TraceRisk Data Security

Data Security

Risk Inventory

Risk Inventory is a “fourth” dimension of risk that provides insight into embedded elements of risk that are not specifically covered by a Key Risk Indicator. Subtle risks are inventoried in this way so that they can be studied orthographically. What does that mean? Orthographic representations of risk are made from the front view (Subjects), the top view (Silos), the end view (COSO), and from the inside out (which is ‘Risk Inventory’). Examples of risk inventory are Product Development Risk, Customer Relations Risk, Training & Backup Risk and Denial of Service Risk.


Cybersecurity Guide!

Data breaches resulting in the compromise of personally identifiable information affect thousands of Americans. Intrusions into financial, corporate and government networks are no longer rare or isolated incidents. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general are now commonplace. These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why FBI Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity: high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. In doing so, he said, the FBI works collaboratively with its domestic and international partners and the private sector.

Financial institutions, regardless of size, are particularly vulnerable to cyber attacks and that’s why it’s so important to assess your risks in this critical area of your operations. To assist you in this effort TraceRisk has developed a Cyber Security Risk Management Guide. Our clients have found it to be very helpful and, just like we do for our ERM clients, we’re making it available to you FREE OF CHARGE! A copy of the Table of Contents is attached so you can see what is covered.

Guide to Developing a Cyber Security and Risk Mitigation Plan
A Community Bank White Paper from TraceRisk™

Table of Contents
Preface
Purpose
Scope
Target Audience
Introduction
Building a Risk Management Program
Appointing Leadership
Establishing a Risk Management Framework
Defining the System
Cyber Asset Identification and Classification
Identifying Critical Cyber Assets (Additional Guidance URLs)
Classifying Cyber Assets
Personally Identifying Information (PII)
Identifying the Electronic Security Perimeter (ESP) Protecting Cyber Assets
Conducting a Vulnerability Assessment (Additional Guidance URLs)
Assessing and Mitigating Risks
Assessing Impact and Risk Levels
Mitigating Risks with Security Controls (Additional Guidance URLs)
Evaluating and Monitoring Control Effectiveness
Addressing People and Policy Risks
Cyber Security Policy
Security Policy Elements
Security Related Roles and Responsibilities
Policy Implementation and Enforcement
Policy Exceptions (Additional Guidance URLs)
Personnel and Training
Security Awareness and Training (Additional Guidance URLs)
Due Diligence in Hiring
Access Privileges
Operational Risks
Perform Periodic Risk Assessment and Mitigation
Enforce Access Control, Monitoring and Logging
Perform Disposal or Redeployment of Assets (Additional Guidance URLs)
Enforce Change Control and Configuration Management
Conduct Vulnerability Assessments (Additional Guidance URLs)
Control, Monitor and Log all Access to Assets
Configuration and Maintenance (Additional Guidance URLs)
Incident Handling (Additional Guidance URLs)
Contingency Planning (Additional Guidance URLs)
Insecure Software Development Life Cycle (SDLC) Risks
Physical Security Risks
Plan and Protection
Monitoring, Logging and Retention
Maintenance and Testing
Third Party Relationships
Addressing Technology Risks
Network Risks
Platform Risks
Application Layer Risks
Communications Systems
Supervisory Control and Data Acquisition (SCADA)
Identifying and Protecting Private Data (Additional Guidance URLs)
Steps in Vulnerability Assessments
Incident Response Planning Items
Disaster Response Planning Items
Glossary and Appendices


Deposit Accounts

Use Case for Assessing Risk on Deposit Accounts

Why assess the risk? Deposits are funds that customers place with the bank and that the bank is obligated to repay on demand or after a specific period of time or after the expiration of some required notice period (e.g. certificate of deposit). Deposits are the primary funding source for most banks and, as a result, have a significant effect on the bank’s liquidity. Errors and omissions and fraudulent alteration of the amount or account number to which funds are to be deposited could result in a loss to the bank. Additionally, uncollected overdrafts, returned items, kiting and other check schemes and frauds can result in losses on deposit accounts.

Who should assess the risks? Chief Operating Officer, Chief Financial Officer, BSA Officer, Compliance Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Debit Cards

Use Case for Assessing Risk on Debit Cards

Why assess the risk? Online debit cards use a PIN for customer authentication and online access to account balance information. At present, financial institutions authenticate customers by matching the PIN with the account number directly through a merchant’s terminal. Banks engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures. Risk management strategies should reflect the nature and complexity of the institution’s participation in retail payment systems, including any support they offer to clearing and settlement systems. Management should develop risk management processes that capture not only operational risks, but also credit, liquidity, strategic, reputational, legal, and compliance risks, particularly as they engage in new retail payment products and systems. Management should also develop an enterprise-wide view of retail payment activities due to cross-channel risk. These risk management processes should consider the risks posed by third-party service providers.

Who should assess the risks? Electronic Banking Officer, Operations Administrator, Cash Management/ACH Officer, Chief Financial Officer, Information Technology Officer, Data Security Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case: The New COSO Integrated Framework is an important development as it facilitates efforts by banks to develop cost-effective systems of internal control to achieve business objectives and sustain and improve performance. The new version is the predominant method for reporting on the effectiveness of internal control over financial reporting by public companies as required by Section 404 of the Sarbanes-Oxley Act.

Who Should Assess the Risk? Chief Administrative Officer, Chief Operating Officer, Chief Financial Officer, Internal Auditor



Correspondent Bank Concentrations

Use Case for Assessing Risk on Correspondent Bank Concentrations

Why assess the risk? Financial institutions should implement procedures for identifying correspondent concentrations so that there is no over-reliance on or disproportionate deposit balance at a single depository bank. For prudent risk management purposes, these procedures should encompass the totality of the institution’s aggregate credit and funding concentrations to each correspondent on a standalone basis, as well as taking into account exposures to each correspondent organization as a whole. In addition, the institution should be aware of exposures of its affiliates to the correspondent and its affiliates.

Who should assess the risks? Chief Financial Officer, Controller, Accounting Mgr., Chief Operating Officer, ALCO

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Core Compliance

Use Case for Assessing Risk on Outsourced Core Processing

Why assess the risk? Outsourced IT services can contribute to operational risks (also referred to as transaction risks). Operational risk may arise from fraud, error or the inability to deliver products or services, maintain a competitive position or manage information. It exists in each process involved in the delivery of the bank’s products or services. Operational risk not only includes operations and transaction processing, but also areas such as customer service, systems development and support, internal control processes and capacity and contingency planning. Operational risk also may affect other risks such as interest rate, compliance, liquidity, price, strategic or reputation risk.

Who should assess the risks? Information Technology Officer, Data Security Officer, Chief Operating Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.
