Pub. 9 2014-2015 Issue 5

www.nebankers.org 20 Extraordinary Service for Extraordinary Members. I NFORMATION SECURITY, AND REALLY security of any kind, always starts with a risk assessment. This may not be a formal process—you prob- ably didn’t bust out an Excel spread- sheet prior to installing an alarm system at your house, but I’d be willing to bet that you’ve informally assessed the risk of someone robbing your home. If you’re me, you decided the secondhand furni- ture you own didn’t warrant paying an alarm fee every month. Someone living in a city with a high-rate who owns nice things, however, would assess the risk differently and probably come to a dif- ferent conclusion. Assessing risk is an integral part of decision making. As an information se- curity consultant, I see many banks that don’t think of a risk assessment that way. They think of it as a chore that must be done annually so theywon’t get in trouble with an examiner—compliance for com- pliance sake. I’m on a mission to change TECH TALK that perception, so I’mhighlighting a few options or items you can add to your risk assessment tomake it your own and give it meaning and value for your bank. Threat-Based Versus Asset- Based Risk Assessments One question I hear a lot is, “Which of these risk assessments is better?” My answer is both! Threat-based and asset-based risk assessments (RAs) are both valuable in different ways. A threat- based RA is going to list multiple threats to information security and include risk levels and other details for each threat. It can give you a big picture of where your institution stands on information security threats and how adequate your controls are. An asset-based RA will start with an information asset (any machine, cabinet, or person holding in- formation). Each threat to information, threat details, and risk levels would then be listed within the context of that one asset. It can give you a more detailed look at a smaller piece of your informa- tion security puzzle. Most institutions can benefit from a hybrid approach to risk assessment. One big snapshot RA and more detailed RAs as needed. Inherent Versus Residual Risk Most people are familiar with re- sidual, or overall, risk ratings. It means you’ve thought about the likelihood that something bad could happen, the poten- tial damage if it did happen, and all the controls you have in place to prevent it from happening or to at least make it less painful. With all this in mind, you arrive at an overall risk rating. Inher- ent risk is the initial risk—the risk you come to without thinking of your con- trols, when you’re only considering the likelihood of this threat occurring and the damage it could cause if it did. An inherent risk rating is not a universal re- quirement for information security risk assessments, but some examiners have been known to “encourage” it. Looking at the difference between inherent and residual risk ratings can help from an auditing perspective. If you look at an asset that started out with a high inher- Creating a Risk Assessment You Can Use Stephanie Chaumont , CISSP, CISA, Security+, CoNetrix