The quality of security controls can significantly influence all categories of risk. The various FFIEC agencies have different names for the various categories of risk. The Federal Reserve includes six types of risk, which are credit, market, liquidity, operational, legal, and reputational. The OCC includes nine types of risk, which are credit, interest rate, liquidity, price, foreign exchange, transaction, compliance, reputation, and strategic. This booklet uses the Federal Reserve categories with the addition of strategic risk and the assumption that market risk includes interest rate risk, price risk, and foreign exchange risk.

Traditionally, examiners and institutions recognized the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk. Effective application access controls can strengthen credit and market risk management by enforcing risk limits on loan officers or traders. For example, if a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.
An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a pre-requisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.
Risk assessments for most industries focus only on the risk to the business entity. Financial institutions must also consider the risk to their customers' information. For example, the 501(b) guidelines require financial institutions to "protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."
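The process the booklet describes (identify and value assets, analyse them against threats and vulnerabilities, rank the resulting risks, and carry customer-information harm and the institution's risk categories through the ranking) is shown below as an added worked example. It is not from the booklet or any FFIEC agency; the asset names, threat names, rating scales and the impact-times-likelihood-times-exploitability scoring are constructed assumptions chosen for illustration.

```python
"""Minimal information security risk assessment in the shape the booklet
describes: asset valuation, threat/vulnerability analysis, ranked output.
All names, ratings and the scoring rule are constructed assumptions."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1 (low) .. 5 (high): harm if disclosed
    integrity: int         # harm if altered without authorisation
    availability: int      # harm if unavailable
    customer_info: bool    # holds customer information (501(b) scope)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    affects: tuple         # which of "C", "I", "A" the threat degrades


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    vulnerability: int     # 1 (strong controls) .. 5 (no effective control)
    categories: tuple      # institution risk categories this exposure feeds


RATING = {"C": "confidentiality", "I": "integrity", "A": "availability"}


def impact(asset, threat):
    """Asset valuation for this threat: the highest rating among the
    properties the threat affects, raised by one (capped at 5) when the
    asset holds customer information, because harm to customers adds
    legal and reputation exposure beyond the entity's own loss."""
    base = max(getattr(asset, RATING[p]) for p in threat.affects)
    return min(5, base + 1) if asset.customer_info else base


def risk_score(asset, threat, exposure):
    # Impact x likelihood x exploitability: 1..125, higher ranks first.
    return impact(asset, threat) * threat.likelihood * exposure.vulnerability


def rank_risks(assets, threats, exposures):
    """Return (score, asset, threat, categories) tuples, highest risk first;
    this is the ranked list of risks to mitigate."""
    assets_by_name = {a.name: a for a in assets}
    threats_by_name = {t.name: t for t in threats}
    ranked = []
    for e in exposures:
        a, t = assets_by_name[e.asset], threats_by_name[e.threat]
        ranked.append((risk_score(a, t, e), a.name, t.name, e.categories))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def risk_by_category(ranked):
    """Highest security-driven score per risk category, so each category's
    risk assessment can take the security contribution into account."""
    worst = defaultdict(int)
    for score, _, _, cats in ranked:
        for c in cats:
            worst[c] = max(worst[c], score)
    return dict(worst)


# Constructed sample inventory (illustrative only).
ASSETS = [
    Asset("core banking database", 5, 5, 5, customer_info=True),
    Asset("public web site", 1, 3, 3, customer_info=False),
    Asset("trading platform", 3, 5, 4, customer_info=False),
]
THREATS = [
    Threat("external intrusion", 4, ("C", "I")),
    Threat("trader exceeds authority", 2, ("I",)),
    Threat("web site defacement", 3, ("I", "A")),
]
EXPOSURES = [
    Exposure("core banking database", "external intrusion", 3,
             ("operational", "legal", "reputation")),
    Exposure("trading platform", "trader exceeds authority", 4,
             ("market", "operational")),
    Exposure("public web site", "web site defacement", 4, ("reputation",)),
]

if __name__ == "__main__":
    ranked = rank_risks(ASSETS, THREATS, EXPOSURES)
    for score, asset, threat, cats in ranked:
        print(f"{score:4d}  {asset:24s} {threat:26s} {', '.join(cats)}")
    print(risk_by_category(ranked))
```

With the sample data the core banking database ranks first even though its exploitability rating is the lowest, because its valuation and the customer-information weighting dominate; the trading-platform exposure illustrates how an access-control weakness surfaces in the market risk category rather than only in operational risk. In practice the ratings come from the institution's own asset inventory and control testing, and the ranked list is re-run as part of the ongoing program rather than once.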