Most credit unions know that IT risk assessments are required elements of regulatory compliance. While this is true, IT risk assessments can provide a great deal of business value by helping credit unions to improve their security posture over time. Let’s first explore the regulatory perspective.
The FFIEC Information Technology Examiner’s Handbook specifies that conducting an IT risk assessment is a requirement for all banks and credit unions. While the handbook does not prescribe a precise process for performing this assessment, it, together with supplemental publications from the NCUA and FDIC, does point to aspects that must be covered within the assessment.
What Is an IT Risk Assessment?
The FFIEC handbook defines a risk assessment as “a prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.”
This is where many of the in-house risk assessments we’ve seen over the years fall short. Often, an institution will download a template from the internet, enter basic information about its IT systems, and rate the likelihood of various threats to those systems from its own perspective.
While basic templates are reasonable starts, they do not meet the intention of the risk assessment process. Per the NCUA IT Security Compliance Guide, the intent is to “continually review their current policies and procedures to make certain they are adequate to safeguard member information and member information systems, ensure the proper disposal of member information, and include in their written information security program both their review and their findings.”
The FFIEC Examiner’s Handbook specifies the need for information security that promotes the commonly accepted objectives of:
- Availability of information
The NCUA and other examination agencies also call out the need to examine risks beyond what we commonly think of as IT risks, such as risks to records maintained in paper form. Most in-house IT staff at SMB banks and credit unions do not have the time or experience to go past a basic list of systems, potential threats, and the controls they have in place. They simply don’t have the bandwidth to delve deeply enough to satisfy the intent of a full IT risk assessment.
Here to Help – SilverSky’s IT Risk Assessment Approach
The gap between most internal IT staff’s understanding of a risk assessment and the expectations of federal examiners is a great opportunity for SilverSky to help. Over many years of direct work with SMB banks and credit unions, SilverSky has developed a comprehensive risk assessment program that:
- Identifies information assets that contain or process customer information. This includes hardware like servers and NAS, workstations, systems (teller servers, mail service, imaging systems, etc.) and physical items such as loan documents, signature cards, and backup tapes.
- Rates the sensitivity of the information on the listed devices in relation to confidentiality, integrity, and availability.
- Identifies and rates the likelihood of various internal and external threats to the assets.
- Identifies the technical and administrative controls in place for issues such as antivirus, firewall, formal scheduled review of audit logs, and more.
- Produces a residual risk score for all assets.
- Makes suggestions for additional controls or actions for items with high residual risk.
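As an added illustration of the six steps above (this is not SilverSky’s own methodology or code), the following Python sketch scores residual risk per asset from its CIA sensitivity, each applicable threat’s likelihood, and the share of mitigating controls that are missing, then lists the missing controls for high-risk items. The 1..3 scales, the threat catalogue, and the sample inventory are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed 1..3 scales and weights to illustrate the steps above; not SilverSky's actual model.
@dataclass
class Asset:
    name: str
    kind: str                      # "server", "workstation", "system" or "physical"
    cia: dict                      # sensitivity rating 1..3 for "C", "I", "A"
    controls: set = field(default_factory=set)

# Constructed threat catalogue: (likelihood 1..3, CIA property affected,
# asset kinds it applies to, controls that mitigate it).
ELECTRONIC = {"server", "workstation", "system"}
THREATS = {
    "malware": (3, "I", ELECTRONIC, {"antivirus", "firewall"}),
    "unauthorized access": (2, "C", ELECTRONIC, {"firewall", "audit log review"}),
    "lost or stolen media": (2, "C", {"physical"}, {"encryption", "locked storage"}),
    "hardware failure": (2, "A", {"server", "system"}, {"tested backups"}),
}

def residual_risk(asset):
    """Per-threat residual = impact x likelihood x share of mitigating controls missing."""
    scores = {}
    for name, (likelihood, affects, kinds, mitigations) in THREATS.items():
        if asset.kind not in kinds:
            continue  # e.g. malware is not a threat to paper loan documents
        missing = mitigations - asset.controls
        scores[name] = asset.cia[affects] * likelihood * len(missing) / len(mitigations)
    return scores

def assess(assets, high_threshold=6):
    """Steps 5 and 6: residual score per asset, plus missing controls for high-risk items."""
    report = []
    for a in assets:
        per_threat = residual_risk(a)
        total = sum(per_threat.values())
        rating = "high" if total >= high_threshold else "moderate" if total > 0 else "low"
        gaps = sorted({c for t, s in per_threat.items() if s > 0 for c in THREATS[t][3] - a.controls})
        report.append({"asset": a.name, "residual": total, "rating": rating,
                       "recommend": gaps if rating == "high" else []})
    return sorted(report, key=lambda r: -r["residual"])

# Constructed sample inventory (steps 1-4), mixing electronic and physical assets.
INVENTORY = [
    Asset("teller server", "server", {"C": 3, "I": 3, "A": 3}, {"antivirus", "firewall", "tested backups"}),
    Asset("loan officer workstation", "workstation", {"C": 2, "I": 2, "A": 1}, {"antivirus"}),
    Asset("backup tapes", "physical", {"C": 3, "I": 2, "A": 2}),
    Asset("loan documents", "physical", {"C": 3, "I": 2, "A": 1}, {"locked storage"}),
]
```

Running `assess(INVENTORY)` ranks the unencrypted backup tapes and the lightly controlled workstation as high residual risk, which matches the kind of non-obvious, physical-asset finding the examiners expect the assessment to surface.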
At the end of the assessment, the customer is provided both a detailed report containing lists of threats and controls for IT staff and an executive report with colored bar graphs representing residual risk levels and simply stated recommendations.
Our risk assessment process goes well beyond simply satisfying GLBA compliance for examiners. Rather, it becomes a tool for internal staff to see areas for improvement in their institution’s risk posture and is a great point of entry for SilverSky to offer assistance in meeting identified improvement goals through our managed and consulting services.
Finally, it should be noted that an IT risk assessment should not be considered static. It is an ongoing process to identify new risks as they arise and to assess the risk status of systems as they are added.
If you need help, SilverSky is here for you. Don’t hesitate to reach out to us at 1-800-234-2175 or firstname.lastname@example.org.