FIPCO® can address an institution’s IT Risk Assessment needs in multiple ways.
FIPCO offers RiskOptix™, a product institutions can purchase to manage risk across the whole organization. RiskOptix™ provides a continuous, consistent risk assessment process and is not limited to IT Risk Assessments: it draws on information gathered throughout the year, in a variety of ways, to provide formal, ongoing management of risk. As a multi-user, web-based solution, RiskOptix™ is available wherever the Internet is accessible, so institutions are no longer held back by the difficulty of managing complex spreadsheets.
FIPCO offers IT Risk Assessment consulting by security professionals who work with an institution’s Information Technology and business teams to assess the risk to critical computing assets, using a consistent methodology called PUSH™ to document and analyze the institution’s risk profile. FIPCO security professionals use the RiskOptix® solution to deliver the risk assessment, which keeps every assessment consistent and of high quality. The final deliverable includes an Executive Summary along with several detail reports and supporting documentation.
For more information on IT Risk Assessment Consulting or a personalized demonstration of RiskOptix® contact FIPCO® Sales at 800-722-3498 or via email.
In theory, Information Technology Risk Assessment should be easy: identify critical IT assets, consider the potential risks and evaluate the controls. In practice, institutions often struggle with the basic terms and concepts, and with selecting a methodology of the right size and complexity for them to succeed. Institutions are seldom able to consistently document either the methodology or the risk management decision process.
Multiple frameworks and methodologies exist to support security, auditing and risk assessment. These resources are valuable for assisting in the design and testing of a security program. FIPCO IT Services has adopted the Risk Assessment methodology presented as "A Practical and Effective Approach to Risk Assessment" at the 2007 and 2008 Federal Financial Institutions Examination Council (FFIEC) Technology Conferences.
Preparation activities include defining the purpose and audience of a Risk Assessment. Typical purposes include audit planning, budgeting, compliance, disaster planning, policy writing, remediation and vendor selection.
Universe definition includes identifying and characterizing the most critical Assets, Risks and Controls. Assets are the valuable information-processing platforms, procedures and policies. Risks are the potential “bad things” that could happen to Assets. Controls are the mitigating factors that protect Assets from the potential Risks.
Some typical information technology risk factors include:
Scoring consists of choosing one consistent scale by which to rate the importance of Assets, the potential impact of Risks and the effectiveness of Controls. Additional activities include associating Assets with Risks, and Risks with the Controls that mitigate them, so that every score can be traced from an Asset through its Risks to the Controls in place.
Here are some sample questions to show scoring relationships:
“Hitting the mark” activities ensure that the Risk Assessment serves the purpose defined during the Preparation stage. Hitting the mark means managing risk in proportion to the size and complexity of the institution, using a documented and proven methodology.
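The Universe-definition and Scoring steps above can be made concrete with a small risk register. The following is an added example, not code from FIPCO, Chapman Technology Group or RiskOptix®: the 1..5 scale, the importance × impact × likelihood inherent score, the control-mitigation arithmetic, the sample assets and the function names are all assumptions made for illustration, since the page does not publish PUSH™'s scoring formulas. It shows how the Asset → Risk → Control associations are scored, how the "consistent scale" requirement is enforced, and how a remediation-driven assessment surfaces risks that have no control at all.

```python
"""Illustrative risk-scoring model for the Universe-definition and Scoring steps.

Assumptions (not part of PUSH(TM) or RiskOptix(R) as described on the page):
  * every rating uses one agreed integer scale, SCALE_MIN..SCALE_MAX;
  * inherent score = asset importance x risk impact x risk likelihood;
  * each control removes effectiveness/(SCALE_MAX+1) of the risk that remains,
    so even a top-rated control leaves some residual risk.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # one agreed scale for every rating (assumed)


def check_scale(value: int, what: str) -> int:
    """Reject a rating outside the agreed scale; mixed scales make scores incomparable."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{what}: rating {value!r} is not in {SCALE_MIN}..{SCALE_MAX}")
    return value


@dataclass
class Control:
    name: str
    effectiveness: int          # 1 = weak mitigation, 5 = strong mitigation

    def __post_init__(self) -> None:
        check_scale(self.effectiveness, f"control {self.name}")


@dataclass
class Risk:
    name: str
    impact: int                 # how bad the "bad thing" is if it happens
    likelihood: int             # how probable it is with no controls in place
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        check_scale(self.impact, f"risk {self.name} impact")
        check_scale(self.likelihood, f"risk {self.name} likelihood")


@dataclass
class Asset:
    name: str
    importance: int             # value of the platform, procedure or policy
    risks: List[Risk] = field(default_factory=list)

    def __post_init__(self) -> None:
        check_scale(self.importance, f"asset {self.name}")


def inherent_score(asset: Asset, risk: Risk) -> int:
    """Score before controls: importance x impact x likelihood, range 1..125 (assumed formula)."""
    return asset.importance * risk.impact * risk.likelihood


def remaining_fraction(risk: Risk) -> float:
    """Share of the inherent risk left after every associated control is applied.
    Each control removes effectiveness/(SCALE_MAX+1) of what is left, so a control
    rated 5 still leaves 1/6 behind: no control is treated as perfect (assumed model)."""
    remaining = 1.0
    for control in risk.controls:
        remaining *= 1.0 - control.effectiveness / (SCALE_MAX + 1)
    return remaining


def residual_score(asset: Asset, risk: Risk) -> float:
    return inherent_score(asset, risk) * remaining_fraction(risk)


def risk_register(assets: List[Asset]) -> List[Dict]:
    """Flatten the Asset -> Risk -> Control associations into rows, worst residual first."""
    rows = [
        {"asset": a.name, "risk": r.name,
         "inherent": inherent_score(a, r),
         "residual": residual_score(a, r),
         "controls": [c.name for c in r.controls]}
        for a in assets for r in a.risks
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def control_gaps(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Risks with no mitigating control at all, the first thing a remediation-driven
    assessment should surface."""
    return [(a.name, r.name) for a in assets for r in a.risks if not r.controls]


def build_universe() -> List[Asset]:
    """Constructed sample universe for this example (not real institution data)."""
    return [
        Asset("Core banking server", importance=5, risks=[
            Risk("Ransomware", impact=5, likelihood=3, controls=[
                Control("Offline backups", effectiveness=4),
                Control("Endpoint detection and response", effectiveness=3)]),
            Risk("Unpatched vulnerability exploited", impact=4, likelihood=4, controls=[
                Control("Patch management", effectiveness=2)]),
        ]),
        Asset("Branch workstation", importance=2, risks=[
            Risk("Phishing credential theft", impact=3, likelihood=5, controls=[
                Control("Multi-factor authentication", effectiveness=5)]),
            Risk("Device theft", impact=2, likelihood=2),   # no control: a gap
        ]),
    ]


if __name__ == "__main__":
    universe = build_universe()
    for row in risk_register(universe):
        print(f"{row['residual']:6.1f}  {row['inherent']:3d}  {row['asset']} / {row['risk']}")
    print("control gaps:", control_gaps(universe))
```

Run as a script, the register lists the unpatched-server risk first: it has the highest inherent score and only one weak control, while the phishing risk, despite a higher likelihood, drops to the bottom because its single control is rated 5. The device-theft row is also reported by `control_gaps`, which is the kind of finding that feeds a remediation-purposed assessment. Whatever formula an institution actually adopts, the two things worth keeping from this sketch are the scale check at construction time and the traceable Asset → Risk → Control rows, since both are what let the assessment be repeated consistently year over year.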
PUSH™ and RiskOptix® are trademarks of Chapman Technology Group Inc., a FIPCO® preferred Service Partner.