SlideShare une entreprise Scribd logo

Information technology risks

salman butt
salman butt

This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.

1  sur  63
Télécharger pour lire hors ligne
Federal Reserve 1 Supervision of IT Risks Information Technology Risks Heidi Richards Federal Reserve Board
Federal Reserve 2 Supervision of IT Risks Overview • Internet Banking: What’s Different? • Information Technology Risks – Financial – Operational – Compliance • Supervisory Approaches
Federal Reserve 3 Supervision of IT Risks Internet Banking Risks • Two Distinct Models: I. Established banks providing services over the Internet II. Internet banks
Federal Reserve 4 Supervision of IT Risks Internet Banking • Established banks – Vast majority of Internet banking activity – Internet typically a small percentage of total retail customers – Corporate customers – “Trade name” banks (Wingspan)
Federal Reserve 5 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks in the United States – E*Trade Bank – NetBank – CompuBank – First Internet Bank • Less than 20 in United States
Federal Reserve 6 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks – Licensing regime is not different – Reporting regime is not different – Supervisory expectations are not different • Management expertise • Business plan • Capital • Compliance
Federal Reserve 7 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks – Unique business model • High marketing/advertising costs • Slim interest margins • Low fees – Key risks are not operational • Profitability has been elusive
Federal Reserve 8 Supervision of IT Risks Supervisory Risks – Credit Risk – Market Risk – Liquidity Risk – Operational Risk – Legal Risk – Reputational Risk
Federal Reserve 9 Supervision of IT Risks Technology Risks • Financial • Operational • Compliance
Federal Reserve 10 Supervision of IT Risks Different Classes of IT Risk l Small banks – Purchase tested technology or outsource – Off the shelf from traditional vendors l Large Banks l Develop technology – Partner with vendors • Often not traditional financial vendors • Controls over relationships
Federal Reserve 11 Supervision of IT Risks Technology Risks: Financial • Impact of technology investments on earnings and capital – Can investments create a direct drag on earnings? – Costs to move processing in-house – Costs to resolve integration problems – Investments in failed ventures or unsuccessful product/services
Federal Reserve 12 Supervision of IT Risks Technology Risks: Financial • Impact of technology activities on credit/market/liquidity risk – Above market rates on Internet deposits – Rate-sensitive deposits – Change in loan demographics – Lending/investment methodology – Rapid growth
Federal Reserve 13 Supervision of IT Risks Technology Risks: Operational • Security • Availability • Integrity
Rerouted transactions Theft of Information Denial of Service Slow Access to Web Site Federal Reserve 14 Supervision of IT Risks Internet Banking Risks Fraud Hacking Web-jacking Spoofing Viruses Unauthorized Access
Federal Reserve 15 Supervision of IT Risks Internet Security A Secure Computer
Federal Reserve 16 Supervision of IT Risks Information-Only Site No connectivity from Internet-site to the internal network
Federal Reserve 17 Supervision of IT Risks Information Exchange Site IEn-tmeranilet Requires a path from the Internet-site to the internal network
Federal Reserve 18 Supervision of IT Risks Information Exchange Site OInn-ltienrenet Applications
Federal Reserve 19 Supervision of IT Risks Transactional Internet-Banking site
Federal Reserve 20 Supervision of IT Risks Hacking Breaches of web sites or internal systems, either to expose security weaknesses cause damage, Hacking in software or hardware, or theft of information or assets.
Federal Reserve 21 Supervision of IT Risks Hacking --> Impact to Bank • Examples • Causes • Damage to reputation • Cost • Down time • Statistics
Federal Reserve 22 Supervision of IT Risks Hacking --> Impact to Bank • Examples • Causes • Damage to reputation • Cost • Down time – Dependent on contract with vendor – Dependent on when bank learns of hack – Statistics
Federal Reserve 23 Supervision of IT Risks Hacking --> Impact to Bank Web site is defaced Weak internal controls Customer confidence Integrity Reputational CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
z A program that can “infect” other programs by modifying them to include a, possibly evolved, copy of itself. z Types of Viruses: Federal Reserve 24 Supervision of IT Risks Viruses Viruses z Worm: a virus that replicates itself from machine to machine across networks/Internet connections often clogging networks and destroying data. z Others - Rabbits, Trojan horses, & etc.
Federal Reserve 25 Supervision of IT Risks Viruses --> Impact to Bank • Examples – LoveBug Virus – Melissa Virus • Damage to reputation • Cost • Down time • Statistics
