The FFIEC Inherent Risk Profile -
Framework for Grading Your Risks
Managing risk requires visibility into all sensitive data, analytics to understand the context in which that data is used, and controls to enforce data protection policies. These requirements hold true for all types of data. The policies governing use, however, differ by data type and by user. A finance director needs access to financial data and may need to share it with outside auditors, but that role has no need for source code. Software engineers need access to source code, yet export-control rules may make it illegal to share some of that intellectual property with a foreign national employed by the company. Taken together, effective data protection requires visibility into data events, user events, and system events across endpoints, databases and file shares, network traffic, and cloud storage.
Understanding the risk in the existing environment starts with visibility into the data an adversary is likely to seek, such as employee data, financial projections, customer information, and other intellectual property (IP). It also includes the activities, services, and products that handle that information. The FFIEC Cybersecurity Assessment Tool (CAT) groups these into five categories.
Technologies and Connection Types
Financial institutions have numerous access points and use a variety of connection types, including:
- Virtual private networks (VPNs)
- Wireless networks
- Telnet and File Transfer Protocol (FTP), both of which carry credentials and data in cleartext
- Local area networks that connect directly to other networks or to Internet service providers (ISPs)
- Bring your own device (BYOD)
It follows that the more devices and connections that can reach data, the greater the risk that unauthorized data movement goes undetected. Organizations should consider whether every technology and connection type is required to support business goals, or whether the number of connection types and how often they are used can be reduced to mitigate risk. Legacy cleartext protocols such as Telnet and FTP are obvious candidates for retirement.
Delivery Channels
Delivery channels describe how users of a system access information. This includes services provided through Automated Teller Machines (ATMs), mobile applications, and Internet banking applications. The greater the number of delivery channels, and the greater the functionality exposed through each, the greater the inherent risk.
Online/Mobile Products and Technology Services
This category covers all types of payment services, including in-person payments, debit/credit/prepaid cards, Automated Clearing House (ACH) transfers, wire transfers, treasury and trust services, and emerging payment technologies such as digital wallets. The more payment services and products an organization offers and supports, the greater its inherent risk from misuse, and that risk is higher still when the organization provides these technology services to other organizations.