Pub. 1 2010 Issue 3

Fall 2010, page 25

Effective Risk Management
By Keith A. Morgan, CISA, CISSP and Chris Joseph, CPA, CISA

This is the third of a multi-part series on risk assessment and the management of your Information Technology (IT) assets.

In the first article we set out a framework for the later articles, each of which deals with one of the major areas of risk and provides guidance and best practices. In the second article we discussed the concepts and requirements of risk management. Here we present material from one of our risk assessment tools to give you a better understanding of the risk assessment process. One of our methodologies focuses on the domains shown in Table 1.

Table 1. Domain or Focus Area
a. Information Protection
b. Policies and Practices
c. Physical Security
d. Business Continuity
e. Logical Security
f. Network Security Controls
g. Remote Access Security Controls
h. Internet Commerce Controls
i. Wireless and Mobile Computing Controls
j. Regulatory Compliance

We typically see a Bank perform a combination of group and individual assessments. The Bank might appoint a group to reach consensus on what assets need protection, what they are worth, what risks exist and in what forms those risks might threaten the Bank. Each individual would then independently rate each risk, and a final composite document would be assembled. The results would be compared with the previous assessment, and remediation (process improvement) plans would be developed. The Bank would assign responsibility and timeframes for completing the remediation, and a final report would be produced for use in the next round of risk assessment.

The individual ratings can be combined in several ways:

1. The risk rating could be a simple average of compliance: the number of people stating that a specific risk was properly addressed, divided by the number of people on the team.

2. A second approach is to develop weighted ratings, for example:
   0  Does not apply
   1  Partially implemented
   3  Satisfactory
   4  Fully implemented
   A weighted average is then computed for each of the areas (risk factors), excluding those rated "does not apply" so that an inapplicable control does not drag a domain's score down.

3. A third option is to assign a likelihood of the risk being realized, ranging from low to high. In addition, the impact (ranging from some impairment to a total inability to process) is quantified, and the score for each risk factor reflects both that impact and the likelihood of occurrence. Table 2 (page 26) presents a matrix whereby such a score is assigned to each risk factor.

The method is not as important as the process. The risk assessment should produce consistent ratings when performed by people with similar backgrounds, and the Bank must be able

(Risk Management continued on page 26)
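The following is an added example, not the authors' assessment tool, showing how the first two rating styles above turn a team's individual answers into the composite document: a simple compliance share (method 1) and a weighted 0/1/3/4 average that leaves out "does not apply" answers (method 2), with each factor compared against the previous round so that remediation candidates fall out of the data. The domain names follow Table 1; the risk factors, the assessors' ratings and the previous-round figures are constructed sample data, and treating a rating of 3 or 4 as "properly addressed" for the compliance share is an assumption made here, not something the article specifies. Method 3 is omitted because its scoring matrix (Table 2) is on a page not reproduced here.

```python
"""Composite risk ratings from a team's individual assessments (added
example, not the authors' tool). Implements the article's first two rating
styles, a simple compliance share and a weighted 0/1/3/4 average that
excludes "does not apply", then compares each factor with the previous
round. Domains follow Table 1; factors, ratings and previous-round values
are constructed; counting a 3 or 4 as "properly addressed" is assumed."""

# Weighted scale from the article: 0 = does not apply, 1 = partially
# implemented, 3 = satisfactory, 4 = fully implemented (2 is not used).
NOT_APPLICABLE = 0
VALID_RATINGS = {1, 3, 4}
SATISFACTORY = 3  # assumed threshold below which a factor needs remediation


def applicable(ratings):
    """Drop 'does not apply' answers and reject values off the scale."""
    kept = [r for r in ratings if r != NOT_APPLICABLE]
    bad = [r for r in kept if r not in VALID_RATINGS]
    if bad:
        raise ValueError(f"ratings off the 0/1/3/4 scale: {bad}")
    return kept


def compliance_share(ratings):
    """Method 1: fraction of assessors who judged the factor properly
    addressed (assumed: rated 3 or 4). None when nobody found it applicable."""
    kept = applicable(ratings)
    if not kept:
        return None
    return sum(1 for r in kept if r >= SATISFACTORY) / len(kept)


def weighted_average(ratings):
    """Method 2: mean of the ratings, excluding 'does not apply'. Returns
    None rather than 0.0 when every assessor marked the factor N/A, so an
    inapplicable control is never reported as a failing one."""
    kept = applicable(ratings)
    if not kept:
        return None
    return sum(kept) / len(kept)


# Constructed sample input: domain -> risk factor -> one rating per assessor.
SAMPLE_RATINGS = {
    "Logical Security": {
        "password complexity enforced": [4, 4, 3, 4],
        "privileged accounts reviewed quarterly": [1, 3, 1, 1],
    },
    "Remote Access Security Controls": {"VPN requires a second factor": [3, 1, 3, 3]},
    "Internet Commerce Controls": {"online banking sessions time out": [3, 0, 4, 3]},
    "Wireless and Mobile Computing Controls": {
        "wireless access points inventoried": [0, 0, 0, 0],  # N/A for everyone
    },
}

# Constructed previous-round weighted averages, used to measure progress.
PREVIOUS_ROUND = {
    "Logical Security": {
        "password complexity enforced": 3.5,
        "privileged accounts reviewed quarterly": 1.0,
    },
    "Remote Access Security Controls": {"VPN requires a second factor": 2.5},
}


def assess(team_ratings, previous=None):
    """Assemble the composite document: per domain and factor, the weighted
    average, the compliance share and the change since the previous round
    (positive means improvement; None when there is nothing to compare)."""
    previous = previous or {}
    report = {}
    for domain, factors in team_ratings.items():
        report[domain] = {}
        for factor, ratings in factors.items():
            weighted = weighted_average(ratings)
            before = previous.get(domain, {}).get(factor)
            change = None if weighted is None or before is None else weighted - before
            report[domain][factor] = {
                "weighted": weighted,
                "compliance": compliance_share(ratings),
                "change": change,
            }
    return report


def remediation_candidates(report, threshold=SATISFACTORY):
    """Factors scoring below the threshold, worst first: the raw material
    for the remediation plan. N/A factors are skipped, not flagged."""
    rows = [
        (domain, factor, entry["weighted"])
        for domain, factors in report.items()
        for factor, entry in factors.items()
        if entry["weighted"] is not None and entry["weighted"] < threshold
    ]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    result = assess(SAMPLE_RATINGS, PREVIOUS_ROUND)
    for domain, factors in result.items():
        for factor, entry in factors.items():
            score = "N/A" if entry["weighted"] is None else f"{entry['weighted']:.2f}"
            print(f"{domain} / {factor}: weighted {score}, change {entry['change']}")
    print("remediate:", remediation_candidates(result))
```

The one design point worth noting is the handling of "does not apply": a factor every assessor marked N/A is reported as None rather than scored 0, and is skipped by the remediation list, which is exactly the exclusion the article calls for; scoring it 0 would make the Bank appear to fail a control it does not have.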