Viruses --> Impact to Bank Federal Reserve 26 Supervision of IT Risks • Examples • Damage to reputation – Bank can be innocent bystander – Bank’s server can be used as “slave” or “zombie” • Cost • Down time • Statistics
Viruses --> Impact to Bank Federal Reserve 27 Supervision of IT Risks • Examples • Damage to reputation • Cost – Clean-up – Legal expense • Down time • Statistics Melissa cost between $93 million and $385 million LoveBug $5 to $10 billion
Viruses --> Impact to Bank Federal Reserve 28 Supervision of IT Risks • Examples • Damage to reputation • Cost • Down time – If not caught in time can require re-formatting and re-installing all applications and data • Statistics
Federal Reserve 29 Supervision of IT Risks Viruses --> Impact to Bank Bank Site Used as “slave” Weak internal controls Legal liability Security Liquidity/Legal CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
Unauthorized Access --> Impact to Bank Federal Reserve 30 Supervision of IT Risks Fraudulent transaction Weak internal controls Transaction loss Security Operational/ Reputational CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
Federal Reserve 31 Supervision of IT Risks IT Risks • Major risks have been related to systems integration – Integrity of information – Availability of systems to customers • Examples: – Wells Fargo/First Interstate merger – Fleet/BankBoston merger
Federal Reserve 32 Supervision of IT Risks Compliance Risks • Consumer protection rules – Unique to each country – Often involve disclosure requirements – Electronic environment may pose challenges – United States: ESign Act
Federal Reserve 33 Supervision of IT Risks Supervisory Approaches • IT Audit • IT Examinations/Ratings • Business Line/MIS Approach • Operational Risk
Federal Reserve 34 Supervision of IT Risks IT Audit Approach • IT Auditors – Input ==> Processing ==> Outputs • IT auditors test transactions to ensure input properly translated into outputs – System Development Life Cycle
Federal Reserve 35 Supervision of IT Risks IT Examinations • U.S. banking agencies historically conducted separate IT examinations – 2-3 year frequency – Separate presentation of findings • Federal Reserve recently eliminated separate exams – All examinations now to include risk-focused IT component – Integrated report
Federal Reserve 36 Supervision of IT Risks Supervisory Approaches: Traditional IT Review Methodology • Audit Coverage • Management • Systems & Programming • Quality Assurance • Operations • Information Security • Contingency • Telecommunications • Outsourcing
Federal Reserve 37 Supervision of IT Risks IT Rating System • Used by all federal banking regulators in United States for banks with material in-house processing • Based on COBIT IT Audit model • 4 components and composite rated on 1 to 5 scale
Federal Reserve 38 Supervision of IT Risks IT Rating System • Audit • Management • Development & Acquisition • Support & Delivery
Federal Reserve 39 Supervision of IT Risks IT Rating: Audit • Independence • Adequacy of Risk Analysis • Scope, Frequency, Accuracy, Timeliness of Reports • Audit participation in Application Development, Acquisition and Testing • Auditor Qualifications
Federal Reserve 40 Supervision of IT Risks IT Rating: Management • Director Oversight and Support • Management Depth and Succession • Adequate Strategic Planning • Responsiveness to Changing Business Conditions • IT Plans, Policies, Procedures, and Standards • Performance Reporting, e.g. Operations, MIS
Federal Reserve 41 Supervision of IT Risks IT Rating: Development and Acquisition • Systems Development, Acquisition and Change Management • Identification and Implementation of IT Solutions • Project Management • Testing • Program change controls
Federal Reserve 42 Supervision of IT Risks IT Rating: Support and Delivery • Security Administration • Formal Policy and Awareness Program Communicated and Enforced Enterprise-wide • Logical and Physical Security Closely Monitored, With Incidents Communicated and Resolved • Continuity Planning • Comprehensive DRP and BRP • Provisions Current and Tested • Pre-defined Recovery Time Frames
Federal Reserve 43 Supervision of IT Risks IT Rating: Support and Delivery • Operations Management – Service Level Performance – Adherence to Defined SLA’s • Monitoring of Third Party Relationships
Federal Reserve 44 Supervision of IT Risks Support and Delivery: Outsourcing • Transfer of Direct Managerial Responsibility • Include Use of Affiliates • Activities Include Information Technology, Audit, Loan Review, EFT • Reduced Costs • Access to Expertise
Federal Reserve 45 Supervision of IT Risks Outsourcing Arrangements • Third-party Service Provider • Affiliated Service Provider • Facilities Management • Turnkey Application • Service Bureau • Independent Data Center
