Sample "Risk Assessment Form" - California

This fillable "Risk Assessment Form" is a document issued by the California Department of Business Oversight specifically for California residents.

SAMPLE RISK ASSESSMENT
Sample Risk Assessment for Corporate Account Takeover

Threats and mitigating controls related to Corporate Account Takeovers should be addressed in the institution's information security (or GLBA) risk assessment. All reasonably foreseeable threats should be identified along with the likelihood of occurrence and potential impact for each threat.

Below is a sample risk assessment format. Other formats are acceptable as long as the required GLBA components are included. In the sample, the Inherent Risk rating for each threat is derived from the ratings for Probability of Occurrence and Potential Impact before controls are considered. The Residual Risk is the remaining risk after controls are considered. The rating system can use either a (H)igh, (M)edium, (L)ow value or a numeric score. In either case, the ratings used for each category should be well defined. Ratings can be influenced by many factors, including services offered, customer base, and transaction size and volume, and will change over time, so the assessment needs an annual update.

This risk assessment should be modified to fit your institution's technology capabilities, specific needs, and circumstances.
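The rating scheme described above (Inherent Risk from Probability of Occurrence and Potential Impact, Residual Risk after controls, letter or numeric ratings) as an added Python example; this code is not part of the form. The inherent-risk matrix and the rule that each step of control strength lowers the rating by one level are assumptions, chosen so that the matrix reproduces every row of the sample, where the Inherent rating always equals the Impact rating; the rows in SAMPLE_ROWS are constructed from the form with the controls abbreviated.

```python
from dataclasses import dataclass
LEVELS = ["L", "M", "H"]   # ordered low to high; numeric score = index + 1
# Assumed matrix (not from the form), indexed [probability][impact]. It
# reproduces every sample row, where Inherent always equals Impact.
INHERENT_MATRIX = {
    "L": {"L": "L", "M": "L", "H": "M"},
    "M": {"L": "L", "M": "M", "H": "H"},
    "H": {"L": "L", "M": "M", "H": "H"},
}
def score(rating: str) -> int:
    """Numeric form of a letter rating (L=1, M=2, H=3); the form allows either."""
    if rating not in LEVELS:
        raise ValueError(f"undefined rating {rating!r}; ratings must be well defined")
    return LEVELS.index(rating) + 1
def inherent_rating(probability: str, impact: str) -> str:
    """Inherent Risk before controls, from Probability of Occurrence and Impact."""
    score(probability); score(impact)  # reject undefined ratings
    return INHERENT_MATRIX[probability][impact]
def residual_rating(inherent: str, control_steps: int) -> str:
    """Residual Risk after controls. Assumed rule: each step of control strength
    (0-2) lowers the rating one level, never below L and never above inherent."""
    if not 0 <= control_steps <= 2:
        raise ValueError("control strength must be 0, 1 or 2 rating steps")
    return LEVELS[max(0, score(inherent) - 1 - control_steps)]

@dataclass
class ThreatRow:
    threat: str
    probability: str
    impact: str
    inherent: str               # Inherent Risk Rating as recorded on the form
    controls: tuple = ()        # mitigating controls listed for the row
    control_steps: int = 0      # assumed strength of those controls

def review_row(row: ThreatRow) -> list:
    """Findings: recorded Inherent must agree with the matrix, and a row cannot
    claim a lower residual without listing mitigating controls."""
    findings, expected = [], inherent_rating(row.probability, row.impact)
    if row.inherent != expected:
        findings.append(f"{row.threat}: recorded {row.inherent}, matrix gives {expected}")
    if row.control_steps > 0 and not row.controls:
        findings.append(f"{row.threat}: residual lowered with no controls listed")
    return findings

# Rows constructed from the sample form (controls abbreviated).
SAMPLE_ROWS = [
    ThreatRow("Weakness of each third party service provider", "M", "M", "M",
              ("Vendor management policies", "SSAE16 report obtained"), 1),
    ThreatRow("Phishing attempts and phone calls", "H", "M", "M",
              ("Staff training", "Spam email filters"), 1),
]
```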
Table columns: Potential Threats and Vulnerabilities; Probability of Occurrence (H, M, L); Potential Impact/Severity (H, M, L); Inherent Risk Rating (H, M, L); Mitigating Controls (Admin./Policy, Technical, Physical Security); Residual Risk Rating (H, M, L); Comments.

Each threat in the sample is listed below with its ratings and mitigating controls. The Residual Risk Rating is shown as "L, M, or H" because the sample leaves it for the institution to complete, and the Comments column is blank in the sample.

Threat: Weakness of each third party service provider
  Probability of Occurrence: M
  Potential Impact/Severity: M
  Inherent Risk Rating: M
  Mitigating Controls:
    - Vendor Management policies/procedures are in place.
    - Implementation of technical controls offered by the service provider.
    - Obtain an SSAE16 (FKA SAS 70) report from the vendor.
    - Use of other software to mitigate weaknesses in service provider products.
    - Obtained vendor's assessment of their vulnerabilities, and mitigating services and controls they offer.
  Residual Risk Rating: L, M, or H

Threat: Customer's lack of knowledge of the risks associated with online payment systems.
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Provide training or training resources to customers.
    - Customer education and training program.
  Residual Risk Rating: L, M, or H

Threat: Automated "pass-through" payments sent directly to the wire processor or ACH operator.
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Manual or automated anomaly detection system is in place.
    - Customer reconciles account daily.
    - Use of payee "whitelisting" and/or "blacklisting."
    - Prior out-of-band notice of intent to deliver wire instructions or an ACH file is required.
    - IDS/IPS system in place to help thwart man-in-the-middle attacks.
  Residual Risk Rating: L, M, or H

Threat: Customer can change a wire/ACH transaction without further authentication.
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Customer reconciles account daily.
    - Customer education and training program.
    - System configuration requires re-authentication before processing a change.
    - (Or) Institution policy requires re-authentication.
    - Manual or automated anomaly detection system is in place.
    - Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H
Threat: Inadequate institution staffing and risk awareness.
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Periodic review of activity levels and trends.
    - Generation of automated reports for activity level and trends.
    - Staff training.
    - Involvement of management from all functional areas in the risk management process.
  Residual Risk Rating: L, M, or H

Threat: Inadequate risk management practices
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Resources are used to stay abreast of emerging issues.
    - Consultation with service and security providers and auditors.
    - Periodic review and revision of the risk assessment.
    - Policies/procedures are periodically reviewed, revised, and Board approved.
  Residual Risk Rating: L, M, or H

Threat: Inadequate insurance coverage
  Probability of Occurrence: M
  Potential Impact/Severity: M
  Inherent Risk Rating: M
  Mitigating Controls:
    - Electronic theft coverage has been purchased and is reviewed periodically.
  Residual Risk Rating: L, M, or H

Threat: Inadequate customer evaluations
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Each commercial customer is evaluated based on type of business, financial strength, institution history, security measures in place, and type and volume of transactions.
    - Monitoring system generates reports on usage and trends.
    - Policies with appropriate criteria for evaluating customers' risk profile (beyond rating them as simply consumer or commercial risks).
  Residual Risk Rating: L, M, or H

Threat: Inadequate password policies for the institution
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Policy requires and system enforces strict password rules.
    - Passwords are not stored on the access device for the wire transfer system.
    - Employee training enforces importance of password security.
    - System requires password changes every 90 days.
  Residual Risk Rating: L, M, or H

Threat: Inadequate password policies for the customer
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Policy requires and system enforces strict password rules.
    - Passwords are not stored on the access devices for online banking.
    - Employee training enforces importance of password security.
    - System requires password changes every 90 days.
  Residual Risk Rating: L, M, or H
Threat: Lack of dual controls at the business
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Policies and procedures outline dual control and segregation of duties requirements, and the consequences for non-compliance.
    - System requires two individuals to authenticate and approve a transaction.
    - The two approvals must be performed from separate dedicated and isolated devices.
    - Deposit accounts are reconciled daily.
  Residual Risk Rating: L, M, or H

Threat: Inadequate contact information if an incident occurs
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Contact information (including after hours) is incorporated in contracts and training materials.
    - A secure database for customer contact information is maintained to prevent unauthorized changes.
  Residual Risk Rating: L, M, or H

Threat: Phishing attempts and phone calls
  Probability of Occurrence: H
  Potential Impact/Severity: M
  Inherent Risk Rating: M
  Mitigating Controls:
    - The FDIC, IRS, NACHA, and many other entities do not contact business customers to request software installation or provide access credentials.
    - Institution and customer staff training.
    - Spam email filters are in place.
    - Institution staff will not request account holders to click on links, install software, or require changes to established procedures without securely communicated notification.
  Residual Risk Rating: L, M, or H

Threat: Unauthorized changes using the Admin account (users, password resets, device registration, time of day restrictions, etc.)
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Institution must approve addition of new Admin.
    - Changes require additional authentication and out-of-band verification before changes are implemented.
    - Institution will suspend the Admin account if the customer fails to adhere to minimum standards.
    - The account holder is automatically sent a notice immediately after the changes are made.
    - Out-of-band verification is performed prior to changes taking effect.
  Residual Risk Rating: L, M, or H
Threat: Fraudulent transaction has been initiated.
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Fraud detection and monitoring systems are in place. Manual or automated anomaly detection system is in place.
    - Dual authorization required from separate isolated devices.
    - Software or other techniques are used to restrict transactions to approved limits.
    - Dual controls implemented.
    - Daily reconcilement.
    - Transactions are approved only from authorized IP addresses, or IP addresses associated with fraud are blocked.
    - Out-of-band verification required.
    - Institution policies and procedures for dealing with customers with compromised equipment.
    - Complex device identification: one-time cookies are used that detect the PC's configuration, IP address, geo-location, and other factors.
    - Staff will identify potential "suspicious activity" and flag the transactions for further review.
    - Enhanced challenge questions.
    - High risk customers may utilize a restricted funds transfer recipient list.
    - Pattern recognition software to detect unusual activity.
    - Transaction aggregation and monitoring system.
    - Transaction limits within the system are set appropriately to reduce the risk.
    - Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H

Threat: Unauthorized physical access to customer's computer system
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - The customer's access logs are periodically reviewed.
    - Computer is in a secured area with restricted access.
    - The customer's Acceptable Use Policy is reviewed and signed annually.
    - Administrative rights are restricted.
    - USB ports and optical drives are disabled.
    - Information security and social engineering training are performed.
    - Manual or automated anomaly detection system is in place.
    - Security cameras are installed.
  Residual Risk Rating: L, M, or H
Threat: Unauthorized external access to the customer's computer system
  Probability of Occurrence: H
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - Using dedicated/isolated workstations.
    - Hardware and software firewalls are in place.
    - Commercial anti-virus and malware products are installed and automatically updated.
    - Customer has Firewall, Patch Management, Anti-Virus, and Acceptable Use Policies.
    - OS and peripheral software are regularly patched.
    - Modems are disabled.
    - An intrusion detection/prevention system is in place.
    - Staff trained on Phishing and Social Engineering techniques.
    - Multi-layered and multi-factor authentication controls are in place.
    - Manual or automated anomaly detection system is in place.
    - Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H

Threat: Fraudulent transfer of customer funds via the online wire/ACH system.
  Probability of Occurrence: M
  Potential Impact/Severity: H
  Inherent Risk Rating: H
  Mitigating Controls:
    - The customer's dual control procedure requires two individuals to authenticate a transaction.
    - Multi-factor authentication and multi-layered controls are in place.
    - Strong password requirements are in place.
    - Call-backs or out-of-band verifications are required on all or certain transactions.
    - Institution policies and procedures are in place.
    - Transmission of wire or ACH instructions must come from two separate isolated devices.
    - Manual or automated anomaly detection system is in place.
    - Transaction limits within the system are set appropriately to reduce the risk.
    - Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H