Carrying Out a Successful IT Risk Assessment
Integration in Overall Risk Management
Such data security breaches serve as a compelling argument for adopting a rigorous IT Risk Management program. Costs can be significant once actual losses, reputational damage and the outside fees paid to help resolve issues are taken into account. In the past few years, however, the damages incurred from data breaches have decreased considerably; this improvement can be largely attributed to more stringent controls and more robust incident response measures. According to studies, the organizations bearing the lowest data breach costs have in common a Chief Information Security Officer function and the use of outside experts to classify data, educate employees and establish access controls.
Due in part to the recognition of the detrimental cost of security breaches, company management increasingly recognizes the fundamental role that IT plays in the overall performance of a financial organization. Whereas in the past IT Risk was treated as an isolated area that existed to support the external audit, it has evolved into an integrated part of a company's enterprise-wide risk management and corporate governance program. This is reflected in the growing prominence of IT and security functions in the examination process, as reported in surveys of Internal Auditors' priorities.
A Newly Defined Tool
As a result, IT departments face the challenge of setting up efficient and adequate IT governance that includes processes and information requirements, while aligning the IT organizational structure, roles and responsibilities with the firm’s investments, strategies and objectives. At the same time, proper IT governance helps position IT assets and systems strategically within the overall business objectives of the institution, demonstrating their contribution to creating value across the portfolio of activities. For a financial institution, the integration of IT Risk into the general risk oversight process requires improved IT risk management and reporting tools to track and measure the performance of all aspects of IT operations. Monitoring IT resource utilization and allocation enables the identification and mitigation of risks that could impact the firm’s operations, including those of its revenue-generating businesses. As a result, many institutions have collaboratively decided to develop IT governance frameworks and establish industry standards that could be broadly used and recognized. One of these privately funded initiatives, COBIT (Control Objectives for Information and Related Technology), developed by ISACA, is widely used and recognized within the financial industry. ISACA, formerly known as the Information Systems Audit and Control Association, is a professional association with an international presence.
For their part, U.S. financial regulators published guidelines through the Federal Financial Institutions Examination Council (FFIEC) to establish a cohesive set of standards and principles by which to regulate the IT practices of the financial industry. The FFIEC emphasizes the importance of an IT Risk Assessment as a “key driver in the information security process,” touting its ability to “increase management’s knowledge of the institution’s mechanisms for storing, processing, and communicating information, [which] allows management to respond more rapidly to changes in the environment.” Such an assessment should extend to each area of the organization, and the FFIEC advocates that, “At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.” However, companies find it challenging to decipher the necessary requirements, particularly as the FFIEC examination handbooks do not always outline the guidelines in a clear and comprehensible manner. Institutions should therefore be prepared to demonstrate a robust IT Risk Assessment process in advance of a regulatory examination.
A formal IT Risk Assessment should consist of a systematic process that thoroughly examines all areas bearing the possibility of IT risk or an IS breach. A formal methodology should be formulated in advance of the assessment, establishing the tools to be used and the procedure to be followed. Tools such as a Risk Control Matrix serve as the foundation for the IT Risk Assessment, and their coverage of IT-related activities should be both broad and deep. These tools should be tailored and specifically designed to meet the particular circumstances of each institution, while addressing the recommendations of the regulators and complying with industry standards. Everything from Risk and Asset Management to Compliance, Data Privacy and Physical Infrastructure should be explored in detail in order to obtain a comprehensive understanding of the IT environment. Several rounds of interviews with key personnel, not only in the IT department but also in areas such as Human Resources, Legal & Compliance, Operations and Senior Management, are a crucial component of ascertaining the scope and interdependency of the IT-related risks.
Once the risks are identified, the next phase of the IT Risk Assessment should entail the assignment of risk ratings according to severity and priority, as well as recommendations for how to remediate issues. IT management should be involved in the process by which the organization decides how to address the flagged risks, either through risk acceptance or risk mitigation procedures.
Regulatory Hot Topics
While a thorough IT Risk Assessment of all affected areas is expected, regulators have focused particularly on several current high-risk domains. These represent the IT and IS controls most likely to be scrutinized during an examination; as a result, organizations are best served by making sure the following risks are closely analyzed and addressed.
Financial institutions are relying more and more on third-party vendors to perform many of their required IT functions and services, especially with the advent of the Cloud Services model. In this extended enterprise model, vendors and service providers are responsible for the continuous operation of key business IT processes and the proper handling of sensitive data. In the event of a service disruption or information security breach, the financial or reputational costs can be significant. Therefore, institutions should manage vendor relationships by requiring the same controls that are applied internally, particularly where a dependent service provider is responsible for accessing, processing or storing production data. This can include monitoring the vendor’s information security and data-handling procedures as well as mandating adherence to and acknowledgment of an Acceptable Use Policy. Moreover, companies should maintain a policy whereby due diligence is conducted on vendors prior to engagement and on a periodic (annual) basis thereafter.
Business-critical applications, whether hosted internally or externally, require adequate access controls that sufficiently restrict access to production data and information processing systems, along with strong security monitoring controls. As business IT processes become increasingly complex, open to the Internet and moved to external vendors, effective security monitoring of all access to business-sensitive data becomes essential.
In the wake of 9/11, Business Continuity (BC) and Disaster Recovery (DR) became two of the areas most closely scrutinized by examiners. Financial institutions are encouraged to build business continuity considerations into the overall design of the business model in order to reduce the risk of service disruptions. The BC and DR Plans are expected to be robust, detailed, regularly updated, tested and approved by a bank’s Executive Management, and to cover everything from pandemic crisis management to media communication. The institution’s management is encouraged to closely follow and analyze the results of BC and DR Plan testing to identify areas that require special attention and personnel that could benefit from additional training.
The heightened reliance on the Internet to communicate and store data, as well as the importance of network and connectivity to conducting business, introduces the possibility of data leakage—both intentionally and unintentionally. Financial institutions are therefore advised to strive toward achieving a secured IT environment by taking measures to prevent the unauthorized disclosure of sensitive data. This includes identifying potential leakage channels, implementing a data classification system, and setting up controls and monitoring solutions to manage the company’s sensitive information. Organizations should consider all data leakage channels including unauthorized websites, social media, USB ports, memory sticks, email, wireless networks and smart devices.
Given the complexity of the IT universe and the lack of clarity in the documentation published by the regulators, many institutions find that they are best served by enlisting the help of a subject matter expert with prior experience in conducting an IT Risk Assessment or designing a tailored Risk Assessment framework. A third party introduces independence into the analysis, offering the opportunity to objectively point out control issues that management may be too entrenched to identify. For small and medium-sized companies, employing an outside party can also meet a capacity need, as in many cases full-time resources are not available to dedicate the attention required for such an assessment.
With its proficiency in both regulatory expectations and private industry standards, Sia Partners has developed specific methodologies and custom-made tools that allow clients to exercise strong control over their IT operations. The New York team, which recently added an IT audit and risk management subject matter expert, has recent experience conducting IT Risk Assessments for corporate and investment banks. Sia Partners is therefore able to help clients prepare for regulatory examinations by giving them a better understanding of examiners’ expectations and enabling them to identify and strengthen IT and IS controls within their organization.