Federal Reserve 46 Supervision of IT Risks Outsourcing Vendors • Core Bank Processing – FiServ – EDS – Alltel – Jack Henry & Associates • Internet Banking – S1 – Digital Insight – Corillian – Netzee
Federal Reserve 47 Supervision of IT Risks Outsourcing Risk Management • Risk Assessment • Selection of Service Provider • Contracts • Controls • Ongoing Monitoring • Information Access • Audit
Federal Reserve 48 Supervision of IT Risks Outsourcing Risk Management • Reliability of Service • Third Party Vendor’s Access to Confidential Information • Adequacy of Vendor’s Audit Program • Extent Vendor Uses Sub-contractors or Other Third-parties to Perform Services
Federal Reserve 49 Supervision of IT Risks Most Common IT Examination Findings • Inadequate/No IT Audit Program • Poor Systems Integration Management • No Testing of Disaster Recovery Plan • Monitoring of Outsourced Vendor • Inadequate Security (e.g. password control)
Federal Reserve 50 Supervision of IT Risks Most Common Internet Banking Examination Findings • Policies and Procedures not Updated • No Board Approval, Strategic Plan, or Impact Assessment of Internet Banking • Internet Banking not included in Contingency Plan • No Monitoring of Outsourced Vendor • No Audit Coverage of Internet Banking
Federal Reserve 51 Supervision of IT Risks Supervisory Approaches Separate IT examinations – Increased specialist attention to technology risks – Risk: divergence of IT view from safety and soundness view – Safety and soundness examiners generally do not understand IT hIT examiners generally do not understand business risks
Federal Reserve 52 Supervision of IT Risks Supervisory Approaches Point in time IT examination may be increasingly less relevant – Business strategic risk drives IT actions – Need business knowledge to identify risk – IT examiner often not equipped to address – Separate IT rating may not always be incorporated in overall risk assessment
Federal Reserve 53 Supervision of IT Risks Supervisory Approaches New IT models are very different – Centralized “standards” with local business ownership of IT resources – Decentralized business ownership with some centralized support services – Business ownership with outsourced infrastructure – Internet Banking requires integrated approach
Federal Reserve 54 Supervision of IT Risks Supervisory Approaches: Business Line Approach IT business model has changed – IT rarely centralized in large organizations – Business owns IT – Who does the IT examiner talk to? – How does supervisor judge IT risks in businesses without assessing the business?
Federal Reserve 55 Supervision of IT Risks Business Line Approach • Identify key business lines that rely heavily on automated systems • Review integrity of MIS, including risk management, in conjunction with business line review • Availability of systems that support real-time functions
Federal Reserve 56 Supervision of IT Risks Supervisory Approaches: Operational Risk • What is Operational Risk? – Early definition – “Everything other than market and credit risk” – Direct or indirect losses – Loss events may be traced back to weaknesses in processes or people • Information Technology is one component • Industry sound practices beginning to emerge
Federal Reserve 57 Supervision of IT Risks Operational Risk • Rapid Change and Consolidation • Enterprise-Wide Risk Management • Realization that Operational Risk is on par with Traditional Banking Risks • Basel Committee Study on Capital Requirements
Federal Reserve 58 Supervision of IT Risks Operational Risk: Examples • Settlement snafus • Back-office mistakes • Audit oversights • Risk control lapses • Other failures associated with the daily running of different business lines
Federal Reserve 59 Supervision of IT Risks Questions for Supervisors l How do IT risks impact the organization’s key business functions? l What specific IT issues need special attention at this institution because of the risks they pose?
Federal Reserve 60 Supervision of IT Risks Questions for Supervisors l How has/is the institution handling change in its IT activities and operations? l New activities: Internet banking l Which (if any) merit supervisory review? l Has the bank implemented IT audit and controls appropriate for its level of complexity?
Federal Reserve 61 Supervision of IT Risks Questions for Supervisors l Are you comfortable with core aspects of the institution’s operations: l Reliability of service provider l Reliability of risk management and reporting systems l Security of data l Integrity of systems through mergers, etc.
Federal Reserve 62 Supervision of IT Risks Information Resources • US Banking Agencies web sites • Consulting firms • Industry IT audit associations – ITaudit.org – ISACA
Federal Reserve 63 Supervision of IT Risks Questions?

