2020/06/01 12:24:31

Check List: 10 important steps in assessing a bank's information security (IS) risks

TAdviser continues its series of publications in a new format, "Check List." In these materials we share useful practical information containing tips and instructions on the use of various technologies. Tatyana Stramous, an expert in the consulting department of the Information Security Center at Jet Infosystems, explains how to correctly assess information security risks in financial organizations.


Understanding the need

Do not downplay the business significance of IS risks

Information security risk is the risk associated with loss of confidentiality, integrity or availability of the company's information assets. It can give rise to risks in other areas, for example quality, environmental protection, labor protection or industrial safety.


Integrate IS risks into the bank-wide approach to risk management

ISO 31000 defines risk assessment as part of the risk management process. That process consists of systematic activities: applying policies, procedures and practices to communication and consultation, establishing the context, and identifying, analyzing, evaluating, treating and monitoring risks.

Figure: Place of risk assessment in the risk management process (ISO 31000 Risk management. Guidelines)

Including IS risks in the bank-wide risk management system achieves two goals:

• it speeds up the response to a risk event, since some areas are extremely sensitive to reaction time;
• it avoids duplication of functions: financial institutions often treat "cyber risk" as part of "operational risk," yet in many banks different departments that do not interact with each other are responsible for these types of risk. As a result, the same risks are assessed at least twice, and the bank loses money on excessive operating expenses.

Take into account that the consequences of different IS risks set in at different speeds

Financial institutions, and not only they, rarely take into account that different events unfold at different speeds. The materialization of the same IS risk in a bank will produce consequences at different rates in different processes, divisions or systems. That is, some areas will be more sensitive than others to a given risk, primarily in terms of the constraints on response time to a risk event.

Take into account regulatory requirements of the Russian Federation

When assessing IS risks, financial institutions should take into account the provisions of the legislative and regulatory acts of the Russian Federation applicable to the banking sector:

• Federal Law of June 27, 2011 No. 161-FZ "On the National Payment System" (FZ-161);
• GOST R 57580.1-2017 "Security of financial (banking) operations. Protecting the information of financial institutions. Basic composition of organizational and technical measures";
• Regulation of the Bank of Russia dated January 9, 2019 No. 672-P "On requirements for the protection of information in the payment system of the Bank of Russia";
• Regulation of the Bank of Russia dated April 17, 2019 No. 683-P "On the establishment of mandatory requirements for credit organizations for the protection of information when carrying out banking activities in order to prevent money transfers without the consent of the client";
• Regulation on the implementation of Money on the implementation of information

Bank of Russia standards, such as:

• "Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing risks of violation of information security" (RS BR IBBS-2.2-2009);
• "Ensuring information security of organizations of the banking system of the Russian Federation. Information security risk management during outsourcing" (STO BR IBBS-1.4-2018).

Consider best practices

They are often neglected in favor of local requirements. However, in order to build the IS risk assessment process correctly, including developing a methodology, you should pay attention to the best world practices set out in the following standards:

• ISO 31000:2018 "Risk management — Guidelines";
• IEC 31010:2019 "Risk management — Risk assessment techniques";
• ISO/IEC 27005:2018 "Information technology — Security techniques — Information security risk management".

Preparation for evaluation

Choose a common risk assessment methodology

There are several critical criteria:

• The assessment should follow a comprehensive and consistent methodology. That methodology, in turn, should take into account the needs and expectations of all interested parties, including the bank's shareholders, managers, employees, customers and suppliers.
• The assessment must be dynamic. Most often IS risks are assessed by a discrete method (at fixed time intervals), which does not allow the dynamics of changes in internal and external factors to be taken into account. In practice the process is started once a year, but the need may arise much more often, for example when significant changes occur, that is, events that affect the company's ability to achieve its business goals. Each company determines for itself what counts as a significant change; examples are global changes in industry legislation, restructuring of the company, or an upgrade of the IT infrastructure or of one of the company's key information systems.
• The results of the assessment should be clear to the business.

"A large bank did not have a formalized methodology for assessing IS risk, but approaches had been developed to producing an assessment report in a form quite understandable to the business," says Tatyana Stramous. "We suggested establishing evaluation criteria, including scales for assessing the likelihood of risk implementation scenarios. After these criteria were agreed with the bank's internal stakeholders, the speed of carrying out the IS risk assessment doubled and its results became comparable. In fact, we helped the bank increase the effectiveness of the risk assessment process and made it possible to move toward a dynamic IS risk assessment instead of the previously accepted discrete one."

Identify Risk Owner

A risk owner must be determined for each IS risk at the identification stage. Otherwise it will be difficult to implement risk treatment measures and to monitor their implementation. The procedure for appointing IS risk owners must be approved at the level of the bank's management board; the absence of a formal procedure may lead to delays in funding.

"In one of the Russian banks there was a problem with determining the source of financing for IS risk treatment measures," comments Tatyana Stramous. "Each time there were long discussions about which division's budget should fund the IS risk assessment project. Our team suggested that the bank improve the IS risk assessment methodology in use and harmonize it with the provisions of the ISO 31000:2018 standard, and then approve it at management level. Under our proposal, the role of risk owner was to be taken by the heads of those business departments whose activities could be most affected by the realization of a given IS risk."

Select the Performer

Risk assessment is usually initiated by specialists of the bank's IS service. It can be conducted:

• By the bank itself. In this case the process involves specialists of the IT departments and of the departments responsible for operational risk assessment, lawyers, and representatives of the HR service and business departments.
• With the involvement of third-party specialists. Such services are provided by consulting companies and integrators specializing in information security. In this case it is important that the external specialists work on the project in close contact with the bank divisions listed above.

Assessment

Carry Out the Risk Assessment Stages

According to ISO 31000:2018, risk assessment involves three stages:

1. Identification

The bank, based on knowledge of its IS context (the internal and external factors relevant to the bank's IS), draws up a list of IS risks that may be relevant. Experts recommend describing each identified IS risk together with its causes and the possible consequences of its realization.

2. Analysis

Each risk is considered in terms of its source, its realization scenarios, the bank assets exposed to those scenarios, its likelihood of realization and its impact on the bank's goals. The scales established in the risk assessment methodology are used for the analysis. Such scales can be qualitative or quantitative and take into account the effects of the risk in financial and legal terms, for business continuity and for other factors. The result of this stage is the level of each IS risk, that is, the magnitude of the risk expressed as a combination of its consequences (impacts) and their probability.

3. Evaluation (formal ranking of risks)

The results of the analysis are compared with the risk criteria to establish whether each risk (and/or its magnitude) is acceptable or tolerable, that is, to determine its significance in terms of the bank's risk appetite.
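The three stages above, together with the earlier points about assigning a risk owner and about the different speeds at which consequences set in, can be exercised on a small risk register. The following is an added example written for this page, not code from the article or from Jet Infosystems; the 1..5 scales, the appetite thresholds, the field names and the sample risks are all assumptions chosen for illustration, and a bank would take its own from its approved methodology.

```python
"""Added worked example: a minimal IS risk register that walks through the
ISO 31000 stages described above (identification, analysis, evaluation).
Scales, thresholds and sample risks are assumptions, not real bank data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed qualitative scales, each mapped to an ordinal 1..5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}

# Assumed risk criteria: risk appetite expressed as thresholds on the 1..25 level.
ACCEPTABLE_MAX = 6    # level <= 6  -> acceptable (no treatment required)
TOLERABLE_MAX = 12    # level <= 12 -> tolerable (treat when resources allow)
                      # level >  12 -> unacceptable (treatment mandatory)


@dataclass
class Risk:
    name: str
    cause: str                         # what gives rise to the risk
    consequence: str                   # what happens to the bank if it materializes
    likelihood: str                    # key into LIKELIHOOD
    impact: str                        # key into IMPACT
    owner: Optional[str] = None        # business head accountable for treatment
    onset_hours: Optional[int] = None  # how quickly consequences set in

    def level(self) -> int:
        """Analysis: risk level as the combination of likelihood and impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk) -> str:
    """Evaluation: compare the analysed level against the risk criteria."""
    lvl = risk.level()
    if lvl <= ACCEPTABLE_MAX:
        return "acceptable"
    if lvl <= TOLERABLE_MAX:
        return "tolerable"
    return "unacceptable"


def identification_gaps(register: List[Risk]) -> List[str]:
    """Identification checks: every risk needs a cause, a consequence and an owner."""
    gaps = []
    for r in register:
        if not r.cause.strip() or not r.consequence.strip():
            gaps.append(f"{r.name}: cause or consequence not described")
        if r.owner is None:
            gaps.append(f"{r.name}: no risk owner assigned")
    return gaps


def ranked(register: List[Risk]) -> List[Risk]:
    """Treatment order: highest level first; among equal levels, the risk whose
    consequences set in fastest comes first, and unknown onset goes last."""
    far_future = 10**9
    return sorted(
        register,
        key=lambda r: (-r.level(),
                       r.onset_hours if r.onset_hours is not None else far_future),
    )


def report(register: List[Risk]) -> List[Tuple[str, int, str, Optional[str]]]:
    """Documented result: (name, level, verdict, owner) in treatment order."""
    return [(r.name, r.level(), evaluate(r), r.owner) for r in ranked(register)]


# Constructed sample register (illustrative values, not real bank data).
SAMPLE_REGISTER = [
    Risk("Account takeover via phishing", "credential phishing of clients",
         "unauthorized transfers, refunds to clients", "likely", "major",
         owner="Head of Retail Banking", onset_hours=2),
    Risk("Backup integrity loss", "silent corruption of backup media",
         "inability to restore core systems", "possible", "critical"),
    Risk("Core banking outage", "failure of the core banking platform",
         "suspended payments and branch operations", "possible", "major",
         owner="Head of Operations", onset_hours=1),
    Risk("Printout leakage", "confidential printouts left at shared printers",
         "minor confidentiality breach", "unlikely", "minor",
         owner="Head of Administration", onset_hours=72),
]

if __name__ == "__main__":
    for gap in identification_gaps(SAMPLE_REGISTER):
        print("GAP:", gap)
    for row in report(SAMPLE_REGISTER):
        print(row)
```

Running it flags the backup risk as having no owner, which is exactly the situation the article warns leads to funding delays, and ranks the register with the two unacceptable risks first. The onset-time tie-breaker is one simple way to encode the point that equally rated risks may still demand different response times; a bank could instead make onset a separate column in its scales.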

Document Results

It is recommended that documented evidence be produced to support the risk assessment process and its results.

More information about assessing a bank's IS risks can be obtained from the experts of Infosystems Jet.
