FFIEC IT Handbook – The Credit Union Information Security Risk Assessment (Part 1)

I’m not a gamer but I live with two. And on any occasion that I happen to pass by their consoles I can be assured I’ll see two meticulously outfitted warriors ready to fend off whatever WOW (World of Warcraft) threat is imminent. In most cases, my crew is successful due to preparedness and a clear understanding of the risks.

Now I realize that Credit Union Information Security Risk Assessment preparation isn’t nearly as exciting, but with the right preparation and tools you CAN make it impactful (and yes, sneak in a bit of warrior skill as well). The FFIEC IT Handbook provides a sound basis for performing the work.

What is an information security risk assessment?

The information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.

OGO INTEL

In the space of a few sentences the FFIEC succinctly wraps up both the intent and the complexity involved in performing an information security risk assessment. Let’s break down a few of these key terms:

  • “is the process” – meaning it is not a once-and-done situation. The expectation is that your Credit Union has an ongoing PROGRAM that addresses all IT security related areas.
  • “identify and understand” – Don’t make the mistake of having the wrong person/group perform your risk assessment. The skills needed are independent of normal everyday operational IT work. Attempting this in-house can also lead to a possible “miss” of an insider-type threat. Keep in mind, it is your role as a leader to remove all perception of possible wrong-doing from your staff (aka dual control). Protecting your “information” assets is no different and requires non-IT resources to assist in oversight.

The process is simple!

  • Identify and assign a value to your information assets – How do you assign a value? Look at it this way – would you put that information, whatever it might be (member name, GL entries, account data), on your Credit Union Facebook page? If not, secure it! You have to protect your members’ sensitive data (PII) anyway, so the cost is irrelevant. No need for extravagant security classifications – just protect what you wouldn’t otherwise make public.
  • Analyze the information assets in relation to potential threats and vulnerabilities – Many Credit Unions get this part backwards. They’ll look at one or perhaps two obvious risks to their operations (hurricane and perhaps data breach) and mistakenly feel they’ve eliminated/mitigated as best as they can. I hate to be the bearer of bad news, but the old “worst case” scenario approach can leave you completely exposed in MANY cases. Credit Unions must expand their analysis to cover several scenarios, including: catastrophic loss, key system failures, key vendor failures, data breach/loss, cyber-threat and insider threat. I may have missed a few but I think I’ve made my point.
  • End result is a list of “ranked” risks to mitigate – One of the easiest ways to rank risk is by likelihood and impact scores. Assigning values on a scale of 1-5 for each category will give you a solid picture of your exposure.
  • Develop strategies to mitigate the risks based on ranking – For each risk that you’ve identified during your Credit Union information security risk assessment, a plan should be developed that addresses that specific threat/risk. Action plans must be included for quick response and control. Without a plan, your Credit Union remains exposed even if you know and understand your threats. Without a plan, all you get are sleepless nights.
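The four steps above can be captured in a small risk register. The following is an added example (not code from this post or from Ongoing Operations) that scores each risk as likelihood × impact on the 1-5 scales described, ranks the register, flags risks that still lack an action plan, and checks the register against the six scenario categories the post lists so that a “hurricane and data breach only” assessment is caught. The register entries, asset names and plan descriptions are constructed sample data.

```python
"""Risk register ranking: likelihood x impact on 1-5 scales (added example, constructed data)."""
from dataclasses import dataclass

# Scenario categories named in the post; an assessment should cover all of them.
REQUIRED_SCENARIOS = (
    "catastrophic loss",
    "key system failures",
    "key vendor failures",
    "data breach/loss",
    "cyber-threat",
    "insider threat",
)


@dataclass
class Risk:
    scenario: str          # one of REQUIRED_SCENARIOS (or a custom scenario)
    asset: str             # information asset affected (anything you would not post publicly)
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (catastrophic)
    action_plan: str = ""  # mitigation/response plan; empty means the risk is still exposed

    def __post_init__(self):
        # Enforce the 1-5 scale so a typo does not silently distort the ranking.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        """Simple likelihood x impact score (1..25)."""
        return self.likelihood * self.impact


def rank_risks(register):
    """Highest score first; ties broken by impact, then scenario name for stable output."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.scenario))


def risks_without_plan(register):
    """Risks that have been identified and scored but have no action plan yet."""
    return [r for r in register if not r.action_plan.strip()]


def coverage_gaps(register, required=REQUIRED_SCENARIOS):
    """Scenario categories from the post that the register does not address at all."""
    present = {r.scenario for r in register}
    return sorted(s for s in required if s not in present)


def summarize(register):
    """Return the ranked register as plain text lines, one per risk."""
    lines = []
    for r in rank_risks(register):
        plan = r.action_plan or "** NO ACTION PLAN **"
        lines.append(f"{r.score:2d}  L{r.likelihood} x I{r.impact}  {r.scenario:<22} {r.asset:<30} {plan}")
    return lines


# Constructed sample register (hypothetical assets and plans, not a real credit union's).
SAMPLE_REGISTER = [
    Risk("catastrophic loss", "core processing data center", 1, 5, "DR site failover and restore test"),
    Risk("data breach/loss", "member PII and account data", 3, 5, "incident response plan, breach notification"),
    Risk("insider threat", "GL entries", 2, 4),  # scored, but no plan yet
    Risk("key vendor failures", "online banking provider", 3, 3, "vendor contingency and exit plan"),
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REGISTER)))
    print("Risks without a plan:", [r.scenario for r in risks_without_plan(SAMPLE_REGISTER)])
    print("Scenario categories not assessed:", coverage_gaps(SAMPLE_REGISTER))
```

Running it ranks the data breach scenario first (score 15), reports the insider-threat entry as lacking a plan, and reports that “cyber-threat” and “key system failures” were never assessed. Both of those findings are the point of the post: a ranked list alone is not enough, and a register that only covers the obvious scenarios leaves gaps.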

In our next post, we’ll look at the key steps for performing your Credit Union information security risk assessment.