Recommandé

IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Tudor Damian
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
Goutama Bachtiar
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
PECB
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 

Recommandé

IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Tudor Damian
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
Smart Assessment
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
Goutama Bachtiar
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
PECB
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
Coso erm
Coso ermCoso erm
Coso erm
Humberto Omar Valverde Taborga
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Risk management
Risk managementRisk management
Risk management
Babasab Patil
 
Third-Party Oversight & Governance
Third-Party Oversight & GovernanceThird-Party Oversight & Governance
Third-Party Oversight & Governance
EDR
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
Midhun Nirmal
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
seanpizzy
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and compliance
Magdalena Matell
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
FireEye, Inc.
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
Alex Rudie
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
PECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysisPECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysis
PECB
 
Governance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management SolutionGovernance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management Solution
Rishabh Software
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Isms
IsmsIsms
Isms
penetration Tester
 
Compliance framework
Compliance frameworkCompliance framework
Compliance framework
Manoj Agarwal
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
Yulias Sihombing, Ak, MAk, CIA
 
Qaip yulias c sihombing
Qaip yulias c sihombingQaip yulias c sihombing
Qaip yulias c sihombing
Yulias Sihombing, Ak, MAk, CIA
 

Contenu connexe

Tendances

Governance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management SolutionGovernance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management Solution
Rishabh Software
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 

Tendances (20)

Coso erm
Coso ermCoso erm
Coso erm
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Risk management
Risk managementRisk management
Risk management
 
Third-Party Oversight & Governance
Third-Party Oversight & GovernanceThird-Party Oversight & Governance
Third-Party Oversight & Governance
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and compliance
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
PECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysisPECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysis
 
Governance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management SolutionGovernance, Risk & Compliance Management Solution
Governance, Risk & Compliance Management Solution
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Isms
IsmsIsms
Isms
 
Compliance framework
Compliance frameworkCompliance framework
Compliance framework
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 

En vedette

Ict In Disaster Risk Reduction India Case
Ict In Disaster Risk Reduction India CaseIct In Disaster Risk Reduction India Case
Ict In Disaster Risk Reduction India Case
Sujit Mohanty
 

En vedette (8)

Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 
Qaip yulias c sihombing
Qaip yulias c sihombingQaip yulias c sihombing
Qaip yulias c sihombing
 
Ifrs fin accounting quick review
Ifrs fin accounting quick reviewIfrs fin accounting quick review
Ifrs fin accounting quick review
 
Iso 31000 summary 2
Iso 31000 summary 2Iso 31000 summary 2
Iso 31000 summary 2
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
Overview ippf
Overview ippfOverview ippf
Overview ippf
 
Ict In Disaster Risk Reduction India Case
Ict In Disaster Risk Reduction India CaseIct In Disaster Risk Reduction India Case
Ict In Disaster Risk Reduction India Case
 
Information Technology Risk Management
Information Technology Risk ManagementInformation Technology Risk Management
Information Technology Risk Management
 

