Proprietary & Confidential © 2011 Fidelity National Information Services, Inc. and its subsidiaries.
Risk Assessments
Scott Yoshimura, Risk Management Consultant

Background
• FIS Managed IT Services (formerly ProNet Solutions) – Provides outsourced technology platform management solutions to independent community banks.
  – Virtual Network Management Services
  – Managed Security Services
  – Hosted Services
• Advisory Services Group – Provides facilitative solutions for IT-related risk management programs and business continuity.
• In 2013 we completed 262 assessments for 66 banks in 13 states

Agenda
• Risk Assessment Overview
• In Depth Look
  – GLBA/Information Security
  – Vendor Management
  – Online Banking
  – Business Continuity
  – New Product Development
• In Depth Look
  – Facilitative Solution
  – What Examiners Are Looking For
  – Questions

Purpose of a Risk Assessment
• Quantify risk into a measurable format
• Designed to
  – Evaluate risks
    • Impact
    • Likelihood
  – Prioritize risks
  – Evaluate the effectiveness of controls
  – Identify gaps

Benefits of a Risk Assessment
• Improve decision making
  – Identifying areas of weakness or concern
  – Valuation of risk to determine risk/return benefit
• Measure change
  – Changes in controls
  – Changes in environment
  – Changes in risk
• Risk awareness

Creating a Risk Assessment
• Board and Executive support
  – Risk awareness and mitigation within the culture
  – Leadership and guidance
  – Understanding and expertise

Creating a Risk Assessment
• Knowledge and resources
  – Develop
  – Identify
  – Evaluate
  – Remediate
  – Manage
• Research applicable regulations and guidance
  – FFIEC
  – OCC
  – FRB

How to create a risk assessment
• What is the driving force?
  – Your purpose will define the quality and benefit of your assessment
• Do you have the knowledge? Is there new guidance?
  – Utilize your available resources to ensure you have the required/recommended criteria
• Have a sound methodology
  – Ensure your process meets your criteria, but is understandable and explainable to staff, your board and examiners

Creating a Risk Assessment
• Quantitative vs Qualitative
  – Quantitative: Requires numerical values for both impact and likelihood using data from a variety of sources
  – Qualitative: Assessing risk and opportunity according to descriptive scales
• Inherent vs Residual
  – Inherent Risk: The risk that an activity would pose if no controls were in place
  – Residual Risk: The risk that remains after controls are taken into account
• Risk Formula
  – Inherent Risk = Impact x Probability
  – Residual Risk = Inherent Risk x Control Risk

Weak vs Strong Assessment

Weak assessment:

Asset           Impact    Likelihood  Risk
Servers         High      High        High
Mobile Devices  Moderate  High        Moderate-High
Shred Bin       Moderate  Moderate    Moderate
Appraisals      Low       Low         Low

Strong assessment:

Asset           Confidentiality  Integrity  Availability    Likelihood  Inherent Risk    Strength of Controls  Residual Risk
Servers         High             High       High            High        High             High                  Moderate
Mobile Devices  Moderate – High  Moderate   Moderate – Low  High        Moderate – High  High                  Moderate – Low
Shred Bins      High             Low        Low             Moderate    Moderate         Low                   Moderate – High
Appraisals      Low              Moderate   Moderate        Low         Moderate – Low   High                  Low

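The scoring described on the formula slide and illustrated by the strong-assessment table, as an added example (not the deck's worksheet or any FIS code); the 1..3 scale values, using the worst of the three CIA ratings as Impact, the control-risk factors and the score bands are assumptions made for this illustration:

```python
# Added illustration of the deck's risk formulas on an ordinal scale; not
# FIS's worksheet. Scale values, worst-case CIA as Impact and score bands
# are assumptions made for this example.
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}
# Fraction of inherent risk that survives a given control strength (assumed).
CONTROL_RISK = {"High": 1 / 3, "Moderate": 2 / 3, "Low": 1.0}


def inherent_risk(cia, likelihood):
    """Inherent Risk = Impact x Probability; Impact is the worst CIA rating."""
    impact = max(LEVEL[r] for r in cia)
    return impact * LEVEL[likelihood]          # 1..9


def residual_risk(inherent, control_strength):
    """Residual Risk = Inherent Risk x Control Risk; weaker controls keep more."""
    return inherent * CONTROL_RISK[control_strength]


def label(score):
    """Map a 1..9 score back to the deck's descriptive scale (assumed bands)."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    return "High"


def prioritize(register):
    """Score every asset and rank by residual risk, highest first."""
    rows = []
    for name, cia, likelihood, controls in register:
        inh = inherent_risk(cia, likelihood)
        res = residual_risk(inh, controls)
        rows.append({"asset": name, "inherent": label(inh),
                     "controls": controls, "residual": label(res), "score": res})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed register: (asset, (C, I, A), likelihood, strength of controls).
REGISTER = [
    ("Servers", ("High", "High", "High"), "High", "High"),
    ("Mobile Devices", ("High", "Moderate", "Low"), "High", "High"),
    ("Shred Bins", ("High", "Low", "Low"), "Moderate", "Low"),
    ("Appraisals", ("Low", "Moderate", "Moderate"), "Low", "High"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row["asset"], row["inherent"], row["controls"], row["residual"])
```

Note that the shred bins rank first on residual risk despite a lower inherent score than the servers, which is the gap a weak assessment that stops at impact and likelihood never surfaces.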
Creating a Risk Assessment
• Does your assessment do the following?
  – Identify subjects
  – Identify and evaluate threats
  – Identify and evaluate controls
  – Determine impact and likelihood
  – Determine areas of concern
  – Prioritize order of importance

Tips for Performing a Risk Assessment
• Ensure everyone involved in the process understands the purpose
• Relate it to their line of business
• Ensure everyone evaluates based on the same risk appetite level
• Challenge and pose questions

Board Reporting
• Understanding of the process
• Understanding of the risks
• Understanding of the position of the bank and strength of controls
• Understanding of the areas of concern
• Understanding of recommendations and action plan

What Examiners are Looking For
• Based on guidance
• Sound methodology
• Management involvement
• Clear board communication

GLBA/Information Security – Regulatory Guidance
• IT Examination Handbook – Financial institutions must maintain an ongoing information security risk assessment program that effectively
  – Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  – Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  – Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.

Information Security Risk Assessment – Valuation Table
Information Security Risk Assessment – Asset Analysis
Information Security Risk Assessment – Risks & Controls Worksheet
Information Security Risk Assessment – Vendor Analysis

What Examiners Are Looking For
• Inherent vs Residual Risk
• Evaluation of threats
• Evaluation of controls
• Identification of key controls
• Testing of controls

Information Security Risk Assessment – Controls Analysis

Vendor Management – Regulatory Guidance
• FIL-44-2008 – Guidance for Managing Third Party Risk
  – This guidance outlines the potential risks that may arise from the use of third parties and addresses the following four basic elements of an effective third-party risk management program:
    • Risk assessment
    • Due diligence in selecting a third party
    • Contract structuring and review
    • Oversight
• OCC Bulletin 2013-29 – Third Party Relationships, Risk Management Guidance
• Federal Reserve SR 13-19/CA 13-21 – Guidance on Managing Outsourcing Risk

Vendor Management – Program Review
• Oversight
• New Vendor Selection & Due Diligence
• Ongoing Monitoring & Due Diligence

Vendor Management – Valuation Table
Vendor Management – GLBA Analysis
Vendor Management – Significant Vendor Rating

Vendor Management – Critical Vendor Review
• Risk Assessment
• Strategic Review
• Due Diligence
• Contingency Planning
• Contract Structuring and Review
• Audit Requirements
• Monitoring & Oversight

Vendor Management – User Controls Considerations

Vendor Management – New Vendor Review
• Risk Assessment
• Due Diligence
• Contingency Planning
• Contract Structuring and Review
• Monitoring & Oversight

What Examiners Are Looking For
• Risk assessment and proper due diligence prior to the selection of a vendor
• Consumer protection
  – Risk third party poses regarding consumer complaints
  – UDAAP/Fair Lending risks
• Ensure completion of enhanced due diligence (SSAE16)
• Review and documentation of compliance with User Control Considerations

Vendor Management – Consumer Protection

Online Banking – Regulatory Guidance
• 2005 FFIEC – Authentication in an Internet Banking Environment
  – The 2005 Guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers.
• 2011 FFIEC – Supplement to Authentication in an Internet Banking Environment
  – The purpose of this Supplement to the 2005 Guidance (Supplement) is to reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.

Online Banking Risk Assessment – Program Review
• Website Review
• Vendor Due Diligence & Suitability
• Contracts & Agreements
• Customer Eligibility & Review
• Risk Assessments
• Account Origination & Customer Verification
• Layered Security Programs
• Effectiveness of Certain Authentication Techniques
• Monitoring & Reporting
• Customer Awareness & Education

Online Banking Risk Assessment – Valuation Table
Online Banking Risk Assessment – Transaction Analysis
Online Banking Risk Assessment – Risks & Controls Worksheet

What Examiners Are Looking For
• Consumer protection
  – UDAAP
  – GLBA
• Other considerations
  – Distributed Denial-of-Service (DDoS) Attacks
  – Corporate Account Takeover (CATO)

Business Continuity – Regulatory Guidance
• FFIEC IT Examination Handbook
  – A business impact analysis (BIA) is the first step in the business continuity planning process and should include the:
    • Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis;
    • Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes;
    • Identification of the legal and regulatory requirements for the institution's business functions and processes;
    • Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and
    • Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.

Business Continuity – Business Impact Analysis

What Examiners Are Looking For
• Impact to the bank
• Recovery Time Objectives (RTOs)
• Recovery Point Objectives (RPOs)

New Product Assessment – Regulatory Guidance
• OCC Bulletin 2004-20 – Risk Management of New, Expanded, or Modified Bank Products and Services
  – An effective risk management process includes (1) performing adequate due diligence prior to introducing the product, (2) developing and implementing controls and processes to ensure risks are properly measured, monitored, and controlled, and (3) developing and implementing appropriate performance monitoring and review systems

New Product Risk Assessment
• Strategic Review
• Personnel
• Risk Management Review
• Regulatory Compliance
• Information Security
• Vendor Due Diligence
• Business Continuity
• Policies & Procedures
• Reporting
• Performance Monitoring

What Examiners Are Looking For
• Risk assessment on all new products/services
• Third Party involvement
• Consumer protection
  – Consumer complaints
  – UDAAP/Fair Lending

Scott Yoshimura, Risk Management Consultant
Advisory Services
[email protected]

Thank You