Pub. 1 2010 Issue 3

www.wvbankers.org 26 to quantify their risk position, while identifying areas that require remedia- tion. Not all risk can be removed and there is nothing wrong with perform- ing more than one risk assessment a year to show significant improvement and monitor progress. What is gener- ally not acceptable is to not identify all significant risks or to not develop some PLAN for improvement. A domain by domain approach might look like the following: Physical Security – Natural disasters, emergency situations and man-made threats can all affect physical security. Countermeasures might include cameras, sensors, alarms, and controls over physi- cal access. Risk factors could be affected by one or more of the following items: • Logging and badges for visitors • Smart card controls over restricted facilities (data center) • Periodic audits of work areas • Magnetic media storage practices • Fire suppression system (with evidence of current inspection) • Document destruction practices • Encryption of laptop hard drives for traveling employees Logical Security – Threats could in- clude disgruntled employees, unethical hackers, employees who do not practice good security principles, among others. Countermeasures might include strong passwords, two factor authentication, Intrusion Prevention Systems (IPS), and periodic security training. Risk factors could include one or more of the follow- ing items: • Screensavers and timeouts for unattended workstations • Thorough implementation of anti- virus software • Password strength and rotation of passwords • Allow employees access that is job based and only allows access to required data • Security articles in newsletter • Periodic updates on threat activity in other areas/business sectors • Strong personnel review practices Business Continuity – Threats in- clude anything discussed above; the principle of Business Continuity is the demonstrated ability to process, perhaps in a diminished capacity, when the organization does not have access to all of its assets. For example, an Inter- net line could be severed by unrelated construction activities across town. A countermeasure might be a dial-up backup capability. Business continuity is effective when the organization knows how to failover. We recently saw an organization that had a backup power supply for the data center but the only employee who knew how to activate it was not present when it was needed; in that case business continuity was not ef- fective. Risk factors could be affected by one or more of the following items: Q Risk Management — continued from page 25 Keith A. Morgan is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Information System Auditor and Certified Information System Security Professional, Mr. Morgan has over thirty years experience in informa- tion technology audit and security services in multiple industries including financial institutions. Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information System Auditor, Mr. Joseph has over twenty-five years experience in information technology audit and security services in the financial institutions industry. Mr. Morgan and Mr. Joseph can be contacted at 800- 642-3601 or through email: keith.morgan@afnetwork. com or chris.joseph@afnetwork.com . • Mission critical data, supporting programs and other required items have been identified • Periodic training sessions are conducted • Plans are reviewed and updated as changes in technology, products and delivery mechanisms occur • Lead times for communication lines, servers and other key equipment are part of the plan • Insurance coverage is reviewed and is consistent with assets in place • Single points of failure have been identified, i.e. the Internet line discussed above We hope this gives you a better under- standing of the process. While you cannot allocate enough money, time, and personnel to eliminate all risk, the key is to identify risks, quantify the potential for them being realized and develop plans for remediation of what is considered the most significant risk. Most regulators will agree that planning has to be formalized and documented and the process of risk as- sessment is no different. A several page Excel document that has no supporting documentation and no action plans for remediation is a potential for a low rating and an increased probability of realizing identified risk without proper controls to mitigate the risk event. Risk Assessment must follow a framework and include all potential risk areas, the output needs to be a formal assessment accompanied by remediation plans. Q Threat Likelihood Impact Low (10) Medium (50) High (100) High (1) Low 10 X 1.0 = 10 Medium 50 X 1.0 = 50 High 100 X 1.0 = 100 Medium (.5) Low 10 X 0.5 = 5 Medium 50 X 0.5 = 25 Medium 100 X 0.5 = 50 Low (.1) Low 10 X 0.1 = 1 Low 50 X 0.1 = 5 Low 100 X 0.1 = 10 Table 2