2011 FFIEC Online Banking Guidance prep part 1 – Risk Assessment

by Kevin Bong
on May 10 in AssureIT

This blog posting is meant to help individuals who need to conduct or update their online banking risk assessment in compliance with the new FFIEC guidance that is expected to be released soon, and who may need a framework or a place to start. This article walks through how the FFIEC’s framework for an Information Security Risk Assessment, available from the FFIEC handbook at http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment.aspx, could be used as the basis for an online banking risk assessment.

Step 1: Gather Necessary Information

The first step in the FFIEC risk assessment framework is to “Gather Necessary Information”. The risk assessment should be based on current and detailed knowledge of the financial institution’s operating and business environment. For your online banking risk assessment, relevant information may include:

  • A list of the web services provided by your financial institution and their capabilities
  • Network diagrams, data flow diagrams, and authentication documentation for relevant in-house systems
  • Contracts, diagrams, and other documentation for outsourced online banking services
  • Reports of prior online fraud incidents
  • Current and past audit findings related to online services
  • Documentation related to current online fraud trends and techniques (our next blog posting in this series will provide an outline of the current state of online banking fraud)
  • List of available security enhancements or the road-map for new enhancements from your online platform software vendor or service provider

Step 2: Inventory Systems and Data

The next step in the FFIEC framework is to Inventory systems and data. For your online banking risk assessment you may want to consider including the following information in your inventory for each of your web services:

  • Website name/URL
  • Purpose and target audience
  • Does it allow for viewing of balances or other sensitive customer information?
  • Does it allow for internal transfers between accounts within the system?
  • Does it permit transactions that send funds out of the system?
  • Does it permit high-risk transactions such as ACH or Wire Transfers that send funds immediately out of the account?
  • Current authentication method(s) utilized
  • Current password reset/lockout method utilized
  • Any fraud detection or other security layers employed
  • What is the impact of an outage?

Also consider the scope of your risk assessment. Will it only include services available to customers, or will you also perform a risk assessment of services available only to your institution’s employees? Will it only include web services, or will it also include items such as your telephone banking automated voice response, merchant capture services, or mobile banking applications? An appropriate scope may be any automated/electronic service that is utilized by customers of your institution.

Step 3: Data Classification

Once your inventory is complete, the next step is to classify and rank the systems based on their data and capabilities. To come up with this initial risk rating, consider the impact to your customers or your institution if an account were breached. Websites that contain general information, such as a listing of your locations and the products and services you have available, would likely be a lower risk in terms of client impact. A system that allows a client to view account balances and perhaps transfer funds between related accounts may be a medium initial risk. If the system allows transactions that can send funds out, such as an online bill pay service, it is likely a high initial risk for fraud. Systems that allow high-risk transactions such as ACH and Wire would be a very high initial risk.

Step 4: Assess Threats and Vulnerabilities

Next you need to assess the threats and vulnerabilities impacting each of your online services. A good way to approach this may be to brainstorm a list of the threats and vulnerabilities that may impact your online services, and then go through your list of online services and consider/document if that service is vulnerable to each threat.

Some of the threats and vulnerabilities to consider include:

  • Passwords stolen by malware on customer machines
  • Weak passwords/password guessing or cracking by hackers
  • Creation of unauthorized “money mule” fund recipients
  • Creation of unauthorized transactions
  • Creation of unauthorized login ID’s or accounts
  • Man in the browser Trojan attacks
  • Man in the middle network attacks
  • Denial of service attacks
  • Account sharing by customers
  • Insider fraud at your FI
  • Web application vulnerabilities (SQL injection, Cross site scripting, etc.)

Step 5: Evaluate Control Effectiveness

The next step in the FFIEC framework is to identify controls that will reduce the likelihood or impact of the threats and vulnerabilities. Controls are generally categorized as preventative, detective or corrective. When evaluating control effectiveness, you need to measure or judge how reliable the control is at preventing or detecting the event that it was designed to protect against.

Some preventative controls to consider for your online banking risk assessment include:

  • Multifactor authentication
  • Any IP blocking or whitelisting
  • Transaction limits
  • Intrusion Prevention systems
  • Password policies
  • Client education
  • Account access controls/rights assignment

Some Detective and Corrective controls to consider include:

  • Heuristic monitoring or other fraud detection systems
  • Transaction approval processes
  • Report review
  • Intrusion Detection systems
  • Email alerts
  • Incident response and escalation procedures

Step 6: Assign Risk Ratings

The next step is to assign a residual risk rating for each identified system. There are many ways to determine this residual risk rating. One possible approach is to look at each identified threat or vulnerability and assign a control adequacy rating to it (“controls are strong”, “controls are adequate”, “controls are weak”). You could then combine the control adequacy ratings with your initial risk ratings to determine a residual risk. For example, if you had a system with high initial risk, but all the controls are at least adequate, then that system may have a medium residual risk. However, if you have a high initial risk and weak controls, you likely have a high or very high residual risk. The ratings and the logic that combines them are something you’ll want to map out in a way that fits your organization.
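As an added example (not from the post or the FFIEC handbook), the capability-based initial rating from Step 3 and the residual-risk mapping from Step 6 carried through in Python over a constructed inventory. The reduction rule (any weak control leaves the initial rating unchanged, all adequate drops one level, all strong drops two) is an assumption chosen to match the post's own example; the service names and threat labels are constructed.

```python
from dataclasses import dataclass, field

LEVELS = ["low", "medium", "high", "very high"]
ADEQUACY = {"weak": 0, "adequate": 1, "strong": 2}  # control adequacy ratings

@dataclass
class Service:
    name: str
    views_balances: bool = False      # balances / sensitive customer data
    internal_transfers: bool = False  # transfers between accounts in-system
    external_transfers: bool = False  # e.g. bill pay sends funds out
    ach_or_wire: bool = False         # immediate high-risk outbound transactions
    # control adequacy per threat from Step 4, e.g. {"malware": "adequate"}
    controls: dict = field(default_factory=dict)

def initial_risk(svc: Service) -> str:
    """Step 3: initial rating from the most sensitive capability offered."""
    if svc.ach_or_wire:
        return "very high"
    if svc.external_transfers:
        return "high"
    if svc.views_balances or svc.internal_transfers:
        return "medium"
    return "low"

def residual_risk(svc: Service) -> str:
    """Step 6 (assumed scheme): the weakest control rating decides how far
    risk drops. Any 'weak' control keeps the initial rating; all 'adequate'
    or better drops one level; all 'strong' drops two (floor: low)."""
    start = LEVELS.index(initial_risk(svc))
    if not svc.controls:          # nothing documented, so nothing reduces risk
        return LEVELS[start]
    weakest = min(ADEQUACY[r] for r in svc.controls.values())
    return LEVELS[max(0, start - weakest)]

def assess(services):
    """Return {name: (initial, residual)} for the inventory, highest residual first."""
    rows = {s.name: (initial_risk(s), residual_risk(s)) for s in services}
    return dict(sorted(rows.items(), key=lambda kv: -LEVELS.index(kv[1][1])))

# Constructed sample inventory (not from the post)
INVENTORY = [
    Service("Public website"),
    Service("Retail online banking", views_balances=True, internal_transfers=True,
            external_transfers=True, controls={"stolen credentials": "adequate",
                                               "unauthorized payee": "adequate"}),
    Service("Business cash management", views_balances=True, ach_or_wire=True,
            controls={"stolen credentials": "strong", "man in the browser": "weak"}),
]
```

The output of `assess(INVENTORY)` is the ranked list that feeds Step 7, with the weak man-in-the-browser control on the cash management service surfacing as the unacceptable risk.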

Step 7: Develop response plan for unacceptable risks

Through your assignment of risk ratings, your risk assessment process should highlight areas where your controls are weak or inadequate. The final step in your risk assessment should be to assess and report these unacceptable risks and develop a plan of action to reduce the risk. In traditional risk management practice, there are four main categories for the actions you might take in response to an identified risk:

  1. Avoid – means to not perform the activity if it could carry risk. It is unlikely you would stop providing online banking services, but you may consider disabling high-risk transactions if they cannot be adequately secured.
  2. Reduce – means to make changes to the system to reduce the likelihood or impact of an identified risk. For your online banking platform this may involve adding transaction limits, additional authentication, additional fraud monitoring or blocking, or many other enhancements.
  3. Transfer – means to share with another party the burden of a loss or a benefit of a gain. The common example is buying insurance against an identified risk. It is not likely that you will be able to choose to transfer many of your identified online banking risks – especially since the associated regulations generally oblige a Financial Institution to protect their customers and oversee and take responsibility for outsourced technology service providers.
  4. Accept – means to accept the chance that a risk will occur and retain the impact if it does. In many instances, the cost to reduce a risk will be more costly than the probable losses from that risk. Many banks choose to accept the risk of not having strong multifactor authentication available for their retail online banking customers because the strong authentication mechanisms can be too costly or burdensome for retail customers, who generally choose cost and convenience over strong security.

Conducting a risk assessment like the one outlined above does not need to be burdensome. A key to consider, depending on the opinions of your regulatory body, is what scope and depth is most appropriate to allow you to get the necessary meaning and value out of your risk assessment. If you inventory and document everything plus the kitchen sink, your real risks may get lost in the noise. Depending on what your regulator’s expectations are, you may get more value focusing your risk assessment on the likely, real world risks that are happening today and doing a thoughtful assessment of the adequacy of your controls against those highest risks.

Comments

marco morana, Sunday, 03 July 2011

In essence what is required is application threat modeling
