge.

Ratings for Impact Level

These ratings are based on the business impact to the organization resulting from a breach in security. This breach could allow unauthorized access to information on the system. A security breach, or act of nature, could damage or destroy the system so that it cannot perform its intended functions.

Low: A security breach on this system would cause minimal impact to the organization or its customers. It would affect a small number of persons or would impact a non-essential business process.

Moderate: A security breach on this system would cause moderate impact to the organization or its customers. It would affect a moderate number of persons or would impact an essential business process.

High: A security breach on this system would cause significant impact to the organization or its customers. It would affect a large number of persons or would impact a critical business process.

Criticality

This defines the overall criticality of the system to the bank’s operations. A system may be categorized at a High, Moderate or Low level based on its importance to the bank. This takes into account whether NPPI resides on or is processed through the system and how critical the system is to the bank’s normal day-to-day business.

Low: A loss or interruption of services has minimal or no effect on the operations of the bank.

Moderate: A loss or interruption of services for an extended period of time limits the functions or services that the bank can provide to its employees and/or members and might cause financial loss.

High: A loss of the system or interruption of services for an extended period of time is mission critical and may require a business continuity plan to be activated.

Controls Risk

Security controls inhibit attempts to violate security policy and provide protection against system compromises. These controls encompass the use of technical and non-technical methods including identification and authentication mechanisms, security policies, operational procedures, audit facilities and encryption methods. Further, controls can be Preventative or Detective in nature. The risk facing the bank due to the effectiveness (or ineffectiveness) of the control framework is defined as Controls Risk.

Low: The defined control framework is appropriate for the bank in light of the Threat Index and the overall risk to the bank is sufficiently controlled. Further, the defined controls are in existence and working properly.

Moderate: There is evidence of control practices that appear to mitigate some of the technology risks. Factors affecting the rating could be the fact that some controls are effective, while other controls are not or are missing.

High: The defined control framework is ineffective in light of the Threat Index on a particular system. There is little or no evidence of control practices. The control framework does not provide the requisite protection against the identified threats and vulnerabilities.

Residual Risk

This defines the overall Vulnerability of the bank’s systems and applications to Threats after assessing the controls. A system may be categorized at a High, Moderate or Low level based upon the profile of the system, including whether NPPI resides on or is processed through the system, whether that system is outsourced, the threat to the system (is it internet-facing), how critical the system is to the bank’s normal day-to-day business, and the impact of a breach or interruption in service.

Low: controls meet Best Practices or exceed minimum requirements based upon the combination of Existence of NPPI, whether it’s outsourced, the Threat level, Criticality and Impact to the bank and its members.

Moderate: controls meet minimum requirements based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its members.

High: controls are lacking or highly insufficient based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its members.

Example:

Conducting a risk assessment on a web-based payroll system would produce the result in the table. Assume that the application is internet-facing, outsourced, NPPI is transmitted to and stored at the service provider. Criticality is MODERATE since the pay cycle is twice monthly and the bank can write physical checks for the employees or pay via ACH if the vendor’s system is unavailable.

Controls that are in place include the following:

- Only 2 staff members from the bank’s HR dept have access to the application.
- It requires multifactor authentication.
- It requires a token.
- Password is complex and strong, requiring 10 characters, 1 uppercase, 1 numeric and 1 special character.
- Data is transmitted via a secure VPN.

Application Name   Outsourced Y/N  NPPI Y/N  Threat Index  Criticality  Impact  Controls Risk  Residual Risk
Web-based Payroll  Y               Y         H             M            H       L              L


Here’s the same scenario with a different set of controls:

Conducting a risk assessment on a web-based payroll system would produce the result in the table. Assume that the application is internet-facing, outsourced, NPPI is transmitted to and stored at the service provider. Criticality is MODERATE since the pay cycle is twice monthly and the bank can write physical checks for the employees or pay via ACH if the vendor’s system is unavailable.

Controls that are in place include the following:

- Only 2 staff members from the bank’s HR dept have access to the application.
- Password is strong, requiring 8 characters including 1 uppercase and 1 numeric.
- Data is transmitted via a spreadsheet attached to encrypted email.

The Residual Risk is listed as MODERATE but could possibly be considered HIGH.

Application Name   Outsourced Y/N  NPPI Y/N  Threat Index  Criticality  Impact  Controls Risk  Residual Risk
Web-based Payroll  Y               Y         H             M            H       M              M
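As an added illustration (not part of the original methodology document), the register columns and the two payroll scenarios above expressed as a small Python model. The methodology states no formula for combining the factors, so the derivation rule used here (Residual Risk follows Controls Risk, because Residual Risk is defined as exposure after the controls are assessed) and the reviewer escalation flags are assumptions made for this example; they are chosen only so that the model reproduces the two rows on the page and the note that the second row "could possibly be considered HIGH".

```python
"""Added example: a minimal system-level risk register in the shape of the
methodology above.  The Rating scale and column names come from the page;
derive_residual_risk() and escalation_notes() are assumed rules, not a
formula the methodology itself provides.
"""
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    """Three-level scale used for Threat Index, Criticality, Impact, Controls and Residual Risk."""
    LOW = "L"
    MODERATE = "M"
    HIGH = "H"


@dataclass(frozen=True)
class SystemAssessment:
    """One row of the register; field names follow the page's column headings."""
    application: str
    outsourced: bool
    nppi: bool
    internet_facing: bool            # the page ties Internet exposure to a High Threat Index
    threat_index: Rating
    criticality: Rating
    impact: Rating
    controls_risk: Rating
    controls_in_place: tuple[str, ...] = ()


def derive_residual_risk(a: SystemAssessment) -> Rating:
    """ASSUMED rule: Residual Risk follows Controls Risk (risk after controls are assessed).
    It reproduces both rows on the page (Controls L -> Residual L, Controls M -> Residual M)."""
    return a.controls_risk


def escalation_notes(a: SystemAssessment) -> list[str]:
    """ASSUMED reviewer flags that mirror the page's reasoning rather than a stated rule:
    NPPI raises inherent risk, Internet exposure raises the Threat Index, and a Moderate
    Residual Risk on such a system 'could possibly be considered HIGH'."""
    notes = []
    if a.nppi and a.internet_facing and a.controls_risk is not Rating.LOW:
        notes.append("NPPI on an internet-facing system with non-Low Controls Risk: "
                     "consider rating Residual Risk HIGH")
    if a.internet_facing and a.threat_index is not Rating.HIGH:
        notes.append("internet-facing systems are rated High on the Threat Index; "
                     "re-check the Threat Index column")
    return notes


COLUMNS = ("Application Name", "Outsourced Y/N", "NPPI Y/N", "Threat Index",
           "Criticality", "Impact", "Controls Risk", "Residual Risk")


def register_row(a: SystemAssessment) -> tuple[str, ...]:
    """Render one assessment as the Y/N and L/M/H cells used in the page's table."""
    yn = lambda flag: "Y" if flag else "N"
    return (a.application, yn(a.outsourced), yn(a.nppi), a.threat_index.value,
            a.criticality.value, a.impact.value, a.controls_risk.value,
            derive_residual_risk(a).value)


def render_register(assessments: list[SystemAssessment]) -> str:
    """Plain-text, column-aligned register (header row first)."""
    rows = [COLUMNS] + [register_row(a) for a in assessments]
    widths = [max(len(r[i]) for r in rows) for i in range(len(COLUMNS))]
    return "\n".join(
        "  ".join(cell.ljust(w) for cell, w in zip(r, widths)).rstrip() for r in rows
    )


# Constructed sample rows: the two payroll scenarios described on the page.
PAYROLL_STRONG = SystemAssessment(
    application="Web-based Payroll", outsourced=True, nppi=True, internet_facing=True,
    threat_index=Rating.HIGH, criticality=Rating.MODERATE, impact=Rating.HIGH,
    controls_risk=Rating.LOW,
    controls_in_place=("2 HR staff only", "multifactor authentication", "token",
                       "10-character complex password", "secure VPN transport"),
)
PAYROLL_WEAK = SystemAssessment(
    application="Web-based Payroll", outsourced=True, nppi=True, internet_facing=True,
    threat_index=Rating.HIGH, criticality=Rating.MODERATE, impact=Rating.HIGH,
    controls_risk=Rating.MODERATE,
    controls_in_place=("2 HR staff only", "8-character password",
                       "spreadsheet attached to encrypted email"),
)

if __name__ == "__main__":
    print(render_register([PAYROLL_STRONG, PAYROLL_WEAK]))
    for scenario in (PAYROLL_STRONG, PAYROLL_WEAK):
        for note in escalation_notes(scenario):
            print(f"{scenario.application} (controls {scenario.controls_risk.value}): {note}")
```

Keeping the derivation in one function makes the rule auditable: when the bank decides how Existence of NPPI, outsourcing, Threat level, Criticality and Impact should actually combine, only `derive_residual_risk()` changes, and the two page scenarios serve as regression cases for whatever rule replaces the assumed one.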
