You are on page 1of 12


A Financial Institution’s Key To Continuous Compliance

Chapter 1
The Driving Force of Information Security

Chapter 2
Assessing IT Security Risk Factors

Chapter 3
Leveraging Your Risk Assessment Data

Chapter 4
IT Security Risk Assessment Solutions

Just about every person who runs and However, most small-to-mid-sized financial
manages businesses will agree that, in institutions lack the internal resources
order to compete in the marketplace, or technical expertise that is necessary
a company must assume a certain to properly identify all of the threats to
amount of risk. information security, making a correct
evaluation of risk extremely difficult if
But they would also agree that risk-based not impossible. To make matters worse,
decisions must be rooted in hard data, organizations often do not even factor in
historical information and some sort of cost- the human component, which is the most
benefit analysis because, in most cases, common sources of breaches.
“leaping before looking” will ultimately
lead to failure. That is why traditional risk Therefore, without knowing where threats
management is founded on maintaining exist, or their potential severity, within their
stability by mitigating risk. But before a information systems, a financial institution is
company can determine how to mitigate ill prepared to combat a threat, mitigate the
the risk, they must identify the specific risk costs of a breach or even face a Federal or
factors and evaluate which risks are to be State examiner’s prying eyes.
managed and which are to be avoided.
This paper will not only illustrate the value
The good news for financial institutions of properly identifying and evaluating
is that the same basic principals used information risk through a comprehensive
to identify and evaluate risk to financial risk assessment by qualified experts, it will
assets can be applied to information assets. also explain how developing a continuous
Analysis can easily determine which risks risk management program, thus “continuous
can be managed and which risks need to be compliance”, can benefit the entire
avoided altogether. organization in a cost-effective manner.


THE DRIVING FORCE OF FFIEC IT Examination Handbook’s
Information Security

Ask the CEO or executive of almost Financial institutions must maintain an

any financial institution why their
The Driving Force of

ongoing information security risk

organization performs information assessment program that effectively:

security risk assessments and the Gathers data regarding the information
answer will most likely be ‘to satisfy
and technology assets of the organiza-
tion, threats to those assets, vulner-
compliance regulations.’ abilities, existing security controls and
processes, and the current security

standards and requirements;

The primary reason C-level executives place
compliance as the driving force behind Analyzes the probability and impact
associated with the known threats and
information security practices stems from an vulnerabilities to their assets;
important piece of legislation: the Gramm-
Leach-Bliley Act of 1999. This legislative
initiative requires the senior management Prioritizes the risks present due to
threats and vulnerabilities to determine
of each financial institution, among other the appropriate level of training, controls,
things, to establish and maintain data and assurance necessary for effective
protection policies and processes. In other mitigation.
words, the executives are directly held Taken from the FFIEC IT Examination Handbook, section entitled

responsible for ensuring the security of the

tion Security Booklet.

institution’s information is within compliance.

In the IT Examination Handbook published institutions that lack the resources and the
by the Federal Financial Institutions expertise to adequately monitor and enforce
Examination Council (FFIEC), it carefully information security policies and deliver
specifies management’s role in maintaining acceptable reports that show compliance
a proper information security program with state and federal regulations.
as well as the steps each institution
needs to take in order to stay in step Bank and Credit Union executives certainly
with regulations. Such detail reinforces have great concerns about protecting their
the GLBA’s intent that institutions should customer/member data because even a
not only adopt stronger security controls minor security breach can potentially have
within their organizations, but also severe repercussions that negatively affect
demonstrate to auditors that those controls the institution’s customers, reputation and
are implemented and maintained as part financial stability. These executives are also
of ongoing business procedures…not just keenly aware that the number and severity
“paper policies” or neglected security tools. of security incidents at financial institutions
continue to escalate over time, leading many
That’s a lot to require from any organization, to become concerned about vulnerabilities in
and especially taxes those financial their own information systems.


