Submitted By: Aman Khatri, Div: A, PnR: 11030241043


Risk Assessment System


The Risk Assessment System is a tool used for internal supervisory purposes and it provides a useful aid to the supervisor/head to carry out a structured and practical step by step application of the Supervisory Review and Evaluation Process (SREP) under the pillar of the capital requirements directive.

Risk Assessment and Mitigation Approach for a Financial Institution.

CASE STUDY:
The CIO of a public sector scheduled commercial bank (having a discrete IT setup) wants to perform a risk assessment of his bank's overall IT infrastructure. The bank uses many critical applications, which are hosted from a data centre in Mumbai. The bank is headquartered in the same city and has branches pan India. Being the trusted lieutenant of the CIO, he wants you to give him an approach to perform the assessment (of course, in a language he understands).

Steps for assessing the risks:

Step 1: Asset Valuation


Every bank has assets. There are generally two types of assets, i.e. tangible and intangible. Tangible assets are the ones which you can touch and feel, whereas intangible assets cannot be physically felt. In the case of banks, intangible assets are of more value. These can be:

1. Information servers/data servers. These may involve:
   1.1. Customer database
   1.2. Employee database
   1.3. Branch information
   1.4. Credit card information data servers
   1.5. Online accounting passwords
2. Backup servers. These are generally used for the data backup processes and sometimes serve as false servers during late-night hours, as that is the major time for attacks by hackers. This may include:
   2.1. Data backup
   2.2. Disaster recovery

Step 2: Threat Description


Threats that may occur in the banking institution must first be described. These threats may be as follows:

1. Hackers/attackers can hack the data servers of the bank and misuse the sensitive information for their personal use.
2. Fraud and theft: in this case the systems directly protect the assignment of funds to accounts, which could be risky, as the data contained in the servers is very sensitive and can be used for many purposes, including electronic theft.
3. Malicious code, such as viruses, worms, Trojans or other software that may enter the data servers and can harm the entire working of the organization.
4. Natural calamities or other physical threats.

Step 3: Threat Likelihood


To measure the vulnerabilities, the threat likelihoods should be analysed and understood. The likely threats in a banking institution can be as follows:

1. Hacking of servers, for misuse of the information of users and the bank.
2. Unauthorised access to the data through the network perimeter, by hacking into the network and then further into the data server.
3. Employee threats: the employees of the bank may be involved in stealing data and later selling/misusing it. Host computers should be secured to avoid these types of data loss.

Step 4: Threat Intensity


After the analysis of the types of threats is done, the likelihood of occurrence of each threat is measured in terms of its intensity and its impact on the bank. The intensity of the threats that can occur in these banking institutions can be very high, as the data held by banks is very crucial and important. Even a single loss of data or leakage of any information can have a great impact on the organization. So the level of intensity of a threat occurring and taking effect in these institutions is very high.

Step 5: Vulnerability Assessment


The vulnerability to a risk or a threat occurring differs at different times; this can be analysed by the process of vulnerability assessment. The vulnerabilities that can exist in the banking institution with respect to the IT infrastructure can be seen as follows:

1. Gaps in the logical controls in the organization's systems
2. Misconfigured routers
3. Default access points configured but not secured
4. Backdoors/loopholes in programs
5. Weak passwords of system users

Step 6: Risk Analysis


Risk = V x T x Bi

Risk($) = Vulnerabilities(#) x Threats(%) x Business Impact

After having analysed all the threats, vulnerabilities and assets of the bank, we can analyse the risks as follows:

1. We need more security controls to protect the data servers.
2. A simple security design is not effective in an organization like a bank.
3. The networking devices, which carry a number of risks, should be better secured and password protected by using various encryption techniques.
4. The host PCs should be better protected by providing training to the employees to ensure basic security provisions.

Step 7: Total Risk Value


After having noted down the risk analysis and reviewed the existing controls within the organization, we can conclude that the Total Risk Value of the organization is VERY HIGH, as the organization only has basic security controls in place. So we need to add more security controls within the infrastructure to reduce the total risk value of the bank.

Step 8: Risk Analysis Report


In this step, we can finally conclude by summarizing the security measures of the organization. We can measure them qualitatively as follows:

1. Threats: high, medium, low.
2. Likelihood of a threat: low, medium, high.
3. Vulnerabilities: high, medium, low.
4. Impacts: depend on the threat, and the attack may be major or minor.

Step 9: Risk Mitigation


After the risk is analysed and its total value is known, we try to mitigate/minimise the risk before we apply any other security mechanism. We can mitigate these risks by following various control measures within the organization:

1. Security awareness training
2. Security testing
3. Intrusion Detection Systems
4. Firewall implementation
5. File recovery systems
6. Data filtering techniques for optimisation of the network
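The following is an added worked example (not part of the original assignment) that turns Steps 6 to 9 into a small risk register: it applies the Step 6 formula Risk($) = Vulnerabilities(#) x Threats(%) x Business Impact to each asset class from Step 1, ranks the entries to obtain the Total Risk Value of Step 7, scores the low/medium/high scales of Step 8, and shows how a Step 9 control (closing vulnerabilities or lowering likelihood) changes the residual value. The assets, threats, likelihoods, impact figures and classification bands are all constructed assumptions for illustration, not figures from the case study.

```python
# Added example for the bank case study: a small risk register that applies the
# Step 6 formula Risk($) = Vulnerabilities(#) x Threats(%) x Business Impact,
# the Step 8 qualitative scales, and the effect of Step 9 mitigation.
# All assets, numbers and thresholds below are constructed for illustration.
from dataclasses import dataclass, replace

# Step 8 scales: threat, likelihood and vulnerability are each rated low/medium/high.
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}

# Assumed bands for classifying a monetary risk value (not from the assignment).
HIGH_VALUE = 1_000_000
MEDIUM_VALUE = 100_000


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerabilities: int    # Vulnerabilities (#): applicable weaknesses from Step 5
    likelihood: float       # Threats (%): chance the threat is realised, 0.0 to 1.0
    business_impact: float  # Business Impact: estimated loss if it is realised


def risk_value(entry: RiskEntry) -> float:
    """Step 6: Risk($) = Vulnerabilities(#) x Threats(%) x Business Impact."""
    if entry.vulnerabilities < 0 or entry.business_impact < 0:
        raise ValueError("vulnerability count and impact must be non-negative")
    if not 0.0 <= entry.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return entry.vulnerabilities * entry.likelihood * entry.business_impact


def value_level(value: float) -> str:
    """Map a monetary risk value onto the high/medium/low scale of Step 8."""
    if value >= HIGH_VALUE:
        return "high"
    if value >= MEDIUM_VALUE:
        return "medium"
    return "low"


def qualitative_score(threat: str, likelihood: str, vulnerability: str) -> tuple:
    """Step 8 without money figures: multiply the three 1-3 ratings (range 1 to 27)."""
    score = LEVEL_SCORE[threat] * LEVEL_SCORE[likelihood] * LEVEL_SCORE[vulnerability]
    band = "high" if score >= 18 else "medium" if score >= 6 else "low"  # assumed bands
    return score, band


def rank_register(register: list) -> list:
    """Step 7: order entries by risk value so the largest exposures are treated first."""
    scored = [(entry, risk_value(entry)) for entry in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def total_risk(register: list) -> tuple:
    """Step 7: the Total Risk Value is the sum over the register, plus its level."""
    total = sum(risk_value(entry) for entry in register)
    return total, value_level(total)


def apply_mitigation(entry: RiskEntry, closed: int = 0, likelihood_factor: float = 1.0) -> RiskEntry:
    """Step 9: a control closes `closed` vulnerabilities and/or scales the likelihood
    (e.g. an intrusion detection system lowers the chance an intrusion succeeds).
    Both parameters are assumed inputs chosen by the assessor."""
    if closed < 0 or not 0.0 <= likelihood_factor <= 1.0:
        raise ValueError("closed must be >= 0 and likelihood_factor within 0 to 1")
    return replace(entry,
                   vulnerabilities=max(0, entry.vulnerabilities - closed),
                   likelihood=entry.likelihood * likelihood_factor)


# Constructed register covering the case study's asset classes (Steps 1 to 5).
REGISTER = [
    RiskEntry("Customer data server", "hacking of data servers", 3, 0.40, 5_000_000),
    RiskEntry("Backup / DR servers", "natural calamity", 1, 0.05, 2_000_000),
    RiskEntry("Branch host PCs", "employee data theft", 2, 0.20, 500_000),
    RiskEntry("Network perimeter routers", "malicious code via misconfiguration", 2, 0.30, 1_000_000),
]

if __name__ == "__main__":
    for entry, value in rank_register(REGISTER):
        print(f"{entry.asset:28} {entry.threat:36} {value:>12,.0f} {value_level(value)}")
    total, level = total_risk(REGISTER)
    print(f"Total Risk Value: {total:,.0f} ({level})")
    # Step 9: assume a control closes two of the data server's weaknesses and an IDS
    # cuts the attack likelihood to a quarter; the residual value drops to "medium".
    hardened = apply_mitigation(REGISTER[0], closed=2, likelihood_factor=0.25)
    print(f"After mitigation: {risk_value(hardened):,.0f} ({value_level(risk_value(hardened))})")
```

Running the script ranks the customer data server first, reports a Total Risk Value of 6,900,000 (high) for the constructed register, and shows the data server's residual risk falling to 500,000 (medium) once the assumed control is applied, which is the same reasoning the report makes in Steps 7 and 9 with concrete numbers attached.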

Assumptions:

1. The main focus of the case is on information technology and intangible assets.
2. The organization has a hierarchical structure with access rights and duties well distributed at each level.
