Executive Summary
Cybersecurity is a critical component of system infrastructure security that aims to keep an organization free from threats. It is a shared responsibility involving people, tools, processes, and technologies that work together to protect organizational assets. The three fundamental goals of organizational protection are confidentiality, integrity, and availability. Confidentiality ensures that information is accessible only to authorized personnel. Integrity ensures that information remains intact, complete, and free from corruption. Availability ensures that information and systems are accessible when the client or the business needs them. This risk assessment report presents organizational threats, vulnerabilities, impacts, a probability matrix, mitigation strategies, and recommendations for risk assessment in the financial industry.
Internal and External Threats
| Vulnerable asset category | Asset | Threats |
| --- | --- | --- |
| People | Employees: unauthorized staff | Illegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff error |
| People | Employees: authorized staff | Malicious software, misuse of resources, willful damage |
| People | Non-employees: strangers | Eavesdropping, willful damage |
| People | Non-employees: people trusted by the organization | Willful damage, masquerading of user identity |
| Procedures | Sensitive | Transmission errors, software failure |
| Procedures | Standard | User error, willful damage, operational staff error, misuse of resources |
| Data | Process | Failure of power supply, hardware failure, malicious software, virus |
| Data | Storage | Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply |
| Data | Transmission | Traffic overloading, transmission errors, communication infiltration, malicious software, virus |
| Software | Operating system | User error, willful damage, operational staff error, illegal export/import of software, maintenance error |
| Software | Security component | Industrial action, maintenance error, willful damage, illegal use of the software |
| Software | Application | User error, operational staff error, malicious software, virus, unauthorized users using the software |
| Hardware | Network | Communication infiltration, malicious software, virus |
| Hardware | System devices | Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contamination |
Risk Assessment Summary Report
Organizations need to obtain cyber risk scores and recognize that managing cyber risk involves managing behavioral risk in addition to technical flaws and skills gaps. The recommendations below are based on observations drawn from the scores of businesses on the ABC, FICO, and Chambers. These six cyber risk management recommendations can help financial institutions and organizations improve their security posture and secure their sensitive data.
Prioritized Risks and Response Matrix
| Asset category | Asset | Threats | Impact | Risk probability | Mitigation strategies |
| --- | --- | --- | --- | --- | --- |
| People | Employees: unauthorized staff | Illegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff error | High | Medium | Unauthorized access trials; regular reviews |
| People | Employees: authorized staff | Malicious software, misuse of resources, willful damage | High | High | Proper training; unauthorized access trials; regular reviews; designation of roles; policy enforcement |
| People | Non-employees: strangers | Eavesdropping, willful damage | High | Medium | Regular vulnerability assessment; physical environment security |
| People | Non-employees: people trusted by the organization | Willful damage, masquerading of user identity | High | Medium | Asset management; cyber insurance; cyber policy |
| Procedures | Sensitive | Transmission errors, software failure | High | High | Network security; backup and recovery; information system protection; cyber policy; asset management |
| Procedures | Standard | User error, willful damage, operational staff error, misuse of resources | Medium | Medium | |
| Data | Process | Failure of power supply, hardware failure, malicious software, virus | Low | Medium | Backup and storage; network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat; information management and breach reporting; risk management and governance |
| Data | Storage | Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply | | | |
| Data | Transmission | Traffic overloading, transmission errors, communication infiltration, malicious software, virus | Medium | Low | |
| Software | Operating system | User error, willful damage, operational staff error, illegal export/import of software, maintenance error | Medium | Medium | Network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat; information management and breach reporting; risk management and governance |
| Software | Security component | Industrial action, maintenance error, willful damage, illegal use of the software | Low | Low | |
| Software | Application | User error, operational staff error, malicious software, virus, unauthorized users using the software | Low | Low | |
| Hardware | Network | Communication infiltration, malicious software, virus | Medium | Medium | Information management and breach reporting; risk management and governance |
| Hardware | System devices | Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contamination | Low | Low | Network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat; information management and breach reporting; risk management and governance |
Recommended Risk Management Strategies and Technologies
Governance and risk management
Cybersecurity is not only a technical issue but also a multifaceted concern that requires an enterprise-wide approach (Haouari et al., 2018). It is impossible to attain total protection from cyber threats, but having a governance framework and management structure in an organization helps reduce both the exposure to threats and the extent of damage to the IT infrastructure (Polemi, 2017).
Personnel screening and insider threat
About 71% of IT professionals believe that insider threat is a critical concern in cybersecurity. Insiders include employees (current and former), contractors, vendors, and any other person authorized to access the system (Haouari et al., 2018). Thus, to facilitate personnel screening and manage insider threat, it is essential to build a multidisciplinary team, understand and solve organizational issues, examine the pre-employment screening process, conduct training, develop policies and practices, and enforce separation of duties.
Physical environment security
Organizations should maintain defensive mechanisms against human threats, supply system threats, and environmental threats to ensure that their IT infrastructure is secure (Haouari et al., 2018).
Cybersecurity awareness and training
Organizations should ensure mandatory cybersecurity awareness and training for all personnel; the training can be delivered through classes, online courses, videos, and seminars (Haouari et al., 2018; Mirzaei et al., 2018). Making all personnel understand their roles in the organization reduces internal threats to the IT infrastructure.
Assessment of threats and vulnerabilities
Organizations should run automated vulnerability assessment tools against all systems on the network regularly and deliver the most critical vulnerabilities to each system administrator (Haouari et al., 2018). The vulnerability assessment tools themselves should also be updated regularly.
When an organization implements these best practices, it stands a high chance of minimizing threats and risks to its IT infrastructure.
| Asset | Threats | Risk probability | Mitigation strategies | Potential response | Prioritization of responses |
| --- | --- | --- | --- | --- | --- |
| Unauthorized staff | Illegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff error | Medium | Unauthorized access trials; regular reviews | Security policy | Involve stakeholders; create a financial impact assessment scale |
| Authorized staff | Malicious software, misuse of resources, willful damage | High | Proper training; unauthorized access trials; regular reviews; designation of roles; policy enforcement | Third-party access security | |
| Strangers | Eavesdropping, willful damage | Medium | Regular vulnerability assessment; physical environment security | Information security infrastructure | |
| People trusted by the organization | Willful damage, masquerading of user identity | Medium | Asset management; cyber insurance; cyber policy | Information security infrastructure | |
| Procedures (sensitive) | Transmission errors, software failure | High | Network security; backup and recovery; information system protection; cyber policy | Information classification | Define acceptable and unacceptable risk; create a probability scale |
| Procedures (standard) | User error, willful damage, operational staff error, misuse of resources | Medium | Asset management | Security policy | |
| Data (process) | Failure of power supply, hardware failure, malicious software, virus | Medium | Backup and storage; network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat | Monitoring access and use of the system; user responsibility | Involve business stakeholders |
| Data (storage) | Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply | | Information management and breach reporting | Operational procedures and responsibilities | Identify cybersecurity threat |
| Data (transmission) | Traffic overloading, transmission errors, communication infiltration, malicious software, virus | Low | Risk management and governance | Business requirement access control; user access management | |
| Software (operating system) | User error, willful damage, operational staff error, illegal export/import of software, maintenance error | Medium | Network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat | Application access control | Access severity levels |
| Software (security component) | Industrial action, maintenance error, willful damage, illegal use of the software | Low | Information management and breach reporting | Business continuity management | Involve business stakeholders |
| Software (application) | User error, operational staff error, malicious software, virus, unauthorized users using the software | Low | Risk management and governance | Monitoring | Determine the proximity of the threat event |
| Hardware (network) | Communication infiltration, malicious software, virus | Medium | Information management and breach reporting; risk management and governance | Security of system files; security of application systems | |
| Hardware (system devices) | Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contamination | Low | Network security; assessing threats and vulnerabilities; cybersecurity awareness and training; personnel screening and insider threat; information management and breach reporting; risk management and governance | Monitoring; housekeeping | Assess levels of severity |
The first cyber risk recommendation is to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework when developing information security programs. The framework deters malicious cyber actors and reduces network weakness (Kohnke et al., 2017). Moreover, it offers voluntary guidance drawn from existing practices, guidelines, and standards for better management and risk reduction across the five core functions in organizations: Identify, Protect, Detect, Respond, and Recover. Adopting best practices in all five areas will help financial institutions align and prioritize their cybersecurity activities according to their business mission, resources, and risk tolerance (the United States, 2017). However, organizations should not limit themselves to NIST only; they can also adopt other risk management frameworks.
Secondly, organizations should obtain and maintain a reliable understanding of the network they are using. They should also identify all their assets and ensure these are under active security management (Polemi, 2017). Organizations should fully manage changes in the scope of their network, because even a small change can result from divestitures, acquisitions, or mergers (the United States, 2017). Such events can lead to geographical expansion or changes in the organization's offerings that call for modifications to the present internet-facing assets. When organizations fully manage their changes, they are less likely to become vulnerable (Mirzaei et al., 2018). Therefore, understanding both the outside and the inside of the network is important to organizations, as it helps them identify unexpected gaps as well as correctable vulnerabilities.
Thirdly, organizations should find the weak links within themselves while adhering to processes and policies. Most security teams and technologies operate independently; hence, there is a need for coordination and interaction (Zhang & Ghorbani, 2020). Therefore, financial institutions require an IT team, a network-engineering team, and a software-engineering team to support the operation (Kohnke et al., 2017). These teams help in assessing effectiveness and evaluating security issues by category. By categorizing discernible technical flaws in configuration or posture, an organization can easily draw useful conclusions about the effectiveness and maturity of its processes and procedures for each function.
Fourthly, financial institutions should make sure that their network team abides by the best practices required in network management. Network teams sometimes find it difficult to understand the impact of network configuration on a specific risk, especially when evaluating it from the outside. Items like exploitable open ports speak for themselves, whereas others are more subtle even though they indicate a gap in adopting and executing best practices (Zhang & Ghorbani, 2020).
Fifthly, organizations should protect and monitor the endpoints of the network. Financial institutions should assess the health of endpoint security by looking for evidence of compromise (the United States, 2016). Material data breach events and compromised endpoints are not the same thing, but research shows a correlation between them, since compromise and malicious behavior are often followed by breach behavior. Financial institutions need to actively monitor endpoints with endpoint agents or use virus protection products (Mirzaei et al., 2018). The institutions should go further and engage the broader security community in identifying possible endpoint compromise by consulting published Real-time Blackhole Lists (RBLs), which record suspected or confirmed malicious activity from network endpoints.
Lastly, organizations should ensure that active certificate management programs are in place and being implemented. It is easy for the routine maintenance of a security certificate program to slip when basic tasks are ignored or deprioritized in favor of more pressing issues (Kohnke et al., 2017). A non-standard or expired certificate may sometimes fail to reveal serious network risks (the United States, 2016). Poor certificate management is evident when financial institutions fail to implement and maintain best practices more broadly. Research shows that inactive and ineffective certificate management by organizations raises the chance of their suffering compromises such as a material breach event.
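As an added illustration of the certificate management recommendation (example code written for this editorial pass, not part of the report or of any cited source), the following Python audits a certificate inventory for the conditions an active program would track: expired or soon-expiring certificates, self-signed (non-standard) issuers, weak keys, and hostname mismatches. The inventory records, hostnames, policy thresholds, and fixed clock are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample inventory (what a CMDB or scanner export might hold); hostnames and dates are made up.
INVENTORY = [
    {"host": "online.bank.example", "subject": "online.bank.example",
     "sans": ["online.bank.example", "www.online.bank.example"],
     "issuer": "Example Public CA", "key_bits": 2048,
     "not_after": "2026-03-01T00:00:00Z"},
    {"host": "legacy.bank.example", "subject": "legacy.bank.example",
     "sans": ["legacy.bank.example"], "issuer": "legacy.bank.example",
     "key_bits": 1024, "not_after": "2024-11-30T00:00:00Z"},
    {"host": "api.bank.example", "subject": "*.bank.example",
     "sans": ["*.bank.example"], "issuer": "Example Public CA",
     "key_bits": 2048, "not_after": "2025-01-20T00:00:00Z"},
    {"host": "vpn.bank.example", "subject": "vpn.bank.internal",
     "sans": ["vpn.bank.internal"], "issuer": "Example Public CA",
     "key_bits": 3072, "not_after": "2025-09-01T00:00:00Z"},
]
MIN_KEY_BITS = 2048                  # assumed policy minimum for RSA keys
RENEW_WINDOW_DAYS = 30               # assumed renewal lead time
FIXED_NOW = "2025-01-01T00:00:00Z"   # fixed clock so results are reproducible

def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hostname_matches(host, names):
    """RFC 6125-style check: a wildcard covers exactly one leftmost label."""
    for name in names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and fnmatchcase(host.lower(), name.lower()):
                return True
        elif host.lower() == name.lower():
            return True
    return False

def audit_record(rec, now):
    """Return the list of policy findings for one certificate record."""
    findings = []
    expiry = parse_utc(rec["not_after"])
    if expiry <= now:
        findings.append("expired")
    elif expiry - now <= timedelta(days=RENEW_WINDOW_DAYS):
        findings.append("expiring-soon")
    if rec["issuer"] == rec["subject"]:
        findings.append("self-signed")   # non-standard issuer for an internet-facing service
    if rec["key_bits"] < MIN_KEY_BITS:
        findings.append("weak-key")
    if not hostname_matches(rec["host"], rec["sans"]):
        findings.append("name-mismatch")
    return findings

def audit_inventory(inventory, now_stamp=FIXED_NOW):
    """Map each host that has at least one finding to its list of findings."""
    now = parse_utc(now_stamp)
    return {r["host"]: f for r in inventory if (f := audit_record(r, now))}
```

Feeding the output to the system owners on a fixed cadence is what keeps the renewals from slipping behind more pressing work, as the paragraph above describes.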
References
Haouari, A., Mostapha, Z., & Yassir, S. (January 01, 2018). Current State Survey and Future Opportunities for Trust and Security in Green Cloud Computing.
Information Security Governance Practices and Commitments in Organizations. (January 01, 2019).
Kohnke, A., Sigler, K., & Shoemaker, D. (2017). Implementing cybersecurity: A guide to the National Institute of Standards and Technology Risk Management Framework.
Mirzaei, O., Maria, F. J., & Manzano, L. G. (January 01, 2018). Dynamic Risk Assessment in IT Environments.
United States., Powner, D. A., United States., & United States. (2018). Information technology: the continued implementation of high-risk recommendations is needed to better manage acquisitions, operations, and cybersecurity: Testimony before the Subcommittees on Government Operations and Information Technology, Committee on Oversight and Government Reform, House of Representatives.
The United States. (2017). Defense cybersecurity: DOD’s monitoring of progress in implementing cyber strategies can be strengthened.
The United States. (2016). Utility resilience at Department of Defense installations: Issues and risk mitigation.
Polemi, N. (2017). Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains.
Zhang, X., & Ghorbani, A. A. (January 01, 2020). Human Factors in Cybersecurity.