Similaire à Information technology risks

Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
Binghamton Bank Analysis
Binghamton Bank AnalysisBinghamton Bank Analysis
Binghamton Bank Analysis
Alex Cai
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
E Andrew Keeney
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
Bill Despo
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
NCC Group
 
Binghamton Bank Risk Analysis
Binghamton Bank Risk Analysis Binghamton Bank Risk Analysis
Binghamton Bank Risk Analysis
Sharon Han
 

Similaire à Information technology risks (20)

Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
Binghamton Bank Analysis
Binghamton Bank AnalysisBinghamton Bank Analysis
Binghamton Bank Analysis
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop
Cybersecurity Workshop
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to KnowCyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to Know
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
 
Binghamton Bank Risk Analysis.pptx
Binghamton Bank Risk Analysis.pptxBinghamton Bank Risk Analysis.pptx
Binghamton Bank Risk Analysis.pptx
 
Fraud and Security in Uncharted Territory: Considerations in the Age of COVID-19
Fraud and Security in Uncharted Territory: Considerations in the Age of COVID-19Fraud and Security in Uncharted Territory: Considerations in the Age of COVID-19
Fraud and Security in Uncharted Territory: Considerations in the Age of COVID-19
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive Briefing
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
IT Security Essentials
IT Security EssentialsIT Security Essentials
IT Security Essentials
 
Using Threat Intelligence to Address Your Growing Digital Risk
Using Threat Intelligence to Address Your Growing Digital RiskUsing Threat Intelligence to Address Your Growing Digital Risk
Using Threat Intelligence to Address Your Growing Digital Risk
 
ciso-platform-annual-summit-2013-IT risk as business risk
ciso-platform-annual-summit-2013-IT risk as business riskciso-platform-annual-summit-2013-IT risk as business risk
ciso-platform-annual-summit-2013-IT risk as business risk
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019 PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
 
Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
Binghamton Bank Risk Analysis
Binghamton Bank Risk Analysis Binghamton Bank Risk Analysis
Binghamton Bank Risk Analysis
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 

