Scout™ Risk Assessment Software and the IT Audit
Understand the financial value of conducting a risk assessment. Learn how Scout™, Supernal’s Risk Management Dashboard, guides institutions through the risk assessment process, providing a more accurate assessment in less time than ever before. Find out how Scout is helping institutions implement the appropriate technology and risk management procedures, allowing them to meet regulatory requirements, demonstrate compliance to examiners, and manage information security expenses.
(Read the full .pdf article: Scout Risk Assessment White Paper)
Risk Assessments: A Necessary First Step
A risk assessment is an internal evaluation to identify and understand risks to the confidentiality, integrity and availability of your data and data systems. It identifies information assets, the risks and vulnerabilities that those assets may be subject to and strategies to mitigate those risks. Risks should include both internal and external threats, natural disasters and even equipment failure.
While some businesses, notably health and financial institutions, are legally obligated to secure their data, the risk assessment process is valuable to any business, particularly those that store customer information.
For companies subject to regulatory audits, a risk assessment is necessary to demonstrate information security. A variety of state and federal regulations, including guidance issued by the Federal Financial Industry Examination Council (FFIEC), require that IT audit planning be based on results from a risk assessment. Companies must identify their critical information assets and develop appropriate information security plans.
The first step in any risk assessment is identifying information assets, including computers, flash drives, paper documents, physical and electronic storage, and more. The assessment evaluates where this information is stored, how it travels from one place to the next and who has access.
Next, the assessment identifies risks pertaining to these information assets. Examples include fires, floods, internal theft, external perpetrators, accidental loss, etc. The assessment illustrates anything that would prevent an organization from accessing its data and controlling its use.
As the final step in the information-gathering stage, an assessment identifies which controls are already in place and working well, those that need improvement, and controls that may be missing.
Once this information is gathered, risk ratings are assigned to the information assets based upon the severity of the risks and the effectiveness of the controls. This analysis may point to holes in an organization’s information security. A risk assessment helps identify which assets are at highest risk and which remediation activities will provide the best return.
What many organizations fail to realize is that a proper risk assessment will do more than see them through an examination. A risk assessment saves an organization both time and money by determining which areas of the company are most vulnerable so spending can be prioritized accordingly.
A Tale of Two Companies
Consider the risk management process at these two hypothetical companies: Company A uses a scattershot approach to risk mitigation, reacting to news reports and whatever concerns become top-of-mind in a given week. Without a plan, every new idea becomes priority, and IT staff are overworked with multiple, sometimes conflicting, directives.
At the end of the year, Company A struggles to report resources allocated and progress made on overall security. Security continues to be a nagging concern, creating stress and confusion for leadership. The regulatory compliance exam is a time-consuming process and results in several mandated improvements within a limited timeframe.
Company B goes through a risk assessment process and determines which areas of the company are most vulnerable. Management prioritizes mitigation activities based on cash available and anticipated return on investment. Staff focus their efforts on those activities.
At the end of the year, Company B has a baseline measurement and can demonstrate significant risk reduction. It has a record of mitigation activity, as well as a plan for next year’s spending. The examination process is smooth and pain-free.
Risk Management Dashboard
A risk management dashboard simplifies the risk assessment process, organizing the risk environment with a defined, consistent system that produces meaningful business intelligence. Scout is a web-based risk assessment application inspired by a former regulator and banking executive. This powerful, all-in-one tool tracks and interprets information assets, risks and controls. As a byproduct of performing the risk assessment in Scout, the scope of the controls audit is defined, prioritizing the most significant areas of review for your auditor. Vendor management and Red Flags risk assessment modules are also included with Scout.
With Scout, an organization can engage in useful, ongoing reviews rather than meaningless once-a-year cram sessions to prepare for the examiner. Backed by a robust 3D database, Scout is far superior to standalone spreadsheets and other tracking alternatives. Its intuitive user interface and advanced algorithms make compliance easier and more cost-effective. Here’s why:
Guided solution: Scout comes preloaded with standard risk assessment data and best practice information. These templates promote rapid deployment and enable financial institutions to quickly identify and monitor focus areas. All information is easily editable to fit an organization’s exact needs and situation.
Once the asset, risk, and control information is complete, Scout automatically defines the scope of the controls audit, telling you when and where to perform preventive reviews and system checks. No more relying on memory or paper files to trigger the necessary audit activities. Scout gives you the big picture so you can plan and budget for future events.
At a basic level, Scout standardizes the risk assessment process and reduces the staff time required to document and maintain assessments. But Scout also provides valuable business intelligence to mitigate future security costs
Web-based: As an online dashboard, Scout is accessible via any secure internet connection. Qualified staff can access the Scout database from home or the road, meaning risk control data is always accessible, even during disaster scenarios. Because Scout is web-based, it requires virtually no maintenance support, no costly hardware to install, and no updates to download. And as regulations change, your risk assessment program naturally evolves, with new releases available at no extra cost.
And, of course, data transmissions are secure and information is safe from loss with continuous backups in protected, redundant data centers. Information is never lost.
