II.A.2 Vulnerabilities

A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by a threat source.[1] A technical vulnerability can be a flaw in hardware, firmware, or software that leaves an information system open to potential exploitation. These flaws provide opportunities for hackers to gain access to a computer system, execute commands as another user, or access data contrary to specified access restrictions. Institutions can use automated vulnerability scanners to scan their computer systems for known security exposures, as well as services available from third parties, such as the Mitre Corporation's Common Vulnerabilities and Exposures (CVE),[2] to track vulnerabilities.

[1] Ibid.
[2] CVE is a dictionary of publicly known information security vulnerabilities and exposures. The Mitre Corporation maintains the system. CVE is sponsored by the U.S. Computer Emergency Readiness Team in the Office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

In addition to technology-based vulnerabilities, weaknesses in business operational processes can create security vulnerabilities, exposing financial institutions to unwarranted risk. These vulnerabilities can include weaknesses in security procedures, administrative controls, physical layout, or internal controls that could be exploited to gain unauthorized access to information or to disrupt critical services. For example, an institution's systems architecture may be designed based on management's assumption that manual validation of wire transfers takes place before execution, when in practice the business process does not perform that validation until after transfers have taken place.

In addition to the vulnerabilities within a financial institution's system, vulnerabilities may also arise from interdependent and interconnected systems. Financial institutions connect their systems through mergers and acquisitions and through relationships with third parties. Over time, as these systems become increasingly interdependent and complex, new vulnerabilities may be introduced. Moreover, financial institutions are dependent on a vast array of hardware and services that may result in vulnerabilities from their supply chains, including those found in hardware and software products.

Management should assess whether the institution has processes and procedures in place to identify and maintain a catalogue of relevant vulnerabilities, determine which pose a significant risk to the institution, and effectively mitigate and monitor the risks posed by those vulnerabilities. When management cannot or chooses not to mitigate a vulnerability, management should document the decision to accept the risk, the level of risk associated with the vulnerability, and the person accountable for accepting the risk. Refer to the "Security Operations" section of this booklet for more information.

