BOL Conferences
#100058 - 07/23/03 08:37 PM Top 10 - Information Technology Risks
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Between now and the end of the year I hope to do risk assessments for each department and process. As I get to each area, I would like to do a little brainstorming on BOL concerning the most significant risks and the best practice controls that should be in place.

As I work with the department heads here at my bank, I hope to come up with a "Top 10" list representing the most significant risks in their areas. For each risk, I also hope to identify the best controls to put in place.

Assuming that there is interest and participation here on BOL, I'll be glad to share what I compile with anyone that would like it.

With that, I'll throw it out for discussion and feedback...

Some of the top Information Technology risks (and controls) that we've identified are (this is by no means all inclusive):

Intentional destruction of data by an insider (sabotage) - Some controls include access restrictions for employees based on job need, robust data backup procedures, knowing your employees, network monitoring, etc.

Internal compromise / defalcation of data, including customer data - Same controls as above

Weak logical access restrictions, including weak or shared passwords - Security policy (network software should be able to mandate robust passwords), training, periodic review of employee access by managers and audit.

External compromise / defalcation of data, including customer data (hacking, social engineering) - Controls include firewalls, intrusion detection, customer identification procedures and social engineering training.

Theft of computer resources - Controls include physical access restrictions, inventory procedures, computer locks.

Key person dependency - Controls include management succession plans, cross training, key person life insurance.

Large scale disaster - Controls include business resumption and disaster recovery plans / testing, insurance, training.

Vendor failure / vendor management - Controls include thorough vendor management procedures, including robust annual reviews and exit strategies.

Compromise of customer information maintained by vendors - Controls include thorough due diligence, contract provisions, monitoring of vendor's information security program, insurance.

Malicious code - Controls include virus protection at all entry points that covers email and internet downloads, training.

Wire transfer / ACH - obviously one of the greatest areas of potential exposure. Controls include strong security policies, independent wire system administrators, dual authorization required on wires, etc.

I know, I listed eleven, but who's counting...there are probably hundreds of risks in our database.
_________________________
My opinions are just that...my opinions.

#100059 - 07/24/03 07:13 PM Re: Top 10 - Information Technology Risks
Jeff Olejnik Offline
New Poster
Joined: Jul 2003
Posts: 11
KPMG did a study in 2000 on the major causes of operational disruption. I thought this might be helpful as you assess your operational risk.

The following results were based on surveys of over 150 financial institutions, which answered the following:

"Has your company been affected by, or at risk for, any of the following business interruptions?"

Power Outage - 75.5%
Hardware Failure - 66.9%
Natural Disaster - 64.9%
Communications Failure - 56.3%
Human Error - 55.6%
Software Failure - 52.3%
Service Provider Failure - 39.1%
Facilities Move - 34.4%
Other - 3.3%

I hope this helps.

Jeff Olejnik
Continuity Solutions, Inc.
www.continuitysolutions.net

#100060 - 07/24/03 10:09 PM Re: Top 10 - Information Technology Risks
111 Offline
Gold Star
Joined: Jun 2003
Posts: 484
What about an atom bomb? That's the interesting thing about risk assessment in this area, you can only take the risk scenarios to a level that you can actually handle, but beyond that level, no viable plan is possible.

#100061 - 07/25/03 01:18 PM Re: Top 10 - Information Technology Risks
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:
> What about an atom bomb? That's the interesting thing about risk assessment in this area, you can only take the risk scenarios to a level that you can actually handle, but beyond that level, no viable plan is possible.

I've got excellent fire insurance in the event something catastrophic happens...a preventive control, you might say...
_________________________
My opinions are just that...my opinions.

#100062 - 07/29/03 03:32 PM Re: Top 10 - Information Technology Risks
mchenry Offline
New Poster
Joined: Jul 2003
Posts: 1
Flurry of new online security for SA banks

In the wake of last week's online theft from ABSA, South Africa's banks have begun announcing new security and insurance measures seeking to reassure customers.

The country's First National Bank said on Friday that it would reimburse its Internet banking clients for the full loss of any funds as a result of an unauthorised withdrawal from their FNB Internet banking accounts. Roland le Sueur, Head of Internet banking at FNB, said the bank would refund the amount illegally removed, plus charges and lost interest.

"The guarantee reflects the bank's confidence in both its security precautions and the efficiency of its inContact early warning service," said Mr Le Sueur. The guarantee is free of charge but is conditional upon clients registering for FNB's logon and transaction alerting service.

Standard Bank introducing additional Internet banking security measures quickly followed FNB’s announcement. "This has been a very eventful week with the press coverage around Internet fraud. The previous attacks have been on banks, now the attack is on customers and their accounts," said Standard Bank chief executive Jaco Maree.

Herman Singh, who heads up Standard Bank's eCommerce initiatives, said the bank was introducing a "pin pad" data entry screen, which would pop up when customers logged onto the internet banking site, as an additional level of security to the two existing passwords customers already use. "Instead of using keystrokes to type in the pin, customers will click the numbers on the pin pad," he said.