Evaluating the Present Condition system configurations or outdated software
patches. Nor can they protect a network
For many organizations, these concerns are from malicious activity that originate behind
Information Security

quite valid. Although senior management the firewall, like infected files loaded to
may realize their institution is constantly the network from portable drives, infected
The Driving Force of

exposed to security risks – and genuinely system assets or even malicious employee
want to reduce the exposure - they simply activity.
may not have enough information available
to determine the way to develop a risk Rarely are organizations equipped internally
management program. For example, to identify and evaluate all the uncommon

organizations that implement security threats that may exist in their information
measures without having the benefit of network. This is why it is crucial for an
a comprehensive risk assessment might organization to obtain expert guidance
be wasting money by applying too many from a qualified third party consultant. An
safeguards, or possibly increasing security independent set of eyes can typically give
risk by having too few safeguards. In other an unbiased and more complete overview
cases, the organization may be providing of risk factors. Moreover, contracting a third
too much protection for low value/low risk party is often considered a best practice
assets, and not offering enough protection method for assessing risk and implementing
to high value/high risk assets. Either remediation plans.
scenario leads to inefficient allocation of
resources and money, yet could be corrected With so many factors to consider – and so
by a proper risk assessment. much at stake – institutions must consider
best practice guidelines and take proactive
Independent research conducted over the steps towards identifying potential threats
past 6 years indicated that over 50% of and vulnerabilities, the likelihood that they
financial institutions will experience some could occur, evaluating their impact to the
sort of malicious attack at least once per organization’s overall security, and the
year. This startling rate has remained safeguards that control them. To do this, an
steady since 2007 and, due to the ever- organization must perform a comprehensive
increasing sophistication of criminal hacing risk assessment and use the results to
and social engineering techniques, is not formulate a plan to improve their security
likely to change anytime soon. measures and mitigate potential risk.

The most common factor that contributes to These fundamental steps will not only
the inaccuracies within an organization’s IT satisfy compliance regulations, but also
risk assessment is that inadequate controls increase confidence in their information
are in place which are not sufficient to security.
prevent exploits. Most standard firewalls
only screen for low-level attacks, but fail to
identify vulnerabilities caused by improper


An Overview of Risk Factors influences like fire/smoke damage, theft of
physical property, or even the effects of dust
Just as having a current, accurate view on equipment.
Information Security

of an institution’s Assets and Liabilities

helps them manage financial risk and
The Driving Force of

mitigate losses, a risk assessment can Defining Security Risk

help determine appropriate strategies for Assessments
managing or remediating risk to data.
When it comes to protecting information, In simple terms, a risk assessment
many institutions have been misguided essentially determines what type of controls

about how effective their basic security are required to protect an institution’s
steps really are. They believe simply assets and resources from threats in order
implementing the standard safety to maintain stability. A comprehensive risk
measures, like firewalls, anti-spam & anti- assessment process measures the individual
virus applications, software-based Intrusion risk level of each information asset as
Detection Systems, etc., will offer adequate they relate to Confidentiality, Integrity
protection for their information. Those and Availability (CIA). These results help
measures are certainly a good first line the organization identify which assets
of defense but are often not sufficient to are the most critical, provides a basis for
prevent many types of exploits. In fact, prioritization and recommends courses of
the defense systems can even add to the action to protect the assets at risk.
vulnerabilities of a network!
The first step in a risk assessment is
Compounding the problems at the IT to identify all of the information and
level is how much value is placed in the physical assets that are integrated into
results of vulnerability assessments and/ the institution’s network. This includes
or penetration tests performed by either everything from computers, applications
internal resources or a third party provider and networks to staff and physical facilities.
that specializes in only the basic tests. The The next step is to identify and classify all
worst-case scenario is when an organization reasonable threats to information that could
relies strictly on the results of these basic result in service interruptions or create a data
testing procedures to determine risk factors breach, like unauthorized disclosure, misuse,
even though they do not fully understand alteration or destruction of confidential
the strengths and weaknesses of the information. The likelihood and potential
procedures. The organizations may not damage of the threats that have been
realize those tests are just a few steps of a identified are then evaluated based on the
security program and provide only a partial CIA. The final step in this phase is to assess
view of the risk landscape. In fact, those the existing safeguards and determine how
self-tests do not account for several key sufficient they would be in controlling the
risk events such as threats originating from identified threats.
environmental sources or other external


