The Identify function helps establish what your organization must protect. Identify activities include determining what assets—both physical and informational—are present within your institution; how they fit within the business environment; and the governance in place to manage your organization’s regulatory, legal, and risk environments.
All of these activities make up your risk assessment, an evaluation of the threats faced by your institution, the likelihood they will happen, and the magnitude of harm should they occur. The results of your risk assessment will influence the overall risk management strategy, or how you plan to conduct business operations in such a way to limit risk to an acceptable level.
A risk assessment should be performed at least annually to confirm whether an organization’s resources, priorities, or business operations have changed significantly enough to warrant a strategy modification.
A cybersecurity risk assessment should classify critical information assets, identify threats and vulnerabilities, and communicate that risk to necessary personnel, including the Board. Before you can adequately assess risk to your institution, though, you must first identify your “crown jewels,” or your most critical information assets. Crown jewels are often highly sensitive and guarded, and their loss, destruction, or theft could severely impact your institution.
To identify potential cybersecurity threats, your financial institution may use internal resources, such as audit reports, vulnerability scans, and fraud detection tools; or external resources, such as information sharing networks like the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and the United States Computer Emergency Readiness Team (US-CERT). A vulnerability scanner is also commonly used to identify weaknesses by comparing the software and configurations in your business environment against well-known, previously identified vulnerabilities. A scanner match only means a system is potentially affected; penetration testing can then confirm whether an identified vulnerability is actually exploitable in your environment.
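The matching step a scanner performs, as an added example that is not code from the original page or from any scanner vendor: an asset inventory is checked against a list of known vulnerable version ranges, with crown-jewel systems reported first. The hosts, product names, versions and the VULN-00x identifiers are constructed placeholders for the example, not real systems or real advisories. The version parser is the part worth noting: comparing version strings lexically is a classic scanner bug (“1.10” sorts before “1.9”), and a match here means “potentially affected”, not “exploitable”.

```python
"""Check an asset inventory against a list of known vulnerable version ranges.

Added example, not code from the original page. Hosts, products,
versions and the VULN-00x identifiers are constructed placeholders;
they are not real systems or real advisories.
"""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    Lexical comparison gets this wrong: '1.10' < '1.9' as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


@dataclass(frozen=True)
class KnownVuln:
    vid: str            # constructed identifier, not a real CVE
    product: str
    introduced: str     # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive)
    severity: str

    def affects(self, product: str, version: str) -> bool:
        """True when the installed version lies in [introduced, fixed_in)."""
        if product != self.product:
            return False
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    crown_jewel: bool   # flagged during the asset identification step


# Constructed vulnerability feed and inventory for the example.
KNOWN_VULNS = [
    KnownVuln("VULN-001", "exampledb", "2.0", "2.4.1", "high"),
    KnownVuln("VULN-002", "webgw", "1.0", "1.10", "medium"),
]
INVENTORY = [
    Asset("core-db-01", "exampledb", "2.4.0", True),
    Asset("core-db-02", "exampledb", "2.4.1", True),
    Asset("web-01", "webgw", "1.9", False),
    Asset("web-02", "webgw", "1.10", False),
]


def find_exposures(inventory, vulns):
    """Return (host, vuln id, severity, crown_jewel) for every inventory entry
    whose version falls in an affected range, crown jewels and higher
    severities first. A hit means 'potentially affected'; whether it is
    actually exploitable in your environment is a separate test."""
    hits = [
        (a.host, v.vid, v.severity, a.crown_jewel)
        for a in inventory
        for v in vulns
        if v.affects(a.product, a.version)
    ]
    return sorted(hits, key=lambda h: (not h[3], SEVERITY_ORDER[h[2]]))


if __name__ == "__main__":
    for host, vid, sev, cj in find_exposures(INVENTORY, KNOWN_VULNS):
        print(f"{host:12} {vid}  {sev:6} {'CROWN JEWEL' if cj else ''}")
```

With the constructed data, core-db-01 (2.4.0, one patch level behind) and web-01 (1.9) are reported; core-db-02 and web-02 sit on the first fixed version and are not. A real feed would carry many ranges per product, but the half-open range check and the numeric version comparison are the same.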
In November 2014, the Federal Financial Institutions Examination Council (FFIEC) issued a statement recommending that financial institutions of all sizes participate in the FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities. Additionally, two publicly available reports that can provide current threat intelligence are Verizon’s Data Breach Investigations Report and Symantec’s Internet Security Threat Report. Both reports are updated annually.
Threat identification should occur continuously throughout the year and not only during the annual risk assessment. When news of a fraud, breach, or other incident emerges, consider whether your organization is also vulnerable. Could the same thing happen to your institution? What controls are in place to help protect against the threat?
FS-ISAC for Financial Institutions
FS-ISAC offers a basic membership for community banks with less than $1 billion in assets which includes the “must-have” services shown below. Nonbanks can also obtain FS-ISAC membership. To receive only the most critical public alerts, the smallest community-based institutions may elect to register as a Critical Notification Only Participant (CNOP). This service is offered free-of-charge but only provides notification of public urgent and crisis alerts. Learn more at https://www.fsisac.com/join.
FS-ISAC’s Services for Community Banks:
- FS-ISAC established the Community Institution Council (CIC) to provide a forum for community banks to share information. All new community bank and credit union members are added to this group.
- FS-ISAC distributes weekly Risk Summary Reports to all community bank members. These reports help explain how the latest risks affect banks and their customers, and how these risks can be mitigated.
- Community Bank FS-ISAC members have access to the FS-ISAC Security Tool Kit, a 72-page document developed collaboratively with community institutions designed to provide a set of security practices to help strengthen banks’ information security programs in light of increasing threats.
- FS-ISAC disseminates actionable threat, vulnerability and incident data to all members.
To measure your organization’s level of risk, you first need a consistent rating method. One common approach is to rate each asset high, medium, or low. The rating can be based on financial value but should also reflect how critical the asset is to your business. The risk to each of those assets (the likelihood that a threat materializes and the harm it would cause) is likewise rated high, medium, or low; together with the asset rating this gives the inherent risk. The final, or residual, level of risk depends on the remediation actions your institution has taken: mitigating controls can reduce the overall level of risk. For example, if backups are routinely performed and tested, the risk posed by the loss of an electronic file may be low.
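The rating method described above carried through in code, as an added example that is not part of the original page. The 3x3 scoring matrix, the rule that each control in place lowers the rating by one step, the “medium” risk appetite, and the sample assets, threats and controls are all assumptions made for illustration; a real register would use whatever scale and control-effectiveness rule your institution has adopted.

```python
"""Qualitative (high/medium/low) risk rating with mitigating controls.

Added example, not from the original page. The 3x3 scoring matrix, the
one-step-per-control rule, the risk appetite and the sample register
are assumptions made for illustration.
"""
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}
NAME = {n: name for name, n in LEVEL.items()}


@dataclass
class Threat:
    description: str
    likelihood: str                                 # low / medium / high
    controls: list = field(default_factory=list)    # mitigating controls actually in place


@dataclass
class Asset:
    name: str
    value: str          # criticality to the business, not just dollar value
    threats: list


def inherent_risk(asset_value: str, likelihood: str) -> str:
    """Risk before controls: product of value and likelihood on a 3x3 matrix,
    binned so that 1-2 is low, 3-4 medium, 6-9 high (assumed bins)."""
    score = LEVEL[asset_value] * LEVEL[likelihood]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def residual_risk(inherent: str, controls: list) -> str:
    """Risk after controls. Assumption: each listed control that is in place
    and tested lowers the rating one step; the rating never drops below low."""
    return NAME[max(LEVEL[inherent] - len(controls), 1)]


def assess(assets: list) -> list:
    """One row per asset/threat pair: (asset, threat, inherent, residual),
    highest residual risk first so the report leads with what matters."""
    rows = []
    for a in assets:
        for t in a.threats:
            inh = inherent_risk(a.value, t.likelihood)
            rows.append((a.name, t.description, inh, residual_risk(inh, t.controls)))
    return sorted(rows, key=lambda r: -LEVEL[r[3]])


def above_appetite(rows: list, appetite: str = "medium") -> list:
    """Rows whose residual risk exceeds the stated risk appetite (assumed:
    medium); these are the items to escalate to senior management and the Board."""
    return [r for r in rows if LEVEL[r[3]] > LEVEL[appetite]]


# Constructed sample register for the example.
REGISTER = [
    Asset("customer account records", "high", [
        Threat("credential phishing against staff", "high", ["multi-factor authentication"]),
        Threat("ransomware on the file server", "high"),
    ]),
    Asset("branch document share", "medium", [
        Threat("accidental deletion of electronic files", "medium", ["routine tested backups"]),
    ]),
    Asset("public marketing website", "low", [
        Threat("defacement", "medium"),
    ]),
]

if __name__ == "__main__":
    rows = assess(REGISTER)
    for asset, threat, inh, res in rows:
        print(f"{res.upper():6} (inherent {inh:6}) {asset}: {threat}")
    print("Escalate:", [r[1] for r in above_appetite(rows)])
```

The page’s own illustration falls out of the register: loss of an electronic file on a medium-value share is medium inherent risk, and the routine, tested backup brings it to low. The uncontrolled ransomware scenario against the crown-jewel records stays high and is the one item the appetite check flags for escalation; an asset value can never be “controlled away” to below low, which keeps the register from understating risk to critical assets.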
Confidentiality, Integrity, and Availability (CIA) form the information security triad. Information security programs should be set up to ensure the CIA of all information assets, from data to hardware to networks.
Information Security Triad
- Confidentiality means information is protected from unauthorized access or disclosure.
- Integrity confirms information is trustworthy, accurate, and protected from unauthorized modifications.
- Availability ensures timely, reliable access to and use of information and information systems.
It is vital to establish a process that informs senior management and the Board of Directors about cyber risks to your organization, how your organization currently manages and mitigates those risks, and who is accountable for doing so. Once the risk assessment is developed, adopted, and approved, it should be reviewed and updated at least annually to ensure new risks are identified.
The risk assessment is one element of a larger cyber risk management process that each organization should have in place. CEOs should strive to create and implement an effective and resilient risk-management process that enables proper oversight and ensures effective management of cybersecurity risk. Key elements of a risk management process include the initial assessment of new threats; identifying and prioritizing gaps in current policies, procedures, and controls; and updating and testing policies, procedures, and controls as necessary.