Understand at a glance: Scout was designed to provide easy, at-a-glance interpretation of risk information. Its advanced graphic reporting tools provide instant visual recognition of high-risk assets and information security weaknesses. Risk managers can evaluate the risk environment through a variety of dashboard presentations, including charts, color-coded tables and other visual displays.
For more in-depth information, users can navigate and drill down through clickable reports and graphs, using Scout’s full power to dig deeper into those areas that warrant further analysis.
3D database: The complex database behind Scout tracks multiple associations among organizational assets, risks and controls. Change one factor and all associated elements update automatically. Risk managers can quickly and easily extract reports required to meet examiner requests, demonstrate information security to the board of directors, and conduct information security reviews by branch or corporation. These multiple variable data layers provide accurate, usable business information.
Risk & ROI Scenarios
Understanding the current risk environment is valuable, but Scout goes a step further, allowing companies to evaluate hypothetical changes to the security environment. Scout also tracks planned security changes, so risk managers can capture both current and future mitigation activity. Companies can use this information to “test” new controls, demonstrating how changes would impact the risk environment.
This information gives institutions unparalleled opportunity to identify the best value security investments and prioritize projects with the biggest impact.
In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA). A key component of this law requires financial institutions to protect their clients’ personal information. The FFIEC is charged with prescribing uniform principles, standards and report forms for the various federal financial institution regulatory agencies.
Scout was developed by a former financial institution examiner to meet all FFIEC information security guidelines and includes functions that:
• Identify internal and external threats;
• Assess the likelihood of threats;
• Assess the potential impact of threats;
• Update the program as business changes; and
• Provide easy-to-understand reports to the board.
With Scout, you can manage your organization’s risk by institution, branch and (coming soon) department. As required by the FFIEC, organizations must audit their information controls according to the extent of risk identified in the risk assessment. For example, a control that is mitigating a high risk will need to be reevaluated annually, while controls that impact low-risk threats could be audited only once every three years.
Scout generates this controls audit for you automatically, based on information from the risk assessment and FFIEC guidelines. Change a risk rating or an information asset and Scout immediately updates the audit schedule. You’ll always know which control audits your examiner should expect. Plus, Scout allows you to track audit activity, with notes about when controls were tested and by whom—creating wellorganized logs your examiner will appreciate.
The Identity Theft Red Flags Regulations are part of the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act. These rules are jointly issued by the Federal Trade Commission and other regulatory agencies, and became active in 2008.
Each year, more than 8 million consumers fall victim to identity theft, accounting for nearly $50 billion in losses. And according to a study by Michigan State University, more than half of those cases can be traced back to the workplace, where lax business practices gave thieves the opportunity to steal customer information.
Red Flags rules were created to require businesses to take action to prevent identity theft. The rules are clearly applicable to all banks and lending institutions. However, recent interpretations have also found that health care organizations are also obligated, as creditors under the Red Flags rules, and additional applications are still being debated.
The Red Flags rules require organizations to do the following:
• Conduct a risk assessment to identify covered accounts;
• Identify issues that indicate a possible identity theft (the rules provide 26 options as a
• Develop a detection and response procedure for each;
• Create a written program that’s been approved by the board of directors;
• Train employees in implementation;
• Update the program as necessary; and
• Review effectiveness at least once annually.
With Scout, users will spot the warning signs of identity theft and meet federal compliance regulations for tracking and reporting.
Today, vendor management has become a significant part of the IT examination. Although IT outsourcing is common in the financial services industry—to lower costs and/or improve the quality of IT services—using a third-party vendor naturally subjects an institution to risk outside its control.
Moreover, outsourcing IT services does not remove an institution from liability should vendors fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are adhering to all applicable compliance requirements.
FFIEC guidance divides vendor management into several components, including vendor risk assessments, service provider selection, contract issues and ongoing monitoring. Once you’ve completed the necessary due diligence to enter into a vendor contract, that vendor relationship must still be managed with ongoing assessments to ensure it is meeting contractual obligations.
Vendor activity must be reviewed at least once a year to determine if the vendor is adhering to the service level agreement and whether or not corrective actions are required. Scout manages the vendor environment in much the same way it tracks internal risk activity.
The application allows users to rank vendor relationships on criticality and vendors’ access to confidential customer information, and then schedules ongoing due diligence activity based on identified risk and FFIEC guidelines. Scout also includes on online file center for storing supporting documents, such as contracts, correspondence and vendor reports.
Scout is a risk management dashboard that is constantly updated with the latest FFIEC/NIST standards. It is by far the most comprehensive tool available today. Scout includes risk assessments, Red Flags tracking, vendor management and GLBA—all fully integrated in one system, so organizations don’t need to replicate data in multiple places. And Scout makes it virtually effortless to pass exams, since activities and best practices demanded by examiners are built directly into Scout. Finally, because Scout’s fully integrated, real-time risk management dashboard replaces static spreadsheets and cumbersome paper documents, it reduces the time and cost needed to manage operating risks.