RiskWatch for Financial Institutions™

RiskWatch for Financial Institutions™ creates a comprehensive compliance risk assessment (the required self-assessment) matched to FFIEC guidance: the FFIEC Information Technology (IT) Examination Handbook, the Red Flag identity theft rules, GLBA and more. The software includes the risk assessment compliance template, with role-based compliance questions drawn directly from the requirements, as well as web-based survey programs and a complete written report, augmented by working papers that explain how each element was generated.

FINISH YOUR RED FLAG ASSESSMENT with Easy to Use, Affordable Software. It includes complete assessment versions for GLBA (Gramm Leach Bliley), the Red Flag Identity Theft Standard and Bank Secrecy Act (BSA) assessment standards. Sarbanes Oxley (SOX) is also available upon request. Web-based or server-based online questionnaires make it easy to gather role-based data, and generate management reports with working papers and complete audit trails.

Presented as the only fully standardized way to meet the new Red Flag and risk assessment requirements, RiskWatch for Financial Institutions is used by banks, insurance companies, trusts and savings banks, and by technical service providers such as payment processors.


  1. HOW TO DO RISK ASSESSMENTS AND DEMONSTRATE COMPLIANCE WITH FFIEC & BSA
     RiskWatch for Financial Institutions
  2. RiskWatch for Financial Institutions: Regulator-Approved Software to Self-Assess against FFIEC 2006 Guidelines & Pandemic Flu
  3. Agenda for 45 Minute Webinar
     1. Intro to Risk Assessment and RiskWatch
     2. Review of Risk Requirements and Their Implications
     3. Actual Risk Software at Work
     4. Review of an Actual Risk Report
     5. Inclusion of Detailed Working Papers
     6. Conclusion
  4. The Environment
     • Information Technology
       • IT has become an important part of most organizations
       • New federal and international standards require more IT risk assessment
     • Regulatory Compliance
       • Sarbanes Oxley has increased the accountability of management
       • New regulations for credit unions
       • Pandemic Flu assessments now required
  5. RISKWATCH®: A comprehensive and integrated enterprise software tool that automates the surveying, data collection, compliance and risk assessment needed to meet self-assessment requirements.
  6. RiskWatch Meets & Exceeds the Action Summary from the FFIEC IT Examination Handbook, July 2006
     “Financial institutions must maintain an ongoing information security risk assessment that:
     • Gathers data regarding the information and technology assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
     • Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
     • Prioritizes the risk present due to threats and vulnerabilities to determine appropriate levels of training, controls and testing necessary for mitigation.” (FFIEC, July 2006)
  7. Compliance Regulations, Standards and Guidelines
     • Information Security: ISO 17799; NIST 800-26, NIST 800-53; ISO/IEC 17799:2005; ISO/IEC 27001; Office of Management and Budget (OMB) A-123, A-124, A-127 and A-130; COBIT 4
     • Utilities: NERC CIP-002 through CIP-009 (North American Electric Reliability Council, Critical Infrastructure Protection); Nuclear Power Generators: NRC (Nuclear Regulatory Commission) & NEI (Nuclear Energy Institute)
     • Financial & Regulatory Compliance: GLBA (Gramm Leach Bliley Act); FFIEC Audit Framework for Information Security and for Risk Analysis; California SB 1386 (Identity Theft); Bank Secrecy Act (BSA); PCI Data Security Standard; Sarbanes Oxley Act
     • HIPAA (Health Insurance Portability and Accountability Act of 1996): Privacy Rule, April 2004 (annual); Final Security Rule, April 2005
  8. NEW FFIEC Guidance, July 27, 2006
  10. RESPONSIBILITY AND ACCOUNTABILITY
     The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for:
     • Central oversight and coordination,
     • Assignment of responsibility,
     • Risk assessment and measurement,
     • Monitoring and testing,
     • Reporting, and
     • Acceptable residual risk.
  11. Federal Reserve Bank Letter December 2007 requires Pandemic Flu Planning
     The Federal Reserve and the other FFIEC agencies believe the potentially significant effects a pandemic could have on an institution justify establishing plans to address how each institution will manage a pandemic event. Accordingly, an institution’s business continuity plan should include:
     • A preventive program to reduce the likelihood that the institution’s operations will be significantly affected by a pandemic event;
     • A documented strategy that provides for scaling pandemic efforts commensurate with the particular stages of a pandemic outbreak;
     • A comprehensive framework of facilities, systems, or procedures to continue critical operations if large numbers of staff members are unavailable for prolonged periods;
     • A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue; and
     • An oversight program to ensure ongoing review and updates to the pandemic plan.
  12. What Is Risk Assessment?
     A process used to determine what controls are needed to protect critical or sensitive assets adequately and cost-effectively. The process examines five variables:
     1. Specific Assets to be protected (value)
     2. Potential Threats to the various assets
     3. Vulnerabilities that would allow the threats to materialize
     4. Kinds of Losses that the threats could cause
     5. Safeguards that would reduce the loss or eliminate the threats
  13. WHAT’S RISKWATCH?
     • Since 1993, RiskWatch has been the Leader in Security Risk Assessment Software
     • NIST-CSE Model Builder’s Workshop on Risk Assessment & the NSA Rating Model Workshops, 1988 - 1995
     • Participated in the Working Group to Write the DOD Directive on Risk Management under the Office of the Secretary of Defense, 1996-1998
     • Participated in the Dept. of Justice Working Group on Vulnerability Assessment Models for Homeland Security, 2003
     • ASIS International, ITSC Council: Caroline Hamilton
     • IBM Data Governance Council: Caroline Hamilton
  14. RiskWatch is The First Choice in Security Risk Assessment Software
     • Proven Methodology: Field Tested with Users for over Ten Years and Guaranteed to Meet Federal Risk Assessment Requirements
     • Automated Survey Utility
     • Completely Customizable by Users
     • Favorable Gartner Group Rating
     • First Choice for Top Tier Consultants
     • Based on the latest Federal and Audit Standards
  15. RiskWatch Products 9.3
     • RiskWatch for Financial Institutions
     • RiskWatch for ISO 17799 & 27001
     • RiskWatch for HIPAA
     • RiskWatch for Sarbanes Oxley (SOX)
     • RiskWatch for Federal Systems
     • RiskWatch for Electrical Utilities (NERC)
     • RiskWatch for Nuclear Power (NEI-NRC)
     • RiskWatch for Physical & Homeland Security
     • CASEWORKS
  16. From the Gartner Group Report
     “RiskWatch, Inc., is positioned as the leading "rescuer" of a massive private and public market constrained by fear of loss in terms of dollars and human life. Its unique form of rescue is in its before-the-fact nature. The RiskWatch tools credibly guide the users through a process to qualify its security situation concerning threats, assets, potential loss, vulnerabilities, and safeguards. The client has the opportunity to establish its own image and foundation of security through RiskWatch's regulatory and quality compliance and accreditation tools and functions. Through its quantitative methods and automated functions, RiskWatch arms the analysts and decision-makers with a solid risk management analysis based on the ALE balanced with the ROI. Once the client establishes the security policies, the plan is deployed and its life cycle managed within the framework of RiskWatch. RiskWatch brings financially realized value to the client and the management vehicle and standards to follow.”
  17. RISKWATCH® Value
     • Reduces time involved in performing a Risk Analysis by 70%
     • Users are able to customize software to fit their own profile
     • Meets audit requirements for risk assessment
     • Content is frequently updated and shipped to users
     • Web-based survey process involves management and the user community
     • Quantifies risk and provides ROI metrics
     • Automated report generation, including working papers and a complete management-ready case summary report
  18. Why RiskWatch Stays Number One
     “What sets RiskWatch apart from its competitors is its focus on risk analysis for security management, its ability to handle large volumes of information, and its large number of customizable features.” (Gartner Group)
     • RiskWatch has Hundreds of Users
     • Complete Technical Support: Gold & Platinum Levels of Support
     • Ambassador Program for Extra Support
     • Comprehensive Training Programs Monthly
     • On-Site Training Also Available by Request
  19. RiskWatch Clients
  20. RISKWATCH® Risk Assessment Process (diagram labels)
     • Automated Survey Management
     • Process Management
     • Data Aggregation & Analysis
     • Content (Rules & Data)
     • Risk Analysis
     • Customization
     • Reporting
     • Participants: Respondents, Analyst(s)
  21. ELEMENTS OF A METRICS-BASED RISK ASSESSMENT APPROACH: ASSETS, THREATS, VULNERABILITIES, LOSSES, SAFEGUARDS
  22. Data Aggregation & Analysis: Software Automatically Analyses Over 3 Million Linking Relationships
     Risk = Asset → Loss → Threat → Vulnerability (diagram of linked relationships, e.g. Financial Data)
     • Asset: Applications, Database, Financial Data, Hardware, System Software
     • Loss: Delays & Denials, Fines, Disclosure, Modification, Direct Loss
     • Threat: Disclosure, Hackers, Fraud, Viruses, Network Attack, Loss of Data, Embezzlement
     • Vulnerability: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control
  23. Progress at a Glance: Tracks the Case
  24. Valuing Assets: RiskWatch Auto-Populates Asset Values
  25. RISKWATCH PROVIDES AGGREGATED THREAT DATA, OR YOU CAN OVERWRITE STANDARD AVERAGES WITH YOUR OWN ORGANIZATIONAL DATA
     • Quantified threat data is hard to find.
     • Categories of Threats: Natural Disasters, Criminal Activity, Terrorism, Theft, Systems Failures
     • Collect data from Web Sources, government data, weather data, crime casts, global info services, access control systems, incident logs.
     • Use data from internally collected sources.
  26. THREAT FREQUENCIES ARE PROVIDED AND CAN ALSO BE TAILORED WITH CUSTOMER DATA SUCH AS PENETRATION TEST DATA
  27. Web-Based Surveys Facilitate Respondent Answers (Automated Survey Management)
  28. YOU CAN SELECT QUESTIONS THAT MAP EXACTLY TO THE FFIEC, ISO-17799, GLBA or SB 1386 STANDARD
  29. Each question uses actual security regulations as control standards and is linked to appropriate Functional Areas
  30. Respondents Can Answer Questions over the Web with full ASP functionality
  31. Fully Automated Web-based Surveys make it Easy to Involve Key Employees
     • Over the web, via ASP link
     • Questionnaire Diskettes
     • E-mail Attached File
     • On a laptop with analyst present
     • With Paper Questionnaires
     USERS DON’T HAVE TO HAVE RISKWATCH TO ANSWER ELECTRONIC SURVEYS
  32. Pre-selects Appropriate Loss Categories
     • Delays and Denials of Service
     • Disclosure
     • Direct Loss (Data Loss)
     • Modification of Data
     • Indirect Loss
     • Intangibles (Reputation)
  33. INCLUDES ALL IT-REQUIRED SAFEGUARD CATEGORIES
  34. EACH POTENTIAL SAFEGUARD INCLUDES DEFAULT VALUES FOR COST, MAINTENANCE AND LIFE CYCLE
  35. Reports: Results From Dozens Of Employees Are Instantly Aggregated And Analyzed
  36. RESULTS FROM THE RISK ASSESSMENTS
     • Measurable data which can be benchmarked
     • Prove validity of findings with full audit trails
     • Standardized methodology meets regulators’ standards
     • Writes a variety of fully automated management reports, including working papers
  37. MITIGATION STRATEGIES
     1. Accept Risk
     2. Transfer Risk
     3. Mitigate Risk
     4. Better Risk Reactions
     5. Dealing with Residual Risk
  38. The Case Summary Report Is Pre-Written for Management
  39. EASY TO UNDERSTAND GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE
  40. Vulnerability Distribution Report Shows the Weak Compliance/Security Areas
  41. Vulnerability Distribution Report Shows the Weak Compliance/Security Areas
  42. Track Compliance by Individual
  43. Vulnerability reports include complete audit trails and powerful analysis tools
  44. Looking at Loss Expectancy by Type of Loss
  45. RiskWatch Calculates the Return on Investment & Recommends Cost Effective Security Controls
     In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI: for every dollar spent on updating the plan (estimated at $1,000 in total), the organization saves $2,000,000 in expected loss.
     • Finish Disaster Recovery Plan 2000:1
     • Finish the Security Plan 1200:1
     • Complete Security Training 943:1
  46. SAFEGUARD REPORT: RECOMMENDED CONTROLS BY RETURN ON INVESTMENT
  47. Demonstrates Reduction in Loss Expectancy by Applying Overlapping Layers of Protection from Implementing Top Recommended Controls
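Added worked example (my own Python, not RiskWatch's code, data or algorithm): the annualized loss expectancy (ALE) arithmetic behind the loss-expectancy, ROI and layered-protection slides above, built on the five variables from the "What Is Risk Assessment?" slide and the cost, maintenance and life-cycle defaults from the safeguard slide. Every asset value, threat frequency, exposure factor and safeguard effectiveness figure is constructed; the first two safeguards are chosen so the ranking reproduces the deck's 2000:1 and 1200:1 ratios, the training figure does not match the deck. That overlapping safeguards compound multiplicatively is also an assumption of this example, not something the deck states.

```python
"""Annualized loss expectancy (ALE), safeguard ROI and layered residual risk.

Added illustration, not RiskWatch's own code or data. It models the five
variables from the "What Is Risk Assessment?" slide (assets, threats,
vulnerabilities, losses, safeguards) with the standard ALE method:

    SLE = asset value * exposure factor        (loss per occurrence)
    ALE = SLE * annual rate of occurrence      (expected loss per year)
    ROI = ALE avoided / annualized safeguard cost

Vulnerabilities are represented implicitly by the exposure factor and
effectiveness figures. Every number below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # dollar value at risk


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float  # expected occurrences per year (ARO)


@dataclass(frozen=True)
class Exposure:
    """An asset/threat pairing: how much of the asset one occurrence costs,
    and which loss category the slides would file it under."""
    asset: Asset
    threat: Threat
    loss_category: str
    exposure_factor: float  # 0.0 .. 1.0, fraction of asset value lost

    def annual_loss(self) -> float:
        return self.asset.value * self.exposure_factor * self.threat.annual_frequency


@dataclass(frozen=True)
class Safeguard:
    """A control with the cost, maintenance and life-cycle defaults the
    safeguard slide mentions, plus an assumed effectiveness per threat."""
    name: str
    purchase_cost: float
    annual_maintenance: float
    life_years: int
    covers: frozenset  # names of the threats it reduces
    effectiveness: float  # fraction of covered loss it removes (assumption)

    def annual_cost(self) -> float:
        return self.purchase_cost / self.life_years + self.annual_maintenance


def ale_by_loss_type(exposures):
    """ALE summed per loss category ("Loss Expectancy by Type of Loss")."""
    totals = {}
    for e in exposures:
        totals[e.loss_category] = totals.get(e.loss_category, 0.0) + e.annual_loss()
    return totals


def residual_ale(exposures, safeguards):
    """ALE remaining after overlapping safeguards. Layers compound: each
    covering safeguard removes its share of what earlier layers let through."""
    total = 0.0
    for e in exposures:
        remaining = 1.0
        for s in safeguards:
            if e.threat.name in s.covers:
                remaining *= 1.0 - s.effectiveness
        total += e.annual_loss() * remaining
    return total


def safeguard_roi(exposures, safeguard):
    """Loss avoided per dollar of annualized cost (the slides' N:1 ratio)."""
    baseline = sum(ale_by_loss_type(exposures).values())
    avoided = baseline - residual_ale(exposures, [safeguard])
    return avoided / safeguard.annual_cost()


def rank_safeguards(exposures, safeguards):
    """Safeguard report: controls ordered by ROI, best first."""
    ranked = [(s.name, round(safeguard_roi(exposures, s))) for s in safeguards]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample case (values chosen to reproduce the slide's 2000:1 and
# 1200:1 ratios; the training figure is arbitrary).
CORE = Asset("Core banking application", 10_000_000)
CUSTOMERS = Asset("Customer database", 4_000_000)
WORKSTATIONS = Asset("Workstation fleet", 500_000)

EXPOSURES = [
    Exposure(CORE, Threat("Systems failure", 0.5), "Delays and denials", 0.5),
    Exposure(CUSTOMERS, Threat("Hackers", 0.25), "Disclosure", 1.0),
    Exposure(CUSTOMERS, Threat("Fraud", 2.0), "Modification", 0.125),
    Exposure(WORKSTATIONS, Threat("Viruses", 4.0), "Direct loss", 0.1),
]

SAFEGUARDS = [
    Safeguard("Finish Disaster Recovery Plan", 1_000, 0, 1, frozenset({"Systems failure"}), 0.8),
    Safeguard("Finish the Security Plan", 3_000, 0, 3, frozenset({"Hackers", "Fraud"}), 0.6),
    Safeguard("Complete Security Training", 0, 1_500, 1, frozenset({"Fraud", "Viruses"}), 0.5),
]

if __name__ == "__main__":
    for category, loss in ale_by_loss_type(EXPOSURES).items():
        print(f"{category:<20} ALE ${loss:>12,.0f}")
    for name, roi in rank_safeguards(EXPOSURES, SAFEGUARDS):
        print(f"{name:<32} {roi}:1")
    print(f"Residual ALE with all three: ${residual_ale(EXPOSURES, SAFEGUARDS):,.0f}")
```

The ROI here is the deck's loss-avoided-to-cost ratio, not a net figure: a control whose annualized cost exceeds the loss it avoids shows a ratio below 1:1 and belongs at the bottom of the safeguard report. The effectiveness numbers are the weakest input; in practice they come from the vulnerability survey answers and, as the threat-frequency slide suggests, from penetration-test data, and they should be kept with the working papers so the audit trail explains each ranking.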
  48. THE BOTTOM LINE
     • Regulators are going to continue to push for more risk assessments to be performed annually.
     • A RiskWatch risk assessment is the foundation of the IT security program and of the Governance, Risk and Compliance program.
     • RiskWatch is the best way to meet NCUA risk analysis requirements and to self-assess compliance by requirement.
     • Get Special Pricing and Free Training in Annapolis by emailing [email_address].
  49. www.riskwatch.com
