Vulnerability Assessment Report: A critical step in risk management

Have you ever wondered how banks manage the risk of computer data breach or loss? Well, you are not alone. One of the first things a bank should do is develop a vulnerability assessment report. This report allows management to ascertain which systems are vulnerable to identified security threats. Usually, banks manage multiple retail branches, operation units, corporate buildings, and contractual partners across a broad geographical boundary. They typically provide financial and banking services to tens of thousands of customers and consumers across those boundaries. To fulfill its mission, a bank employs thousands of internal employees and external contractors, and it manages multiple platforms (online, mobile, and onsite) to satisfy consumer and customer needs.

Basically, the security needs of a financial institution include protecting the confidentiality, integrity, and availability of the data on which its business mission and operations depend. This security need becomes complex because a financial institution faces threats that are not limited to the risk associated with individual platforms, operating systems, networks, internal employees, physical structures, or independent controls, to mention a few. Rather, there is a considerable additional threat to consider because of the inter-dependency and inter-operability of these elements. A Vulnerability Assessment Report typically breaks down this complexity and establishes controls for dealing with each identified threat, if and when it arises.

How should it be structured?

The primary purpose of a Vulnerability Assessment Report is to identify the threats, risks, and vulnerabilities that must be addressed to meet the enterprise-wide security need. A typical report is structured under the following general headings:

  • Internal and external risks (people, policies, and technology);
  • Risks associated with individual platforms, systems, or processes, as well as those of a systemic nature;
  • The quality and quantity of controls; and
  • Compliance requirements: legal aspects (federal, state, and local) and contractual demands up and down the supply chain.

Prioritizing threats and vulnerabilities

Obviously, a financial institution faces numerous security challenges. To optimize available resources, management must adequately prioritize the threats and risks. To manage risk effectively, management must prioritize each threat based on the business importance of the systems associated with the risk, the probability of its occurrence, and the financial implications of executing appropriate countermeasures. The first step in prioritizing the numerous technology threats and vulnerabilities is the development of an environmental survey and technology inventory. This provides the foundation for risk identification and assessment. Management can explore a variety of techniques and tools to identify and assess these risks, including:

  • conducting a threat modelling process (TMP);
  • performing self-assessment;
  • analyzing audit reports; and
  • tracking third-party outsourcing issues.

How do banks model threats?

A vulnerability assessment report details issues around threats and risk; however, threats must be identified before a comprehensive vulnerability analysis can be justified. Management should have a Threat Modelling Process (TMP) in place for the organization. I will discuss the types of and approaches to TMPs and make the case for a hybrid model. According to Hardy (2012), the three types of cyber threat modelling are asset-based, software-based, and attacker-based. A very important attribute of these models is that they require continuous implementation, monitoring, and reporting. Asset-based modelling generates an understanding of the vulnerability of an asset to a threat by conducting continuous monitoring on the asset, e.g., on a system file configuration. Software-based modelling is likewise a vulnerability analysis, based on software application scanning. Attacker-based threat modelling attempts to understand the mind and motivation of attackers and figure out how they might attack.

These models are all important for a successful risk management framework. As we all know, financial institutions implement numerous software and web applications to carry out their business. Due to the financial nature of a bank's business, it is also a big attraction to cyber-based attackers. Considering these factors, a combination of the three models would promote a holistic enterprise risk management framework.

Why would a bank outsource to a third party?

Third-Party Outsourcing (TPO) is critical due to the business nature of a financial institution. I understand that, apart from being a way to secure enterprise assets and business processes, a benefit of TPO is that federal regulations ensure that providers comply with standards and guidelines aimed at mitigating residual risk. For example, under the Federal Risk and Authorization Management Program (FedRAMP), authorized cloud providers must offer a strictly standardized set of security controls and a binding memorandum of agreement (MOA). Financial institutions often contract for the services of a cyber-based resource and data management provider that sits between the organization and its customers. These providers are mostly called Cloud Services Providers; they make up today's third-party outsourcing solutions, and there is a strong business case for their use. The benefits of using a cloud provider include reduced equipment and personnel costs, more flexibility in the customization of services offered, predictable cash flows, and increased security.

However, there are some problematic issues with the use of cloud providers, including unpredictable data location, shared services, and cloud provider certification. Since processing, storage, and administration are not location-specific, jurisdictional legal issues are also common considerations. Thus, management has to address the vulnerabilities arising from the use of TPO in the report to ensure that the resulting risk is adequately mitigated.

After the vulnerability assessment, what next?

The development of a vulnerability assessment report is just one of the critical steps of risk management. Management must continuously monitor the systems assessed in order to keep the report updated. According to NIST SP 800-137A, continuous monitoring (CM) is defined as 'determining the security impact of proposed or actual changes to the information system and its environment of operation'. CM of cyber and technological risk countermeasures should continually evaluate risks to the information system; it involves detecting changes in threats and vulnerabilities and continuously assessing their impact. A financial institution's CM strategy should include periodic, as well as real-time, monitoring of selected controls across all operation units, as appropriate to the management of risks to the information system, business operations, and the organization as a whole.

3 thoughts on “Vulnerability Assessment Report: A critical step in risk management”

  1. When I initially commented I clicked the -Alert me when new comments are included- checkbox as well as now each time a comment is included I obtain 4 e-mails with the exact same remark. Is there any way you can eliminate me from that service? Many thanks! Natalie Kain Noonan