Services That Complement a protection) should be audited and verified at
Security Program least quarterly.
Information Security

Two fundamental tests that yield qualitative In 2011, the FFIEC released a supplement
data for the risk assessment are a to its original guidance Authentication in
The Driving Force of

vulnerability assessment and a penetration an Online Banking Environment, which

test. During a typical vulnerability effectively established a new set of best
assessment, software “scans” a system practice standards for conducting IT security
and automatically identifies vulnerabilities risk assessments. The guidance sets the
and issues. This test is used primarily expectation that periodic risk assessments

as a tool to identify different assets that should be able to determine new threats
are connected to the network, discover and respond to such threats. The guidance
outdated or unpatched software and find recommends that risk assessments be
poorly configured applications. conducted with the introduction of each new
products, and at least every 12 months. The
However, this software-based scan does document also spelled out the factors to
not simulate the processes a real hacker consider while performing and/or updating IT
would use. In order to discover additional risk assessments, including:
threats to a system, a penetration test must
be performed. This test targets the security • Changes in the internal and external
holes found in the vulnerability assessment, threat environment
mimicking a real hacker’s processes to • Changes in consumer base adopting
exploit vulnerabilities and gain entry to the online services
institution’s network.
• Changes in customer functionality offered
through online services
Of course, no matter how detailed or
complete the tests are, the results only • Actual incidents of security breaches,
capture one moment in time. It is unrealistic identity theft, or fraud experienced by
to believe that the tests would generate the industry (or the institution.)
those same results again in 6 months.
People change, training programs change, While performing basic security tests may
and even system configurations change. satisfy regulations, they will not protect an
Therefore, the results of this one-time-only organization from ongoing threats. The
test are fallible on many levels. best practice is to develop an ongoing,
multifaceted security program which will
Best practices suggest that the institution’s not only ensure your institution maintains
risk assessment determine the frequency compliance and looks favorable to an
of testing. High-risk systems should be examiner, but also helps to increase the level
tested frequently by an independent party of protection against security breaches and
and policies addressing internal security thwart malicious attacks.
measures (firewalls and inter-network


ASSESSING IT SECURITY all threats, risks, concerns and issues related
to the information assets are identified and
RISK FACTORS documented. This phase of the process
often must include performing penetration
The logical question when assessing risk and vulnerability tests upon the system to
Assessing IT Security

is ‘exactly what is at risk?’ With regards properly discover any previously unknown
to information assets, the answer is any threats. Without an adequate testing
data that can be accessed by an alternative
Risk Factors

process, an institution will not be able to

method. This is certainly a very broad correctly identify all existing threats to their
answer, but it holds quite true. From hard information system.
drives and company email to hard copies and

outgoing mail, almost all data is subject to a Evaluating risk depends on

certain level of security risk. Unfortunately, the risk elements that are
many institutions fail to catalog many risk relevant to your organization.
events associated with their information
network simply because they lack the
resources or expertise to identify all the Evaluating Potential Threats
vulnerabilities that may exist. and Vulnerabilities

Although many organizations attempt While there are various methods to perform
to classify each risk event like these risk evaluations, there are specific factors
into a series of silos according to their that each element of risk can be compared
compliance procedures, they may not against to evaluate the potential level of risk.
have the expertise to accurately evaluate
the risk events, and thus determine their
Identification of Common
actual exposure and risk tolerance. For
that reason, many companies find it Threats and Vulnerabilities
advantageous to have a third party provide • Employee Misconduct
independent and expert guidance to • Criminals
properly evaluate specific risk factors. • Email attacks
• Environmental events
• Virus/worm outbreaks
Establishing the Baseline • Excessive privileges
• Unidentified security holes
Because there is no “One Size Fits All” • Malware / Spyware
• Unpatched software
method of evaluating risk events for • Zombie Networks
every financial institution, a baseline of • Phishing/Pharming
risk factors specific to the organization • Physical security threats
• Wireless network breaches
must first be identified. Typically, all of • Accidental breaches
the information assets within the data • Social Engineering
infrastructure are classified based on • Insufficient monitoring activities
the type of asset (software applications, • Failure to manage security
databases, website, intranets, etc.). Then


