TraceRiskCompliance

Compliance

Risk Inventory

Risk Inventory is a “fourth” dimension of risk that provides insight into embedded elements of risk that are not specifically covered by a Key Risk Indicator (KRI). Subtle risks are inventoried in this way so that they can be studied orthographically. What does that mean? Orthographic representations of risk are made from the front view (Subjects), the top view (Silos), the end view (COSO) and, from the inside out, the Risk Inventory. Examples of risk inventory items are Product Development Risk, Customer Relations Risk, Training & Backup Risk and Denial of Service Risk.


Cybersecurity Guide!

Data breaches resulting in the compromise of personally identifiable information affect thousands of Americans. Intrusions into financial, corporate and government networks are no longer rare or isolated incidents. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general are now commonplace. These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why FBI Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity: high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. In doing so, he said, the FBI works collaboratively with its domestic and international partners and the private sector.

Financial institutions, regardless of size, are particularly vulnerable to cyber attacks, and that’s why it’s so important to assess your risks in this critical area of your operations. To assist you in this effort, TraceRisk has developed a Cyber Security Risk Management Guide. Our clients have found it to be very helpful and, just as we do for our ERM clients, we’re making it available to you FREE OF CHARGE! The Table of Contents follows so you can see what is covered.

Guide to Developing a Cyber Security and Risk Mitigation Plan
A Community Bank White Paper from TraceRisk™

Table of Contents
Preface
Purpose
Scope
Target Audience
Introduction
Building a Risk Management Program
Appointing Leadership
Establishing a Risk Management Framework
Defining the System
Cyber Asset Identification and Classification
Identifying Critical Cyber Assets (Additional Guidance URLs)
Classifying Cyber Assets
Personally Identifying Information (PII)
Identifying the Electronic Security Perimeter (ESP) Protecting Cyber Assets
Conducting a Vulnerability Assessment (Additional Guidance URLs)
Assessing and Mitigating Risks
Assessing Impact and Risk Levels
Mitigating Risks with Security Controls (Additional Guidance URLs)
Evaluating and Monitoring Control Effectiveness
Addressing People and Policy Risks
Cyber Security Policy
Security Policy Elements
Security Related Roles and Responsibilities
Policy Implementation and Enforcement
Policy Exceptions (Additional Guidance URLs)
Personnel and Training
Security Awareness and Training (Additional Guidance URLs)
Due Diligence in Hiring
Access Privileges
Operational Risks
Perform Periodic Risk Assessment and Mitigation
Enforce Access Control, Monitoring and Logging
Perform Disposal or Redeployment of Assets (Additional Guidance URLs)
Enforce Change Control and Configuration Management
Conduct Vulnerability Assessments (Additional Guidance URLs)
Control, Monitor and Log all Access to Assets
Configuration and Maintenance (Additional Guidance URLs)
Incident Handling (Additional Guidance URLs)
Contingency Planning (Additional Guidance URLs)
Insecure Software Development Life Cycle (SDLC) Risks
Physical Security Risks
Plan and Protection
Monitoring, Logging and Retention
Maintenance and Testing
Third Party Relationships
Addressing Technology Risks
Network Risks
Platform Risks
Application Layer Risks
Communications Systems
Supervisory Control and Data Acquisition (SCADA)
Identifying and Protecting Private Data (Additional Guidance URLs)
Steps in Vulnerability Assessments
Incident Response Planning Items
Disaster Response Planning Items
Glossary and Appendices


COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case: The New COSO Integrated Framework is an important development as it facilitates efforts by banks to develop cost-effective systems of internal control to achieve business objectives and sustain and improve performance. The new version is the predominant method for reporting on the effectiveness of internal control over financial reporting by public companies as required by Section 404 of the Sarbanes-Oxley Act.

Who Should Assess the Risk? Chief Administrative Officer, Chief Operating Officer, Chief Financial Officer, Internal Auditor



Correspondent Bank Concentrations

Use Case for Assessing Risk on Correspondent Bank Concentrations

Why assess the risk? Financial institutions should implement procedures for identifying correspondent concentrations so that there is no over-reliance on or disproportionate deposit balance at a single depository bank. For prudent risk management purposes, these procedures should encompass the totality of the institution’s aggregate credit and funding concentrations to each correspondent on a standalone basis, as well as taking into account exposures to each correspondent organization as a whole. In addition, the institution should be aware of exposures of its affiliates to the correspondent and its affiliates.

Who should assess the risks? Chief Financial Officer, Controller, Accounting Mgr., Chief Operating Officer, ALCO

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Corporate Governance & Ethics

Use Case for Assessing Corporate Governance & Ethics Risk
Why assess the risk? Given the important financial intermediation role of banks in the economy, the public and the market have a high degree of sensitivity to any difficulties potentially arising from any corporate governance shortcomings in banks. Poor corporate governance can contribute to a bank’s failure and can lead to markets losing confidence in the ability of the bank to properly manage its assets and liabilities, including deposits, which could in turn trigger a bank run or a liquidity crisis. In addition to its responsibilities to shareholders, the bank also has a responsibility to its depositors and to other recognized stakeholders. The presence of an effective corporate governance system helps to provide a degree of confidence that is necessary for the proper functioning of a community bank.

Who should assess the risks? Board Chairperson, Board Members, Chief Executive Officer / President, Legal Counsel
How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation.

Core Compliance

Use Case for Assessing Risk on Outsourced Core Processing

Why assess the risk? Outsourced IT services can contribute to operational risks (also referred to as transaction risks). Operational risk may arise from fraud, error or the inability to deliver products or services, maintain a competitive position or manage information. It exists in each process involved in the delivery of the bank’s products or services. Operational risk not only includes operations and transaction processing, but also areas such as customer service, systems development and support, internal control processes and capacity and contingency planning. Operational risk also may affect other risks such as interest rate, compliance, liquidity, price, strategic or reputation risk.

Who should assess the risks? Information Technology Officer, Data Security Officer, Chief Operating Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Consumer Compliance

Use Case for Assessing Risk on Consumer Compliance

Why assess the risk? In all banks, the board of directors and management are required to monitor compliance with all applicable consumer protection laws and regulations. The board is responsible for creating a strong compliance culture within the bank that includes management accountability. Management should create a compliance program based on an evaluation of the bank’s organization and structure, size, resources, diversity and complexity of operations and delivery channels for its various products and services, including Internet and electronic banking. The compliance program should cover all consumer laws and regulations and incorporate all areas of the bank that present risk. Risk management processes should be included in the compliance program to ensure that necessary systems and controls are in place.

Who should assess the risks? Compliance Officer, BSA Officer, Chief Operating Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Compliance Management

Use Case for Assessing Risk on Compliance Management

Why assess the risk? A compliance management system is the method by which the bank manages the entire consumer compliance process. It includes the compliance program and the compliance audit function, sometimes referred to as compliance review or self-assessment (fair lending). The compliance program consists of the policies and procedures which guide employees’ adherence to laws and regulations. The compliance audit function is independent testing of an institution’s transactions to determine its level of compliance with consumer protection laws, as well as the effectiveness of, and adherence with, policies and procedures. Non-compliance with law and regulation weakens the bank and exposes it to dollar losses, regulatory censure (including civil money penalties levied against directors), customer complaints, inaccurate reporting and potential lawsuits.

Who should assess the risks? Compliance Officer, BSA Officer, Chief Operating Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Community Reinvestment Act

Use Case for Assessing Risk on Community Reinvestment Act (CRA)

Why assess the risk? It has always been in a bank’s best interests to reinvest in the communities it serves, regardless of the size and orientation of the institution. The FFIEC provides some guidance for achieving goals and objectives that are explicitly and implicitly set forth in CRA regulations. Examiners will consider the responsiveness to credit and community development needs as well as the innovativeness and complexity of the bank’s community development lending, qualified investments and community development services. To avoid regulatory criticism and attain and hold the status of being a good corporate citizen, a bank should objectively assess its risk profile regarding CRA.

Who should assess the risks? Board of Directors, Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, CRA Officer, Compliance Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.




Assessing Risk on Cybersecurity

Use Case for Assessing Risk on Cybersecurity

Why assess the risk? Banks must create, provision, and operate a formal incident response capability and report all incidents consistent with an incident response policy. Establishing an incident response capability should include the following actions:

  • Creating a cybersecurity incident response policy and plan
  • Developing procedures for performing incident handling and reporting
  • Setting guidelines for communicating with outside parties regarding incidents
  • Selecting a team structure and staffing model
  • Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
  • Determining what services the incident response team should provide
  • Staffing and training the incident response team

Banks should reduce the frequency of incidents by effectively securing networks, systems and applications. Preventing problems is often less costly and more effective than reacting to them after they occur. Thus, incident prevention is an important complement to an incident response capability. If security controls are insufficient, high volumes of incidents may occur. This could overwhelm the resources and capacity for response, which would result in delayed or incomplete recovery and possibly more extensive damage and longer periods of service and data unavailability. Incident handling can be performed more effectively if organizations complement their incident response capability with adequate resources to actively maintain the security of networks, systems, and applications. This includes training IT staff on complying with the bank’s security standards and making users aware of policies and procedures regarding appropriate use of networks, systems, and applications.

Banks should document their guidelines for interactions with other organizations regarding incidents. During incident handling, the bank will need to communicate with outside parties, such as other incident response teams, law enforcement, the media, vendors, and victim organizations. Because these communications often need to occur quickly, banks should predetermine communication guidelines so that only the appropriate information is shared with the right parties.

Banks should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Incidents can occur in countless ways, so it is not feasible to develop step-by-step instructions for handling every incident. Different types of incidents merit different response strategies. The common attack vectors are:

  • External/Removable Media: An attack executed from removable media (e.g., flash drive, CD) or a peripheral device
  • Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks or services
  • Web: An attack executed from a website or web-based application
  • Email: An attack executed via an email message or attachment
  • Improper Usage: Any incident resulting from violation of a bank’s acceptable usage policies by an authorized user, excluding the above categories
  • Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
  • Other: An attack that does not fit into any of the other categories.

Banks should emphasize the importance of incident detection and analysis throughout the organization. In a bank, millions of possible signs of incidents may occur each day, recorded mainly by logging and computer security software. Automation is needed to perform an initial analysis of the data and select events of interest for human review. Event correlation software can be of great value in automating the analysis process. However, the effectiveness of the process depends on the quality of the data that goes into it. Banks should establish logging standards and procedures to ensure that adequate information is collected by logs and security software and that the data is reviewed regularly.

Banks should create written guidelines for prioritizing incidents. Prioritizing the handling of individual incidents is a critical decision point in the incident response process. Effective information sharing can help an organization identify situations that are of greater severity and demand immediate attention. Incidents should be prioritized based on the relevant factors, such as the functional impact of the incident (e.g., current and likely future negative impact to business functions), the information impact of the incident (e.g., effect on the confidentiality, integrity, and availability of the bank’s information), and the recoverability from the incident (e.g., the time and types of resources that must be spent on recovering from the incident).
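As an added example that is not part of the TraceRisk guide or of this page, the Python below shows the kind of automated initial analysis and prioritization the two paragraphs above describe. It parses a handful of constructed log lines (not real data), correlates repeated failed logins from one source into an Attrition candidate and flags a subsequent successful login from the same source as the escalation case, tags a quarantined attachment as an Email candidate, and then ranks each candidate by the three factors named above (functional impact, information impact, recoverability) into a P1 to P4 band. The log format, the five-failures-in-ten-minutes threshold, the per-vector factor estimates and the P1 to P4 bands are illustrative assumptions, not the guide's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format: "<ISO time> <source> <message>".
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z sshd Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z sshd Failed password for admin from 203.0.113.7
2024-03-01T09:00:05Z sshd Failed password for admin from 203.0.113.7
2024-03-01T09:00:07Z sshd Failed password for admin from 203.0.113.7
2024-03-01T09:00:09Z sshd Failed password for admin from 203.0.113.7
2024-03-01T09:00:12Z sshd Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00Z sshd Failed password for bob from 198.51.100.4
2024-03-01T09:30:00Z mailgw Quarantined attachment invoice.docm for carol
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
QUARANTINE_RE = re.compile(r"Quarantined attachment (\S+) for (\S+)")

# Assumed tuning: five failures from one source inside ten minutes raises an Attrition candidate.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn raw lines into (timestamp, source, message) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def correlate(events):
    """Reduce individual events to candidate incidents tagged with an attack vector."""
    incidents = []
    failures = defaultdict(list)   # source IP -> timestamps of failed logins inside WINDOW
    alerted = set()                # source IPs already raised, so one incident per source
    for ts, _src, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            user, ip = m.groups()
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                incidents.append({"vector": "Attrition", "source": ip, "account": user,
                                  "success": False, "first_seen": failures[ip][0]})
            continue
        m = ACCEPTED_RE.search(msg)
        if m:
            # A success from a source already flagged for brute force is the case to escalate.
            _user, ip = m.groups()
            for inc in incidents:
                if inc["vector"] == "Attrition" and inc["source"] == ip and ts - inc["first_seen"] <= WINDOW:
                    inc["success"] = True
            continue
        m = QUARANTINE_RE.search(msg)
        if m:
            attachment, user = m.groups()
            incidents.append({"vector": "Email", "source": attachment, "account": user,
                              "success": False, "first_seen": ts})
    return incidents


LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


def assess(inc):
    """Estimate the three prioritization factors; 'recoverability' is scored as recovery effort.
    These per-vector estimates are illustrative assumptions, not the guide's."""
    if inc["vector"] == "Attrition" and inc["success"]:
        return {"functional": "high" if inc["account"] == "admin" else "medium",
                "information": "high", "recoverability": "high"}
    if inc["vector"] == "Attrition":
        return {"functional": "low", "information": "none", "recoverability": "low"}
    # Quarantined at the gateway: nothing executed, nothing to recover.
    return {"functional": "none", "information": "none", "recoverability": "none"}


def priority(factors):
    """Collapse the three factors (0..9 in total) into a P1 (highest) to P4 band."""
    score = sum(LEVELS[v] for v in factors.values())
    return "P1" if score >= 7 else "P2" if score >= 4 else "P3" if score >= 2 else "P4"


def triage(log_text):
    """Full pass: parse, correlate, assess and sort candidates for human review."""
    incidents = correlate(parse(log_text))
    for inc in incidents:
        inc["factors"] = assess(inc)
        inc["priority"] = priority(inc["factors"])
    return sorted(incidents, key=lambda i: i["priority"])


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOGS):
        print(inc["priority"], inc["vector"], inc["account"], inc["source"], inc["factors"])
```

Run stand-alone, the script reports the admin brute force from 203.0.113.7 as a P1 Attrition incident (five failures followed by a success inside the window) and the quarantined attachment as a P4 Email candidate; the single failure for bob never reaches the threshold and is left for routine review. The rule also illustrates the paragraph's point about log quality: if the authentication log did not record the source address, the correlation could not group the failures at all, which is why a logging standard has to specify which fields each source must emit.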

Banks should use the lessons learned process to gain value from incidents. After a major incident has been handled, the bank should hold a lessons learned meeting to review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices. Lessons learned meetings can also be held periodically for lesser incidents as time and resources permit. The information accumulated from all lessons learned meetings should be used to identify and correct systemic weaknesses and deficiencies in policies and procedures. Follow-up reports generated for each resolved incident can be important not only for evidentiary purposes but also for reference in handling future incidents and in training new team members.

Who should assess the risks? Information Technology Officer, Data Security Officer, Electronic Banking Officer, Operations Administrator, Cash Management/ACH Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.
