The credit union information security risk assessment is arguably the most important process a credit union CIO can undertake. After all, how do you protect against threats you are unaware of, or systems you don’t know you have? It makes sense, then, to have an authoritative source that tells you exactly what to do. The FFIEC IT Handbook provides simple yet effective guidelines for taking on this important task methodically. In this post we walk you through those steps and also provide insight into current best practices.
Gather Necessary Information
Your risk assessment will require an in depth knowledge of both your operational and technical environments. The FFIEC breaks the two areas down as such:
Relevant technical data: Examples of relevant technical information include network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems.
Non-technical data: Non-technical information that may be necessary includes the policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage. Additionally, information regarding control effectiveness should be gathered. Typically, that information comes from security monitoring, including self-assessments, metrics, and independent tests.
OGO INSIGHT:
If you are like me, just reading those two paragraphs makes you dizzy. That is A LOT of information. So where and how do you start?
- One piece at a time – If you attack this as an all-or-nothing project, you will fail.
- Develop a project plan – And not just for this step, either. Before jumping into data gathering and analysis, lay out clear action steps for each area, with responsibilities identified and assigned.
- Schedule the resources – I’m not a big fan of outsourcing this part of a risk assessment, for the simple reason that if you do the work, you learn more. That said, I realize many credit unions do not have the resources to perform such an in-depth process. Choosing your partner becomes critical at this point. They need to know your processes, systems and vendors, and most importantly they need to know credit unions!
- Use the right tools – Credit unions today have access to better tools than ever to pull inventories for much of this data. Using a tool such as CU Control takes it a step further and also maps the data back to the AIRES exam. Regardless of your tool of choice,
Identification of Information and Information Systems
Say what? Isn’t that what we just covered? If you thought that too, you are not alone. This part is a bit tricky unless you take the time to identify the key point. Fortunately, we’re going to do that for you!
What the FFIEC Handbook says:
“A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information and information systems can be both paper-based and electronic-based.”
OGO INSIGHT:
I believe the intent here is to push the data gathering to the next level. You are not just randomly tagging systems (or vendors, for that matter) for the sake of tagging. You must push further to understand the types of information being shared, and every stage of its life cycle (access, store, transmit, protect, dispose).
- Start by identifying the type of information you want to protect – No need for fancy classifications here. A good general rule of thumb: if you wouldn’t openly hand it over to a member (think marketing materials), treat it as sensitive and protect it.
- Data flow diagrams – I had the coolest job once (besides the one I have now!). I was a computer scientist working with the DoD right when Arpanet and the Internet started to come to life. I lived and breathed data packets and often coded in real time to relieve congestion in the PSNs (packet switch nodes). I came to love and understand the path of my data traffic, and while it doesn’t seem very fascinating to some, it wired a way of troubleshooting into my brain: follow the packet. From origination to end point, collect the systems and transmission paths during your risk assessment.
- Get out from behind your desk and talk to each staff member – Because you are dealing with both physical and electronic information, it is imperative that you NOT rely on simple asset tracking techniques. My most memorable “find” when doing this for my credit union came when interviewing our card services department: “print screens” (literal paper copies, that is) were a normal part of operations, and sensitive data was being stored in a location we were unaware of (and subsequently were not protecting). Are your employees capturing, storing or transmitting data unknown to you?
- Access controls – During this step you are also looking at access controls, and I feel credit unions do a pretty good job of enforcing “need to know.” The one weakness I frequently see in this area is ongoing maintenance: employees change roles and get promoted, and the access granted for the old role is rarely removed. Access controls must keep up with this, which means periodically reconciling what each person can reach against what their current role requires.
- Transmission of data – Knowing what goes in and out of your credit union by electronic means requires yet another conversation with your staff. You might be thinking, “but we have DLP (data loss prevention), so we’re good.” It is my experience that many DLP implementations fall short of catching all outgoing leaks, and not because of the technology. It is usually because of internal policies that inhibit the full benefit of the software: blocking is replaced with alerting, and certain users are given special privileges that let them bypass these appliances. NOT GOOD!
- And let’s not forget disposal of information – Dumpster diving isn’t an Olympic sport; all sorts of people do it. Your risk assessment must look at how all the information previously gathered is ultimately disposed of. Is it shredded? How are hard drives disposed of? This “cradle to grave” analysis is necessary to protect your credit union.
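The life-cycle coverage, access-control maintenance and DLP points above lend themselves to simple automated checks over the inventory the risk assessment produces. The following is an added example, not code from the original post or from Ongoing Operations; the asset names, roles, entitlement names and DLP rule layout are constructed for illustration and are not any product's real data model. It flags (1) sensitive information types with no recorded control for one of the five FFIEC life-cycle stages, (2) employees holding entitlements their current role does not grant, and (3) DLP rules on sensitive data that only alert or that exempt specific users.

```python
"""Added example: sanity checks over a risk-assessment inventory (constructed data)."""
from dataclasses import dataclass

# The five life-cycle stages named in the FFIEC language quoted above.
LIFECYCLE_STAGES = ("access", "store", "transmit", "protect", "dispose")


@dataclass
class InfoAsset:
    name: str
    sensitive: bool
    controls: dict  # stage -> control in place; a missing or empty entry is a gap


def lifecycle_gaps(assets):
    """Return {asset: [stages with no recorded control]} for sensitive assets only."""
    gaps = {}
    for asset in assets:
        if not asset.sensitive:
            continue  # anything you'd hand to a member needs no life-cycle control
        missing = [s for s in LIFECYCLE_STAGES if not asset.controls.get(s)]
        if missing:
            gaps[asset.name] = missing
    return gaps


# Hypothetical role-to-entitlement matrix; role and system names are assumptions.
ROLE_ENTITLEMENTS = {
    "teller": {"core_read", "teller_platform"},
    "card_services": {"core_read", "card_processor_portal"},
    "it_admin": {"core_read", "domain_admin", "dlp_console"},
}


def access_drift(employees):
    """Entitlements a user holds beyond what the current role grants (stale access)."""
    findings = {}
    for user, role, held in employees:
        surplus = set(held) - ROLE_ENTITLEMENTS.get(role, set())
        if surplus:
            findings[user] = sorted(surplus)
    return findings


def weak_dlp_rules(rules):
    """DLP rules on sensitive data that only alert, or that exempt specific users."""
    weak = []
    for rule in rules:
        if not rule["sensitive"]:
            continue
        if rule["action"] != "block":
            weak.append((rule["name"], "action is %s, not block" % rule["action"]))
        if rule.get("exempt_users"):
            weak.append((rule["name"], "exempt users: %s" % ", ".join(rule["exempt_users"])))
    return weak


# Constructed sample inventory (not real credit union data).
SAMPLE_ASSETS = [
    InfoAsset("member_loan_files", True,
              {"access": "role-based", "store": "encrypted share", "transmit": "TLS to core",
               "protect": "AV/EDR", "dispose": "shred + wipe"}),
    # The "print screens" find: paper copies with no transmit/protect/dispose control.
    InfoAsset("card_services_screen_prints", True, {"access": "desk", "store": "cabinet"}),
    InfoAsset("marketing_brochures", False, {}),
]

SAMPLE_EMPLOYEES = [
    ("asmith", "teller", ["core_read", "teller_platform"]),
    # Moved from card services to teller; old portal access was never removed.
    ("bjones", "teller", ["core_read", "teller_platform", "card_processor_portal"]),
    ("cdoe", "it_admin", ["core_read", "domain_admin", "dlp_console"]),
]

SAMPLE_DLP_RULES = [
    {"name": "ssn_outbound_email", "sensitive": True, "action": "alert", "exempt_users": []},
    {"name": "card_pan_upload", "sensitive": True, "action": "block", "exempt_users": ["cdoe"]},
    {"name": "marketing_pdf", "sensitive": False, "action": "alert", "exempt_users": []},
]


if __name__ == "__main__":
    for name, stages in lifecycle_gaps(SAMPLE_ASSETS).items():
        print("life-cycle gap:", name, "->", ", ".join(stages))
    for user, extra in access_drift(SAMPLE_EMPLOYEES).items():
        print("stale access:", user, "->", ", ".join(extra))
    for rule, why in weak_dlp_rules(SAMPLE_DLP_RULES):
        print("weak DLP rule:", rule, "->", why)
```

On the sample data this reports the card services screen prints as lacking transmit, protect and dispose controls, bjones as still holding the card processor portal after leaving that role, and both sensitive DLP rules as weakened (one alerts instead of blocking, the other exempts an administrator). Re-running it each time the inventory, HR roster or DLP policy changes keeps the "cradle to grave" picture current between full assessments.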
Once the data is gathered, you’ll move into Phase II of the risk assessment: analyzing the data. In our next post we will review how to analyze and begin to rank your risks based on your data gathering activities.
The post How Do I Perform A Credit Union Information Security Risk Assessment? [FFIEC IT HANDBOOK] appeared first on Ongoing Operations - Cloudworks.