Red Flag Assessment Testing
BOL user "Rizzo" was preparing for the Red Flags rules and created a Red Flags risk assessment testing document that she has shared here. Rizzo participated in BOL Learning Connect webinars about the new Red Flag rules and developed this workbook based on what she learned. The file, "Red Flags Testing Menu - rfworksheet", is a component of the larger "Red Flags Assessment Testing Workbook - rftestmenu", and is provided here individually, and is blank. The "Red Flags Assessment Testing Workbook" contains the Risk Assessment Matrix and Red Flags Testing Menu.
The process charts were used for each covered product. The bank marked different ways the product could be obtained, accessed, identified possible threats and then listed controls that were in place addressing the red flags. The matrix is a summary page of the process charts.
The bank rated risks from 1-5 starting with selecting what the impact would be to the bank. From there, what is the inherent likelihood that breach would happen, yielding the inherent risk. For example:
- Impact = 5,
- Inherent Likelihood = 4
- (5x4) yields an inherent risk a 20.
- Residual likelihood (taking controls into consideration) = 3,
- times the impact (5)
- provides a residual risk of 15.
Rizzo's Board approved an acceptable rating of 10 for each product (yours may vary), so if the residual risk was more than that, it gets placed on a watch list, or the bank tries to figure out how to lower the score to an acceptable level. The "Red Flags Assessment Testing Workbook" has sample data included in it. You will have to delete and replace the sample data with your own assessments and may edit the products as well.
The bank then tested the controls and this is where the testing menu comes in to play (the smaller component file "Red Flags Testing Menu"). The bank then reviews the controls listed in the risk assessment to address each Red Flag and marks the worksheet to show if the Red Flag is indeed addressed (all 3 parts: Detection, Mitigation and Response). If it was addressed, the location of the coverage from policies and procedures is listed. If not, comments were made in the Gap Analysis column and the responsible party for that product was instructed to correct the deficiency.
Red Flags Assessment Testing Workbook, w/sample data, .xls format (This file is not provided in PDF due to hyperlinks and page layout design. The Workbook is intended for use on a PC.)
First published on 05/01/2009