HOW TO DO RISK ASSESSMENTS AND DEMONSTRATE COMPLIANCE WITH FFIEC & BSA  RiskWatch for Financial Institutions
RiskWatch for Financial Institutions
Regulator-Approved Software to Self-Assess against FFIEC 2006 Guidelines & Pandemic Flu

Agenda for 45-Minute Webinar
1. Intro to Risk Assessment and RiskWatch
2. Review of Risk Requirements Implication
3. Actual Risk Software at Work
4. Review of Actual Risk Report
5. Inclusion of Detailed Working Papers
6. Conclusion
The Environment
Information Technology: IT has become an important part of most organizations. New federal and international standards require more IT risk assessment.
Regulatory Compliance: Sarbanes-Oxley has increased the accountability of management. New regulations apply to credit unions. Pandemic Flu assessments are now required.

RiskWatch®: a comprehensive and integrated enterprise software tool that automates the surveying, data collection, compliance & risk assessment needed to meet self-assessment requirements.
RiskWatch Meets & Exceeds the Action Summary from the FFIEC IT Examination Handbook, July 2006
“Financial institutions must maintain an ongoing Information security risk assessment that:
• Gathers data regarding the information and technology assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements.
• Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
• Prioritizes the risk present due to threats and vulnerabilities to determine appropriate levels of training, controls and testing necessary for mitigation.”
-- FFIEC, July 2006

Compliance Regulations, Standards and Guidelines
Information Security: ISO 17799; NIST 800-26, NIST 800-53; ISO/IEC 17799:2005; ISO/IEC 27001; Office of Management and Budget (OMB) A-123, A-124, A-127, and A-130; COBIT 4
Utilities: NERC CIP 002-009 (North American Electric Reliability Council) Critical Infrastructure Protection
Nuclear Power Generators: NRC (Nuclear Regulatory Commission) & NEI (Nuclear Energy Institute)
Financial & Regulatory Compliance: GLBA (Gramm-Leach-Bliley Act); FFIEC Audit Framework for Information Security and for Risk Analysis; California SB 1386 (Identity Theft); Bank Secrecy Act (BSA); PCI Data Security Standard; Sarbanes-Oxley Act
HIPAA (Health Insurance Portability and Accountability Act of 1996): Privacy Rule -- April 2004 - Annual; Final Security Rule -- April 2005
NEW FFIEC Guidance, July 27, 2006
RESPONSIBILITY AND ACCOUNTABILITY
The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for:
• Central oversight and coordination,
• Assignment of responsibility,
• Risk assessment and measurement,
• Monitoring and testing,
• Reporting, and
• Acceptable residual risk.

Federal Reserve Bank Letter, December 2007, requires Pandemic Flu Planning
The Federal Reserve and the other FFIEC agencies believe the potentially significant effects a pandemic could have on an institution justify establishing plans to address how each institution will manage a pandemic event. Accordingly, an institution’s business continuity plan should include:
• A preventive program to reduce the likelihood that the institution’s operations will be significantly affected by a pandemic event;
• A documented strategy that provides for scaling pandemic efforts commensurate with the particular stages of a pandemic outbreak;
• A comprehensive framework of facilities, systems, or procedures to continue critical operations if large numbers of staff members are unavailable for prolonged periods;
• A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue; and
• An oversight program to ensure ongoing review and updates to the pandemic plan.

What Is Risk Assessment?
A process used to determine what controls are needed to protect critical or sensitive assets adequately and cost-effectively. The process examines five variable functions:
1. Specific Assets to be protected (value)
2. Potential Threats to the various assets
3. Vulnerabilities that would allow the threats to materialize
4. Kinds of Losses that the threats could cause
5. Safeguards that would reduce the loss or eliminate the threats
WHAT’S RISKWATCH?
Since 1993, RiskWatch has been the Leader in Security Risk Assessment Software
• NIST-CSE Model Builder’s Workshop on Risk Assessment & the NSA Rating Model Workshops, 1988-1995
• Participated in the Working Group to Write DOD Directive on Risk Management under the Office of the Secretary of Defense, 1996-1998
• Participated in Dept. of Justice Working Group on Vulnerability Assessment Models for Homeland Security, 2003
• ASIS International, ITSC Council - Caroline Hamilton
• IBM Data Governance Council - Caroline Hamilton

RiskWatch is The First Choice in Security Risk Assessment Software
• Proven Methodology - Field Tested with Users for over Ten Years and Guaranteed to Meet Federal Risk Assessment Requirements
• Automated Survey Utility
• Completely Customizable by Users
• Favorable Gartner Group Rating
• First Choice for Top Tier Consultants
• Based on the latest Federal and Audit Standards

RiskWatch Products 9.3
• RiskWatch for Financial Institutions
• RiskWatch for ISO 17799 & 27001
• RiskWatch for HIPAA
• RiskWatch for Sarbanes Oxley (SOX)
• RiskWatch for Federal Systems
• RiskWatch for Electrical Utilities (NERC)
• RiskWatch for Nuclear Power (NEI-NRC)
• RiskWatch for Physical & Homeland Security
• CASEWORKS
From the Gartner Group Report
“RiskWatch, Inc., is positioned as the leading "rescuer" of a massive private and public market constrained by fear of loss in terms of dollars and human life. Its unique form of rescue is in its before-the-fact nature. The RiskWatch tools credibly guide the users through a process to qualify its security situation concerning threats, assets, potential loss, vulnerabilities, and safeguards. The client has the opportunity to establish its own image and foundation of security through RiskWatch's regulatory and quality compliance and accreditation tools and functions. Through its quantitative methods and automated functions, RiskWatch arms the analysts and decision-makers with a solid risk management analysis based on the ALE balanced with the ROI. Once the client establishes the security policies—the plan is deployed and its life cycle managed within the framework of RiskWatch. RiskWatch brings financially realized value to the client and the management vehicle and standards to follow.”

RISKWATCH® Value
• Reduces time involved in performing a Risk Analysis by 70%
• Users are able to customize software to fit their own profile
• Meets audit requirements for risk assessment
• Content is frequently updated and shipped to users
• Web-based survey process - involves management and user community
• Quantifies risk and provides ROI metrics
• Automated report generation including working papers and complete management-ready case summary report

Why RiskWatch Stays Number One
“What sets RiskWatch apart from its competitors is its focus on risk analysis for security management, its ability to handle large volumes of information, and its large number of customizable features.” -- Gartner Group
• RiskWatch has Hundreds of Users
• Complete Technical Support - Gold & Platinum Levels of Support
• Ambassador Program for Extra Support
• Comprehensive Training Programs - Monthly On-Site Training Also Available by Request
RiskWatch Clients
RISKWATCH® Risk Assessment Process (process diagram): Automated Survey Management, Process Management, Data Aggregation & Analysis, Content (Rules & Data), Risk Analysis, Customization, Reporting; participants are the Respondents and the Analyst(s).

ELEMENTS OF A METRICS-BASED RISK ASSESSMENT APPROACH: ASSETS, THREATS, VULNERABILITIES, LOSSES, SAFEGUARDS

Data Aggregation & Analysis
Software automatically analyses over 3 million linking relationships for the Financial Data case.
Risk = Asset ↔ Loss ↔ Threat ↔ Vulnerability (each element is linked to the others)
Example categories from the diagram:
• Asset: Applications, Database, Financial Data, Hardware, System Software
• Loss: Delays & Denials, Fines, Disclosure, Modification, Direct Loss
• Threat: Disclosure, Hackers, Fraud, Viruses, Network Attack, Loss of Data, Embezzlement
• Vulnerability: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control
Progress at a Glance – Tracks the Case
Valuing Assets – RiskWatch Auto-Populates Asset Values

RISKWATCH PROVIDES AGGREGATED THREAT DATA, OR YOU CAN OVERWRITE STANDARD AVERAGES WITH YOUR OWN ORGANIZATIONAL DATA
Quantified threat data is hard to find.
• Categories of Threats: Natural Disasters, Criminal Activity, Terrorism, Theft, Systems Failures
• Collect data from web sources, government data, weather data, crime casts, global info services, access control systems, incident logs
• Use data from internally collected sources
THREAT FREQUENCIES ARE PROVIDED AND CAN ALSO BE TAILORED WITH CUSTOMER DATA SUCH AS PENETRATION TEST DATA
Web-Based Surveys Facilitate Respondent  Answers Automated Survey Management
YOU CAN SELECT QUESTIONS THAT MAP  EXACTLY TO THE FFIEC, ISO-17799, GLBA or SB 1386 STANDARD
Each question uses actual security regulations as control standards and is linked to appropriate Functional Areas
Respondents Can Answer Questions over the Web with full ASP functionality
Fully Automated Web-based Surveys make it Easy to Involve Key Employees
• Over the web, via ASP link
• Questionnaire diskettes
• E-mail attached file
• On a laptop with analyst present
• With paper questionnaires
USERS DON’T HAVE TO HAVE RISKWATCH TO ANSWER ELECTRONIC SURVEYS

Pre-selects Appropriate Loss Categories
• Delays and Denials of Service
• Disclosure
• Direct Loss (Data Loss)
• Modification of Data
• Indirect Loss
• Intangibles (Reputation)
INCLUDES ALL IT-REQUIRED SAFEGUARD CATEGORIES
EACH POTENTIAL SAFEGUARD INCLUDES DEFAULT VALUES FOR COST, MAINTENANCE AND LIFE CYCLE
Reports: Results from dozens of employees are instantly aggregated and analyzed.

RESULTS FROM THE RISK ASSESSMENTS
• Measurable data which can be benchmarked
• Prove validity of findings with full audit trails
• Standardized methodology meets regulators’ standards
• Writes a variety of fully automated management reports, including working papers

MITIGATION STRATEGIES
1. Accept Risk
2. Transfer Risk
3. Mitigate Risk
4. Better Risk Reactions
5. Dealing with Residual Risk
The Case Summary Report Is  Pre-Written for Management
EASY TO UNDERSTAND  GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE
Vulnerability Distribution Report Shows the Weak Compliance/ Security Areas
Track Compliance by Individual
Vulnerability reports include complete audit trails and powerful analysis tools
Looking at Loss Expectancy by Type of Loss
RiskWatch Calculates the Return on Investment & Recommends Cost-Effective Security Controls.
In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI – that means for every dollar spent on updating the plan (estimated at $1000), the organization saves $2,000,000.
• Finish Disaster Recovery Plan: 2000:1
• Finish the Security Plan: 1200:1
• Complete Security Training: 943:1
SAFEGUARD REPORT -- RECOMMENDED CONTROLS BY RETURN ON INVESTMENT
Demonstrates Reduction in Loss Expectancy by  Applying Overlapping Layers of Protection from Implementing Top Recommended Controls
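The five variables (assets, threats, vulnerabilities, losses, safeguards), the linking relationships, the ROI ranking of safeguards and the reduction from overlapping layers of protection can all be reproduced with a small annual-loss-expectancy model. The code below is an added example, not RiskWatch's code or its published method: the ALE/ROI formulas and every input value (including a case tuned to give the 2000:1 figure from the slide above) are assumptions made for illustration.

```python
"""Five-variable risk model (assets, threats, vulnerabilities, losses,
safeguards) that ranks safeguards by ROI and shows overlapping control layers.
Added example, not RiskWatch code; the ALE arithmetic is an assumption about
how figures like "2000:1" are derived, not the product's published method.
  SLE = asset value * fraction of value lost per successful event
  ALE = sum over links of threat frequency * vulnerability exposure * SLE
  ROI = (ALE before - ALE after) / annualized safeguard cost
"""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Asset = namedtuple("Asset", "name value")                    # value in dollars
Threat = namedtuple("Threat", "name frequency")              # events per year
Vulnerability = namedtuple("Vulnerability", "name exposure") # P(event succeeds), 0..1
Loss = namedtuple("Loss", "category fraction")               # share of value lost per event


@dataclass
class Safeguard:
    name: str
    cost: float                  # one-time cost
    maintenance: float           # annual maintenance
    life_years: float            # life cycle the one-time cost is spread over
    mitigates: Dict[str, float]  # vulnerability name -> effectiveness, 0..1

    def annual_cost(self) -> float:
        return self.cost / self.life_years + self.maintenance


Link = Tuple[Asset, Threat, Vulnerability, Loss]  # one linking relationship


def ale(links: Iterable[Link], applied: Iterable[Safeguard] = ()) -> float:
    """Annual loss expectancy over all links with the given safeguards in place."""
    applied = list(applied)
    total = 0.0
    for asset, threat, vuln, loss in links:
        exposure = vuln.exposure
        for sg in applied:  # overlapping controls multiply the residual exposure
            exposure *= 1.0 - sg.mitigates.get(vuln.name, 0.0)
        total += threat.frequency * exposure * asset.value * loss.fraction
    return total


def roi_ratio(links: List[Link], sg: Safeguard, already: Iterable[Safeguard] = ()) -> float:
    """Dollars of annual loss avoided per dollar of annual cost (the "N:1" figure)."""
    already = list(already)
    return (ale(links, already) - ale(links, already + [sg])) / sg.annual_cost()


def safeguard_report(links: List[Link], candidates: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Recommended controls by stand-alone ROI, highest first."""
    return sorted(((sg.name, roi_ratio(links, sg)) for sg in candidates),
                  key=lambda row: row[1], reverse=True)


def layered_reduction(links: List[Link], ordered: List[Safeguard]) -> List[Tuple[str, float]]:
    """ALE remaining after applying the controls one layer at a time, in the given order."""
    return [(sg.name, ale(links, ordered[:i + 1])) for i, sg in enumerate(ordered)]


# Constructed sample case; every value below is invented for illustration.
DB = Asset("Core banking database", 10_000_000)
LINKS: List[Link] = [
    (DB, Threat("Systems failure", 0.8), Vulnerability("Disaster recovery", 0.5), Loss("Delays & Denials", 0.5)),
    (DB, Threat("Hackers", 2.0), Vulnerability("Authentication", 0.25), Loss("Disclosure", 0.1)),
]
DR_PLAN = Safeguard("Finish Disaster Recovery Plan", 1_000, 0, 1, {"Disaster recovery": 1.0})
TRAINING = Safeguard("Complete Security Training", 5_000, 0, 1, {"Authentication": 0.3})
MFA = Safeguard("Multi-factor authentication", 20_000, 2_000, 4, {"Authentication": 0.8})

if __name__ == "__main__":
    print(safeguard_report(LINKS, [TRAINING, DR_PLAN, MFA]))   # DR plan first at 2000:1
    print(layered_reduction(LINKS, [DR_PLAN, MFA, TRAINING]))  # ALE falls 2.5M -> 500k -> 100k -> 70k
```

Note that training is worth 30:1 on its own but only 6:1 once MFA already covers the same vulnerability, which is why the layered view and the stand-alone ranking are reported separately.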
THE BOTTOM LINE
• Regulators are going to continue to push for more risk assessments to be performed annually.
• A RiskWatch risk assessment is the foundation of the IT security program and of the Governance, Risk and Compliance program.
• RiskWatch is the best way to meet NCUA risk analysis requirements and self-assess compliance by requirement.
• Get Special Pricing and Free Training in Annapolis by emailing [email_address].
www.riskwatch.com