
How Are You Managing Technology Risk?

by Cynthia A. Bonnette, Managing Director, Technology Risk Assessment Services

Risk management is fundamental to banking and a familiar practice to all experienced bankers. However, risk management generally takes the form of compartmentalized processes that focus on particular areas. For example, credit risk management concentrates on the loan portfolio and origination process; investment risk management centers on the composition and controls surrounding the securities portfolio, and so forth. Unfortunately, this approach fails when it comes to technology risk.

What's different about technology?

Technology effectively permeates the operations of the entire institution and therefore defies compartmentalization. Technology enables key processes that the bank uses to develop, deliver, and manage its products, services, and support operations. So what, then, is the proper approach to technology risk management?

First, as the saying commonly attributed to the writer, educator, and management consultant Peter Drucker puts it, "If you can't measure it, you can't manage it." Effective technology risk management begins with risk identification in the context of the bank's overall business strategy. Understanding the role that technology plays in enabling core business operations establishes the framework for understanding where the relevant risks lie.

The importance of looking at technology risks in the context of the bank's business strategy is underscored by recent lessons learned from the tragedies of September 11th. While the vast majority of information systems recovered well and demonstrated the effectiveness of disaster planning measures, significant gaps in the continuity of key business processes were experienced: systems came back, but the business processes that depended on people, facilities, and partners did not always follow. The point is that technology risks are woven throughout the business and must be addressed holistically.

Looking at the big picture
A technology risk assessment begins with the bank's strategic plan, recognizing the role that technology plays, and the critical systems that gather, process, and store information. The next step involves assessing the relative importance of the various systems, databases, and applications based on the nature of their function, the criticality of data that they support, and their importance to core business operations. At this point, it is also necessary to look at the architecture of the bank's systems and networks to determine their interconnections with other internal and external systems. This process will reveal system access points and other critical junctures where security mechanisms will need to be in place.

By understanding the role that technology plays in supporting various business functions, bank management is in a better position to determine the relative importance of these functions and prioritize the systems, applications, and data involved. The process of understanding how information flows through the bank, and where data is entered, transferred, and stored will also reveal areas of potential vulnerability. This is where system and network diagrams can be particularly helpful; however, they must be up-to-date and comprehensive.

An information >
The bank's outsourcing strategy must also be taken into account. In the process of identifying relevant data flows and information processing activities, relationships with service providers must be evaluated for the roles and responsibilities of each party. The bank's system diagram should incorporate service provider relationships, identify where data is passed between systems, and document the relevant controls that are in place. When conducting an overall assessment of technology risk, the bank must consider outsourced systems as extensions of its own.

Identifying the gaps
With a comprehensive understanding of what information exists, its relative importance, and where it travels in the bank's own system and those of service providers and partners, bank management is now ready to identify potential gaps. By mapping existing security programs to the system diagram, controls and procedures can be evaluated for adequacy.

This process begins with the bank's existing security program, including both physical and information technology components. For each system that enters, processes, stores, or transfers data that the bank has >
Information technology introduces a new dimension to vulnerability assessment, however. The pace at which new hardware, software, and services are introduced adds complexity. In order to evaluate the controls surrounding systems that host critical data, bank management must have the tools and expertise to assess the technology that enables them. Each new release of an operating system, software application, or device may introduce new security holes.

Furthermore, as changes and enhancements are made to a system, they in turn affect its configuration and overall security posture. Therefore, part of the vulnerability assessment needs to look at how the bank is keeping up with vulnerabilities in the technology that it directly or indirectly employs. This includes the process for applying patches when they are released and for re-verifying security whenever a system is reconfigured.

Bank management also needs to consider the processes in place at its service providers and partners to identify and address their vulnerabilities. Particularly in situations where multiple service providers are involved, controls and responsibilities for enforcing them may be unclear or undefined. Bank management should carefully review controls over data transfer points and also ensure that the operators of all linked systems are undertaking comprehensive vulnerability assessments. Service provider contracts should include a requirement to this effect and also provide that timely action be taken to address identified vulnerabilities that affect >
Vulnerabilities and threats
It is important to distinguish vulnerabilities (characterized above as gaps in the bank's existing controls and security processes) from threats. Simply defined, vulnerabilities are weaknesses present in a system or an environment that, if attacked, could result in significant harm. Threats are the agents that can act on those vulnerabilities, exploit them, and thereby cause harm. Generally, a vulnerability alone will not result in a problem; it requires the action of a threat, malicious or accidental, to be exploited.

By identifying and prioritizing the gaps in the bank's information architecture where controls fail to adequately protect important information, management has defined its vulnerabilities. However, an understanding of internal and external threats is necessary in order to put these vulnerabilities into perspective.

Threats can come from a wide variety of sources. Traditionally, threats have been categorized as internal (malicious or incompetent employees, contractors, service providers, and former insiders who retained information or access privileges) and external (malicious hackers, recreational hackers, competitors, terrorists). Natural and man-made disasters should also be considered external threat sources, even though no attacker is involved.

While the statistic is often cited that 80% of attacks come from within an organization and 20% come from the outside, recent surveys of information security professionals reveal that this is rapidly shifting. The Annual Computer Crime and Security Survey conducted by the Computer Security Institute and the Federal Bureau of Investigation, found that in 2001, 70% of 538 respondents (17% were financial institutions) cited their Internet connection as a frequent point of attack. However, this does not mean that the threat from insiders has lessened. Rather, it shows that threat sources are multiple and varied.

Each of the threat sources noted above has different capabilities, motivations, and likelihood of engaging in an attack. So how might a bank assess these factors and develop a meaningful assessment of potential threats? Presently, there is a lack of historical data from which to develop statistical probabilities. However, each bank can develop a threat assessment that evaluates the likelihood of occurrence based on its environment, competitive strategy, marketplace, geographic location, and other characteristics. It is equally important to consider the magnitude of impact that would result from each threat scenario. The recent terrorist attacks have clearly taught us that we must be prepared for certain events that were previously thought unlikely, because their impact would be catastrophic.

Threat analyses are a mixture of facts, forecasts, estimates, and judgement. The end goal is not precision, but a better understanding of what the bank is up against and which threats deserve priority attention, given the known vulnerabilities. The process of identifying threats must occur in the context of the bank's business strategy in order to differentiate significant threats from those that are less significant. That, of course, raises the question, "what is significant?" The answer will vary from bank to bank based on its risk tolerance and its ability to mitigate and manage its vulnerabilities and threats.
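The two steps described above, mapping controls onto the system diagram to find gaps (including flows that cross into a service provider) and then pairing each gap with the threats able to exploit it and ranking by likelihood times impact, can be made concrete in a small model. The following Python is an added example written for this page; it is not code from the article or from M ONE. The system names, control names, baseline tiers, and threat likelihoods are all constructed for illustration, not survey data or any regulatory baseline.

```python
"""Toy technology risk assessment: inventory -> data flows -> control gaps -> threat scoring.

Added example, not code from the article or from M ONE. Every system, flow,
control name, baseline tier and likelihood below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class System:
    name: str
    operator: str                 # "bank" or the service provider that runs it
    criticality: int              # 1 (low) .. 5 (core system holding customer financial data)
    controls: Set[str] = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    criticality: int              # sensitivity of the data carried over this link
    controls: Set[str] = field(default_factory=set)


# Minimum controls expected at each criticality tier (a constructed policy).
SYSTEM_BASELINE = {
    1: {"patching"},
    3: {"patching", "access_control", "logging"},
    5: {"patching", "access_control", "logging", "vuln_scanning", "backup"},
}
FLOW_BASELINE = {
    1: set(),
    3: {"encryption"},
    5: {"encryption", "auth", "integrity_check"},
}

# Threat sources with a judgemental likelihood (0..1) and the missing controls
# each one would exploit. Constructed values, not survey data.
THREATS = {
    "external_attacker": {"likelihood": 0.6,
                          "exploits": {"patching", "vuln_scanning", "encryption", "auth"}},
    "malicious_insider": {"likelihood": 0.3,
                          "exploits": {"access_control", "logging"}},
    "outage_or_disaster": {"likelihood": 0.1, "exploits": {"backup"}},
}

Gap = Tuple[str, int, Set[str], bool]   # (asset, criticality, missing controls, third party involved)


def baseline(table: Dict[int, Set[str]], level: int) -> Set[str]:
    """Return the strictest baseline whose tier threshold the level meets."""
    return table[max(t for t in table if t <= level)]


def find_gaps(systems: List[System], flows: List[Flow]) -> List[Gap]:
    """Map controls onto the system diagram and report where they fall short.

    A system run by a service provider, or a flow between two operators, is
    marked third-party so that responsibility for the fix is visible.
    """
    by_name = {s.name: s for s in systems}
    gaps: List[Gap] = []
    for s in systems:
        missing = baseline(SYSTEM_BASELINE, s.criticality) - s.controls
        if missing:
            gaps.append((f"system:{s.name}", s.criticality, missing, s.operator != "bank"))
    for f in flows:
        missing = baseline(FLOW_BASELINE, f.criticality) - f.controls
        crosses = by_name[f.src].operator != by_name[f.dst].operator
        if missing:
            gaps.append((f"flow:{f.src}->{f.dst}", f.criticality, missing, crosses))
    return gaps


def score_risks(gaps: List[Gap]) -> List[dict]:
    """Pair each gap with the threats able to exploit it; risk = likelihood x impact (criticality)."""
    scored = []
    for asset, crit, missing, third_party in gaps:
        for tname, t in THREATS.items():
            relevant = missing & t["exploits"]
            if relevant:
                scored.append({"asset": asset, "threat": tname, "missing": sorted(relevant),
                               "score": round(t["likelihood"] * crit, 2),
                               "third_party": third_party})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: two bank-run systems and one outsourced system.
SYSTEMS = [
    System("core_banking", "bank", 5, {"patching", "access_control", "logging", "backup"}),
    System("web_banking", "bank", 4, {"patching", "access_control"}),
    System("check_imaging", "ImageCo", 3, {"patching"}),        # run by a service provider
]
FLOWS = [
    Flow("web_banking", "core_banking", 5, {"encryption", "auth", "integrity_check"}),
    Flow("core_banking", "check_imaging", 5, {"encryption"}),   # crosses to the provider
]

if __name__ == "__main__":
    for r in score_risks(find_gaps(SYSTEMS, FLOWS)):
        flag = " [third party]" if r["third_party"] else ""
        print(f'{r["score"]:>4}  {r["asset"]:<34} {r["threat"]:<19} missing={r["missing"]}{flag}')
```

Run as a script, it prints the prioritized register: the unscanned core system and the unauthenticated link to the imaging provider score highest, and the two third-party items are flagged so the contract question (who must fix what, and by when) is raised alongside the technical one. The likelihoods are deliberately coarse; as the article notes, the goal is a defensible ordering, not precision.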

Managing technology risk
Identifying vulnerabilities and threats provides bank management with a view of the risks faced by the bank given the enabling role of information technology. Once these risks have been identified, an appropriate risk management strategy can be developed and implemented. Bank management has a choice in its approach to managing these risks. Generally, there are three alternatives that can be used individually or in combination: risk management via internal processes and controls; risk management via outsourcing or contracting out the activity; and risk transfer via the purchase of insurance coverage.

Each alternative offers advantages and disadvantages in terms of cost and control. Bank management must evaluate these options in order to devise a strategy that provides maximum benefit to the bank. Generally, the benchmark question involves the extent of the bank's internal resources and ability to develop and administer the necessary controls in-house. Absent these resources, the bank can evaluate options for hiring temporary contractors or outsourcing the activity to a service provider that has the necessary infrastructure. Risk transfer via insurance represents a relatively new alternative for technology; however, a number of new policies addressing "cyber-insurance" are now available.

The most appropriate strategy generally involves a mix of risk management techniques that are driven by the bank's internal capabilities and risk tolerance. The bank's technology risk management process will be intertwined with other risk management processes and overall business strategy. As such, it will continue to be revisited and refined.

M ONE, Inc. is a bank technology consulting firm that specializes in helping mid-size financial institutions develop strategic technology solutions to interact more effectively with customers and business partners. M ONE also offers technology risk assessment services that assist banks in evaluating their information security programs and addressing relevant vulnerabilities and threats. Information security education programs and materials for bank directors, management, and employees are also available. Visit www.moneinc.com for further information.

First published on BankersOnline.com 4/15/02

