INFORMATION SYSTEM SECURITY: RISK ASSESSMENT TOOLS AND PRACTICES

I. INTRODUCTION

Financial institutions should have a sound information security program that identifies, measures, monitors and manages potential risk exposure and plans for responding to an information security incident. 

The FDIC released a paper entitled Risk Assessment Tools and Practices for Information System Security (FIL-68-99; July 7, 1999). In 1997, the FDIC issued safety and soundness electronic banking examination procedures and guidance on security risks associated with the Internet that could possibly result in financial loss and reputational harm. As a result, financial institution management is responsible for ensuring that systems and data are protected against risks associated with emerging technology, including the Internet and computer networks. As information security issues arise, the FDIC indicated the need for timely additional guidance on information system security issues.

FIL-68-99 emphasized three main components of a financial institution’s information security program: prevention, detection and response. While an institution's information security program depends on the nature of its activities and is based on a comprehensive risk assessment, the guidance described several tools to facilitate the risk assessment process, but did not recommend which tools and practices an institution should use. Appropriate tools would be chosen as a result of an institution's risk assessment and identification of potential threats to and vulnerabilities of its information systems.

For financial institutions that contract with third-party providers for information system services, a sound vendor management program that generally incorporates the items discussed in the guidance is recommended. Third-party providers are broadly defined in the guidance to include entities that provide: system design, development, administration and maintenance services; data processing services; and hardware or software solutions. Financial institution management must generally understand the provider's information security program to effectively evaluate the security system's ability to protect both institution and customer data.

The guidance served to supplement FIL 131-97 (December 18, 1997), “Security Risks Associated With the Internet,” and complement the FDIC’s safety and soundness electronic banking examination procedures. Related guidance is found in the FFIEC Information Systems Examination Handbook. The appendix to the guidance provides specific information on certain risk assessment tools and practices that may be part of an institution's information security program.

II. INFORMATION SECURITY PROGRAM

A financial institution should first perform an information security risk assessment to determine which risk assessment tools and practices discussed in the FDIC guidelines are appropriate. According to the FDIC, a financial institution's board of directors and senior management should be aware of information security issues and be involved in developing an appropriate, comprehensive, proactive and ongoing information security program incorporating three components:

  • Prevention – measures include vulnerability assessment tools and penetration analyses, sound security policies, well-designed system architecture, properly configured firewalls and strong authentication programs. Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities, e.g., security flaws and bugs in software and hardware, that would allow unauthorized access to a network or allow insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes.

  • Detection – measures involve analyzing available information to determine if an information system has been compromised, misused or accessed by unauthorized individuals. Detection may be enhanced by the use of intrusion detection systems (IDSs), which act as a burglar alarm, alerting the bank or service provider to potential external break-ins or internal misuse of the system(s) being monitored.

  • Response – measures involve the handling of suspected intrusions and system misuse once detected. The response program should be outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents and establishes reporting requirements.

Based on the three components, a financial institution should develop a written information security policy, sound security policy guidelines and well-designed system architecture, as well as provide for physical security, employee education and testing, as part of an effective program.

III. RISK ASSESSMENT AND MANAGEMENT

While risk assessment is the first step in establishing a sound security program, it should be considered an ongoing process to evaluate threats and vulnerabilities and to establish an appropriate risk management program. In turn, the extent of an information security program depends upon the degree of risk associated with a financial institution's systems, networks and information assets. The FDIC gives, as examples: institutions offering an information-only web site compared to institutions offering transactional Internet banking activities; institutions offering real-time funds transfers compared to delayed or batch-processed transactions; and the extent to which an institution contracts with third-party vendors.

A. Performing Risk Assessment and Determining Vulnerabilities

Sound risk assessment is critical in providing a framework for establishing policy guidelines and identifying risk assessment tools and practices appropriate for a financial institution. The FDIC advises that when financial institutions contract with third-party providers for information system services, they should have a sound oversight program. In addition, the security-related clauses of a written contract should define, at a minimum, the responsibilities of both parties with respect to data confidentiality, system security and notification procedures in the event of data or system compromise. An institution must conduct a sufficient analysis of the provider's security program (including how the provider uses available risk assessment tools and practices) and should obtain copies of independent penetration tests run against the provider's system.

Many information security products offer a combination of risk assessment features and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, the manner in which the product is configured and ultimately used is an integral part of its effectiveness. When relying on a certification, management should understand the certification process used by the organization. Other considerations in the risk assessment process might include:

  • Identifying mission-critical information systems and determining the effectiveness of current information security programs (e.g., a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem; therefore, up-to-date inventory listings of hardware and software, as well as system topologies, are important).

  • Assessing the importance and sensitivity of information and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information (e.g., if a large depositor list were made public, such disclosure could expose the institution to reputational risk and potential loss of deposits; or if human resource data, such as salaries and personnel files, were disclosed, the institution could be harmed). The assessment should identify systems that allow the transfer of funds, other assets or sensitive data/confidential information and review the appropriateness of access controls and other security policy settings.

  • Assessing the risks of electronic connections with business partners where the other entity may have poor access controls that could potentially lead to an indirect compromise of the institution’s system (e.g., a vendor allowed access to an institution’s system without proper security safeguards, such as firewalls, resulting in open access to critical information).

  • Determining legal implications and contingent liability concerns associated with the items discussed above (e.g., if hackers access an institution’s system and use it to subsequently attack others, the institution could be held liable for damages incurred by the party attacked).

B. Potential Threats

Hackers, computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime or espionage agents pose potential computer security threats. Using almost any Internet search engine, Internet users can find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers may breach security by misusing vulnerability assessment tools to probe a network system and exploit weaknesses to gain unauthorized access to it. Internal misuse of information systems is also a threat. Inadequate maintenance and improper system design also allow hackers to exploit a system. New security risks arise from evolving attack methods or newly detected holes and bugs in existing software and hardware. Risks may be introduced as systems are altered or upgraded or through the improper setup of available security-related tools. To stay current on new security threats and vulnerabilities, it is important to keep up to date on the latest security patches and version upgrades available to fix security flaws and bugs.

The misuse or theft of passwords is another threat. Hackers may use password cracking programs to figure out poorly selected passwords, and unauthorized users can steal unencrypted passwords. Password theft is more difficult if passwords are encrypted. Employees or hackers may attempt to compromise system administrator access (root access), tamper with critical files, read confidential e-mail or initiate unauthorized e-mails or transactions.

Hackers may claim to be someone authorized to access the system, e.g., an employee, vendor or contractor, and then get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. Other forms of system attack include:

  • Denial of service (system failure) – any action that prevents a system from operating as intended, including the unauthorized destruction, modification, or delay of service (e.g., in a “SYN Flood” attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support, while legitimate users of the system being attacked are not allowed to connect until the open connections are closed or time out).

  • Internet Protocol (IP) spoofing – an Internet intruder, in an attempt to gain access to a system, impersonates a local system’s IP address. If other local systems perform session authentication based on a connection’s IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.

  • Trojan horses – programs containing additional (hidden) functions that usually allow malicious or unintended activities, replacing programs or collecting, falsifying or destroying data. Trojan horses can be attached to e-mails and may create a “back door” that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced.

  • Viruses – programs that may be embedded in other code and can self-replicate so that, once activated, the viruses may take unwanted and unexpected actions that are nondestructive or destructive in the host computer programs. A virus may move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may also be found in e-mail attachments and become active when the attachments are opened.
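As an added example (not from FIL-68-99 or the NBA handbook), the following Python script illustrates the detection side of the SYN flood condition described above: it parses socket-state listings in the format printed by `ss -tan` (the sample rows below are constructed, not captured from a real system) and flags any local port whose half-open (SYN-RECV) connections reach a threshold, reporting the established count and the number of distinct peers alongside so an analyst can tell a backlog of legitimate clients from a flood of possibly spoofed sources.

```python
from collections import Counter

# Constructed sample of `ss -tan`-style output (not real capture data): one
# service on :443 with two completed handshakes and forty half-open
# (SYN-RECV) connections from distinct peers, the pattern the guidance describes.
SAMPLE_LINES = [
    "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "LISTEN     0      128    10.0.0.5:443         0.0.0.0:*",
    "ESTAB      0      0      10.0.0.5:443         198.51.100.7:51022",
    "ESTAB      0      0      10.0.0.5:443         198.51.100.8:51023",
    "ESTAB      0      0      10.0.0.5:22          198.51.100.9:40110",
] + [
    f"SYN-RECV   0      0      10.0.0.5:443         203.0.113.{i}:4{i:04d}"
    for i in range(1, 41)
]


def parse_states(lines):
    """Yield (state, local_port, peer_ip) for each connection row, skipping the header."""
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]


def half_open_by_port(lines):
    """Count half-open (SYN-RECV) connections per local port."""
    return Counter(port for state, port, _ in parse_states(lines) if state == "SYN-RECV")


def syn_flood_alerts(lines, threshold=25):
    """Return one alert per local port whose half-open count reaches the threshold.

    The established count and distinct peer count are included so the analyst
    can weigh a legitimate connection burst against a flood of spoofed sources.
    """
    established = Counter(port for state, port, _ in parse_states(lines) if state == "ESTAB")
    peers = {}
    for state, port, ip in parse_states(lines):
        if state == "SYN-RECV":
            peers.setdefault(port, set()).add(ip)
    return [
        {"port": port, "half_open": count, "established": established[port],
         "distinct_peers": len(peers[port])}
        for port, count in sorted(half_open_by_port(lines).items())
        if count >= threshold
    ]
```

The threshold of 25 is an assumed starting point; in practice it should be tuned to the listener's normal backlog so that the alert fires well before legitimate users are refused connections.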

IV. CONCLUSION

Financial institutions are to develop and implement appropriate information security programs, taking into account whether their systems are maintained in-house or by third-party vendors. A security program includes effective security policies that identify prevention, detection and response measures and system architecture, which may be supported by risk assessment tools and proactive practices, appropriate security controls, risk management techniques and countermeasures to information security threats and vulnerabilities.
