Cyber Security Risk Assessment - Utah's Credit Unions
Posted 01-Feb-2018

Cyber Security Risk Assessment

Introduction

This document functions as a tool to help you complete your credit union’s IT risk assessment. Beyond this introduction, it includes three major sections, each of which includes some guidance on the section, then asks a series of questions to help you complete the risk assessment.

What is a cyber security risk assessment? The FFIEC says it’s an

… identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.

In short, it’s an evaluation of IT assets in relation to threats, and how the credit union prioritizes and manages the risk.

Brace yourself

Completing an information systems/technology risk assessment is not something one does before breakfast. It will take more work than anyone probably wants to dedicate to it, and will likely require involvement from several people, even at a small credit union.

There are three broad steps to completing the risk assessment:
1. Gather data
2. Analyze data
3. Prioritize and plan

Each of these steps has a section below, with a description of what you’ll be doing in that section, followed by questions to guide you through the process.


You can create a new document to use as your assessment, or you can work right in this document, providing your answers right in line after the questions. There are a few tables built into the appendices, which you may also find useful when completing a few steps.

By way of further explanation, each step can be broken down in the following way:

1. Gather data
   a. What information do you have?
   b. What technology assets do you have? What are the systems?
   c. What are your oversight controls?

2. Analyze data
   a. Threats
   b. Vulnerabilities
   c. Control effectiveness
   d. Assign risk rating to information and systems

3. Prioritize
   a. Given the credit union’s data, threats, vulnerabilities, and controls, determine the credit union’s largest risks
   b. Develop a risk mitigation strategy

So, settle in, put on your thinking cap, and every now and then step away to take a deep breath and remind yourself that it doesn’t have to be completely done right now. Making progress is the important thing.

About the help provided in this document

To assist you in conducting this assessment, we’ve gone ahead and completed many sections of the assessment as if we were a small, one-location credit union. This includes several tables in different sections. You might find this sample language useful to either keep or modify. All such sample language is denoted as such. If you modify or keep the sample language, be sure to remove the notes that it’s sample language, and make sure it accurately describes your credit union.

Technical note: Effective use of this document will require that you understand how to use tables in Microsoft Word. If you’re not familiar with how to do that, search Word’s Help Documentation or the Internet, or talk with someone who can give you a little tutorial. Don’t worry. It’s easy stuff.


Gather data

This, our first step, will consist of gathering information. You may be able to pull some of it out of your brain, but some of it will require gathering (or referencing) other documents. In some cases, you (or someone else) may need to create the documents if you want to do a very thorough risk assessment.

Note that it’s entirely plausible that the first time through this risk assessment, you will leave some items incomplete, with the intention of creating the reference documents later on. Which is fine. After all, something is better than nothing. So get done what you can now, and plan to complete the rest later on.

Here are the broad questions we’re going to address:
1. What information do you have?
2. What technology assets do you have? What are the systems? This will include hardware, software, and connections.
3. What are your oversight controls?

What information does your credit union have?

Answer this question with a basic narrative about the information you house at your credit union. Here’s an example:

At XYZ FCU, we retain information about our members, such as their personally identifying information, and information about their personal finances—such as account balances and history. We also keep information about their employment, wages, and credit scores and history. We also keep information about how they access their own information, such as with user names and passwords. This is highly sensitive data.

We also keep information about the credit union. This is broad, far-reaching information, and includes every aspect of our operations. It ranges from internal accounting and transaction information to policies and procedures to security details to general operational information. We also have information about our employees, including personal information, and our vendors, including security practices.

In order to provide more details, list all of the information that your credit union keeps. Below is a sample chart you can use to list your member, credit union, and vendor information.

Stephen Nelson, 04/08/16,
SAMPLE LANGUAGE

Member information

What member information does your credit union have? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Member Information | Description | Sensitivity |
|---|---|---|
| Account information | Balances, history, transactions, numbers, meta information | 5 |
| Nonpublic personal information | Birth dates, SSNs, addresses, phone numbers, email addresses, employment data, pay/salary data | 5 |
| Credit history | Scores, history, details of credit reports | 5 |
| Loan | Opening dates, opening balances, payment due dates, payment history | 5 |
| Generated information | Internal risk score, online or mobile banking history, passwords | 4 |

Credit union information

What information about your credit union does your credit union have? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Credit Union Information | Description | Sensitivity |
|---|---|---|
| Accounting information | Internal account info, GLs, internal accounting practices, expenses, balance sheet, income statement, ALM, ALCO | 3 |
| Investment information | Balances, start date, end date, rate of return | 2 |
| Employee information | Pay, history, nonpublic personal, disciplinary, direct deposit | 5 |
| Network architecture | End-user devices, network devices, port settings, connection setup | 5 |
| System access control information | User names and passwords, privileges, activity logs | 5 |
| Practices | Procedures, policies, combinations, codes, strategy, facilities, training, internal security, robbery procedures, pricing methodology and history for rates and fees, marketing, collections | 4 |

Vendor information

What information do you have about vendors? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Vendor Information | Description | Sensitivity |
|---|---|---|
| Account information | Log-in information, account numbers, contacts on account | 5 |
| Security practices | Log-in information, event timing | 5 |
| Policies and practices | | 3 |

What connections does the credit union have?

Describe the network connections inside the credit union, as well as those to outside the credit union.

The credit union has multiple connections to outside the credit union. The primary connection is an Internet connection through Comcast Business Services. This connection is managed through a cable router that connects to a firewall that filters and directs all Internet traffic. Other external connections take place via this Internet connection: connection to our home banking provider, to our service bureau provider, to our credit report provider, to our backup service, and many more. All of these connections are encrypted. General connection to the Internet is encrypted only when websites (such as our corporate credit union and batch processing provider) or specific services encrypt data.

We also have external connections through phone lines. We have a T1 connection that connects to our PBX system, which directs and manages phone calls. In addition, we have a phone line dedicated to our security system, as well as company cell phones used by a few employees. We have one direct, dial-in connection to an archaic third-party provider.

Internally, all of our computers (desktop PCs, servers, etc.) are connected to each other via a local area network managed by a router. Most of the devices on this network are also connected to the Internet through the router and firewall.

List your connections. Connections can include physical connections, such as phone lines or Internet connections, and virtual connections through the Internet to business partners, such as always-on access to an external resource. Include VPNs, Telnet, etc. (Telnet carries logins and session traffic in clear text, so any Telnet connection still in use deserves a note here.)

In the first and second column, name and describe the connection.

In the third column, assess the importance of the connection based on the function of the connection, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one connection can be ranked 5.

| Connection | Description | Importance |
|---|---|---|
| Landline into office | Provided by: XXXXXX. This is a T1 with XXXXX lines and we have a PBX system administered by XXXXXX. | 4 |
| Internet into branch | Provided by Century Link. | 5 |
| Cell phone | Provided by Verizon. We have X employees with cell phones. | 4 |
| WiFi | A wireless router | 5 |
| Direct connection to core processor | Through the Internet, to our data processor, which houses all of our data and storage. This connection is on constantly. | 5 |
| Direct dial connection to home banking | This connection comes IN to our server, through the Internet, from our home banking provider. | 5 |
| Mobile app connection | This comes into our server from our app provider, via the Internet. | 5 |
| Alarm system line | A phone line directly to the alarm company | 5 |
| Internal network connections | Each PC, server, and printer is connected to the network via a CAT 5 network cable. Also, all router devices are connected via a CAT 5 cable. | 5 |

In addition, it would be great to provide a network map detailing internal and external connectivity, and their interconnections. This chart should show routers, access points, firewalls, intrusion detection systems, servers, and backup systems.

What hardware does the credit union use?

List all of the hardware that comprises your system. Be as specific and comprehensive as possible. In the first and second column, name and describe the hardware. In the third column, assess the importance of the hardware based on the function of the hardware, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one piece of hardware can be ranked 5.

| Hardware | Description | Importance |
|---|---|---|
| Core processing system | Houses our core system, which has all of the member and credit union account information | 5 |
| Desktop PCs (7 of them) | One sitting at each employee’s desk, and several shared PCs in the teller line. | 5 |
| Receipt printers | One connected to each computer on the teller line, and each frontline employee’s computer | 3 |
| Check printer | One connected to all of the teller computers, another to the accounting office, and a third to the loan officers’ computers | 4 |
| General purpose printers | One connected to the teller line, another to the loan staff, and a third in the back office. | 3 |
| Copier/scanner | Connected to the network directly. Not directly accessible by any single user from any computer. | 3 |
| Mobile phone | One for the president of the CU. | 3 |
| Laptop PC | The president’s primary PC and workstation. This is taken offsite every day. | 5 |
| PBX system server | The phone system that directs and manages calls. | 3 |
| Desk phones/landline phones | Connects to a switch | 4 |
| Phone switch/router | Logically, this sits between the PBX system server and the phones. | 5 |
| Network switch/router | Logically, this sits right inside the firewall. It assigns IP addresses to all network devices, including servers, PCs, printers, etc. | 5 |
| Firewall | Receives the Internet connection from the Century Link router, and manages traffic in and out of the CU’s internal network. | 5 |
| Mail server | Manages email | 5 |
| File server | Manages files and network drives | 5 |
| Backup drive | Functions | 5 |
| Signage PC | Manages the outdoor signage. | 3 |
| Lobby display PC | Manages the images and video that splash across the display in the lobby. | 3 |
| ATM | | 5 |
| Alarm system | Connects | 5 |
| Internet router | This connects directly to the Internet, and feeds the Internet into the firewall device. | 5 |
| Wireless router | Connects to the network switch/router and provides wireless access to the network | 5 |
| Video surveillance PC | A computer running the surveillance system | 5 |
| Surveillance cameras | Cameras recording activity around the credit union | 5 |

What software does the credit union use?

Make a list of all the software in use at your credit union, including operating systems and firmware of devices that don’t have operating systems. Include:
- Operating systems
- Core data processor
- Other mission critical software
- Office software
- Web browsers
- Databases and files that contain critical and/or confidential information
- Software inventories

In the first and second column, name and describe the software.

In the third column, assess the importance of the software based on its function, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one piece of software can be ranked 5.

| Software | Description | Importance |
|---|---|---|
| Core processing system | The primary database that manages member account information, accounting information, etc. | 5 |
| Core processing system OS: UNIX, Windows XX, or something like that | The operating system of the server that runs our core processor | 5 |
| Desktop PC OS | Windows XX | 5 |
| Laptop PC OS | Windows XX | 5 |
| Web browser: Firefox, Internet Explorer, Safari, or Chrome | Sits on each PC, including desktops, laptop, servers, signage and lobby display PCs | 5 |
| Microsoft Office Suite | Spreadsheet, word processing, and presentation software. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Adobe Acrobat Reader | Used for viewing documents. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Java Runtime Environment | A plug-in used for many programs and web applications. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Flash | A plug-in used for a lot of web sites. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Webex Client | For viewing webinars online. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 2 |
| Image-editing software | | 2 |
| Network switch/router firmware | Used to run and configure the network switch/router | 5 |
| Firewall firmware | Software running and configuring the firewall. | 5 |
| Mail server OS: Windows XX | OS running the mail server | 5 |
| File server OS: Windows XX | OS running the file server | 5 |
| Backup software | Automatically runs a backup each day to a backup media/device | 5 |
| Signage PC OS: Windows XX | Runs the signage PC | 2 |
| Signage PC software | Software that runs the signage | 2 |
| Lobby display software | Runs the images and videos splashing across the lobby marketing display | 2 |
| Lobby display PC OS: Windows XX | Runs the lobby display PC | 2 |
| ATM software | Used to run and configure the ATM | 5 |
| Alarm system software | Used to configure the alarm system | 5 |
| Internet router software | The software that runs and configures the Internet router. | 5 |
| Video surveillance software | Used to record and review video surveillance | 5 |

Where is the information kept?

Here is an example:

At XYZ FCU, we keep information in both physical and electronic formats. Our physical information is kept on papers, files, and books. These are stored in secured rooms, drawers, and cabinets.

We keep member transaction information in our core processing system’s database. Much of the credit union information is kept on a system of shared network drives, with access given to employees based on their job function and security clearance level. This electronic information is generally kept on network servers, but some job-specific information is kept on desktop PCs and backed-up to a cloud storage service. Each night, information is also backed up to servers at a remote, secure location.

How is access to information controlled?

Describe how information is accessed, stored, transmitted, protected, and eventually disposed of. Here is a basic example:


Information kept in a physical form (on paper) is always stored behind a locked door or drawer. Accessing it requires having the key to open the lock. Within the credit union, it is always hand-delivered, so that it is never out in the open, or placed in a sealed envelope. It is always shredded when we are done with the information.

Electronic information is accessed on computers. To access a computer, a user must authenticate using a username and password. Access to information is given as needed based on the access level assigned to the user. Within our internal network, data is not encrypted in transit, but when sent outside the network, data is encrypted. It is stored in an encrypted format. When storage devices have reached the end of their lives. Items such as flash drives and removable drives are only allowed to be used in rare circumstances by select employees. Only brand new devices can be connected to a computer; devices that have previously been connected to other computers cannot be connected to any credit union computer.

In addition, describe the oversight controls in place. For example, what policies and procedures do you have in place to manage your IT system? There’s no need to provide great detail here, but at least mention what policies and procedures you have, and describe them a little. Also include information about training and other cultural controls.

| Control | Description |
|---|---|
| Computer security and control | Outlines the general guidelines for running the IT program. |
| User access agreement | An agreement that each user must sign, outlining duties and responsibilities in relation to system access. |
| Security training | Mandatory annual training about social engineering, and computer, email, Internet, and other security |
| Patch management policy | Outlines proper ways to manage software patches |
| Firewall policy | Outlines proper way to configure the firewall |
| Computer software and hardware acquisition policy | Outlines the process for adding additional software or hardware to the system |
| Remote access policy | Outlines requirements for remotely accessing system resources |
| Cloud computing policy | Outlines requirements for utilizing cloud services |
| Security policy | Outlines general physical facility and physical information practices |
| Information security policy | The primary IT policy, outlining general practices and guidelines for maintaining a secure environment |
| Incident response policy | Practices for responding to an IT security incident |
| Intrusion detection system | Monitors for intrusion throughout the system continuously |
| IT audit | Completed annually to ensure our IT program is working the way it should work |
| Personnel security policy | Policy outlining background checks and behavior monitoring |
| Vendor contracts | Specify security, service levels, and other requirements for partners |
| Cyber security insurance | Provides a benefit in the case of an incident, provided we are following our policies and procedures |

The credit union utilizes policies to set general practices in place. These policies control everything from firewall configuration to destruction of unneeded storage devices to user access and to password requirements to configuration of the network. The policies require controls such as training and evaluation of employees, an annual IT audit, vendor contract management, and more.

In addition, it would be great to provide detailed hardware and software configurations. For example, how are desktop PCs and servers configured? How are their user accounts set up, and their access to network drives?

Another useful document is a system architecture diagram. It should provide: service provider relationships, where and how data is passed between systems, and the relevant controls in place. This may be part of the network map provided under the “Connections” section, above.


Analysis

In this section of the risk assessment, we will analyze the information we have gathered. The goal is to determine what risk we have, where, and the adequacy of our controls in mitigating that risk. We will complete this in several steps:

1. Analyze the sensitivity of data and systems
2. Analyze threats, threat agents, and vulnerabilities
3. Analyze control effectiveness

Analyze the sensitivity of data and systems

Using the tables in the section above, you should have already evaluated the sensitivity and importance of data, connections, hardware, and software.

About threats and vulnerabilities

It’s time to analyze threats and vulnerabilities. The point is to determine which threats or vulnerabilities deserve priority attention relative to the value of the information or information systems being protected. Although threats and vulnerabilities need to be considered simultaneously, it is important to distinguish threats from vulnerabilities.

Threats are events that could cause harm to the confidentiality, integrity, or availability of information or information systems. They can be characterized as the potential for agents exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Threats can arise from a wide variety of sources, called threat agents.

Identify threats

In this section, we want to identify threats. In other sections, we will identify threats’ potential impact, and evaluate their probability of happening.

Below, a series of specific questions is designed to help you eat this elephant one bite at a time. Examples of how you might answer these questions are provided after each question, indented.

What are the threats to your data?

As you answer this question, do not think in terms of threat agents. We’ll get there. For now, simply think of “what could happen to our data?” If necessary, provide an explanation of the threat.


Our data could be:
- Copied without permission
- Disclosed to people who have no right to know it
- Deleted
- Corrupted en masse
- Held hostage
- Modified selectively: for example, small amounts—hardly noticeable—changed on many accounts. Or one account modified. Or contact information on an account modified.

What are the threats to your connections?

Think in general terms about your connections. If necessary, provide an explanation of the threat.

Our connections could be:
- Shut down: for example, completely turned off. Perhaps physical wires could be cut.
- Overloaded: perhaps too much traffic could be sent through a connection, so that nothing of importance could get through.
- “Eavesdropped” on: someone might access, monitor, copy, or selectively modify traffic on a connection.
- Used for inappropriate purposes: authorized persons use the connection for inappropriate purposes.
- Piggybacked on: unauthorized persons use our connection for their own purposes.

What are the threats to your hardware?

Think in general terms about your hardware. If necessary, provide an explanation of the threat.

- Failure: hard drives, power supplies, system boards, memory, etc. could fail, thereby rendering the hardware useless.
- Theft: hardware might be stolen.
- Modification: for example, a key-logger added to a device.
- Damage or destruction: someone might purposefully destroy or damage hardware.


What are the threats to your software?

Think in general terms about your software. If necessary, provide an explanation of the threat.

- Reconfiguration: software may be reconfigured in unauthorized ways so that it does things it was not meant to do, or so that it allows access in ways it should not.
- Modification: modification changes what software does or how it works.
- Deletion/uninstallation.
- Installation: unauthorized software may be installed on hardware.

Identify threat impact

Here, we want to identify what the impact could be if a threat were realized. This will likely be tedious. Hang in there. This table will be large.

To do this, take each of the threats identified in the previous section, and plug them into the table below. The table asks you to evaluate the potential impact in the following aspects:

- Data integrity, confidentiality, and availability of information;
- Costs associated with finding, fixing, repairing, and restoring a system;
- Lost productivity;
- Financial losses; and
- Other issues affecting the institution’s operations, and reputation.

If you wanted to get crazy, you could consider each type of data, connection, hardware, and software in conjunction with each of the threats. That’s really, probably what would happen in an ideal world. Maybe the second or third or fourth time you do this risk assessment, you should do that. However, to simplify this effort, the first time you do this risk assessment, consider all of your data, connections, hardware, and software as a whole, as if all of them were of the utmost sensitivity and importance.

In each square of the grid, assign a number value for the potential impact, with 1 being low and 5 being high. Then, provide an explanation where it makes sense.


The grid has one row per threat and five columns: impact on data integrity, confidentiality, and availability of information; costs associated with finding, fixing, repairing, and restoring a system; impact on productivity; financial losses; and other issues affecting operations and reputation.

Threat: Data: copied without permission
- Impact on data integrity, confidentiality, and availability of information: 1
- Costs associated with finding, fixing, repairing, and restoring a system: 1. This would cost, just not for the reasons listed in the column header.
- Impact on productivity: 3. This could impact management’s productivity as it copes with the potential problems that arise from someone getting our data.
- Financial losses: 4. The copying of data, itself, is not the problem. The problem is what is then done with that data, and correcting it. There would be significant costs both in staff time and financial resources in correcting problems.
- Other issues affecting operations and reputation: 5. If our data were copied by an unauthorized party, they could use that data for any number of purposes that would damage our operations and cause us to spend significant resources correcting the problem. Of particular concern: the reputation hit that our credit union would take.

Threat: Data: disclosed to people who have no right to know it
- Impact on data integrity, confidentiality, and availability of information: 5. By definition, if the data were disclosed to unauthorized persons, it is no longer confidential.
- Costs associated with finding, fixing, repairing, and restoring a system: 1. This would cost, but not for the reasons listed above.
- Impact on productivity: 3. This could impact management’s productivity as it copes with the potential problems that arise from someone getting our data.
- Financial losses: 4. The copying of data, itself, is not the problem. The problem is what is then done with that data, and correcting it. There would be significant costs both in staff time and financial resources in correcting problems.
- Other issues affecting operations and reputation: 5. If our data were copied by an unauthorized party, they could use that data for any number of purposes that would damage our operations and cause us to spend significant resources correcting the problem. Of particular concern: the reputation hit that

Page 17: Cyber Security Risk Assessment - Utah's Credit Unions Web viewIf you’re not familiar with how to do that, search Word’s Help Documentation or the Internet, ... implement a honeypot

Threat agents
Threats can arise from a wide variety of sources, called threat agents. Traditionally, the agents have been categorized as internal or external. You’ll need to identify threat agents. Each one identified may have different capabilities and motivations, which may require the use of different risk mitigation and control techniques and the focus on different information elements or systems. Natural and man-made disasters should also be considered as agents.

List your threat agents and describe the threats they pose.

Internal threat agents: all of our internal threat agents could cause security incidents on purpose or by accident. All internal threat agents have varying degrees of access to our data, systems, connections, and software. Internal threat agents are a common weak link across all industries. Any of the following internal threat agents may cause incidents due to malicious intent, incompetence, carelessness, or any number of reasons.

o Employees
o Volunteers
o Third-party service providers: Our providers have different access than our employees—they may not (but some may) have access to our member data, but may have access to how our systems are set up, and some would even have the ability to change system settings. They may even make recommendations for changes to our settings, and due to a lack of expertise in technical matters, we may agree with the need for the change.
o Former insiders: these people leave our organization with knowledge of our systems, practices, and policies. They may have information about how to access systems, or how to get around controls. If their user accounts are not removed, they may retain access to our systems. As with other internal threat agents, they may cause security incidents on purpose, or by accident.

External threat agents: motives of external threat agents vary, as do capabilities. Their goals may also vary, from stealing information to modifying data, to just having fun. Some may want to cause destruction or disruption. All of these agents, however, could potentially realize any of the threats listed above. External threat agents include:

o Criminals
o Recreational hackers
o Competitors
o Terrorists

Natural and man-made disasters: these agents include things like earthquakes, floods, terrorist attacks, man-made accidents (vehicle or airplane crashes), and more. Basically, anything that could cause widespread or local destruction. These threat agents have significant potential to disrupt operations. They may destroy hardware and connections. They may cause significant distraction that would allow for more social engineering.

Identifying vulnerabilities
Vulnerabilities can be characterized as weaknesses in a system, or control gaps that, if exploited by a threat agent, could result in the realization of a threat. In other words, threat agents exploit the vulnerability. The vulnerability is the means by which the threat agent accomplishes something.

The challenge in identifying vulnerabilities is that many of them are technical in nature, and very specific. There’s a super good chance that you, the person doing this assessment, aren’t a technical person and that you can’t identify the specific (and maybe even general) technical vulnerabilities. The good news is that you’ve just identified a vulnerability. It should be part of the risk assessment. The bad news is that this particular vulnerability often translates into intimidation and confusion, and could lead to a lack of action.

Don’t let that vulnerability stop you from proceeding. Do what you can. Seek input from others. And improve your assessment as you go along. In the end, as you complete this risk assessment multiple times, as your institution becomes more aware in more specific ways, you will be able to add more detail into the vulnerabilities.

Identify the vulnerabilities in your IT system
What parts of your system could be exploited? How might they be weak? Be as specific or general as you feel appropriate. Address all aspects of the system: hardware, software, controls, connections.

We have connections to the outside world that could be exploited. Our data needs to be accessed by a wide range of people, and could be intercepted at any point.


We have people involved in the system; they may not follow established procedures and processes for any number of reasons: deception, dishonesty, laziness, forgetfulness, incompetence, etc.

We have hardware that exists in physical space. This hardware could be destroyed or compromised.
We must have some ports on our firewall open so traffic can get through.
We have very little technical knowledge on staff. This is a vulnerability because we rely on one person (or one outside group) for technical expertise. The work of that one person is not checked or verified by anyone inside our institution. We have no idea if they are doing what they’re supposed to be doing.
We have not catalogued or established requirements for all of our controls.
We have policies and controls specified in place, but do not audit to make sure the policies are followed.
Our policies tend to focus on controls for employee procedures, rather than technical configuration of equipment and software. So, our technical controls may not be as strong as they need to be.
We do not audit our employees for compliance with security procedures, and we do not formally review their performance.
We do not filter web content; employees can access any website and click on any link.
We do not have virus protection on all our machines.
Our email program does not scan attachments for malware.
Any of our employees can install software on the workstation computers.
We do not run continuous penetration detection.
We do not monitor and log all activity on the servers and through connections.
We have no way to audit our third-party service providers’ security practices.
Some of our contracts with third-party providers do not specify security service levels.
We do not have redundancy built into our security devices (firewall).
Our penetration testing is done only once a year, leaving us open to potential issues for long periods of time.

In addition, we have many of the usual expected vulnerabilities, which can reasonably be anticipated to arise in the future:

Unpatched software,
New and unique attack methodologies that bypass current controls,
Employee and contractor failures to perform security duties satisfactorily,
Personnel turnover resulting in less experienced and knowledgeable staff,
New technology introduced with security flaws, and
Failure to comply with policies and procedures.

Control effectiveness
It’s time to identify controls that mitigate the impact or likelihood of each identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing (preventive, detective, or corrective) or nature (administrative, technical, or physical). We also need to measure the effectiveness of, and compliance with, those controls, which may be done via self-assessments, metrics, independent tests, etc.

What preventative controls are in place?
Preventive controls act to limit the likelihood of a threat agent succeeding.

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: Firewall
  Description: Restricts and directs all traffic into the network from outside the network. Denies all unauthorized traffic.
  How effectiveness is measured: Periodic penetration testing is completed.
  Effectiveness level: High

Control: Network intrusion prevention systems
  Description: Monitors the system for unauthorized access. Logs all activity.

Control: Antivirus software
  Description: Ensures that malicious software is not installed on computers.

Control: User access controls
  Description: Specifies which resources each user has the rights to access, and during what hours.

Control: Removal of default accounts
  Description: Default admin and guest accounts are removed.

Control: Password controls
  Description: Specifies the length and complexity of passwords.


What detective controls are in place?
Detective controls identify harmful actions as they occur.

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: Intrusion detection system
  Description: Monitors all network traffic to determine whether it is normal or not. Abnormal activity is halted and reported immediately.

Control: Access monitoring
  Description: Monitors all folders, logs all activity in those folders, and notifies administrators of unusual activity.

Control: Honeypot
  Description: Functions as a decoy target for hackers to hit, but serves no business purpose. This is the trap to catch hackers.

What corrective controls are in place?
Corrective controls facilitate the termination of harmful actions, and reduce damage.

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: Fail safe policies
  Description: Requires that if resources fail, they fail to a safe and protected mode.

Control: Workstation images/restoration
  Description: An image is made of each workstation once it is properly configured, so that if something goes wrong with the workstation, it can easily be restored to a clean state.

Control: Backups
  Description: Backups of all critical data allow for restoration of key data.

What administrative controls are in place?

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: Contracts with providers
  Description: Contracts with providers specify duties of providers related to security, and allow for auditing and reporting of their security measures.

Control: Training on security
  Description: Employees are trained annually on security practices.

Control: End-user agreements
  Description: Employees are required to sign agreements on how they are allowed to use, and will use, credit union resources.

What technical controls are in place?

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: User permissions
Control: Port filtering
Control: DNS placement
Control: User account authentication
Control: Data encryption

What physical controls are in place?

Columns: Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)

Control: Locks on doors
  Description: Doors with servers and networking equipment behind them are always locked. Offices not being used have their doors closed and locked.

Control: Cabinets for computers
  Description: All desktop computers are kept in locked cabinets at desks.

Probability of threat agents exploiting vulnerabilities to realize a threat, given controls in place
Using scenarios, analyze the probability of different threat agents causing damage. These scenarios should consider your credit union’s:

Business strategy,
Quality of its control environment, and
Its own experience, or the experience of other institutions and entities, with respect to information security failures.


You cannot possibly review all possible scenarios. Instead, select general scenarios, or those most likely to happen, and review them in the chart below. Start with 10 the first time. Edit them next time, and add others. In the probability, simply assign a value of probable, highly possible, possible, and unlikely, and then explain why that probability is assigned, especially considering all of the controls in place.

Columns: Threat agent | Vulnerability | Description | Probability

Threat agent: Employee
  Vulnerability: Falls victim to social engineering (spear phishing attack)
  Description: This could happen online, in email, over the phone, or in person. In this case, a person tricks an employee into disclosing information or otherwise bypassing controls.
  Probability: Probable. Even given all of the controls in place, our employees are generally trusting and well-intentioned, and want to help people. Plus, training is not a guarantee of compliance with policies. Neither is evaluating people on following the policies and practices.

Threat agent: Employee
  Vulnerability: Exploits trust and purposefully ignores or violates procedures
  Description: An employee purposefully ignores or bypasses controls for whatever reason.
  Probability: Highly possible. Despite all our controls, training, and hiring practices, someone may decide to be dishonest. This is common across all industries, no matter what controls are in place. Intimate knowledge of controls makes it possible to manipulate or circumvent them.

Threat agent: Third-party service provider
  Vulnerability: Fails to properly configure systems
  Description: The “computer guy” fails to follow some procedure, and leaves our system vulnerable.
  Probability: Possible. We don’t actually know how good the abilities of our network people are, because we don’t evaluate and measure that. We also don’t have anyone checking their work, to make sure it’s accurate and according to procedures. This leaves us vulnerable. We basically rely on his competence, but have no way of verifying or checking that.

Threat agent: Third-party service provider
  Vulnerability: Exploits trust
  Description: The “computer guy” purposefully does something to allow himself or someone else access to sensitive information.
  Probability: Possible. We do not have controls in place to double check that all the systems are configured and monitored and logged properly. This means that someone who knows what they’re doing could conceivably set up the system for his benefit.

Threat agent: External malicious party (hacker)
  Vulnerability: Holds our data hostage
  Description: An outside party hacks into our system, accesses our data, and holds it hostage in exchange for ransom. They may or may not restore data once ransom is paid.
  Probability: Possible. While we do penetration testing, and our system is fairly secure and doesn’t change often (change could lead to holes), there are new exploits discovered all the time. We could fall victim to one of those.

Threat agent: Outside malicious party (hacker)
  Vulnerability: Penetrates our system via the Internet and accesses member information
  Description: While our system is relatively secure and tested annually, it’s still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor.
  Probability: Probable. If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.

Threat agent: Outside malicious party (hacker)
  Vulnerability: Penetrates our system and modifies critical data
  Description: While our system is relatively secure and tested annually, it’s still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor.
  Probability: Highly possible. If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.

Threat agent: Hacker
  Vulnerability: Takes advantage of unpatched software
  Probability: Highly possible

Threat agent: Terrorist attack
  Vulnerability: Disrupts communication lines
  Probability: Possible

Threat agent: Earthquake
  Vulnerability: Damage to connection or hardware
  Probability: Highly possible

Prioritize and plan
Here is the culmination of all our effort. Here we identify where our largest risks are, and how we will take steps to mitigate those risks. Most of the hard work is done. So go get a drink and relax while you finish this bad boy up.

In the table below, list your risks and assign them a risk rating of "High," "Medium," or "Low". In the third column, indicate steps to take to mitigate those risks.


Columns: Risk | Risk rating | Mitigation plans

Risk: Third party vendor makes a mistake or purposefully causes harm
  Risk rating: High
  Mitigation plans: We will plan for an audit of our IT security system, which we will not inform our network guy about beforehand. We will hold this each year.

Risk: Employee falls victim to social engineering
  Risk rating: High
  Mitigation plans: Add quarterly security training for all employees, as well as testing to ensure they comply with appropriate rules, then incorporate training and testing into performance evaluations.

Risk: Our system is hacked and someone gets inside our secure perimeter
  Risk rating: High
  Mitigation plans: Implement intrusion detection systems with failsafe controls; implement a honeypot to catch bad actors.

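The three scoring steps of this template (the 1-to-5 impact grid, the probability labels, and the High/Medium/Low rating) carried through in code, as an added Python example that is not part of the template. The first two grid rows and the scenarios are the page's own sample language; the "Workstation" row, the numeric probability ranking and the rating rule are assumptions of this example, since the template leaves the final rating to judgement.

```python
# Added example, not part of the original template: a small risk register that
# carries the template's steps (impact grid, probability label, High/Medium/Low)
# through in code. Grid rows 1-2 and the scenarios are the page's sample language;
# the "Workstation" row, the probability ranks and the rating rule are assumptions.
from dataclasses import dataclass

# The five impact columns of the template's grid, each scored 1 (low) to 5 (high).
IMPACT_CATEGORIES = ("data integrity, confidentiality, and availability",
                     "costs to find, fix, repair, and restore", "lost productivity",
                     "financial losses", "operations and reputation")
# The template's four probability labels; the numeric ranking is assumed here.
PROBABILITY_RANK = {"unlikely": 1, "possible": 2, "highly possible": 3, "probable": 4}
# Impact grid: threat -> one score per category, in IMPACT_CATEGORIES order.
IMPACT_GRID = {
    "Data: copied without permission": (1, 1, 3, 4, 5),
    "Data: disclosed to people who have no right to know it": (5, 1, 3, 4, 5),
    # Constructed row, not from the page, to show a lower-impact threat.
    "Workstation: infected with malware, restored from image": (2, 2, 2, 1, 1),
}

@dataclass(frozen=True)
class Scenario:
    threat_agent: str
    vulnerability: str
    threat: str       # the IMPACT_GRID row this scenario realizes
    probability: str  # one of the PROBABILITY_RANK labels (case-insensitive)

def impact_score(scores):
    """Overall impact of a grid row: the worst of its category scores."""
    if len(scores) != len(IMPACT_CATEGORIES) or any(not 1 <= s <= 5 for s in scores):
        raise ValueError(f"expected {len(IMPACT_CATEGORIES)} scores in the range 1-5")
    return max(scores)

def risk_rating(impact, probability):
    """Assumed rule: impact (1-5) times probability rank (1-4); 10 or more is High,
    5-9 is Medium, below 5 is Low. The template leaves this to judgement; the bands
    are chosen so its sample ratings come out High."""
    try:
        score = impact * PROBABILITY_RANK[probability.lower()]
    except KeyError:
        raise ValueError(f"unknown probability label: {probability!r}") from None
    return ("High" if score >= 10 else "Medium" if score >= 5 else "Low"), score

def prioritize(scenarios, grid=IMPACT_GRID):
    """Rate each scenario; return (scenario, rating, score) tuples, highest risk first."""
    rated = [(s, *risk_rating(impact_score(grid[s.threat]), s.probability)) for s in scenarios]
    return sorted(rated, key=lambda r: r[2], reverse=True)

# Scenarios from the page's probability table, tied to the grid row each realizes.
SAMPLE_SCENARIOS = [
    Scenario("Employee", "falls victim to social engineering (spear phishing)",
             "Data: disclosed to people who have no right to know it", "Probable"),
    Scenario("Third-party service provider", "fails to properly configure systems",
             "Data: disclosed to people who have no right to know it", "Possible"),
    Scenario("Outside malicious party (hacker)", "penetrates our system, accesses member info",
             "Data: copied without permission", "Probable"),
    Scenario("Hacker", "takes advantage of unpatched software",
             "Workstation: infected with malware, restored from image", "Highly possible"),
]

if __name__ == "__main__":
    for s, rating, score in prioritize(SAMPLE_SCENARIOS):
        print(f"{rating:<6} (score {score:2})  {s.threat_agent}: {s.vulnerability}")
```

The mitigation column stays a human decision; the script only produces the ordered list of risks that the "Prioritize and plan" table starts from.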