Likelihood of the threat of information security, these are the
This factor varies wildly because of the information assets like data systems,
nature of many threats. A simple example networks, websites, etc.
is that financial institutions in the Gulf
Coast have a great likelihood of being Maintaining Control
Assessing IT Security

threatened by a hurricane. A more subtle

example would be that institutions who An important step in evaluating threats is to
Risk Factors

hire numerous temporary employees to factor in the safety measures an institution

supplement their workforce have a greater currently has in place. These safety
chance of security incidents occurring measures, or controls, are key elements

with those ranks simply because temp in evaluating the risk level of specific
employees typically receive much less assets. Controls come in many forms:
security training than regular part time or physical security measures (firewalls, virus
full time employees. protection), security policies and procedures,
even locks on internal doors!
Origination of Threat
One of the primary factors in evaluating the Unfortunately, many companies lack
origination of a threat is to determine if it comprehensive knowledge of all the specific
is classified as External or Internal. Simply types of threats and vulnerabilities – as well
put, is the threat originating from a hacker as their relative severity – which makes
or from an employee? On the employee evaluating the risk into usable data quite
side, this factor can be affected by things difficult. Moreover, risk events change over
like security awareness training programs, time: systems are upgraded, staff turns
network access levels given to workers, and over, new scams are generated. So the
even issues as basic as which employees evaluations calculated today may be very
have access to rooms containing sensitive different next year. It is important to have
information. a continuous engagement with a qualified
service provider that can offer the expertise
Impact to the Organization and knowledge needed to maintain a
This factor takes into account how a breach proper balance of identifying and evaluating
could affect easily identifiable issues threats to information security.
like the reputation of the institution, the
costs associated with damage control and The most effective method for identifying
remediation of a breach. It also accounts and evaluating risk factors is to continuously
for potential future financial losses incurred monitor an information system through
as a result of certain types of breaches, standard, repeatable processes that are
including any fines and penalties imposed easily automated and produce verifiable
by regulatory bodies. documentation. A wise approach is to
implement a Software-as-a-service (SaaS)
Organizational Assets solution through cloud-based technology
For the purposes of a risk assessment which gives the organization the flexibility


to perform risk assessments and other information systems, the best course of
compliance processes in a cost-effective action is to conduct a comprehensive risk
Assessment Data
manner. assessment.
Leveraging Risk Your

Like traditional in-house software methods, Once an institution obtains the status of
SaaS or cloud-based applications document their information security, the results can
the entire audit process and procedures, be leveraged to provide several additional
ensuring consistent and complete advantages.
actions and proof of accountability. This
documentation also provides a basis for Improve Internal Functions and

future assessments, reducing the efforts Procedures

required to perform the process. The knowledge gained in correctly
identifying risk factors also leads many
But a key advantage cloud-based institutions to establishing better internal
applications offer is the ability to reduce functions, such as:
IT expenses. Adopting a solution where Awareness programs for both employees
softwar is delivered through cloud and customers/members
computing eliminates the need to install or Policy training programs for staff
maintain the software on the organization’s An increase in internal security
system because the audit process is More effective Disaster Recovery program
administered through a web browser
interface. This helps reduces the amount of Gain A Competitive Advantage
time IT personnel spend working on audit Through the eyes of a consumer, the issue
processes, reduces or eliminates additional of privacy plays a major role when choosing
vendor costs, and allows users to access a financial institution. The media stories
applications from virtually any computer. about privacy breaches, identity thefts and
loss of account information have sparked
LEVERAGING YOUR RISK awareness to consumers like never before.
And in light of the recent high-profile
ASSESSMENT DATA failings in the financial industry, the typical
consumer tends to hold business executives
The goal of an institution’s efforts in to a much higher standard of accountability
identifying and evaluating information risk for their personal and business holdings.
should be to not only satisfy compliance, but
to also protect the data of your company and Organizations that have a strong security
customers/members. This is done by having policy, backed up with ongoing security
a clear view of where potential threats exist, tests, have a prime opportunity to leverage
the likelihood those threats could affect their commitment to consumer protection
the organization, and how to eliminate to gain a significant marketing advantage
or mitigate the risk. In order to correctly and, thus increasing their market share,
identify and evaluate risks to an institution’s reputation, and profitability.


