Risk is defined as “the possibility that something undesirable will occur”. It is always around us, and we make decisions about risks every day: decisions to avoid a risk, reduce a risk, transfer a risk, or take a risk we understand. When we ride a bike or a horse we accept the risk of a fall, but wear a helmet to reduce the effects of the fall should it happen, and we carry health insurance in case we fall and get injured. When we leave our home we lock the doors to reduce the risk of an intruder getting in. Perhaps we also install alarm systems, or don’t plant huge trees that could come crashing down during a storm. When we get in our cars, we wear our seat belts to reduce the risk of an injury if an accident occurs. Maybe we have backup cameras and driver-assist systems, and we drive defensively, paying attention to the road ahead. But we still carry insurance to transfer the risk of something bigger that we may not be able to protect against. Think of another example of a risk you take, reduce or transfer every day.
• Where is your biggest risk?
• What is most valuable?
• Where could you lose the most?
Avoid, Reduce, Transfer, Accept
Presenter
Presentation Notes
At work, risk assessments can make us groan and seldom make us happy, mostly because different types of assessments are used to manage different types of risk. For example, credit risk in a volatile interest-rate market is assessed very differently from the operational risk of cybersecurity incidents, system failures or service disruptions. We check the compliance box, but we don’t always have a complete picture of the issues that could result in a significant breach at the financial institution (FI). So, how do we bridge the gap between the business objectives of our FI and the corresponding security risks? FI risks are challenging to assess because we may not fully understand them. You constantly need to ask: Where is your biggest risk? What is most valuable to your FI? Where do you stand to lose the most? And also: when do we Avoid a risk, Reduce it, Transfer it or Accept it? These are the common risk strategies that can bridge that gap. Let’s explore some examples…
Sometimes organizations accept a risk because the loss would be so catastrophic that insuring against it is not feasible or too costly. An example of accepting risk is any potential loss not covered by insurance, or over the insured amount: in locations prone to accidents or natural disasters, businesses may carry insurance, but they still accept the risk of total loss. Accepting risk also describes the case where a business acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it.
In the financial industry we often choose to Reduce risk: deciding on specific lending practices, avoiding bad loans, using loan participations, educating and monitoring employees, and performing periodic audits to reduce monetary losses to internal fraud (for example, a head teller stealing $20k in cash over a year). We Transfer the risk of physical damage or monetary losses due to natural disasters or cyberattacks by carrying insurance. We Avoid risk by operating in areas less prone to blizzards, earthquakes, tornadoes or flooding, or we avoid lending risk by extending only certain types of loans.
Roles and Responsibilities
• Specific
• Measurable
• Auditable
• Reasonable
• Timely
We need to go back to basics. It is not sufficient to do one-pagers of security roles and responsibilities simply because ‘we know what our job is, or theirs’. The primary reason for documenting R&Rs is to ensure proper action and consistency in the tasks we need to perform. We can take a SMART approach (Specific, Measurable, Auditable, Reasonable, Timely) to documenting R&Rs. Specific means the difference between “IT Manager is responsible for file servers” and “IT Manager is responsible for patching servers”, to take a very basic example. One big reason is to ensure the responsibilities of the business owners are included; IT does not own everything. The other big reason is audits, which is where the measurable, auditable and reasonable parts of the approach come in. The FFIEC’s Information Security IT Booklet, section I.B Responsibility and Accountability, states: “Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution's size, complexity, culture, nature of operations, or other factors.”
Technology Risk – The risk that information technology processing, security, stability, capacity, and performance jeopardizes core agency operations. This risk is a function of the resilience of the agency’s technology infrastructure against external threats and business resiliency planning and execution. […]
The OCC has nine general categories of risk in its risk appetite statement. Here is its summary representation of the level of risk appetite for each general risk category; Technology Risk and Operational Risk, shown on these two slides, are two of the nine.
Operational Risk – The risk that people, processes, systems, or external events impede the OCC’s ability to meet its objectives. This risk is a function of internal controls, employee conduct, process efficiency, third-party oversight, physical security, and business continuity planning. […]
Snapshot of the FFIEC’s CAT User’s Guide, 2017, showing the categories of activities, services and products, along with associated risk levels based on the quality and quantity of the corresponding activity.

Risk Categories
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats

Risk Levels
1. Least
2. Minimal
3. Moderate
4. Significant
5. Most

Activities, Services, Products (examples)
• ISP connections
• Mobile presence
• Prepaid cards
• Wire transfers
• Mergers/Acquisitions
• Changes in IT/IS staff
• Locations
• Attempted cyber attacks
The Inherent Risk Profile assessment helps establish the path forward for how to manage your information security program and initiatives. It makes you really look at and think about your environment, to find the potential vulnerability that can make the difference between security and publicity.
Maturity strategy example: under Domain 1, Cyber Risk Management and Oversight, Risk Management assessment factor, you might plan for a higher maturity of your risk management program or practices. Under Domain 3, Cybersecurity Controls, Preventative Controls assessment factor (Access and Data Management), you might plan for multifactor authentication for all critical systems, or for third-party access to your network.
Identify Key Business Risk Areas → Define Security Risks → Apply Regulatory Lens

Business Risks
• Operational
  – Internal Fraud
  – System Failures
  – Business Disruption
  – Clients, Products, Business Practices
• Legal/Regulatory
• Reputational
• Credit
• Insurance
• Market
• Liquidity

Security Risks
1. Confidentiality-Privacy
2. Confidentiality-InfoSec
3. Fraud/Theft
4. Availability
5. Disaster
6. Third Party
7. Financial Reporting Integrity
8. Regulatory Compliance

Regulatory Lens
• FFIEC
• PCI
• SOX
• GLBA
• State Laws
This is an example from a financial institution that used this process to establish a common framework of risks and controls it could apply consistently when performing security risk assessments against the FI’s critical assets and business processes.
Controls
1. Access Management
2. Availability
3. Security Awareness Training
4. Change/Config Management
5. Control Verification and Testing
6. Data Management
7. Encryption
8. Fraud and Theft
9. Incident Management/DR
10. Legal
11. Logging/Monitoring
12. Physical Security
13. Privacy
14. Roles & Responsibilities
15. Audits
16. System Defense/Network Security
17. Third Party Management
Based on the level of risk, controls can be applied that are commensurate with the risk. This lends itself to a GRC (Governance, Risk and Compliance) model, which can be automated to reduce the time needed to complete risk assessments and to ensure transparency and consistency.
Consulting organizations can help you assess your risks effectively and consistently, but you must establish the structure to do so in the context of your specific business strategy and culture. Talk with your preferred vendor or trusted advisor about risk assessment services and assistance with managing your information security program.