Information technology risks

  • 1. Federal Reserve 1 Supervision of IT Risks Information Technology Risks Heidi Richards Federal Reserve Board
  • 2. Federal Reserve 2 Supervision of IT Risks Overview • Internet Banking: What’s Different? • Information Technology Risks – Financial – Operational – Compliance • Supervisory Approaches
  • 3. Federal Reserve 3 Supervision of IT Risks Internet Banking Risks • Two Distinct Models: I. Established banks providing services over the Internet II. Internet banks
  • 4. Federal Reserve 4 Supervision of IT Risks Internet Banking • Established banks – Vast majority of Internet banking activity – Internet typically a small percentage of total retail customers – Corporate customers – “Trade name” banks (Wingspan)
  • 5. Federal Reserve 5 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks in the United States – E*Trade Bank – NetBank – CompuBank – First Internet Bank • Less than 20 in United States
  • 6. Federal Reserve 6 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks – Licensing regime is not different – Reporting regime is not different – Supervisory expectations are not different • Management expertise • Business plan • Capital • Compliance
  • 7. Federal Reserve 7 Supervision of IT Risks Internet Banking Risks • Internet-Only Banks – Unique business model • High marketing/advertising costs • Slim interest margins • Low fees – Key risks are not operational • Profitability has been elusive
  • 8. Federal Reserve 8 Supervision of IT Risks Supervisory Risks – Credit Risk – Market Risk – Liquidity Risk – Operational Risk – Legal Risk – Reputational Risk
  • 9. Federal Reserve 9 Supervision of IT Risks Technology Risks • Financial • Operational • Compliance
  • 10. Federal Reserve 10 Supervision of IT Risks Different Classes of IT Risk l Small banks – Purchase tested technology or outsource – Off the shelf from traditional vendors l Large Banks l Develop technology – Partner with vendors • Often not traditional financial vendors • Controls over relationships
  • 11. Federal Reserve 11 Supervision of IT Risks Technology Risks: Financial • Impact of technology investments on earnings and capital – Can investments create a direct drag on earnings? – Costs to move processing in-house – Costs to resolve integration problems – Investments in failed ventures or unsuccessful product/services
  • 12. Federal Reserve 12 Supervision of IT Risks Technology Risks: Financial • Impact of technology activities on credit/market/liquidity risk – Above market rates on Internet deposits – Rate-sensitive deposits – Change in loan demographics – Lending/investment methodology – Rapid growth
  • 13. Federal Reserve 13 Supervision of IT Risks Technology Risks: Operational • Security • Availability • Integrity
  • 14. Rerouted transactions Theft of Information Denial of Service Slow Access to Web Site Federal Reserve 14 Supervision of IT Risks Internet Banking Risks Fraud Hacking Web-jacking Spoofing Viruses Unauthorized Access
  • 15. Federal Reserve 15 Supervision of IT Risks Internet Security A Secure Computer
  • 16. Federal Reserve 16 Supervision of IT Risks Information-Only Site No connectivity from Internet-site to the internal network
  • 17. Federal Reserve 17 Supervision of IT Risks Information Exchange Site IEn-tmeranilet Requires a path from the Internet-site to the internal network
  • 18. Federal Reserve 18 Supervision of IT Risks Information Exchange Site OInn-ltienrenet Applications
  • 19. Federal Reserve 19 Supervision of IT Risks Transactional Internet-Banking site
  • 20. Federal Reserve 20 Supervision of IT Risks Hacking Breaches of web sites or internal systems, either to expose security weaknesses cause damage, Hacking in software or hardware, or theft of information or assets.
  • 21. Federal Reserve 21 Supervision of IT Risks Hacking --> Impact to Bank • Examples • Causes • Damage to reputation • Cost • Down time • Statistics
  • 22. Federal Reserve 22 Supervision of IT Risks Hacking --> Impact to Bank • Examples • Causes • Damage to reputation • Cost • Down time – Dependent on contract with vendor – Dependent on when bank learns of hack – Statistics
  • 23. Federal Reserve 23 Supervision of IT Risks Hacking --> Impact to Bank Web site is defaced Weak internal controls Customer confidence Integrity Reputational CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
  • 24. z A program that can “infect” other programs by modifying them to include a, possibly evolved, copy of itself. z Types of Viruses: Federal Reserve 24 Supervision of IT Risks Viruses Viruses z Worm: a virus that replicates itself from machine to machine across networks/Internet connections often clogging networks and destroying data. z Others - Rabbits, Trojan horses, & etc.
  • 25. Federal Reserve 25 Supervision of IT Risks Viruses --> Impact to Bank • Examples – LoveBug Virus – Melissa Virus • Damage to reputation • Cost • Down time • Statistics
