Inherent Risk Profile


FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile (June 2015)

Each activity, service, or product below is rated at one of five risk levels: Least, Minimal, Moderate, Significant, Most.

Category: Technologies and Connection Types

Total number of Internet service provider (ISP) connections (including branch connections)
  Least: No connections
  Minimal: Minimal complexity (1–20 connections)
  Moderate: Moderate complexity (21–100 connections)
  Significant: Significant complexity (101–200 connections)
  Most: Substantial complexity (>200 connections)

Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  Least: None
  Minimal: Few instances of unsecured connections (1–5)
  Moderate: Several instances of unsecured connections (6–10)
  Significant: Significant instances of unsecured connections (11–25)
  Most: Substantial instances of unsecured connections (>25)

Wireless network access
  Least: No wireless access
  Minimal: Separate access points for guest wireless and corporate wireless
  Moderate: Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points)
  Significant: Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points)
  Most: Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points)

Personal devices allowed to connect to the corporate network
  Least: None
  Minimal: Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only
  Moderate: Multiple device types used; available to <10% of employees (staff, executives, managers) and board; e-mail access only
  Significant: Multiple device types used; available to <25% of authorized employees (staff, executives, managers) and board; e-mail and some applications accessed
  Most: Any device type used; available to >25% of employees (staff, executives, managers) and board; all applications accessed

Third parties, including number of organizations and number of individuals from vendors and subcontractors, with access to internal systems (e.g., virtual private network, modem, intranet, direct connection)
  Least: No third parties and no individuals from third parties with access to systems
  Minimal: Limited number of third parties (1–5) and limited number of individuals from third parties (<50) with access; low complexity in how they access systems
  Moderate: Moderate number of third parties (6–10) and moderate number of individuals from third parties (50–500) with access; some complexity in how they access systems
  Significant: Significant number of third parties (11–25) and significant number of individuals from third parties (501–1,500) with access; high level of complexity in terms of how they access systems
  Most: Substantial number of third parties (>25) and substantial number of individuals from third parties (>1,500) with access; high complexity in how they access systems

Wholesale customers with dedicated connections
  Least: None
  Minimal: Few dedicated connections (between 1–5)
  Moderate: Several dedicated connections (between 6–10)
  Significant: Significant number of dedicated connections (between 11–25)
  Most: Substantial number of dedicated connections (>25)

Internally hosted and developed or modified vendor applications supporting critical activities
  Least: No applications
  Minimal: Few applications (between 1–5)
  Moderate: Several applications (between 6–10)
  Significant: Significant number of applications (between 11–25)
  Most: Substantial number of applications and complexity (>25)

Internally hosted, vendor-developed applications supporting critical activities
  Least: Limited applications (0–5)
  Minimal: Few applications (6–30)
  Moderate: Several applications (31–75)
  Significant: Significant number of applications (76–200)
  Most: Substantial number of applications and complexity (>200)

User-developed technologies and user computing that support critical activities (includes Microsoft Excel spreadsheets and Access databases or other user-developed tools)
  Least: No user-developed technologies
  Minimal: 1–100 technologies
  Moderate: [cell lost in extraction]
  Significant: [cell lost in extraction]
  Most: >2,500 technologies

End-of-life (EOL) systems
  Least: No systems (hardware or software) that are past EOL or at risk of nearing EOL within 2 years
  Minimal: Few systems that are at risk of EOL and none that support critical operations
  Moderate: Several systems that will reach EOL within 2 years and some that support critical operations
  Significant: A large number of systems that support critical operations at EOL or are at risk of reaching EOL in 2 years
  Most: Majority of critical operations dependent on systems that have reached EOL or will reach EOL within the next 2 years, or an unknown number of systems that have reached EOL

Open Source Software (OSS)
  Least: No OSS
  Minimal: Limited OSS and none that support critical operations
  Moderate: Several OSS that support critical operations
  Significant: Large number of OSS that support critical operations
  Most: Majority of operations dependent on OSS

Network devices (e.g., servers, routers, and firewalls; include physical and virtual)
  Least: Limited or no network devices (<250)
  Minimal: Few devices (250–1,500)
  Moderate: Several devices (1,501–25,000)
  Significant: Significant number of devices (25,001–50,000)
  Most: Substantial number of devices (>50,000)

Third-party service providers storing and/or processing information that support critical activities (do not have access to internal systems, but the institution relies on their services)
  Least: No third parties that support critical activities
  Minimal: 1–25 third parties that support critical activities
  Moderate: 26–100 third parties that support critical activities
  Significant: 101–200 third parties that support critical activities; 1 or more are foreign-based
  Most: >200 third parties that support critical activities; 1 or more are foreign-based

Cloud computing services hosted externally to support critical activities
  Least: No cloud providers
  Minimal: Few cloud providers; private cloud only (1–3)
  Moderate: Several cloud providers (4–7)
  Significant: Significant number of cloud providers (8–10); cloud-provider locations used include international; use of public cloud
  Most: Substantial number of cloud providers (>10); cloud-provider locations used include international; use of public cloud

Category: Delivery Channels

Online presence (customer)
  Least: No Web-facing applications or social media presence
  Minimal: Serves as an informational Web site or social media page (e.g., provides branch and ATM locations and marketing materials)
  Moderate: Serves as a delivery channel for retail online banking; may communicate to customers through social media
  Significant: Serves as a delivery channel for wholesale customers; may include retail account origination
  Most: Internet applications serve as a channel to wholesale customers to manage large value assets

Mobile presence
  Least: None
  Minimal: SMS text alerts or notices only; browser-based access
  Moderate: Mobile banking application for retail customers (e.g., bill payment, mobile check capture, internal transfers only)
  Significant: Mobile banking application includes external transfers (e.g., for corporate clients, recurring external transactions)
  Most: Full functionality, including originating new transactions (e.g., ACH, wire)

Automated Teller Machines (ATM) (operation)
  Least: No ATM services
  Minimal: ATM services offered but no owned machines
  Moderate: ATM services managed by a third party; ATMs at local and regional branches; cash reload services outsourced
  Significant: ATM services managed internally; ATMs at U.S. branches and retail locations; cash reload services outsourced
  Most: ATM services managed internally; ATM services provided to other financial institutions; ATMs at domestic and international branches and retail locations; cash reload services managed internally

Category: Online/Mobile Products and Technology Services

Issue debit or credit cards
  Least: Do not issue debit or credit cards
  Minimal: Issue debit and/or credit cards through a third party; <10,000 cards outstanding
  Moderate: Issue debit or credit cards through a third party; between 10,000–50,000 cards outstanding
  Significant: Issue debit or credit cards directly; between 50,000–100,000 cards outstanding
  Most: Issue debit or credit cards directly; >100,000 cards outstanding; issue cards on behalf of other financial institutions

Prepaid cards
  Least: Do not issue prepaid cards
  Minimal: Issue prepaid cards through a third party; <5,000 cards outstanding
  Moderate: Issue prepaid cards through a third party; 5,000–10,000 cards outstanding
  Significant: Issue prepaid cards through a third party; 10,001–20,000 cards outstanding
  Most: Issue prepaid cards internally, through a third party, or on behalf of other financial institutions; >20,000 cards outstanding

Emerging payments technologies (e.g., digital wallets, mobile wallets)
  Least: Do not accept or use emerging payments technologies
  Minimal: Indirect acceptance or use of emerging payments technologies (customer use may affect deposit or credit account)
  Moderate: Direct acceptance or use of emerging payments technologies; partner or co-brand with non-bank providers; limited transaction volume
  Significant: Direct acceptance or use of emerging payments technologies; small transaction volume; no foreign payments
  Most: Direct acceptance of emerging payments technologies; moderate transaction volume and/or foreign payments

Person-to-person payments (P2P)
  Least: Not offered
  Minimal: Customers allowed to originate payments; used by <1,000 customers or monthly transaction volume is <50,000
  Moderate: Customers allowed to originate payments; used by 1,000–5,000 customers or monthly transaction volume is between 50,000–100,000
  Significant: Customers allowed to originate payments; used by 5,001–10,000 customers or monthly transaction volume is between 100,001–1 million
  Most: Customers allowed to request payment or to originate payment; used by >10,000 customers or monthly transaction volume >1 million

Originating ACH payments
  Least: No ACH origination
  Minimal: Originate ACH credits; daily volume <3% of total assets
  Moderate: Originate ACH debits and credits; daily volume is 3%–5% of total assets
  Significant: Sponsor third-party payment processor; originate ACH debits and credits with daily volume 6%–25% of total assets
  Most: Sponsor nested third-party payment processors; originate debits and credits with daily volume that is >25% of total assets

Originating wholesale payments (e.g., CHIPS)
  Least: Do not originate wholesale payments
  Minimal: Daily originated wholesale payment volume <3% of total assets
  Moderate: Daily originated wholesale payment volume 3%–5% of total assets
  Significant: Daily originated wholesale payment volume 6%–25% of total assets
  Most: Daily originated wholesale payment volume >25% of total assets

Wire transfers
  Least: Not offered
  Minimal: In person wire requests only; domestic wires only; daily wire volume <3% of total assets
  Moderate: In person, phone, and fax wire requests; domestic daily wire volume 3%–5% of total assets; international daily wire volume <3% of total assets
  Significant: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume 6%–25% of total assets; daily international wire volume 3%–10% of total assets
  Most: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume >25% of total assets; daily international wire volume >10% of total assets

Merchant remote deposit capture (RDC)
  Least: Do not offer merchant RDC
  Minimal: <100 merchant clients; daily volume of transactions is <3% of total assets
  Moderate: 100–500 merchant clients; daily volume of transactions is 3%–5% of total assets
  Significant: 501–1,000 merchant clients; daily volume of transactions is 6%–25% of total assets
  Most: >1,000 merchant clients; daily volume of transactions is >25% of total assets

Global remittances
  Least: Do not offer global remittances
  Minimal: Gross daily transaction volume is <3% of total assets
  Moderate: Gross daily transaction volume is 3%–5% of total assets
  Significant: Gross daily transaction volume is 6%–25% of total assets
  Most: Gross daily transaction volume is >25% of total assets

Treasury services and clients
  Least: No treasury management services are offered
  Minimal: Limited services offered; number of clients is <1,000
  Moderate: Services offered include lockbox, ACH origination, and remote deposit capture; number of clients is between 1,000–10,000
  Significant: Services offered include accounts receivable solutions and liquidity management; number of clients is between 10,001–20,000
  Most: Multiple services offered including currency services, online investing, and investment sweep accounts; number of clients is >20,000

Trust services
  Least: Trust services are not offered
  Minimal: Trust services are offered through a third-party provider; assets under management total <$500 million
  Moderate: Trust services provided directly; portfolio of assets under management total $500 million–$999 million
  Significant: Trust services provided directly; assets under management total $1 billion–$10 billion
  Most: Trust services provided directly; assets under management total >$10 billion

Act as a correspondent bank (interbank transfers)
  Least: Do not act as a correspondent bank
  Minimal: Act as a correspondent bank for <100 institutions
  Moderate: Act as a correspondent bank for 100–250 institutions
  Significant: Act as a correspondent bank for 251–500 institutions
  Most: Act as a correspondent bank for >500 institutions

Merchant acquirer (sponsor merchants or card processor activity into the payment system)
  Least: Do not act as a merchant acquirer
  Minimal: Act as a merchant acquirer; <1,000 merchants
  Moderate: Act as a merchant acquirer; outsource card payment processing; 1,000–10,000 merchants
  Significant: Act as a merchant acquirer and card payment processor; 10,001–100,000 merchants
  Most: Act as a merchant acquirer and card payment processor; >100,000 merchants

Host IT services for other organizations (either through joint systems or administrative support)
  Least: Do not provide IT services for other organizations
  Minimal: Host or provide IT services for affiliated organizations
  Moderate: Host or provide IT services for up to 25 unaffiliated organizations
  Significant: Host or provide IT services for 26–50 unaffiliated organizations
  Most: Host or provide IT services for >50 unaffiliated organizations

Category: Organizational Characteristics

Mergers and acquisitions (including divestitures and joint ventures)
  Least: None planned
  Minimal: Open to initiating discussions or actively seeking a merger or acquisition
  Moderate: In discussions with at least 1 party
  Significant: A sale or acquisition has been publicly announced within the past year; in negotiations with 1 or more parties
  Most: Multiple ongoing integrations of acquisitions are in process

Direct employees (including information technology and cybersecurity contractors)
  Least: Number of employees totals <50
  Minimal: Number of employees totals 50–2,000
  Moderate: Number of employees totals 2,001–10,000
  Significant: Number of employees totals 10,001–50,000
  Most: Number of employees is >50,000

Changes in IT and information security staffing
  Least: Key positions filled; low or no turnover of personnel
  Minimal: Staff vacancies exist for non-critical roles
  Moderate: Some turnover in key or senior positions
  Significant: Frequent turnover in key staff or senior positions
  Most: Vacancies in senior or key positions for long periods; high level of employee turnover in IT or information security

Privileged access (administrators: network, database, applications, systems, etc.)
  Least: Limited number of administrators; limited or no external administrators
  Minimal: Level of turnover in administrators does not affect operations or activities; may utilize some external administrators
  Moderate: Level of turnover in administrators affects operations; number of administrators for individual systems or applications exceeds what is necessary
  Significant: High reliance on external administrators; number of administrators is not sufficient to support level or pace of change
  Most: High employee turnover in network administrators; many or most administrators are external (contractors or vendors); experience in network administration is limited

Changes in IT environment (e.g., network, infrastructure, critical applications, technologies supporting new products or services)
  Least: Stable IT environment
  Minimal: Infrequent or minimal changes in the IT environment
  Moderate: Frequent adoption of new technologies
  Significant: Volume of significant changes is high
  Most: Substantial change in outsourced provider(s) of critical IT services; large and complex changes to the environment occur frequently

Locations of branches/business presence
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–20 countries
  Most: >20 countries

Locations of operations/data centers
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–10 countries
  Most: >10 countries

Category: External Threats

Attempted cyber attacks
  Least: No attempted attacks or reconnaissance
  Minimal: Few attempts monthly (<100); may have had generic phishing campaigns received by employees and customers
  Moderate: Several attempts monthly (100–500); phishing campaigns targeting employees or customers at the institution or third parties supporting critical activities; may have experienced an attempted Distributed Denial of Service (DDoS) attack within the last year
  Significant: Significant number of attempts monthly (501–100,000); spear phishing campaigns targeting high net worth customers and employees at the institution or third parties supporting critical activities; institution specifically is named in threat reports; may have experienced multiple attempted DDoS attacks within the last year
  Most: Substantial number of attempts monthly (>100,000); persistent attempts to attack senior management and/or network administrators; frequently targeted for DDoS attacks

Summary

Number of statements selected in each risk level: Least ___  Minimal ___  Moderate ___  Significant ___  Most ___

Based on the individual risk levels selected, assign an Inherent Risk Profile: Least / Minimal / Moderate / Significant / Most
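As an added illustration (not part of the FFIEC tool), the Python below encodes the thresholds of a few purely quantitative rows from the matrix, maps measured values to a risk level, and fills in the summary tally. The aggregation rule (the level holding the most selections wins, ties go to the higher level), the handling of the gap the printed ranges leave between "3%–5%" and "6%–25%", and the sample institution are all this script's assumptions.

```python
from bisect import bisect_right
from collections import Counter

LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]


def just_above(x):
    """Smallest practical value strictly greater than x, for open bounds like '>5%'."""
    return x + 1e-9


# Value at which each level from Minimal up to Most begins; anything below the first
# bound is Least. Integer rows follow the printed ranges (">200" starts at 201).
# Percentage rows print "3%-5%" then "6%-25%", which leaves 5 < v < 6 undefined;
# this script's assumption is that anything above 5% is already Significant.
LOWER_BOUNDS = {
    "isp_connections": [1, 21, 101, 201],
    "unsecured_external_conns": [1, 6, 11, 26],
    "network_devices": [250, 1_501, 25_001, 50_001],
    "direct_employees": [50, 2_001, 10_001, 50_001],
    "correspondent_bank_institutions": [1, 100, 251, 501],
    "global_remittances_pct_assets": [just_above(0), 3, just_above(5), just_above(25)],
}


def level_for(row, value):
    """Map one measured value to its risk level index (0 = Least ... 4 = Most)."""
    if value < 0:
        raise ValueError(f"{row}: negative value {value}")
    return bisect_right(LOWER_BOUNDS[row], value)


def inherent_risk_profile(measurements):
    """Rate each row, tally selections per level, and pick an overall profile.

    The summary sheet leaves the overall call to management; as this script's
    assumption the profile is the level with the most selections, ties resolved
    toward the higher (riskier) level.
    """
    levels = {row: level_for(row, v) for row, v in measurements.items()}
    counts = Counter(levels.values())
    best = max(range(len(LEVELS)), key=lambda lvl: (counts.get(lvl, 0), lvl))
    tally = {LEVELS[i]: counts.get(i, 0) for i in range(len(LEVELS))}
    return LEVELS[best], tally, {row: LEVELS[lvl] for row, lvl in levels.items()}


# Constructed sample institution, not real data.
SAMPLE = {
    "isp_connections": 35,                  # 21-100            -> Moderate
    "unsecured_external_conns": 0,          # none              -> Least
    "network_devices": 1_500,               # 250-1,500         -> Minimal
    "direct_employees": 2_001,              # 2,001-10,000      -> Moderate
    "correspondent_bank_institutions": 100, # 100-250           -> Moderate
    "global_remittances_pct_assets": 5.5,   # printed gap 5-6%  -> Significant (assumption)
}

if __name__ == "__main__":
    profile, tally, per_row = inherent_risk_profile(SAMPLE)
    for row, lvl in per_row.items():
        print(f"{row:34s} {lvl}")
    print("tally:", tally)
    print("inherent risk profile:", profile)
```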

