Second in a three-part series on effective information technology management.
Information is one of a financial institution’s most significant assets, and protecting it should be a top priority. Many organizations mistakenly perceive information security to be an occasional or intermittent occurrence—something to tackle once on a broad scale and afterwards just every now and then.
The truth is that risk management can never be effective if it’s only a one-time event or simply addressed periodically. Information security must be an ongoing process, and it requires active involvement from management and the board of directors, as well as engagement by all employees.
The foundation of any strong risk management effort is the need for a formalized information security program.
What’s in your program?
Creating, implementing, and maintaining an information security program require several key components. First, the overall program must be well documented, including detailed written policies and procedures that are used to control and protect information.
Second, the institution should appoint an information security officer. This person oversees, manages, and is accountable for the entire program. That includes directing the necessary training for all employees so that they understand their roles in protecting the institution’s information assets.
Third, risk assessments and the testing of controls must be part of the program. Any business partners that have access to or custody of the institution’s information must also be held to the same level of risk management responsibility.
Finally, the program should ultimately receive management and board approval, and communication about the ongoing status of the program must be regularly presented to the board.
Keep in mind that your information security program should be appropriate to the size and complexity of your institution and the nature and scope of its activities.
Where’s the risk?
To build a reliable program, an institution must first identify its information and technology assets and assess the risks that may threaten them.
Through a risk assessment, an institution gathers information by identifying data in all its locations, whether on paper, in systems, or within Web sites. It then determines the value of this data. Such value depends on the type of data, why and how it’s used, the likelihood that threats will be realized, and the impact to the organization should those threats transpire.
An institution must thoroughly identify potential threats to the confidentiality, integrity, and availability of its information. These threats can be internal or external and can include both human and technical sources.
Documenting the controls that are currently in place to ward off threats is also part of this process. Basic controls can include network topologies, logging of system activities, configuration standards for systems, formal change management processes, patch management, anti-virus and anti-spyware programs, intrusion detection systems, vulnerability testing, incident response plans, vendor management, security awareness and training, and the inclusion of information security discussions as part of the strategic planning process.
How does it rate?
Once all information is collected, it’s time to analyze it. Based on possible threats and current controls, an institution can assign risk ratings to reflect the degree of any threat in light of its mitigating controls.
The risk rating score determines which controls are tested and allows the institution to prioritize its responses. The higher the risk rating, the more often the control should be tested. In addition, an institution’s audit plan will be derived from the risk assessment. High-risk items should be audited annually, medium-risk items every other year, and low-risk items perhaps every three years.
The testing procedures, along with the frequency of testing and the person responsible for testing, should be documented. With testing results in hand, an institution can further evaluate the effectiveness of the controls and determine whether any additional controls are needed.
What’s the timing?
Completing a risk assessment annually is part of the ongoing risk management obligation. This not only ensures that implementation is effective, but also makes certain that adjustments have been made to account for changes in technology, in customer information sensitivity, and in internal or external threats to information security.