Reduce Costs through Continuous conventional installation model where an
Compliance organization assumes several layers of costs
Assessment Data
like purchasing dedicated servers, deploying
Leveraging Risk Your

Historically, financial institutions have been additional controls to secure the physical
primarily motivated to implement steps to servers, and manpower to maintain the
protect information because of compliance software and hardware, the cloud method
regulations. But recent FFIEC guidance eliminates unnecessary costs.
has made it clear that institutions of all
sizes must adopt a strategy of “continuous Because the software within a cloud can
compliance” and constantly be aware of be housed and accessed on an institution’s

potential risks and emerging threats. These existing computers, the solution greatly
trends have resulted in a growing need for a lowers both initial capital expenditures and
solution that will help develop and maintain ongoing costs of ownership.
an ongoing solution in a cost-effective
manner. Investing in the right solution Universal access to applications
leads to an overall reduction in the costs The ability to use web-based applications
associated with performing all the repetitive frees administrators from being tied down
tasks required by regulators, redundant to a single workstation or network server
vendors, unnecessary procedures, and the when performing risk assessment and
amount of manpower costs needed to not security compliance processes because the
only perform security tests, but also compile applications can be accessed by virtually
the data for compliance reporting. any computer. Plus, cloud computing allows
for group collaboration so that compliance
TraceSecurity believes that efforts can easily be delegated to multiple
the key to helping financial users, thus increasing the chance that
essential compliance administrators can
institutions maintain a strategy
have an uninterrupted holiday!
of continuous compliance is by
delivering it’s services through Rapid and cost-effective response
cloud-based technology that Personnel changes, new business
leverages the expertise of their ventures, changes to internal policies and
security analysts. procedures, and amendments to regulatory
requirements are just a few factors that
Delivering services via cloud-based trigger a need for adjusting the way risk
technology offers significant advantages is identified and evaluated, and most
over the traditional approach to maintaining companies demand a solution that can
a security risk assessment strategy, including: respond rapidly to change without adding
huge costs. Addressing changes with
Lower cost of deployment and conventional software can be slow and
ongoing ownership cumbersome. Software updates need to
Unlike when licensing software under a be obtained from the vendor, installed, and


tested before implementation. However,
Assessment Data cloud-based solutions allow content or Choose a Partner, not just
functionality to be changed or created another Vendor
Leveraging Risk Your

quickly and deployed right away, enabling

companies to respond to evolving risks
Most compliance software vendors
without sacrificing time or money.
are only equipped to fulfill their
clients’ compliance needs by
Streamlined processes and resources
One of the most beneficial advantages of providing a one time snap-shot
cloud-based technology is the ability to of the organization’s security

have access to all the necessary tools to posture. After the vendor’s initial
identify, evaluate and remediate security obligation is complete, it is up to
issues within one comprehensive portal. the client to figure out how to use
This streamlined method ensures that the information. This scenario is
each step is performed according to best quite frustrating for organizations
practice standards and adheres to the because they require a wealth
appropriate compliance regulations. Using of expertise and insight about
a comprehensive tool also consolidates common security risk elements and
resources by eliminating the need to find regulatory developments in order
several different vendors to perform each to properly maintain an effective
individual function. This saves time in due
security strategy.
diligence research and reduces expenses
when duties of separate vendors overlap
In stark contrast to those
and duplicate repetitive processes.
types of conventional vendors,
Delivering applications through TraceSecurity strives to become
the cloud helps mitigate the most a partner rather than a vendor by
common risk element: the human remaining continually engaged
component. with clients to focus on achieving
actual, measurable business
Conventional methods rely on human results…instead of just the sale
resources of the institution to configure of a software program or a one
the software, define test parameters and time service. In addition to
procedures, and maintain the software on offering comprehensive software
in-house servers. solutions, TraceSecurity has a
pool of expert security analysts
The resulting data of tests performed on dedicated to helping organizations
the information systems typically must be
maximize their compliance and risk
manipulated by human efforts in order to
management programs throughout
produce readable and useable reports. This
the lifecycle of the engagement.
human interaction greatly increases the
chance for errors and tainted results.