  • 26. Viruses --> Impact to Bank Federal Reserve 26 Supervision of IT Risks • Examples • Damage to reputation – Bank can be innocent bystander – Bank’s server can be used as “slave” or “zombie” • Cost • Down time • Statistics
  • 27. Viruses --> Impact to Bank Federal Reserve 27 Supervision of IT Risks • Examples • Damage to reputation • Cost – Clean-up – Legal expense • Down time • Statistics Melissa cost between $93 million and $385 million LoveBug $5 to $10 billion
  • 28. Viruses --> Impact to Bank Federal Reserve 28 Supervision of IT Risks • Examples • Damage to reputation • Cost • Down time – If not caught in time can require re-formatting and re-installing all applications and data • Statistics
  • 29. Federal Reserve 29 Supervision of IT Risks Viruses --> Impact to Bank Bank Site Used as “slave” Weak internal controls Legal liability Security Liquidity/Legal CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
  • 30. Unauthorized Access --> Impact to Bank Federal Reserve 30 Supervision of IT Risks Fraudulent transaction Weak internal controls Transaction loss Security Operational/ Reputational CAMELS deteriorates? Event Causes Direct Effect IT/Operational Risk Business Risk Regulatory Impact
  • 31. Federal Reserve 31 Supervision of IT Risks IT Risks • Major risks have been related to systems integration – Integrity of information – Availability of systems to customers • Examples: – Wells Fargo/First Interstate merger – Fleet/BankBoston merger
  • 32. Federal Reserve 32 Supervision of IT Risks Compliance Risks • Consumer protection rules – Unique to each country – Often involve disclosure requirements – Electronic environment may pose challenges – United States: ESign Act
  • 33. Federal Reserve 33 Supervision of IT Risks Supervisory Approaches • IT Audit • IT Examinations/Ratings • Business Line/MIS Approach • Operational Risk
  • 34. Federal Reserve 34 Supervision of IT Risks IT Audit Approach • IT Auditors – Input ==> Processing ==> Outputs • IT auditors test transactions to ensure input properly translated into outputs – System Development Life Cycle
  • 35. Federal Reserve 35 Supervision of IT Risks IT Examinations • U.S. banking agencies historically conducted separate IT examinations – 2-3 year frequency – Separate presentation of findings • Federal Reserve recently eliminated separate exams – All examinations now to include risk-focused IT component – Integrated report
  • 36. Federal Reserve 36 Supervision of IT Risks Supervisory Approaches: Traditional IT Review Methodology • Audit Coverage • Management • Systems & Programming • Quality Assurance • Operations • Information Security • Contingency • Telecommunications • Outsourcing
  • 37. Federal Reserve 37 Supervision of IT Risks IT Rating System • Used by all federal banking regulators in United States for banks with material in-house processing • Based on COBIT IT Audit model • 4 components and composite rated on 1 to 5 scale
  • 38. Federal Reserve 38 Supervision of IT Risks IT Rating System • Audit • Management • Development & Acquisition • Support & Delivery
  • 39. Federal Reserve 39 Supervision of IT Risks IT Rating: Audit • Independence • Adequacy of Risk Analysis • Scope, Frequency, Accuracy, Timeliness of Reports • Audit participation in Application Development, Acquisition and Testing • Auditor Qualifications
  • 40. Federal Reserve 40 Supervision of IT Risks IT Rating: Management • Director Oversight and Support • Management Depth and Succession • Adequate Strategic Planning • Responsiveness to Changing Business Conditions • IT Plans, Policies, Procedures, and Standards • Performance Reporting, e.g. Operations, MIS
  • 41. Federal Reserve 41 Supervision of IT Risks IT Rating: Development and Acquisition • Systems Development, Acquisition and Change Management • Identification and Implementation of IT Solutions • Project Management • Testing • Program change controls
  • 42. Federal Reserve 42 Supervision of IT Risks IT Rating: Support and Delivery • Security Administration • Formal Policy and Awareness Program Communicated and Enforced Enterprise-wide • Logical and Physical Security Closely Monitored, With Incidents Communicated and Resolved • Continuity Planning • Comprehensive DRP and BRP • Provisions Current and Tested • Pre-defined Recovery Time Frames
  • 43. Federal Reserve 43 Supervision of IT Risks IT Rating: Support and Delivery • Operations Management – Service Level Performance – Adherence to Defined SLA’s • Monitoring of Third Party Relationships
  • 44. Federal Reserve 44 Supervision of IT Risks Support and Delivery: Outsourcing • Transfer of Direct Managerial Responsibility • Include Use of Affiliates • Activities Include Information Technology, Audit, Loan Review, EFT • Reduced Costs • Access to Expertise
  • 45. Federal Reserve 45 Supervision of IT Risks Outsourcing Arrangements • Third-party Service Provider • Affiliated Service Provider • Facilities Management • Turnkey Application • Service Bureau • Independent Data Center
