In a recent survey, Security Spending and Preparedness in the Financial Sector, SANS polled various organizations within this sector to better understand their outlook on risks facing the organization. As a result, SANS made some suggestions that align with the Financial Institutions Examination Council (FFIEC) in regards to critical steps in performing a risk assessment. In this post, I’ll discuss each step in more consideration, provide some tips and tricks and also review some other considerations not outlined by SANS or FFIEC. Remember, it’s best to validate any audit considerations with your internal or external audit body.
Ongoing data collection
When we discuss ongoing data collection relating to the organization’s environment and threats facing the environment, a key aspect is the frequency for which data is collected and assessments are performed. Most compliance mandates, at a minimum, require an annual risk assessment to be performed against the organization’s environment (both electronic and physical), business processes and third-party interactions.
However, consider that the organization’s environment and threats facing the organization are ever changing. As changes occur, whether a new risk facing the industry or new systems or processes being brought into scope, the organization must implement these new risk vectors into the risk assessment and update as they become live in their environment. Waiting for the annual risk assessment is not sufficient as this presents a period where controls are not implemented to mitigate new risks.
Similar to annual risk assessment requirements in most compliance mandates, organizations traditionally must perform an annual vulnerability assessment that includes penetration testing of both the physical environment and overall network. Very much like the risk assessment as changes or new systems come into play, the organization should apply vulnerability testing and validation, accordingly.
Vulnerability assessments can provide valuable data relating to risk exposure, but must be communicated up to the audit committee, executive board of directors, and management to prioritize remediation efforts.
Traditionally performed by an internal audit body, periodic walkthroughs are a vital component in understanding business processes and how the employees interact with those business processes or involved systems. Regardless of your industry, you must always consider the human risk factors. The organization can implement high-end security solutions, such as next-generation firewalls or controls, but as soon as a human risk factor is exploited, all mitigation efforts could be bypassed or made ineffective. Walkthroughs should be performed at least annually or as needed for new business processes, personnel, or systems being brought into scope. Always consider human risk factors!
Risk analysis regarding the potential impact of the risks
The importance of communicating findings as a result of audits, vulnerability assessments and other methods of data collection is vital for mitigating risks to reduce the overall impact. Most mitigation efforts or control implementation requires budget and resource allocation. To gain traction and momentum in these remediation efforts to reduce impact, audit committees, boards of directors and management must be kept in the loop. The objective is to provide them with the knowledge and data (results) to make educated and strategic decisions for remediation efforts.
These executive level groups can assist the organization in prioritizing remediation efforts to address those vulnerabilities that could have significant and detrimental impacts to the organization. Don’t stop at the initial communication. Periodic updates and status updates on remediation objectives should be given at least quarterly, if not more frequently.
When discussing the impacts of a given risk, organizations tend to focus specifically on related financial service compliance impacts. However; organizations must also take into consideration impacts beyond compliance such as reputation, trust, accountability, clean-up efforts, business continuity and so forth. Take a step back from specific compliance requirements and look at overall impacts to the organization.
Prioritization of controls and mitigating actions
There is no exact science to prioritization of controls or mitigation actions, but it is important for the organization to perform due diligence to understand how these relate to the organization. As a potential starting point, the organization must:
- Identify the risks facing the industry and organization specifically
- Determine the likelihood or probability of that risk being exploited
- Evaluate the impact both financially and other non-compliance related impacts such as business continuity
Keep in mind that impact can expand beyond financial reporting and should include public image (accountability & trust), other compliance implications, business continuity, remediation and clean up (such as Incident Response within PCI-DSS).
Again, work with the audit committee, board of directors and management to prioritize controls and determine which objectives are undertaken first. Provide details, research and findings to allow these individuals to make an educated decision on prioritization. Walk them through the above formula to confirm assigned values for the three components.
This should bring to light those high-risk items for which mitigating action should be applied. As mentioned before, it always helps to have backing from the higher-ups. As an internal audit or IT security function, it is the responsibility to provide the higher-ups with enough detail, research and evidence to make informed and calculated decisions when it comes to mitigating risks.
Ongoing monitoring of risk-mitigation activities
Establish an internal audit department that monitors the health of compliance programs. IT security or the compliance department should leverage internal audit assessments in conjunction with risk assessments to ensure identified control gaps are addressed or risk rating reduced to an acceptable level. Internal audit assessments can be focused on at-risk controls to ensure mitigation activities are operating effectively. As the organization’s environment and threat landscape continuously change, ongoing monitoring of risk and controls contribute to an adaptive compliance or security program.
An organization may have specific risk assessment requirements within GLBA, SOX and PCI-DSS, but risk assessments expand beyond these financial service compliance mandates into other industries and compliance areas. Risk assessments allow an organization to better understand their environment and consider threat vectors facing the organization.
Again, it’s important to use available resources as mentioned above (vulnerability assessments, audit findings, etc.), as well as publication of common vulnerabilities and exposures that could be facing the industry and organization specifically. Incorporate into risk assessments accordingly.
Educate and involve the audit committee, board of directors and management
Implementing controls can be a big task for any organization to pursue and adhere to. Success is driven from the top and it is vital to have the audit committee, board of directors and management involved throughout the process. These parties can serve as the champion of this objective and promote it throughout the organization. Further, these parties can provide guidance and determine risk tolerance to ensure efforts align with business objectives.
Take a step back from a specific compliance mandate to see the overall picture
Look at commonalities between various compliance mandates for which the organization must adhere to:
- Continuously manage risks (this is a fundamental component and starting point of most compliance mandates)
- Determine material events (SOX,GLBA, PCI-DSS)
- Protect customer data (GLBA, HIPAA, PCI-DSS)
- Build trust and accountability (consideration in most compliance mandates)
- Provide detailed, adaptive audit and forensic trails (consideration in most compliance mandates)
- Enable cyber security compliance (NIST Cybersecurity Framework)
Consider third-party management and risk ownership
You cannot outsource risk ownership. For example, suppose a bank is breached by way of third-party processing. Consider the stakeholders and customers of that bank. Legally, the breach may affect the guilty third party (and this party may be bound by contractual agreements as a responsible party), but what the customers and stakeholders fall back to his that the bank did not meet their expectations. Trust and accountability are lost. The overall impact of such a breach can be detrimental to the public image of a financial institution in which people entrust their life savings and finances.
In order to validate third-party controls, use Service Organization Controls (SOC 1 & SOC 2). You’ll find that SOC 2 is a more in-depth control set for assessment. That being said, go beyond just looking at the report. Discuss findings, determine the impacts of the findings/control failures to the organization’s environment and discuss IR between the third-party and the organization.
Next, examine the change control and incident response between third-party processes or personnel that interact with the organization’s environment (e.g., business processes, interfaces, third-party account/access provisioning, etc.).
It’s important to note that you should use these compliance requirements as guidelines—not an end-all-be-all. Consider looking into NIST Cyber Security Framework (CSF) for additional cyber-related security controls guidance that may not be covered by existing compliance mandates the organization is adhering to. Core compliance programs are beginning to incorporate cyber-based risks, but they still maintain their primary focus.
Risk assessments must involve parties within your company to determine acceptable risk levels and where mitigation efforts should focus. Risk facing your industry or organization will continue to change, and with that, your organization must periodically reassess risks.
Implementing mitigating controls is not enough. There should be ongoing assessments to determine the operating effectiveness of controls and to identify any control gaps. With any compliance mandate, the first step of assessing risk is a fundamental and cost-effective approach to implementing controls.
For more information, download “Security Spending and Preparedness in the Financial Sector: A SANS Survey.”