II.C.6 Mitigating Interconnectivity Risk

Business processes often require institutions to share information with other institutions and third-party service providers, and that sharing in turn requires network connectivity. The extent of interconnectivity is a function of network architecture, network complexity, traffic volume, and number of connections. Interconnectivity risk arises from misuse, mismanagement, or compromise of these connections.

To mitigate interconnectivity risk, management should do the following:

  • Identify connections with third parties, including other financial institutions, financial institution intermediaries, and third-party service providers.
  • Identify all access points and connection types that pose risk, such as local area network (LAN) connections to other networks or Internet service providers (ISP), Wi-Fi, and cellular connections.
  • Identify connections between and access across low-risk and high-risk systems.
  • Assess all connections with third parties that provide remote access capability or control over internal systems.
  • Implement and assess the adequacy of controls to ensure the security of connections regardless of criticality or sensitivity.

Management should maintain network and connectivity diagrams and data flow charts to ensure adequacy of layered controls and to facilitate more timely recovery and restoration of systems when incidents occur.
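The steps above (identify third-party connections and access points, flag connections that cross between low-risk and high-risk systems, assess third-party remote-access links, check controls on every connection, and keep a connectivity diagram current) can be driven from a single connection inventory. The following is an added example, not code from the handbook or from any examining agency: it assumes a hypothetical zone register in which each internal zone has already been classified as low or high risk, a constructed inventory of four connections, and assumed control baselines (`BASELINE_CONTROLS`, `REMOTE_ACCESS_CONTROLS`); it reports findings per connection and emits a Graphviz DOT diagram of the connectivity so the diagram is generated from the same record that was assessed.

```python
"""Connection inventory review: findings per connection plus a DOT diagram.

Added example (not from the FFIEC handbook). Zone risk tiers, control
baselines and the inventory are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumption: internal zones were classified as low/high risk during asset
# classification. Any endpoint not listed here is treated as a third party.
ZONE_RISK: Dict[str, str] = {
    "corporate-lan": "low",
    "guest-wifi": "low",
    "dmz": "low",
    "core-banking": "high",
    "payments-gateway": "high",
}

# Assumed control baselines: every connection gets the baseline regardless of
# criticality; third-party links with remote access/control need the stricter set.
BASELINE_CONTROLS: FrozenSet[str] = frozenset({"firewall", "logging", "encryption"})
REMOTE_ACCESS_CONTROLS: FrozenSet[str] = BASELINE_CONTROLS | {"mfa", "session-monitoring"}


@dataclass(frozen=True)
class Connection:
    name: str
    src: str                 # internal zone or external party name
    dst: str                 # internal zone or external party name
    conn_type: str           # lan, isp, wifi, cellular, vpn, leased-line
    remote_access: bool      # external side can reach or control internal systems
    controls: FrozenSet[str]


def is_external(endpoint: str) -> bool:
    return endpoint not in ZONE_RISK


def risk_of(endpoint: str) -> str:
    return ZONE_RISK.get(endpoint, "external")


def assess(conn: Connection) -> List[str]:
    """Return the findings a reviewer would raise for one connection."""
    findings: List[str] = []
    third_party = is_external(conn.src) or is_external(conn.dst)
    if third_party:
        findings.append("third-party connection")
    # Internal link that crosses between low-risk and high-risk zones.
    if not third_party and risk_of(conn.src) != risk_of(conn.dst):
        findings.append("crosses low/high risk boundary")
    # Third party terminating in a high-risk zone.
    if third_party and "high" in (risk_of(conn.src), risk_of(conn.dst)):
        findings.append("third-party access to high-risk zone")
    # Controls are checked on every connection; remote-access links get the stricter set.
    required = REMOTE_ACCESS_CONTROLS if (third_party and conn.remote_access) else BASELINE_CONTROLS
    missing = sorted(required - conn.controls)
    if missing:
        findings.append("missing controls: " + ", ".join(missing))
    return findings


def review(conns: List[Connection]) -> Dict[str, List[str]]:
    return {c.name: assess(c) for c in conns}


def to_dot(conns: List[Connection]) -> str:
    """Render the inventory as a Graphviz DOT connectivity diagram."""
    lines = ["digraph connectivity {", "  rankdir=LR;"]
    colour = {"high": "red", "low": "green", "external": "gray"}
    for node in sorted({e for c in conns for e in (c.src, c.dst)}):
        shape = "box" if is_external(node) else "ellipse"
        lines.append(f'  "{node}" [shape={shape}, color={colour[risk_of(node)]}];')
    for c in conns:
        style = "dashed" if c.remote_access else "solid"
        lines.append(f'  "{c.src}" -> "{c.dst}" [label="{c.name} ({c.conn_type})", style={style}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed inventory; party names are placeholders.
INVENTORY: List[Connection] = [
    Connection("isp-uplink", "dmz", "ExampleISP", "isp", False,
               frozenset({"firewall", "logging", "encryption"})),
    Connection("core-processor-link", "core-banking", "CoreProcessorCo", "leased-line", True,
               frozenset({"firewall", "logging", "encryption", "mfa"})),
    Connection("branch-wifi", "guest-wifi", "corporate-lan", "wifi", False,
               frozenset({"firewall"})),
    Connection("ops-to-core", "corporate-lan", "core-banking", "lan", False,
               frozenset({"firewall", "logging", "encryption"})),
]

if __name__ == "__main__":
    for name, findings in review(INVENTORY).items():
        print(f"{name}: {findings or ['no findings']}")
    print(to_dot(INVENTORY))
```

Run it and pipe the DOT output through `dot -Tpng` to get the connectivity diagram; because the diagram and the findings come from one inventory, a connection added to the diagram is necessarily assessed, and a connection assessed necessarily appears on the diagram.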