  • 46. Federal Reserve 46 Supervision of IT Risks Outsourcing Vendors • Core Bank Processing – FiServ – EDS – Alltel – Jack Henry & Associates • Internet Banking – S1 – Digital Insight – Corillian – Netzee
  • 47. Federal Reserve 47 Supervision of IT Risks Outsourcing Risk Management • Risk Assessment • Selection of Service Provider • Contracts • Controls • Ongoing Monitoring • Information Access • Audit
  • 48. Federal Reserve 48 Supervision of IT Risks Outsourcing Risk Management • Reliability of Service • Third Party Vendor’s Access to Confidential Information • Adequacy of Vendor’s Audit Program • Extent Vendor Uses Sub-contractors or Other Third-parties to Perform Services
  • 49. Federal Reserve 49 Supervision of IT Risks Most Common IT Examination Findings • Inadequate/No IT Audit Program • Poor Systems Integration Management • No Testing of Disaster Recovery Plan • Monitoring of Outsourced Vendor • Inadequate Security (e.g. password control)
  • 50. Federal Reserve 50 Supervision of IT Risks Most Common Internet Banking Examination Findings • Policies and Procedures not Updated • No Board Approval, Strategic Plan, or Impact Assessment of Internet Banking • Internet Banking not included in Contingency Plan • No Monitoring of Outsourced Vendor • No Audit Coverage of Internet Banking
  • 51. Federal Reserve 51 Supervision of IT Risks Supervisory Approaches Separate IT examinations – Increased specialist attention to technology risks – Risk: divergence of IT view from safety and soundness view – Safety and soundness examiners generally do not understand IT hIT examiners generally do not understand business risks
  • 52. Federal Reserve 52 Supervision of IT Risks Supervisory Approaches Point in time IT examination may be increasingly less relevant – Business strategic risk drives IT actions – Need business knowledge to identify risk – IT examiner often not equipped to address – Separate IT rating may not always be incorporated in overall risk assessment
  • 53. Federal Reserve 53 Supervision of IT Risks Supervisory Approaches New IT models are very different – Centralized “standards” with local business ownership of IT resources – Decentralized business ownership with some centralized support services – Business ownership with outsourced infrastructure – Internet Banking requires integrated approach
  • 54. Federal Reserve 54 Supervision of IT Risks Supervisory Approaches: Business Line Approach IT business model has changed – IT rarely centralized in large organizations – Business owns IT – Who does the IT examiner talk to? – How does supervisor judge IT risks in businesses without assessing the business?
  • 55. Federal Reserve 55 Supervision of IT Risks Business Line Approach • Identify key business lines that rely heavily on automated systems • Review integrity of MIS, including risk management, in conjunction with business line review • Availability of systems that support real-time functions
  • 56. Federal Reserve 56 Supervision of IT Risks Supervisory Approaches: Operational Risk • What is Operational Risk? – Early definition – “Everything other than market and credit risk” – Direct or indirect losses – Loss events may be traced back to weaknesses in processes or people • Information Technology is one component • Industry sound practices beginning to emerge
  • 57. Federal Reserve 57 Supervision of IT Risks Operational Risk • Rapid Change and Consolidation • Enterprise-Wide Risk Management • Realization that Operational Risk is on par with Traditional Banking Risks • Basel Committee Study on Capital Requirements
  • 58. Federal Reserve 58 Supervision of IT Risks Operational Risk: Examples • Settlement snafus • Back-office mistakes • Audit oversights • Risk control lapses • Other failures associated with the daily running of different business lines
  • 59. Federal Reserve 59 Supervision of IT Risks Questions for Supervisors l How do IT risks impact the organization’s key business functions? l What specific IT issues need special attention at this institution because of the risks they pose?
  • 60. Federal Reserve 60 Supervision of IT Risks Questions for Supervisors l How has/is the institution handling change in its IT activities and operations? l New activities: Internet banking l Which (if any) merit supervisory review? l Has the bank implemented IT audit and controls appropriate for its level of complexity?
  • 61. Federal Reserve 61 Supervision of IT Risks Questions for Supervisors l Are you comfortable with core aspects of the institution’s operations: l Reliability of service provider l Reliability of risk management and reporting systems l Security of data l Integrity of systems through mergers, etc.
  • 62. Federal Reserve 62 Supervision of IT Risks Information Resources • US Banking Agencies web sites • Consulting firms • Industry IT audit associations – ITaudit.org – ISACA
  • 63. Federal Reserve 63 Supervision of IT Risks Questions?