III.A.1 Ongoing Data Collection
Understanding an institution's environment is the first step in any risk identification process. In identifying risks, management should collect and compile the following information regarding the institution's IT environment:
- IT systems inventories: These are critical to understanding the institution's IT infrastructure, as well as identifying the access and storage points for confidential customer and institution information.
- IT strategic plan: Such a plan can provide insight into the institution's planning process. Review and analysis of the strategic plan as part of the risk identification process may highlight developing risk exposures or other deficiencies that limit the institution's ability to implement strategic priorities.
- Interconnectivity: This term refers to the connections between networks that are owned and operated by different entities. Management should comprehensively identify connections with third-party providers, including other financial institutions and financial institution intermediaries, because of the potential for significant operational risk through these interdependencies. In addition, management should identify all access points and connection types that pose risk, such as local or wide area network (LAN/WAN) connections to other networks or Internet service providers, cloud services, Wi-Fi, and cellular connections.
- Information flow: Management should document the flows of information throughout the institution, including flows of sensitive customer information. This documentation is critical to understanding what information assets the institution owns, where they are stored and transmitted, and who has access to them.
- Business continuity and disaster recovery plans: These plans prioritize the availability of various lines of business and often encompass restoration and provision of control and customer service and support. These plans can offer insight into the institution's critical operations and control environment.
- Third-party management program: Due diligence and monitoring present valuable information on the third-party provider's control environment. This information is necessary to identify the risks in an institution's IT environment.
- Call center: Issue tracking reports can often indicate potential performance or control issues if the problem reports are aggregated and analyzed for repetitive or common issues.
- Self-assessments: Assessments specifically on IT-related controls can provide early identification of policy noncompliance or weaknesses in controls.
- IT audit findings: These findings provide insight into the effectiveness of internal controls and staff and management's commitment to policy compliance.
- Threat intelligence information: By working with industry forums and groups, institutions can obtain information about emerging threats and the ways other organizations manage those threats.
In the process of collecting and compiling this information, management should include the potential cybersecurity risks associated with these areas of the financial institution's IT environment.
III.A Risk Identification
III.B Risk Measurement