Standard Bank also plans to distribute specially configured versions of McAfee's personal Internet firewall and anti-virus software to its online banking customers. The bank will be providing the software free of charge for the first year after which customers will need to pay for annual updates.

FNB 'guarantees' e-banking safety

[Tracy Burrows] - First National Bank (FNB) has offered its e-banking clients a "money-back" guarantee that their transactions will be safe, following the recent Absa e-banking fraud.

FNB says it will now notify an additional 180 000 Internet banking clients via free SMS or e-mail of every logon to their account, so alerting them immediately to any unauthorised access.
This feature has been added to FNB's free inContact SMS and e-mail service, which already notifies more than 280 000 FNB Internet and other banking customers of every transaction made on any of their FNB bank accounts.

FNB says it will also reimburse its Internet banking clients for any money they lose as a result of an unauthorised withdrawal from their FNB Internet banking accounts. The bank will refund the amount illegally removed, plus charges and lost interest.

This guarantee is available to clients who register for the inContact service. However, refunds will not be made if clients are found to have failed to take adequate security precautions to protect their computer and Internet banking account access information.

Roland Le Sueur, FNB's head of Internet banking, says client interest in this free service has been soaring. More than 30 000 clients have registered in the past 14 days. They have the choice of receiving their notifications via SMS or e-mail when they log on to their account via eBucks.com. Most clients have chosen SMS as their preferred source of contact.

The always-on inContact service was introduced by FNB in 2002. FNB customers can register for the service on the FNB Internet banking Web site, at 0860 442211 or at an FNB branch.

#100063 - 07/29/03 03:37 PM Re: Top 10 - Information Technology Risks
111 Offline
Gold Star
Joined: Jun 2003
Posts: 484
Quote:
> Quote:
> > What about an atom bomb? That's the interesting thing about risk assessment in this area, you can only take the risk scenarios to a level that you can actually handle, but beyond that level, no viable plan is possible.
>
> I've got excellent fire insurance in the event something catastrophic happens...a preventive control, you might say...

Fire Insurance covers an atom bomb? What about the other elements, e.g. your facilities are gone, your entire staff is gone, you are gone, your BOD is gone, the fire insurance company is gone - what's the backup plan for that scenario?

#100064 - 07/29/03 06:39 PM Re: Top 10 - Information Technology Risks
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:
> Quote:
> > Quote:
> > > What about an atom bomb? That's the interesting thing about risk assessment in this area, you can only take the risk scenarios to a level that you can actually handle, but beyond that level, no viable plan is possible.
> >
> > I've got excellent fire insurance in the event something catastrophic happens...a preventive control, you might say...
>
> Fire Insurance covers an atom bomb? What about the other elements, e.g. your facilities are gone, your entire staff is gone, you are gone, your BOD is gone, the fire insurance company is gone - what's the backup plan for that scenario?

Sorry Tenacious, I wasn't speaking literally...and you're right, I will be gone, to a far better place.
_________________________
My opinions are just that...my opinions.

#100065 - 08/11/03 09:24 PM Re: Top 10 - Information Technology Risks
Anonymous
Unregistered

Looks good to me. I have just completed such an exercise at my bank. The one risk that you had that I overlooked was key person. That was a good one. I did not have anything in addition to the other ten. But, I do have a question for you surrounding due diligence and the "robust" reviews. What do you do when the company you contract with does not have a SAS 70? How far do you go to make sure there are adequate controls in place? Thanks. I'm a risk officer, too.

#100066 - 08/11/03 09:49 PM Re: Top 10 - Information Technology Risks
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
We haven't had a problem with getting SAS 70s from our service providers (i.e. Internet banking, trust accounting, debit card driver, etc.). Other vendors (i.e. software providers or other vendors that have access to customer information but do not "process" for us) would not normally have a SAS 70.

I guess for a service provider that did not provide a SAS 70, you would have to start with your contract to see if you have the right to audit. Then, depending upon how critical the service is and the level of risk associated with the provider, you might decide to either perform your own audit or have them make certain representations to you concerning their controls (possibly a questionnaire format).

The area I am currently struggling with is in the area of Information Security. What is the best approach to validate the effectiveness of any of our vendor's information security program?
Last edited by Risk Officer; 08/11/03 09:50 PM.
_________________________
My opinions are just that...my opinions.

#100067 - 08/12/03 02:22 PM Re: Top 10 - Information Technology Risks
Red Offline
Gold Star
Joined: Dec 2002
Posts: 345
New England
I don't know. It feels silly to be looking at what the vendor states they are doing on their end. You can't test it. Perhaps if you are a REALLY big bank you could, but at our current size it is definitely out of the question. Sometimes I feel like I am just holding my breath relying on the information that was provided to me. Thanks for the input on the SAS 70s.
_________________________
It's risky business, but someone has to do it.
