Cyber Security Risk Assessment - Utah's Credit Unions



Cyber Security Risk Assessment

Introduction

This document functions as a tool to help you complete your credit union’s IT risk assessment. Beyond this introduction, it includes three major sections, each of which gives some guidance on the section and then asks a series of questions to help you complete the risk assessment.

What is a cyber security risk assessment? The FFIEC describes it as an “identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.” In short, it is an evaluation of IT assets in relation to threats, and of how the credit union prioritizes and manages the resulting risk.

Brace yourself

Completing an information systems/technology risk assessment is not something one does before breakfast. It will take more work than anyone probably wants to dedicate to it, and will likely require involvement from several people, even at a small credit union. There are three broad steps to completing the risk assessment:

- Gather data
- Analyze data
- Prioritize and plan

Each of these steps has a section below, with a description of what you’ll be doing in that section, followed by questions to guide you through the process.

Technical note: Effective use of this document will require that you understand how to use tables in Microsoft Word. If you’re not familiar with how to do that, search Word’s Help documentation or the Internet, or talk with someone who can give you a little tutorial. Don’t worry. It’s easy stuff.

You can create a new document to use as your assessment, or you can work right in this document, providing your answers in line after the questions. There are a few tables built into the appendices, which you may also find useful when completing a few of the steps. By way of further explanation, each step can be broken down in the following way:

Gather data
- What information do you have?
- What technology assets do you have? What are the systems?
- What are your oversight controls?

Analyze data
- Threats
- Vulnerabilities
- Control effectiveness
- Assign a risk rating to information and systems

Prioritize
- Given the credit union’s data, threats, vulnerabilities, and controls, determine the credit union’s largest risks
- Develop a risk mitigation strategy

So, settle in, put on your thinking cap, and every now and then step away to take a deep breath and remind yourself that it doesn’t have to be completely done right now. Making progress is the important thing.

About the help provided in this document

To assist you in conducting this assessment, we’ve completed many sections of the assessment as if we were a small, one-location credit union. This includes several tables in different sections. You might find this sample language useful to either keep or modify. All such sample language is denoted as such. If you modify or keep the sample language, be sure to remove the notes that it’s sample language, and make sure it accurately describes your credit union.

Gather data

This, our first step, consists of gathering information. You may be able to pull some of it out of your head, but some of it will require gathering (or referencing) other documents. In some cases, you (or someone else) may need to create the documents if you want a very thorough risk assessment.

Note that it’s entirely plausible that the first time through this risk assessment you will leave some items incomplete, with the intention of creating the reference documents later on. Which is fine.
After all, something is better than nothing. So get done what you can now, and plan to complete the rest later on.

Here are the broad questions we’re going to address:

- What information do you have?
- What technology assets do you have? What are the systems? This will include hardware, software, and connections.
- What are your oversight controls?

What information does your credit union have?

Answer this question with a basic narrative about the information you house at your credit union. Here’s an example (sample language):

At XYZ FCU, we retain information about our members, such as their personally identifying information, and information about their personal finances, such as account balances and history. We also keep information about their employment, wages, and credit scores and history. We also keep information about how they access their own information, such as user names and passwords. This is highly sensitive data.

We also keep information about the credit union. This is broad, far-reaching information, and includes every aspect of our operations. It ranges from internal accounting and transaction information to policies and procedures to security details to general operational information. We also have information about our employees, including personal information, and about our vendors, including their security practices.

In order to provide more detail, list all of the information that your credit union keeps. Below are sample charts you can use to list your member, credit union, and vendor information.

Member information

What member information does your credit union have?
Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data on a scale of 1-5, with 1 being not sensitive at all and 5 being of the highest degree of sensitivity.

| Member Information | Description | Sensitivity |
|---|---|---|
| Account information | Balances, history, transactions, account numbers, metadata | 5 |
| Nonpublic personal information | Birth dates, SSNs, addresses, phone numbers, email addresses, employment data, pay/salary data | 5 |
| Credit history | Scores, history, details of credit reports | 5 |
| Loan | Opening dates, opening balances, payment due dates, payment history | 5 |
| Generated information | Internal risk score, online or mobile banking history, passwords | 4 |

Credit union information

What information about your credit union does your credit union have? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data on the same 1-5 scale, with 1 being not sensitive at all and 5 being of the highest degree of sensitivity.

| Credit Union Information | Description | Sensitivity |
|---|---|---|
| Accounting information | Internal account info, GLs, internal accounting practices, expenses, balance sheet, income statement, ALM, ALCO | 3 |
| Investment information | Balances, start date, end date, rate of return | 2 |
| Employee information | Pay, history, nonpublic personal information, disciplinary records, direct deposit details | 5 |
| Network architecture | End-user devices, network devices, port settings, connection setup | 5 |
| System access control information | User names and passwords, privileges, activity logs | 5 |
| Practices | Procedures, policies, combinations, codes, strategy, facilities, training, internal security, robbery procedures, pricing methodology and history for rates and fees, marketing, collections | 4 |

Vendor information

What information do you have about vendors?
Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data on the same 1-5 scale, with 1 being not sensitive at all and 5 being of the highest degree of sensitivity.

| Vendor Information | Description | Sensitivity |
|---|---|---|
| Account information | Log-in information, account numbers, contacts on account | 5 |
| Security practices | Log-in information, event timing | 5 |
| Policies and practices | | 3 |

What connections does the credit union have?

Describe the network connections inside the credit union, as well as those to outside the credit union. Here is an example (sample language):

The credit union has multiple connections to outside the credit union. The primary connection is an Internet connection through Comcast Business Services. This connection is managed through a cable router that connects to a firewall, which filters and directs all Internet traffic. Other external connections take place over this Internet connection: connections to our home banking provider, to our service bureau provider, to our credit report provider, to our backup service, and many more. All of these connections are encrypted. General connection to the Internet is encrypted only when websites (such as our corporate credit union and batch processing provider) or specific services encrypt data.

We also have external connections through phone lines. We have a T1 connection that connects to our PBX system, which directs and manages phone calls. In addition, we have a phone line dedicated to our security system, as well as company cell phones used by a few employees. We have one direct dial-in connection to a legacy third-party provider.

Internally, all of our computers (desktop PCs, servers, etc.) are connected to each other via a local area network managed by a router. Most of the devices on this network are also connected to the Internet through the router and firewall.

List your connections.
Connections can include physical connections, such as phone lines or Internet connections, and virtual connections through the Internet to business partners, such as always-on access to an external resource. Include VPNs, Telnet, etc.

In the first and second columns, name and describe the connection. In the third column, assess the importance of the connection based on its function, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one connection can be ranked 5.

| Connection | Description | Importance |
|---|---|---|
| Landline into office | Provided by XXXXXX. This is a T1 with XXXXX lines, and we have a PBX system administered by XXXXXX. | 4 |
| Internet into branch | Provided by Century Link. | 5 |
| Cell phones | Provided by Verizon. We have X employees with cell phones. | 4 |
| WiFi | A wireless router | 5 |
| Direct connection to core processor | Through the Internet, to our data processor, which houses all of our data and storage. This connection is on constantly. | 5 |
| Inbound connection from home banking provider | This connection comes in to our server, through the Internet, from our home banking provider. | 5 |
| Mobile app connection | This comes in to our server from our app provider, via the Internet. | 5 |
| Alarm system line | A phone line directly to the alarm company | 5 |
| Internal network connections | Each PC, server, and printer is connected to the network via a CAT 5 network cable. All router devices are also connected via CAT 5 cable. | 5 |

In addition, it would be a good idea to provide a network map detailing internal and external connectivity and their interconnections. This map should show routers, access points, firewalls, intrusion detection systems, servers, and backup systems.

What hardware does the credit union use?

List all of the hardware that comprises your system. Be as specific and comprehensive as possible. In the first and second columns, name and describe the hardware.
In the third column, assess the importance of the hardware based on its function, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one piece of hardware can be ranked 5.

| Hardware | Description | Importance |
|---|---|---|
| Core processing system | Houses our core system, which has all of the member and credit union account information | 5 |
| Desktop PCs (7 of them) | One sitting at each employee’s desk, and several shared PCs in the teller line. | 5 |
| Receipt printers | One connected to each computer on the teller line, and to each frontline employee’s computer | 3 |
| Check printers | One connected to all of the teller computers, another to the accounting office, and a third to the loan officers’ computers | 4 |
| General purpose printers | One connected to the teller line, another to the loan staff, and a third in the back office. | 3 |
| Copier/scanner | Connected to the network directly. Not directly accessible by any single user from any computer. | 3 |
| Mobile phone | One for the president of the CU. | 3 |
| Laptop PC | The president’s primary PC and workstation. This is taken offsite every day. | 5 |
| PBX system server | The phone system that directs and manages calls. | 3 |
| Desk phones/landline phones | Connect to the phone switch | 4 |
| Phone switch/router | Logically, this sits between the PBX system server and the phones. | 5 |
| Network switch/router | Logically, this sits right inside the firewall. It assigns IP addresses (DHCP) to all network devices, including servers, PCs, printers, etc. | 5 |
| Firewall | Receives the Internet connection from the Century Link router, and manages traffic in and out of the CU’s internal network. | 5 |
| Mail server | Manages email | 5 |
| File server | Manages files and network drives | 5 |
| Backup drive | Functions | 5 |
| Signage PC | Manages the outdoor signage. | 3 |
| Lobby display PC | Manages the images and video that splash across the display in the lobby. | 3 |
| ATM | | 5 |
| Alarm system | Connects | 5 |
| Internet router | Connects directly to the Internet, and feeds the Internet connection into the firewall device. | 5 |
| Wireless router | Connects to the network switch/router and provides wireless access to the network | 5 |
| Video surveillance PC | A computer running the surveillance system | 5 |
| Surveillance cameras | Cameras recording activity around the credit union | 5 |

What software does the credit union use?

Make a list of all the software in use at your credit union, including operating systems and the firmware of devices that don’t have operating systems. Include:

- Operating systems
- Core data processor
- Other mission critical software
- Office software
- Web browsers
- Databases and files that contain critical and/or confidential information
- Software inventories

In the first and second columns, name and describe the software. In the third column, assess the importance of the software based on its function, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important.
More than one piece of software can be ranked 5.

| Software | Description | Importance |
|---|---|---|
| Core processing system | The primary database that manages member account information, accounting information, etc. | 5 |
| Core processing system OS: UNIX, Windows XX, or similar | The operating system of the server that runs our core processor | 5 |
| Desktop PC OS | Windows XX | 5 |
| Laptop PC OS | Windows XX | 5 |
| Web browser: Firefox, Internet Explorer, Safari, or Chrome | Sits on each PC, including desktops, laptop, servers, signage and lobby display PCs | 5 |
| Microsoft Office Suite | Spreadsheet, word processing, and presentation software. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Adobe Acrobat Reader | Used for viewing documents. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Java Runtime Environment | A plug-in used for many programs and web applications. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Flash | A plug-in used by many web sites. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Webex client | For viewing webinars online. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 2 |
| Image-editing software | | 2 |
| Network switch/router firmware | Used to run and configure the network switch/router | 5 |
| Firewall firmware | Software running and configuring the firewall. | 5 |
| Mail server OS: Windows XX | OS running the mail server | 5 |
| File server OS: Windows XX | OS running the file server | 5 |
| Backup software | Automatically runs a backup each day to a backup media/device | 5 |
| Signage PC OS: Windows XX | Runs the signage PC | 2 |
| Signage PC software | Software that runs the signage | 2 |
| Lobby display software | Runs the images and videos splashing across the lobby marketing display | 2 |
| Lobby display PC OS: Windows XX | Runs the lobby display PC | 2 |
| ATM software | Used to run and configure the ATM | 5 |
| Alarm system software | Used to configure the alarm system | 5 |
| Internet router software | The software that runs and configures the Internet router. | 5 |
| Video surveillance software | Used to record and review video surveillance | 5 |

Where is the information kept?

Here is an example (sample language):

At XYZ FCU, we keep information in both physical and electronic formats. Our physical information is kept on papers, in files, and in books. These are stored in secured rooms, drawers, and cabinets. We keep member transaction information in our core processing system’s database. Much of the credit union information is kept on a system of shared network drives, with access given to employees based on their job function and security clearance level. This electronic information is generally kept on network servers, but some job-specific information is kept on desktop PCs and backed up to a cloud storage service. Each night, information is also backed up to servers at a remote, secure location.

How is access to information controlled?

Describe how information is accessed, stored, transmitted, protected, and eventually disposed of. Here is a basic example (sample language):

Information kept in a physical form (on paper) is always stored behind a locked door or drawer. Accessing it requires the key to open the lock. Within the credit union, it is always hand-delivered or placed in a sealed envelope, so that it is never left out in the open. It is always shredded when we are done with the information.

Electronic information is accessed on computers. To access a computer, a user must authenticate using a username and password. Access to information is given as needed, based on the access level assigned to the user. Within our internal network, data is not encrypted in transit, but when sent outside the network, data is encrypted. It is stored in an encrypted format. When storage devices have reached the end of their lives. Items such as flash drives and removable drives are only allowed to be used in rare circumstances by select employees.
Only brand-new devices may be connected to a credit union computer; a device that has previously been connected to any other computer may not be connected to any credit union computer.

In addition, describe the oversight controls in place. For example, what policies and procedures do you have in place to manage your IT system? There’s no need to provide great detail here, but at least mention what policies and procedures you have, and describe them a little. Also include information about training and other cultural controls.

| Control | Description |
|---|---|
| Computer security and control | Outlines the general guidelines for running the IT program. |
| User access agreement | An agreement that each user must sign, outlining duties and responsibilities in relation to system access. |
| Security training | Mandatory annual training about social engineering, and computer, email, Internet, and other security |
| Patch management policy | Outlines proper ways to manage software patches |
| Firewall policy | Outlines the proper way to configure the firewall |
| Computer software and hardware acquisition policy | Outlines the process for adding software or hardware to the system |
| Remote access policy | Outlines requirements for remotely accessing system resources |
| Cloud computing policy | Outlines requirements for utilizing cloud services |
| Security policy | Outlines general physical facility and physical information practices |
| Information security policy | The primary IT policy, outlining general practices and guidelines for maintaining a secure environment |
| Incident response policy | Practices for responding to an IT security incident |
| Intrusion detection system | Monitors for intrusion throughout the system continuously |
| IT audit | Completed annually to ensure our IT program is working the way it should |
| Personnel security policy | Policy outlining background checks and behavior monitoring |
| Vendor contracts | Specify security, service levels, and other requirements for partners |
| Cyber security insurance | Provides a benefit in the case of an incident, provided we are following our policies and procedures |

The credit union utilizes policies to set general practices in place. These policies control everything from firewall configuration to destruction of unneeded storage devices to user access to password requirements to configuration of the network. The policies require controls such as training and evaluation of employees, an annual IT audit, vendor contract management, and more.

In addition, it would be a good idea to provide detailed hardware and software configurations. For example, how are desktop PCs and servers configured? How are their user accounts set up, and their access to network drives?

Another useful document is a system architecture diagram. It should show service provider relationships, where and how data is passed between systems, and the relevant controls in place. This may be part of the network map provided under the “Connections” section, above.

Analysis

In this section of the risk assessment, we will analyze the information we have gathered. The goal is to determine what risk we have, where, and the adequacy of our controls in mitigating that risk. We will complete this in several steps:

- Analyze the sensitivity of data and systems
- Analyze threats, threat agents, and vulnerabilities
- Analyze control effectiveness

Analyze the sensitivity of data and systems

Using the tables in the section above, you should have already evaluated the sensitivity and importance of data, connections, hardware, and software.

About threats and vulnerabilities

It’s time to analyze threats and vulnerabilities. The point is to determine which threats or vulnerabilities deserve priority attention relative to the value of the information or information systems being protected. Although threats and vulnerabilities need to be considered together, it is important to distinguish threats from vulnerabilities. Threats are events that could cause harm to the confidentiality, integrity, or availability of information or information systems.
They can be characterized as the potential for agents exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Threats can arise from a wide variety of sources, called threat agents.

Identify threats

In this section, we want to identify threats. In later sections, we will identify threats’ potential impact and evaluate their probability of happening. Below, a series of specific questions is designed to help you eat this elephant one bite at a time. Examples of how you might answer these questions (sample language) are provided after each question.

What are the threats to your data?

As you answer this question, do not think in terms of threat agents. We’ll get there. For now, simply think of “what could happen to our data?” If necessary, provide an explanation of the threat.

Our data could be:
- Copied without permission
- Disclosed to people who have no right to know it
- Deleted
- Corrupted en masse
- Held hostage
- Modified selectively: for example, small amounts, hardly noticeable, changed on many accounts. Or one account modified. Or contact information on an account modified.

What are the threats to your connections?

Think in general terms about your connections. If necessary, provide an explanation of the threat.

Our connections could be:
- Shut down: for example, completely turned off. Perhaps physical wires could be cut.
- Overloaded: too much traffic could be sent through a connection, so that nothing of importance could get through.
- “Eavesdropped” on: someone might access, monitor, copy, or selectively modify traffic on a connection.
- Used for inappropriate purposes: authorized persons use the connection for inappropriate purposes.
- Piggybacked on: unauthorized persons use our connection for their own purposes.

What are the threats to your hardware?

Think in general terms about your hardware.
If necessary, provide an explanation of the threat.

Our hardware could be subject to:
- Failure: hard drives, power supplies, system boards, memory, etc. could fail, rendering the hardware useless.
- Theft: hardware might be stolen.
- Modification: for example, a key-logger added to a device.
- Damage or destruction: someone might purposefully destroy or damage hardware.

What are the threats to your software?

Think in general terms about your software. If necessary, provide an explanation of the threat.

Our software could be subject to:
- Reconfiguration: software may be reconfigured in unauthorized ways so that it does things it is not meant to do, or so that it allows access in ways it should not.
- Modification: changes to what the software does or how it works.
- Deletion/uninstallation.
- Installation: unauthorized software may be installed on hardware.

Identify threat impact

Here, we want to identify what the impact could be if a threat were realized. This will likely be tedious. Hang in there. This table will be large.

To do this, take each of the threats identified in the previous section and plug them into the table below. The table asks you to evaluate the potential impact in the following aspects:

- Data integrity, confidentiality, and availability of information
- Costs associated with finding, fixing, repairing, and restoring a system
- Lost productivity
- Financial losses
- Other issues affecting the institution’s operations and reputation

If you wanted to be thorough, you could consider each type of data, connection, hardware, and software in conjunction with each of the threats. That is what would happen in an ideal world. Maybe the second or third or fourth time you do this risk assessment, you should do that. However, to simplify this effort, the first time you do this risk assessment, consider all of your data, connections, hardware, and software as a whole, as if all of them were of the utmost sensitivity and importance.
In each square of the grid, assign a number value for the potential impact, with 1 being low and 5 being high. Then, provide an explanation where it makes sense. The sample entries below (sample language) list, for each threat, the five columns in the order given above.

Data: copied without permission
- Impact on data integrity, confidentiality, and availability of information: 5. Unauthorized copying is an unauthorized disclosure: confidentiality is lost even though integrity and availability are untouched.
- Costs associated with finding, fixing, repairing, and restoring a system: 1. This would cost, just not for the reasons listed in the column header.
- Impact on productivity: 3. This could impact management’s productivity as it copes with the potential problems that arise from someone getting our data.
- Financial losses: 4. The copying of data, itself, is not the problem. The problem is what is then done with that data, and correcting it. There would be significant costs both in staff time and financial resources in correcting problems.
- Other issues affecting operations and reputation: 5. If our data were copied by an unauthorized party, they could use that data for any number of purposes that would damage our operations and cause us to spend significant resources correcting the problem. Of particular concern: the reputation hit that our credit union would take.

Data: disclosed to people who have no right to know it
- Impact on data integrity, confidentiality, and availability of information: 5. By definition, if the data were disclosed to unauthorized persons, it is no longer confidential.
- Costs associated with finding, fixing, repairing, and restoring a system: 1. This would cost, but not for the reasons listed above.
- Impact on productivity: 3. Same as for data copied without permission.
- Financial losses: 4. Same as for data copied without permission.
- Other issues affecting operations and reputation: 5. Same as for data copied without permission.

Data: deleted
- Impact on data integrity, confidentiality, and availability of information: 5. If our data were deleted, it would not be accessible. We would need to restore it. If the backup were also deleted, this could be crippling, and perhaps destroy the credit union. Imagine: all of our members’ history, balances, etc., gone.
- Costs associated with finding, fixing, repairing, and restoring a system: 3. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities and potential increases in staff time to do some things manually.
- Impact on productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending on the type of data deleted, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 3. With a backup working properly, financial losses will mostly take the shape of lost opportunities and staff time.
- Other issues affecting operations and reputation: 5. Again, depending on the data deleted, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits.

Data: corrupted en masse
- Impact on data integrity, confidentiality, and availability of information: 5. This is the epitome of data not having integrity. At this point, we cannot rely on any of the data, and will need to restore a backup.
- Costs associated with finding, fixing, repairing, and restoring a system: 4. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities and potential increases in staff time to do some things manually.
- Impact on productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending on the type of data corruption, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 3. With a backup working properly, financial losses will mostly take the shape of lost opportunities and staff time.
- Other issues affecting operations and reputation: 5. Again, depending on the data corrupted, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits, especially if information about the threat went public.

Data: held hostage
- Impact on data integrity, confidentiality, and availability of information: 5. Data being held has many potential problems. Suddenly its integrity, confidentiality, and availability are all called into question. Even if the data remained available, what is the guarantee that it’s confidential and accurate?
- Costs associated with finding, fixing, repairing, and restoring a system: 4. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities and potential increases in staff time to do some things manually.
- Impact on productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending on what is held for ransom, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 5. Financial loss could be very high if we pay a ransom for our data, and especially if we pay and then lose our data anyway. The cost to regain it could be drastic, especially if our backup is not working.
- Other issues affecting operations and reputation: 5. Again, depending on the data held hostage, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits, especially if information about the threat went public.

Data: modified selectively
- Impact on data integrity, confidentiality, and availability of information: 5. This is a particularly insidious threat, because it may go unnoticed for a long time, and would compromise the integrity and confidentiality of all data.
- Costs associated with finding, fixing, repairing, and restoring a system: 5. This would require significant resources and effort.
- Impact on productivity, financial losses, and other issues: left blank in the sample.

The remaining threats are listed in the sample with all five columns left blank, to be completed:

- Connections: shut down
- Connections: overloaded
- Connections: eavesdropped on
- Connections: inappropriate use
- Connections: piggybacked on
- Hardware: failure
- Hardware: theft
- Hardware: modification
- Hardware: damage or destruction
- Software: reconfigured
- Software: modified
- Software: deleted/uninstalled
- Software: installation

Threat agents

Threats can arise from a wide variety of sources, called threat agents. Traditionally, agents have been categorized as internal or external. You’ll need to identify your threat agents. Each one identified may have different capabilities and motivations, which may require different risk mitigation and control techniques and a focus on different information elements or systems. Natural and man-made disasters should also be considered as agents. List your threat agents and describe the threats they pose.

Internal threat agents: all of our internal threat agents could cause security incidents on purpose or by accident. All internal threat agents have varying degrees of access to our data, systems, connections, and software. Internal threat agents are a common weak link across all industries. Any of the following internal threat agents may cause incidents due to malicious intent, incompetence, carelessness, or any number of other reasons.

- Employees
- Volunteers
- Third-party service providers: our providers have different access than our employees. They may not (but some may) have access to our member data, but may have access to how our systems are set up, and some even have the ability to change system settings.
They may even make recommendations for changes to our settings, and due to our lack of expertise in technical matters, we may agree with the need for the change.
Former insiders: these people leave our organization with knowledge of our systems, practices, and policies. They may have information about how to access systems, or how to get around controls. If their user accounts are not removed, they may retain access to our systems. As with other internal threat agents, they may cause security incidents on purpose or by accident.

External threat agents: the motives of external threat agents vary, as do their capabilities. Their goals may also vary, from stealing information, to modifying data, to just having fun. Some may want to cause destruction or disruption. All of these agents, however, could potentially realize any of the threats listed above. External threat agents include:
Criminals
Recreational hackers
Competitors
Terrorists

Natural and man-made disasters: these agents include things like earthquakes, floods, terrorist attacks, man-made accidents (vehicle or airplane crashes), and more. Basically, anything that could cause widespread or local destruction. These threat agents have significant potential to disrupt operations. They may destroy hardware and connections. They may cause significant distraction that would allow for more social engineering.

Identifying vulnerabilities

Vulnerabilities can be characterized as weaknesses in a system, or control gaps, that, if exploited by a threat agent, could result in the realization of a threat. In other words, threat agents exploit the vulnerability. The vulnerability is the means by which the threat agent accomplishes something.

The challenge in identifying vulnerabilities is that many of them are technical in nature, and very specific. There's a super good chance that you, the person doing this assessment, aren't a technical person and that you can't identify the specific (and maybe even general) technical vulnerabilities.
The good news is that you've just identified a vulnerability. It should be part of the risk assessment. The bad news is that this particular vulnerability often translates into intimidation and confusion, and could lead to a lack of action. Don't let that vulnerability stop you from proceeding. Do what you can. Seek input from others. And improve your assessment as you go along. In the end, as you complete this risk assessment multiple times and your institution becomes more aware in more specific ways, you will be able to add more detail to the vulnerabilities.

What are the vulnerabilities in your IT system?
What parts of your system could be exploited? How might they be weak? Be as specific or general as you feel appropriate. Address all aspects of the system: hardware, software, controls, connections.

We have connections to the outside world that could be exploited.
Our data needs to be accessed by a wide range of people, and could be intercepted at any point.
We have people involved in the system; they may not follow established procedures and processes for any number of reasons: deception, dishonesty, laziness, forgetfulness, incompetence, etc.
We have hardware that exists in physical space. This hardware could be destroyed or compromised.
We must have some ports on our firewall open so traffic can get through.
We have very little technical knowledge on staff. This is a vulnerability because we rely on one person (or one outside group) for technical expertise. The work of that one person is not checked or verified by anyone inside our institution. We have no idea if they are doing what they're supposed to be doing.
We have not catalogued or established requirements for all of our controls.
We have policies and controls specified in place, but do not audit to make sure the policies are followed.
Our policies tend to focus on controls for employee procedures, rather than the technical configuration of equipment and software.
So, our technical controls may not be as strong as they need to be.
We do not audit our employees for compliance with security procedures, and we do not formally review their performance.
We do not filter web content; employees can access any website and click on any link.
We do not have virus protection on all our machines.
Our email program does not scan attachments for malware.
Any of our employees can install software on the workstation computers.
We do not run continuous penetration detection.
We do not monitor and log all activity on the servers and through connections.
We have no way to audit our third-party service providers' security practices.
Some of our contracts with third-party providers do not specify security service levels.
We do not have redundancy built into our security devices (firewall).
Our penetration testing is done only once a year, leaving us open to potential issues for long periods of time.

In addition, we have many of the usual expected vulnerabilities, which can reasonably be anticipated to arise in the future:
Unpatched software,
New and unique attack methodologies that bypass current controls,
Employee and contractor failures to perform security duties satisfactorily,
Personnel turnover resulting in less experienced and knowledgeable staff,
New technology introduced with security flaws, and
Failure to comply with policies and procedures.

Control effectiveness

It's time to identify controls that mitigate the impact or likelihood of each identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing (preventive, detective, or corrective) or nature (administrative, technical, or physical).
We also need to measure their effectiveness and compliance with controls, which may be done via self-assessments, metrics, independent tests, etc.

What preventive controls are in place?
Preventive controls act to limit the likelihood of a threat agent succeeding.
(Table columns: Control; Control description; How effectiveness of control is measured; Effectiveness level (high, moderate, low))

Firewall: Restricts and directs all traffic into the network from outside the network. Denies all unauthorized traffic. Effectiveness measured by: periodic penetration testing is completed. Effectiveness level: High.
Network intrusion prevention systems: Monitors the system for unauthorized access. Logs all activity.
Antivirus software: Ensures that malicious software is not installed on computers.
User access controls: Specifies which resources each user has the rights to access, and during what hours.
Removal of default accounts: Default admin and guest accounts are removed.
Password controls: Specifies the length and complexity of passwords.

What detective controls are in place?
Detective controls identify harmful actions as they occur.
(Table columns: same as above)

Intrusion detection system: Monitors all network traffic to determine whether it is normal or not. Non-normal activity is halted and reported immediately.
Access monitoring: Monitors all folders, logs all activity in folders, and notifies administrators of unusual activity.
Honeypot: Functions as a relatively attractive target for hackers to hit, but serves no business purpose. This is the trap to catch hackers.

What corrective controls are in place?
Corrective controls facilitate the termination of harmful actions, and reduce damage.
(Table columns: Control; Control description; How effectiveness of control is measured; Effectiveness level (high, moderate, low))

Fail-safe policies: Requires that if resources fail, they fail to a safe and protected mode.
Workstation images/restoration: An image is made of each workstation once it is properly configured, so that if something goes wrong with the workstation, it can easily be restored to a clean state.
Backups: Backups of all critical data allow for restoration of key data.

What administrative controls are in place?
(Table columns: same as above)

Contracts with providers: Contracts with providers specify the duties of providers related to security, and allow for auditing and reporting of their security measures.
Training on security: Employees are trained annually on security practices.
End-user agreements: Employees are required to sign agreements on how they are allowed to use, and will use, credit union resources.

What technical controls are in place?
(Table columns: same as above; only the control names have been filled in so far)
User permissions
Port filtering
DNS placement
User account authentication
Data encryption

What physical controls are in place?
(Table columns: same as above)

Locks on doors: Doors with servers and networking equipment behind them are always locked. Offices not being used have their doors closed and locked.
Cabinets for computers: All desktop computers are kept in locked cabinets at desks.

Probability of threat agents exploiting vulnerabilities to realize a threat, given controls in place

Using scenarios, analyze the probability of different threat agents causing damage.
These scenarios should consider your credit union's:
Business strategy,
Quality of its control environment, and
Its own experience, or the experience of other institutions and entities, with respect to information security failures.

You cannot possibly review all possible scenarios. Instead, select general scenarios, or those most likely to happen, and review them in the chart below. Start with 10 the first time. Edit them next time, and add others. For the probability, simply assign a value of probable, highly possible, possible, or unlikely, and then explain why that probability is assigned, especially considering all of the controls in place.

(Table columns: Threat agent; Vulnerability; Description; Probability)

Threat agent: Employee
Vulnerability: Falls victim to social engineering (spear phishing attack)
Description: This could happen online, in email, over the phone, or in person. In this case, a person tricks an employee into disclosing information or otherwise bypassing controls.
Probability: Probable. Even given all of the controls in place, our employees are generally trusting and well-intentioned, and want to help people. Plus, training is not a guarantee of compliance with policies. Neither is evaluating people on following the policies and practices.

Threat agent: Employee
Vulnerability: Exploits trust and purposefully ignores or violates procedures
Description: An employee purposefully ignores or bypasses controls for whatever reason.
Probability: Highly possible. Despite all our controls, training, and hiring practices, someone may decide to be dishonest. This is common across all industries, no matter what controls are in place. Intimate knowledge of controls makes it possible to manipulate or circumvent them.

Threat agent: Third-party service provider
Vulnerability: Fails to properly configure systems
Description: The "computer guy" fails to follow some procedure, and leaves our system vulnerable.
Probability: Possible. We don't actually know how good the abilities of our network people are, because we don't evaluate and measure that. We also don't have anyone checking their work, to make sure it's accurate and according to procedures.
This leaves us vulnerable. We basically rely on his competence, but have no way of verifying or checking that.

Threat agent: Third-party service provider
Vulnerability: Exploits trust
Description: The "computer guy" purposefully does something to allow himself or someone else access to sensitive information.
Probability: Possible. We do not have controls in place to double check that all the systems are configured, monitored, and logged properly. This means that someone who knows what they're doing could conceivably set up the system for his own benefit.

Threat agent: External malicious party (hacker)
Vulnerability: Holds our data hostage
Description: An outside party hacks into our system, accesses our data, and holds it hostage in exchange for ransom. They may or may not restore data once the ransom is paid.
Probability: Possible. While we do penetration testing, and our system is fairly secure and doesn't change often (change could lead to holes), there are new exploits discovered all the time. We could fall victim to one of those.

Threat agent: Outside malicious party (hacker)
Vulnerability: Penetrates our system via the Internet and accesses member information
Description: While our system is relatively secure and tested annually, it's still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor.
Probability: Probable. If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.

Threat agent: Outside malicious party (hacker)
Vulnerability: Penetrates our system and modifies critical data
Description: While our system is relatively secure and tested annually, it's still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor.
Probability: Highly possible.
If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.

Threat agent: Hacker
Vulnerability: Takes advantage of unpatched software
Probability: Highly possible

Threat agent: Terrorist attack
Vulnerability: Disrupts communication lines
Probability: Possible

Threat agent: Earthquake
Vulnerability: Damage to connection or hardware
Probability: Highly possible

Prioritize and plan

Here is the culmination of all our effort. Here we identify where our largest risks are, and how we will take steps to mitigate those risks. Most of the hard work is done. So go get a drink and relax while you finish this bad boy up.

In the table below, list your risks and assign them a risk rating of "High," "Medium," or "Low". In the third column, indicate steps to take to mitigate those risks.

(Table columns: Risk; Risk rating; Mitigation plans)

Risk: Third-party vendor makes a mistake or purposefully causes harm
Risk rating: High
Mitigation plans: We will plan for an audit of our IT security system, which we will not inform our network guy about beforehand. We will hold this each year.

Risk: Employee falls victim to social engineering
Risk rating: High
Mitigation plans: Add quarterly security training for all employees, as well as testing to ensure they comply with appropriate rules, then incorporate training and testing into performance evaluations.

Risk: Our system is hacked and someone gets inside our secure perimeter
Risk rating: High
Mitigation plans: Implement intrusion detection systems with fail-safe controls; implement a honeypot to catch bad actors.
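As an added worked example (not part of the credit union template), the Python below combines the template's own scales, the probability words from the scenario chart and the 1-5 impact ratings from the threat tables, into the High/Medium/Low rating that the Prioritize and plan table asks for, and sorts the scenarios so the largest risks come first. The score cut-offs, the impact-area names, and the sample scenarios are assumptions made for this example.

```python
# Added example, not part of the credit union template: it combines the
# template's own scales (probability words probable / highly possible /
# possible / unlikely, and the 1-5 impact ratings from the threat tables) into
# the High/Medium/Low rating used in the "Prioritize and plan" table. The
# score thresholds and impact-area names are assumptions of this example.
from dataclasses import dataclass, field

PROBABILITY_SCORE = {"unlikely": 1, "possible": 2, "highly possible": 3, "probable": 4}
HIGH_AT, MEDIUM_AT = 12, 6   # assumed cut-offs on probability x worst impact (1..20)

@dataclass
class Scenario:
    threat_agent: str
    vulnerability: str
    probability: str                              # one of the four template words
    impacts: dict = field(default_factory=dict)   # impact area -> rating 1..5

def risk_score(s: Scenario):
    """Probability score times the worst impact rating, or None when the
    impact row was left blank (several rows in the template still are)."""
    p = PROBABILITY_SCORE.get(s.probability.strip().lower())
    if p is None:
        raise ValueError(f"unknown probability word: {s.probability!r}")
    if not s.impacts:
        return None
    worst = max(s.impacts.values())
    if not 1 <= worst <= 5:
        raise ValueError("impact ratings must be 1..5")
    return p * worst

def risk_rating(s: Scenario):
    score = risk_score(s)
    if score is None:
        return "Unrated (impact not yet assessed)"
    if score >= HIGH_AT:
        return "High"
    return "Medium" if score >= MEDIUM_AT else "Low"

def prioritize(scenarios):
    """(rating, score, agent, vulnerability) rows, highest risk first; unrated
    rows sink to the bottom so they are not forgotten on the next pass."""
    rows = [(risk_rating(s), risk_score(s), s.threat_agent, s.vulnerability) for s in scenarios]
    return sorted(rows, key=lambda r: -1 if r[1] is None else r[1], reverse=True)

# Constructed scenarios echoing rows of the template's probability chart.
SAMPLE = [
    Scenario("Employee", "Falls victim to social engineering", "Probable",
             {"security": 5, "operations": 4, "reputation": 5}),
    Scenario("External malicious party", "Holds our data hostage", "Possible",
             {"security": 5, "financial": 5, "reputation": 5}),
    Scenario("Earthquake", "Damage to connection or hardware", "Highly possible",
             {"operations": 4, "financial": 3}),
    Scenario("Terrorist attack", "Disrupts communication lines", "Possible", {"operations": 3}),
    Scenario("Thief", "Hardware theft", "Unlikely"),        # impact row still blank
]
```

Calling prioritize(SAMPLE) yields the rows in the order Employee (High, 20), Earthquake (High, 12), data hostage (Medium, 10), communication lines (Medium, 6), and the unrated hardware theft row last.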