IT Risk Assessment
The FFIEC has stated that financial institutions must maintain an ongoing information security risk assessment program that effectively
- Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
- Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
- Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.
A sound IT risk assessment helps an organization identify gaps and risks to its information and infrastructure assets. The Secure Guard Consulting IT risk assessment methodology leverages both extensive regulatory and IT experience and expertise to identify gaps and classify the inherent risks that an organization faces
Secure Guard Consulting will develop a comprehensive IT risk assessment. This process will be mostly performed in conjunction with bank personnel in order to facilitate understanding. Additionally, the bank will be able to update, add, and delete data from the risk assessment based on future technology changes.
Generally, the IT risk assessment development process is as follows:
- Identify all information and infrastructure assets (e.g., PCs, Servers, BYOD, Wire Transfer, etc.)
- Identify pertinent risks
- Assign probability
- Assign impact
- Compute inherent risk
- Assign overall GLBA asset value
- Compute composite risk
- Identify general controls
- Cross reference policies and procedures
- Assign residual risk
IT Policy Development
Secure Guard Consulting's approach to policy development is simple; policies should be short, concise, and to the point, yet they should provide ample guidance for the protection of an organization's information and infrastructure assets. Whether an organization is developing new policies and procedures, or enhancing existing ones, Secure Guard Consulting can help.
The scope of the policy development will be to streamline or condense existing policies, or rewrite policies such that they identify security measures and controls for information and infrastructure assets identified in the risk assessment. The developed policies should be easy to read, to the point, and meet both state and FDIC regulatory scrutiny. Sample areas that will be covered include (where applicable):
- Information Security Program
- IT Risk Assessment
- Document security
- Change management
- Audit program
- Operations
- Network remote access
- System logging and monitoring
- Separation of duties
- IT management
- Internet banking (including CATO)
- Web site
- Systems authentication
- Network services
- Electronic funds transfer (EFT)
- Incident response
- Core banking system
- Security awareness training
- IS/IT policies and procedures
- Wire transfer
- Imaging
- Automated Clearing House (ACH)
- Customer identification procedures
- Backup procedures
- Branch/Remote capture
- Information Security Strategy
- Access Controls
- Authentication
- Network Access
- Application Access
- Remote Access
- Physical and Environmental Safeguards
- Encryption
- Patch Management
- Malicious Code Prevention
- Configuration and Change Control
- Personnel Security
- Data Security
- Service Provider Oversight / Vendor Management
- Business Continuity / Disaster Recovery
- Insurance
- Security Monitoring / Firewall Administration
- GLBA Compliance
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disaster Recovery
Secure Guard Consulting works with you to develop a recovery program tailored to your business that allows you to create, maintain, and execute a business continuation plan effectively. We take a common sense approach to disaster recovery applying industry standards in a way that encourages sound disaster recovery development practices.
Our disaster recovery planning includes the following:
- Disaster Recovery risk assessment.
- Disaster Recovery business impact analysis.
- Disaster Recovery plan.
- Disaster Recovery plan walkthrough and testing.
Vendor Management
Banks should consider adopting a risk management program for all vendors (IT and non-IT) proportionate with the level of risk of the vendors in order to identify and to be able to take the steps necessary to manage those relationships.
Secure Guard Consulting's vendor management services are designed to assist banks develop or enhance their vendor management programs to address increasing risks. Our consulting services help banks address the following areas
- Risk assessment
- Due diligence
- Ongoing monitoring
- Proper documentation and reporting
- Contracts
- Nondisclosure/Confidentiality agreements
Corporate Account Takeover (CATO)
Corporate account takeover is a type of fraud where thieves gain access to a business’ finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable.
Cyber thieves target employees through phishing, phone calls, and even social networks. It is common for thieves to send emails posing as a bank, delivery company, court or the Better Business Bureau. Once the email is opened, malware is loaded on the computer which then records login credentials and passcodes and reports them back to the criminals.
Our CATO consulting involves assisting banks with the following:
- CATO Risk assessment
- CATO Board Reporting
- CATO Incident Response
- Checklists for customer onsite visits