
Risk Assessment and Your Credit Union

The buzzword these days in the credit union industry is "risk assessment." The main focus on risk assessment most recently is in four highly visible areas: Bank Secrecy Act, Information Security Programs, Disaster Recovery and Business Continuity Planning, and E-Commerce. Examiners and Auditors alike are asking: Have you performed a BSA risk assessment? Where's your IT risk assessment? Have you documented your risk analysis of member information? Third-party vendors? OFAC? Disaster Recovery plan? Business resumption plan? Where do we start? Let's start by defining risk. The National Institute of Standards and Technology (NIST), in its publication Risk Management Guide for Information Technology Systems, defines risk as the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.



Put another way, risk is the potential that events (expected or unanticipated) may have an adverse impact on your credit union's earnings, capital, or […]. NCUA uses 7 categories of risk, which credit unions have become familiar with as part of the […]. The four categories most pertinent to the areas of Bank Secrecy, Information Security, Disaster Recovery/Business Continuity, and E-Commerce include:

- Transactional Risk: risks associated with failure to deliver services or products in the […].
- Reputation Risk: risks associated with negative public opinion.
- Compliance Risk: risks associated with failure to comply with laws, regulations, prescribed practices, enforcement actions or […].
- Strategic Risk: risk arising from adverse business decisions or improper implementation of those decisions.

The following sections outline the basics for a risk assessment in each area as well as provide insight as to what Examiners and Auditors are looking for when they ask to see your documented risk assessment for the Bank Secrecy Act, Member Information, Disaster Recovery and Business Continuity Plan, and E-Commerce.

Bank Secrecy Act/OFAC Risk Assessment

The FFIEC published its Bank Secrecy Examination Manual last summer, with an update in July 2006.

This manual provides guidelines in terms of a risk assessment in the Bank Secrecy and OFAC areas. A risk assessment should be performed that takes into account each credit union's unique members, products and services, and […]. For credit unions, an analysis of the membership base should include asking some of the following questions:

- Type of charter: does the credit union have a community charter, multiple SEG groups, or is it limited to one sponsor group?
- Are members and branches generally located in one central area or do they cross multiple state lines? Are branches and members located in foreign countries?
- Does the credit union open new accounts in any areas designated as high financial crime or high drug trafficking areas?
- What percentage, if any, does the membership consist of non-resident aliens or non-US citizens?

- Does the credit union have any transient members or groups such as university students, military personnel, […]?
- Is membership limited to individuals or does the credit union also offer business accounts, organizational accounts, and other non-individual types of accounts?
- Are any of the credit union's business accounts cash-intensive businesses or have the potential to be cash-intensive businesses?
- Can prospective credit union members apply for membership by mail or via the Internet or must they come into the credit union to establish an account?

Once the credit union has identified various risk groups within the membership, a risk ranking should be assigned to each group (such as low, medium, and high). Then current procedures for each risk group should be analyzed to determine if extra due diligence is required for new account opening and whether ongoing monitoring for suspicious activity […]. The products and services a credit union offers should also be analyzed and assigned a risk ranking.

This part of the assessment could be broken into categories such as ATM/Debit Card Services, Share Products, Loan Products, Credit Cards, Electronic Banking Services, Monetary Instruments, Wire Transfer Services, Safe Deposit Boxes, etc. In each area or category, consideration should be given to the types of transactions that can be conducted, the ease with which money can be moved from one account to another, the dollar amounts of the transactions, and the geographic location of the beneficiary of the transaction. Non-member transactions should also be considered; for example, nonmembers cashing on-us checks; nonmembers signing as cosigners or guarantors on a loan; nonmember cash advances; nonmembers as account beneficiaries or signers on safe deposit boxes, […]. Once a risk ranking has been assigned, current procedures for each product and service should be analyzed to determine if extra due diligence is required for transactions identified as high risk or if ongoing monitoring for suspicious activity is […].

Member Information Risk Assessment

As part of each credit union's information security program, NCUA Regulation 748 requires credit unions to assess the risk to member information and member information systems to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of that information or system. Member information systems are defined as any method used to access, collect, store, use, transmit, protect, or dispose of member information. An initial risk assessment serves as a baseline for credit union initiatives and for forming a basis for determining how the risks should be managed to an acceptable level.

The process should provide for risk assessment at both the global level and the system-specific level. It should occur periodically whenever new products, services, and vendors are added or when existing systems or vendors are changed. The risk assessment provides a point to refer back to when making modifications to existing systems to determine if a modification will require a change to existing controls. The risk assessment information should also be updated with results of audits, inspections, […]. The risk assessment should encompass electronic, physical, and verbal risks to member information and member information systems. Obviously the scale and complexity of a credit union's operations and the nature of products and services offered will determine what threats may exist for that credit union. The risk assessment should identify the threats, their probability of occurrence, and the potential impact on the Credit Union if the threat did occur. Management should determine what, if any, safeguards or internal controls are currently in place to reduce the risk of the threat from occurring, as well as the adequacy of those safeguards or controls.

The table below outlines an example of an electronic, physical, and verbal risk to member information. Probability and Impact are rated L = Low, M = Medium, H = High.

Data stored on servers
  Threat (Electronic): A virus or malware application, if able to deploy on the system, could destroy, corrupt, or disclose data to unauthorized persons.
  Probability / Impact: […]
  Possible consequences: economic loss, data integrity and confidentiality loss, reputation loss.
  Safeguards/Internal Controls:
    1. Enterprise level anti-virus software employed with automatic updates
    2. External drives limited to specific employees
    3. Network policy in place
    4. Employees must acknowledge reading the Internet Acceptable Use policy
    5. Periodic training on Internet and email use

Data stored in paper format
  Threat (Physical): Unauthorized physical access to files or documents containing confidential member information.
  Probability / Impact: L / H
  Possible consequences: economic loss, data integrity and confidentiality loss, reputation loss.
  Safeguards/Internal Controls:
    1. Monitored alarm system to the building
    2. Badge entry key card access system with restricted access based on job function
    3. Video cameras monitor certain sensitive areas
    4. Receptionist at front door
    5. Visitors required to sign log
    6. Visitors escorted in restricted areas

Data given over the telephone
  Threat (Verbal): Sensitive or confidential information may be given verbally to unauthorized persons.
  Probability / Impact: L / M
  Possible consequences: economic loss, data integrity and confidentiality loss, reputation loss.
  Safeguards/Internal Controls:
    1. Confidentiality agreement signed by all employees
    2. New hire orientation training covers confidentiality
    3. Annual policy review covers confidentiality
    4. Telephone procedures prohibit giving account or social security numbers
    5. Telephone member identity verification procedures in place

Once the threats and safeguards to mitigate those threats have been identified, the safeguards and internal controls should be tested.

Testing will help determine the adequacy of the safeguards and how effectively they are working to mitigate the credit union's risks. Additional controls or changes to current procedures may be identified during the testing, and the results of the testing should be used to update the documented risk assessment.

NCUA Letter 01-CU-21, Disaster Recovery and Business Contingency Plans, and the FFIEC IT Booklet, Business Continuity Handbook, outline the steps necessary to develop a comprehensive plan that covers the entire credit union's operations rather than just information systems or data processing […]. The first step in developing a plan is to conduct a business impact analysis. The business impact analysis identifies all of the critical systems, products, and services at the credit union and establishes minimum allowable downtime for each critical service along with personnel, equipment, vendors, etc.
