IT Risk Assessment

FIPCO® can address an institution’s IT Risk Assessment needs in multiple ways.

RiskOptix – One Stop, One Source, One Solution
FIPCO offers RiskOptix® to institutions that want to manage risk consistently across the organization. RiskOptix® provides a continuous, consistent risk assessment process and is not limited to IT Risk Assessments: it draws on information gathered throughout the year to give management a formal, ongoing view of risk. As a multi-user, web-based solution, RiskOptix® is available wherever the Internet is accessible, and institutions are no longer tied to managing complex spreadsheets.

FIPCO IT Risk Assessment Consulting
FIPCO offers IT Risk Assessment consulting by security professionals who work with an institution’s Information Technology and business teams to assess the risk to critical computing assets, using a consistent methodology called PUSH™ to document and analyze the institution’s risk profile. FIPCO security professionals deliver the assessment through the RiskOptix® solution to ensure a consistent, high-quality result. The final deliverable includes an Executive Summary, several detail reports and supporting documentation.

For more information on IT Risk Assessment Consulting or a personalized demonstration of RiskOptix®, contact your FIPCO® account executive at 1-800/722-3498 (ext. 254 or 258) or FIPCO Sales.

Risk Assessment Methodology:
In theory, Information Technology Risk Assessment should be easy: identify critical IT assets, consider the potential risks and evaluate the controls. In practice, institutions often struggle with the basic terms and concepts, and with selecting a methodology of the right size and complexity for them to succeed. Institutions are seldom able to document the methodology, or the risk management decisions it produced, consistently.

Multiple frameworks and methodologies exist to support security, auditing and risk assessment. These resources are valuable for assisting in the design and testing of a security program. FIPCO IT Services has adopted the Risk Assessment methodology presented as "A Practical and Effective Approach to Risk Assessment" at the 2007 and 2008 Federal Financial Institutions Examination Council (FFIEC) Technology Conferences.

  • Preparation
  • Universe Definition
  • Scoring
  • Hitting the Mark


Preparation activities include defining the purpose and audience of a Risk Assessment. Audit planning, budgeting, compliance, disaster planning, policy writing, remediation and vendor selection are typical purposes for a Risk Assessment.

Universe definition includes the identification and characterization of the most critical Assets, Risks and Controls. Assets are the valuable information processing platforms, procedures and policies. Risks are the potential “bad things” that could happen to assets. Controls are the mitigating factors to protect the Assets from the potential Risks.

Typical information technology risk factors include:

  • Character of System
  • System Complexity
  • System Maturity
  • System Cost
  • Sensitivity
  • Criticality
  • Integrity
  • Continuity or Recovery Plans

Scoring consists of choosing a consistent scale by which to rate the importance of Assets, the potential impact of Risks and the effectiveness of Controls. Additional activities include the association of Assets to Risks to Controls.

Here are some sample questions to show scoring relationships:

  • What could happen if an Asset such as your internet connection fails?
  • What is the Risk of your internet service provider going out of business and how critical will the impact be?
  • What is the Likelihood that the service provider will go out of business?
  • What Controls have been put in place in case a vendor does fail (e.g., contracts, due diligence in vendor selection), and how effective are those controls at limiting the damage? (e.g., Low: not much help; High: we have an alternate vendor)
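As an added illustration of the scoring step (example code written for this page; it is not the PUSH™ methodology, RiskOptix® output or any FIPCO formula), the following risk register rates Assets, Risks and Controls on one 1-5 scale, associates each Asset with its Risks and Controls, and ranks Asset/Risk pairs by residual score. The 1-5 scale, the multiplicative inherent score and the way control effectiveness discounts it are assumptions made for illustration; the sample register is constructed around the internet-connection questions above and is not real data.

```python
"""Risk register with one consistent scoring scale.

Added illustrative example, not FIPCO's PUSH methodology nor RiskOptix output.
The 1-5 scale, the multiplicative inherent score and the control discount are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

LOW, HIGH = 1, 5  # one scale for every factor: 1 = low ... 5 = high


def _checked(value: int, label: str) -> int:
    """Reject scores outside the agreed scale so ratings stay comparable."""
    if not LOW <= value <= HIGH:
        raise ValueError(f"{label} must be {LOW}..{HIGH}, got {value}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # importance of the asset to the institution

    def __post_init__(self):
        _checked(self.criticality, "criticality")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # how likely the "bad thing" is
    impact: int      # how bad it is when it happens

    def __post_init__(self):
        _checked(self.likelihood, "likelihood")
        _checked(self.impact, "impact")


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: int  # 1 = not much help ... 5 = risk largely mitigated

    def __post_init__(self):
        _checked(self.effectiveness, "effectiveness")


def inherent_score(asset: Asset, risk: Risk) -> int:
    """Score before controls: criticality x likelihood x impact (1..125)."""
    return asset.criticality * risk.likelihood * risk.impact


def residual_score(asset: Asset, risk: Risk, controls: tuple) -> float:
    """Assumed model: the single most effective control discounts the inherent
    score. Effectiveness 1 leaves it unchanged; 5 leaves one fifth of it.
    Controls are deliberately not summed, so stacking weak controls does not
    look like one strong control."""
    inherent = inherent_score(asset, risk)
    if not controls:
        return float(inherent)
    best = max(c.effectiveness for c in controls)
    return inherent * (HIGH + 1 - best) / HIGH


def rank(register):
    """register: iterable of (asset, risk, controls) associations.
    Returns rows sorted by residual score, highest first, so the top rows
    are the ones remediation should address."""
    rows = []
    for asset, risk, controls in register:
        rows.append({
            "asset": asset.name,
            "risk": risk.name,
            "inherent": inherent_score(asset, risk),
            "residual": residual_score(asset, risk, controls),
            "controls": [c.name for c in controls],
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register built around the page's own example questions.
INTERNET = Asset("Internet connection", criticality=5)
ISP_FAILS = Risk("ISP goes out of business", likelihood=2, impact=5)
LINK_OUTAGE = Risk("Circuit outage", likelihood=4, impact=4)
CONTRACT = Control("Contract terms and vendor due diligence", effectiveness=2)
ALT_VENDOR = Control("Alternate ISP on standby", effectiveness=5)

SAMPLE_REGISTER = (
    (INTERNET, ISP_FAILS, (CONTRACT, ALT_VENDOR)),
    (INTERNET, LINK_OUTAGE, (CONTRACT,)),
)

if __name__ == "__main__":
    for row in rank(SAMPLE_REGISTER):
        print(f"{row['residual']:6.1f}  (inherent {row['inherent']:3d})  "
              f"{row['asset']} / {row['risk']}  controls={row['controls']}")
```

Running the script ranks the circuit outage (inherent 80, residual 64.0, only a contract in place) above the ISP failure (inherent 50, residual 10.0 once an alternate vendor exists), which is the kind of ordering the Scoring stage is meant to surface. Taking only the strongest control into account is a deliberate choice: it prevents a pile of weak, overlapping controls from being scored as if they were one effective one.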

“Hitting the mark” activities ensure that the Risk Assessment serves the purpose defined during the Preparation stage. Hitting the mark means managing risk in proportion to the size and complexity of the institution, using a documented and proven methodology.

PUSH™ and RiskOptix® are trademarks of the Chapman Technology Group Inc., a FIPCO® endorsed Vendor.
