HOW TO DO RISK ASSESSMENTS AND DEMONSTRATE COMPLIANCE WITH FFIEC & BSA  RiskWatch for Financial Institutions
RiskWatch for Financial Institutions  Regulator-Approved Software to Self-Assess against FFIEC 2006 Guidelines & Pandemic Flu
Agenda for 45 Minute Webinar
1. Intro to Risk Assessment and RiskWatch
2. Review of Risk Requirements Implication
3. Actual Risk Software at Work
4. Review of Actual Risk Report
5. Inclusion of Detailed Working Papers
6. Conclusion
The Environment
Information Technology
• IT has become an important part of most organizations.
• New federal and international standards impose more IT risk requirements.
Regulatory Compliance
• Sarbanes Oxley has increased the accountability of management.
• New regulations for credit unions.
• Pandemic Flu assessments now required.
RiskWatch®: a comprehensive and integrated enterprise software tool that automates the surveying, data collection, compliance & risk assessment to meet self assessment requirements.
RiskWatch Meets & Exceeds the Action Summary from the FFIEC IT Examination Handbook, July 2006
“Financial institutions must maintain an ongoing Information security risk assessment that:
• Gathers data regarding the information and technology assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements.
• Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
• Prioritizes the risk present due to threats and vulnerabilities to determine appropriate levels of training, controls and testing necessary for mitigation”.
FFIEC – July 2006
Compliance Regulations, Standards and Guidelines
Information Security
• ISO 17799
• NIST 800-26, NIST 800-53
• ISO/IEC 17799:2005
• ISO/IEC 27001
• Office of Management and Budget (OMB) A-123, A-124, A-127, and A-130
• COBIT 4
Utilities
• NERC – CIP 002-009 (North American Electric Reliability Council) Critical Infrastructure Protection
Nuclear Power Generators
• NRC (Nuclear Regulatory Commission) & NEI (Nuclear Energy Institute)
Financial & Regulatory Compliance
• GLBA (Gramm Leach Bliley Act)
• FFIEC Audit Framework for Information Security and for Risk Analysis
• California SB 1386 (Identity Theft)
• Bank Secrecy Act (BSA)
• PCI Data Security Standard
• Sarbanes Oxley Act
HIPAA (Health Insurance Portability and Accountability Act of 1996)
• Privacy Rule -- April, 2004 - Annual
• Final Security Rule -- April, 2005
NEW FFIEC Guidance, July 27, 2006
 
RESPONSIBILITY AND ACCOUNTABILITY
The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for
• Central oversight and coordination,
• Assignment of responsibility,
• Risk assessment and measurement,
• Monitoring and testing,
• Reporting, and
• Acceptable residual risk.
Federal Reserve Bank Letter December 2007 requires Pandemic Flu Planning
The Federal Reserve and the other FFIEC agencies believe the potentially significant effects a pandemic could have on an institution justify establishing plans to address how each institution will manage a pandemic event. Accordingly, an institution’s business continuity plan should include:
• A preventive program to reduce the likelihood that the institution’s operations will be significantly affected by a pandemic event;
• A documented strategy that provides for scaling pandemic efforts commensurate with the particular stages of a pandemic outbreak;
• A comprehensive framework of facilities, systems, or procedures to continue critical operations if large numbers of staff members are unavailable for prolonged periods;
• A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue; and
• An oversight program to ensure ongoing review and updates to the pandemic plan.
What Is Risk Assessment?
A process used to determine what controls are needed to protect critical or sensitive assets adequately & cost-effectively. The process examines five variable functions:
1. Specific Assets to be protected (value)
2. Potential Threats to the various assets
3. Vulnerabilities that would allow the threats to materialize
4. Kinds of Losses that the threats could cause
5. Safeguards that would reduce the loss or eliminate the threats
WHAT’S RISKWATCH?
Since 1993, RiskWatch has been the Leader in Security Risk Assessment Software
• NIST-CSE Model Builder’s Workshop on Risk Assessment & the NSA Rating Model Workshops, 1988 - 1995
• Participated in the Working Group to Write DOD Directive on Risk Management under the Office of the Secretary of Defense, 1996-1998.
• Participated in Dept. of Justice Working Group on Vulnerability Assessment Models for Homeland Security, 2003
• ASIS International, ITSC Council - Caroline Hamilton
• IBM Data Governance Council – Caroline Hamilton
RiskWatch is The First Choice in Security Risk Assessment Software
• Proven Methodology - Field Tested with Users for over Ten Years and Guaranteed to Meet Federal Risk Assessment Requirements
• Automated Survey Utility
• Completely Customizable by Users
• Favorable Gartner Group Rating
• First Choice for Top Tier Consultants
• Based on the latest Federal and Audit Standards
RiskWatch Products 9.3
• RiskWatch for Financial Institutions
• RiskWatch for ISO 17799 & 27001
• RiskWatch for HIPAA
• RiskWatch for Sarbanes Oxley (SOX)
• RiskWatch for Federal Systems
• RiskWatch for Electrical Utilities (NERC)
• RiskWatch for Nuclear Power (NEI-NRC)
• RiskWatch for Physical & Homeland Security
• CASEWORKS
From the Gartner Group Report
“RiskWatch, Inc., is positioned as the leading "rescuer" of a massive private and public market constrained by fear of loss in terms of dollars and human life. Its unique form of rescue is in its before-the-fact nature. The RiskWatch tools credibly guide the users through a process to qualify its security situation concerning threats, assets, potential loss, vulnerabilities, and safeguards. The client has the opportunity to establish its own image and foundation of security through RiskWatch's regulatory and quality compliance and accreditation tools and functions. Through its quantitative methods and automated functions, RiskWatch arms the analysts and decision-makers with a solid risk management analysis based on the ALE balanced with the ROI. Once the client establishes the security policies—the plan is deployed and its life cycle managed within the framework of RiskWatch. RiskWatch brings financially realized value to the client and the management vehicle and standards to follow”.
RISKWATCH® Value
• Reduces time involved in performing a Risk Analysis by 70%
• Users are able to customize software to fit their own profile
• Meets audit requirements for risk assessment
• Content is frequently updated and shipped to users.
• Web-based survey process – involves management and user community.
• Quantifies risk and provides ROI metrics
• Automated report generation including working papers and complete management-ready case summary report
Why RiskWatch Stays Number One
“What sets RiskWatch apart from its competitors is its focus on risk analysis for security management, its ability to handle large volumes of information, and its large number of customizable features”. -- Gartner Group
• RiskWatch has Hundreds of Users
• Complete Technical Support – Gold & Platinum Levels of Support
• Ambassador Program for Extra Support
• Comprehensive Training Programs
• Monthly On-Site Training Also Available by Request
RiskWatch Clients
RISKWATCH® Risk Assessment Process
Stages: Automated Survey Management; Process Management; Data Aggregation & Analysis; Content (Rules & Data); Risk Analysis; Customization; Reporting
Participants: Respondents; Analyst(s)
ELEMENTS OF A METRICS-BASED  RISK ASSESSMENT APPROACH ASSETS THREATS VULNERABILITIES LOSSES SAFEGUARDS
Data Aggregation & Analysis
Software automatically analyses over 3 million linking relationships (Financial Data case).
Risk = Asset, Loss, Threat, Vulnerability (each linking relationship joins one of each)
• Asset: Applications, Database, Financial Data, Hardware, System Software
• Threat: Disclosure, Hackers, Fraud, Viruses, Network Attack, Loss of Data, Embezzlement
• Vulnerability: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control
• Loss: Delays & Denials, Fines, Disclosure, Modification, Direct Loss
Progress at a Glance – Tracks the Case
Valuing Assets – RiskWatch Auto- Populates Asset Values
RISKWATCH PROVIDES AGGREGATED THREAT DATA OR YOU CAN OVERWRITE STANDARD AVERAGES WITH YOUR OWN ORGANIZATIONAL DATA
• Quantified threat data is hard to find.
• Categories of Threats: Natural Disasters, Criminal Activity, Terrorism, Theft, Systems Failures
• Collect data from Web Sources, government data, weather data, crime casts, global info services, access control systems, incident logs.
• Use data from internally collected sources
THREAT FREQUENCIES ARE PROVIDED AND CAN ALSO BE TAILORED WITH CUSTOMER DATA SUCH AS PENETRATION TEST DATA
Web-Based Surveys Facilitate Respondent  Answers Automated Survey Management
YOU CAN SELECT QUESTIONS THAT MAP  EXACTLY TO THE FFIEC, ISO-17799, GLBA or SB 1386 STANDARD
Each question uses actual security regulations as control standards and is linked to appropriate Functional Areas
Respondents Can Answer Questions over the Web with full ASP functionality
Fully Automated Web-based Surveys make it Easy to Involve Key Employees
• Over the web, via ASP link
• Questionnaire Diskettes
• E-mail Attach File
• On a laptop with analyst present
• With Paper Questionnaires
USERS DON’T HAVE TO HAVE RISKWATCH TO ANSWER ELECTRONIC SURVEYS
Pre-selects Appropriate Loss Categories
• Delays and Denials of Service
• Disclosure
• Direct Loss (Data Loss)
• Modification of Data
• Indirect Loss
• Intangibles (Reputation)
INCLUDES ALL IT-REQUIRED SAFEGUARD CATEGORIES
EACH POTENTIAL SAFEGUARD INCLUDES DEFAULT VALUES FOR COST, MAINTENANCE AND LIFE CYCLE
Reports Results From Dozens Of Employees Are Instantly Aggregated And Analyzed.
RESULTS FROM THE RISK ASSESSMENTS
• Measurable data which can be benchmarked
• Prove validity of findings with full audit trails
• Standardized methodology meets regulator’s standards
• Writes a variety of fully automated management reports, including working papers.
MITIGATION STRATEGIES
1. Accept Risk
2. Transfer Risk
3. Mitigate Risk
4. Better Risk Reactions
5. Dealing with Residual Risk
The Case Summary Report Is  Pre-Written for Management
EASY TO UNDERSTAND  GRAPHS ILLUSTRATE OVERALL COMPLIANCE VS. NON-COMPLIANCE
Vulnerability Distribution Report Shows the Weak Compliance/ Security Areas
Track Compliance by Individual
Vulnerability reports include complete audit trails and powerful analysis tools
Looking at Loss Expectancy by Type of Loss
RiskWatch Calculates the Return on Investment & Recommends Cost Effective Security Controls. In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI: the $1000 estimated to update the plan avoids $2,000,000 in expected loss for the organization.
• Finish Disaster Recovery Plan   2000:1
• Finish the Security Plan        1200:1
• Complete Security Training       943:1
SAFEGUARD REPORT -- RECOMMENDED CONTROLS BY RETURN ON INVESTMENT
Demonstrates Reduction in Loss Expectancy by  Applying Overlapping Layers of Protection from Implementing Top Recommended Controls
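The slides describe a metrics-based model (assets, threats, vulnerabilities, losses, safeguards), safeguards ranked by return on investment, and loss expectancy falling as overlapping layers of controls are applied. The Python below is an added example, not RiskWatch code: it assumes a multiplicative loss-expectancy formula and a cost model of one-time cost spread over the life cycle plus annual maintenance, and all asset, threat and safeguard values are constructed for illustration.

```python
"""Five-element risk model: links are priced into annual loss expectancy (ALE),
safeguards ranked by ROI, then applied as overlapping layers. Constructed
example; the multiplicative formula is an assumption, not RiskWatch's method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # replacement value in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float    # expected events per year (aggregated or customer data)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: float     # 0..1: share of threat events the weak control lets through


@dataclass(frozen=True)
class LossType:
    name: str
    fraction: float     # share of asset value lost per successful event


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float         # one-time implementation cost
    maintenance: float  # annual maintenance cost
    life_years: float   # life cycle over which the one-time cost is spread
    mitigates: dict     # vulnerability name -> fraction of its exposure removed


def link_ale(link, residual):
    """ALE of one linking relationship (asset, threat, vulnerability, loss):
    assumed as value x loss fraction x frequency x residual exposure."""
    asset, threat, vuln, loss = link
    return asset.value * loss.fraction * threat.frequency * residual[vuln.name]


def total_ale(links, residual):
    return sum(link_ale(link, residual) for link in links)


def annualised_cost(sg):
    """Spread the one-time cost over the life cycle, then add yearly maintenance."""
    return sg.cost / sg.life_years + sg.maintenance


def apply_safeguard(residual, sg):
    """Layers overlap multiplicatively: a safeguard removes its share of
    whatever exposure the layers applied before it have left."""
    out = dict(residual)
    for vuln_name, removed in sg.mitigates.items():
        if vuln_name in out:
            out[vuln_name] *= 1.0 - removed
    return out


def rank_by_roi(links, residual, safeguards):
    """Stand-alone ROI of each safeguard: (ALE before - ALE after) / annual cost."""
    before = total_ale(links, residual)
    ranked = []
    for sg in safeguards:
        after = total_ale(links, apply_safeguard(residual, sg))
        ranked.append((sg.name, (before - after) / annualised_cost(sg)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def apply_layers(links, residual, safeguards, order):
    """Apply safeguards in order; report (name, ALE left, marginal ROI). A layer
    covering a vulnerability an earlier layer already cut earns far less than
    its stand-alone figure, so ROI must be recomputed on residual risk."""
    by_name = {sg.name: sg for sg in safeguards}
    report, current = [], residual
    for name in order:
        sg = by_name[name]
        before = total_ale(links, current)
        current = apply_safeguard(current, sg)
        after = total_ale(links, current)
        report.append((name, after, (before - after) / annualised_cost(sg)))
    return report


def build_model():
    """Constructed sample case; every value below is invented for illustration."""
    fin, apps = Asset("Financial Data", 5_000_000), Asset("Applications", 1_000_000)
    hackers, fail = Threat("Hackers", 2.0), Threat("Systems Failure", 0.5)
    dr, auth = Vulnerability("Disaster Recovery", 0.8), Vulnerability("Authentication", 0.5)
    delay, disc = LossType("Delays & Denials", 0.10), LossType("Disclosure", 0.20)
    links = [(fin, fail, dr, delay), (fin, hackers, auth, disc), (apps, fail, dr, delay)]
    residual = {v.name: v.exposure for v in (dr, auth)}
    safeguards = [
        Safeguard("Finish Disaster Recovery Plan", 1_000, 0, 1, {"Disaster Recovery": 1.0}),
        Safeguard("Strong Authentication", 20_000, 5_000, 5, {"Authentication": 0.9}),
        Safeguard("Complete Security Training", 5_000, 0, 1, {"Authentication": 0.4}),
    ]
    return links, residual, safeguards


if __name__ == "__main__":
    links, residual, safeguards = build_model()
    print("Baseline ALE:", total_ale(links, residual))
    for name, roi in rank_by_roi(links, residual, safeguards):
        print(f"{name:32s} {roi:8.1f}:1")
```

With the constructed values, security training scores 80:1 on its own but only 8:1 once strong authentication has already cut the same vulnerability, which is the effect the layered-reduction report is meant to surface.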
THE BOTTOM LINE
1. Regulators are going to continue to push for more risk assessments to be performed annually.
2. A RiskWatch risk assessment is the foundation of the IT security program, and Governance, Risk and Compliance program.
3. RiskWatch is the best way to meet NCUA risk analysis requirements, and self-assess compliance by requirement.
4. Get Special Pricing and Free Training in Annapolis by emailing [email_address].
www.riskwatch.com