IT SECURITY RISK Regardless of a financial institution’s size,
Assessment Solutions TraceSecurity offers a solution designed to
ASSESSMENT SOLUTIONS improve and streamline its risk assessment
efforts. We provide a full range of
TraceSecurity’s software solutions are solutions that not only satisfies compliance
designed to reduce the risk tendencies regulations, but more importantly, supports
IT Security Risk

caused by human actions. These features the far-reaching goals of most financial
include: institutions. We enable organizations the
ability to drive the risk assessment process
Pre-configured software: For clients who themselves, or have the TraceSecurity team
choose to administer the risk assessment

administer the assessment.

themselves, TraceSecurity’s software
includes a pre-configured matrix of options Designed to be cost-effective for our
in easy-to-navigate menus. This reduces clients, TraceSecurity’s solutions help
the amount of custom configuration and eliminate or reduce costs of managing
helps eliminates errors. multiple technology vendors, purchasing
unnecessary hardware, paying for software
Independent of institution’s network: support, and expenses associated with
Since the core of TraceSecurity’s software deploying in-house IT resources. And
solution is maintained and secured TraceSecurity’s solutions are scalable. As
independent of the organization’s network, the security needs of a financial institution
there is no need for their IT department to mature, our solutions can be modified and
perform physical updates or maintenance enhanced to meet the changing landscape
on the server, reducing any unnecessary risk of the organization.
to the information or databases.
TraceSecurity’s risk assessment procedures
Customizable and integrated reports: follow standard methodologies designed
A big disadvantage for organizations that to meet regulatory requirements and best
perform their risk assessments in-house is practices. Our solutions enable organizations
the lack of comprehensive documentation to efficiently perform their own, on-
of the assessment processes and the demand Risk Assessment and generate
ability to generate the required reports for comprehensive documentation for use in
examiners or management. TraceSecurity’s compliance reporting, thus reducing the
software has the ability to integrate results time needed to prepare for an audit.
from several processes in order to generate
customizable, easy to read reports. Having The Risk Assessment process is managed
clear and concise documentation not only through TraceSecurity’s proprietary cloud-
helps an organization obtain an accurate based software platform which are also
overview of their security posture, but it offered as a stand-alone product.
also helps streamline the audit process by
providing examiners with all the required
compliance documentation in one report.


We encourage all financial institutions to perform their due diligence before choosing any
Assessment Solutions vendor, and invite all interested parties to contact a TraceSecurity expert to answer any
questions or discuss options for your organization.

TraceSecurity, Inc.
6300 Corporate Blvd.
IT Security Risk

Suite 200
Baton Rouge, LA 70809
Phone: (225) 612-2121
Fax: (225) 612-2115

Contact the Sales Department:

Contact Support:
(877) 79TRACE (798-7223)

Visit to download other white papers, schedule a demo of our

solutions or request data sheets of our services.

About TraceSecurity
As the leading pioneer in cloud-based security solutions, TraceSecurity provides risk management and
compliance solutions for organizations that need to protect critical data or meet IT security mandates.

With a unique combination of people, processes and technology, we give decision-makers a holistic
view of their security posture and enable them to achieve effective data protection and automatic
compliance. By streamlining and assuring effective IT GRC management in this way, we dramatically
reduce the complexities of ever-changing threats and technology—and empower organizations to
better pursue their strategic objectives.

For more information about TraceSecurity products and services, call 877-275-3009, or visit online at