Page 26 - Digital Financial Services security assurance framework
highlighted in the risk assessment alongside the threats that affect an asset.

iii. Threat identification: A threat is the potential for a source to exploit (accidentally or intentionally) a specific vulnerability. Threats to DFS assets can be natural (e.g. earthquakes and floods), human (e.g. theft and fraud) or technical (e.g. malware or server failures). Once a threat is identified, all information assets should be analyzed to uncover any vulnerabilities present that can be exploited by the threat.

iv. Existing control identification: a list of all existing and planned controls, with their implementation and usage status.

v. Consequence identification: The magnitude of damage that could be caused by an incident in which a threat successfully exploits a vulnerability. This process identifies the assets that can be affected and the severity of the impact. The magnitude of damage to a DFS asset is in most cases higher than the simple replacement cost; there are various damage considerations, which may be monetary, technical, human and regulatory.

7.5 Risk Analysis

Risk analysis helps to understand the overall likelihood and impact of a threat on an asset, both of which are important for decision making and for prioritizing actions to address the most critical and significant risks (risks with the greatest impact). The output of the risk analysis is an updated risk register that includes the probability and impact ratings of each risk. Risk analysis may be done quantitatively or qualitatively, or as a combination of both.

The following should be outputs of the risk analysis phase:

i. Assessment of consequences: the business impact upon the organization that might result from possible or actual information security incidents should be assessed, taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets. Amongst others, the security consequences to DFS can also be in terms of financial loss, loss of image and reputation, loss of goodwill, regulatory bans and fines.

ii. Assess the probability of occurrence of a potential threat that can exploit a vulnerability, and its impact if successful. The probability of occurrence should take into consideration the preventive and detective controls in place, their effectiveness, implementation and usage.

iii. Define the inherent risk rating as the product of Probability and Impact. The purpose of the inherent risk rating is to assist management in prioritizing management actions to address the most significant risks.

iv. Define residual risk by assessing the effectiveness of the controls that exist for treating the risk. The controls implemented should reduce the risks to an acceptable level based on the DFS stakeholders' risk appetite.

7.6 Risk Evaluation

During the risk evaluation process, the DFS stakeholder will compare identified risks and evaluate them against predetermined risk criteria to help determine the risks' net effect on the DFS ecosystem. It also involves determining the effectiveness of the existing controls; that is, analyzing the probability and impact of the risks after considering existing controls and then estimating the residual risks. This process facilitates prioritization and decision making relating to risk treatment and implementation. When performing a risk evaluation, the following should be considered:

i. Determine the effectiveness of existing controls in place for each threat-vulnerability combination for an asset class, i.e. the effectiveness of the controls in place that would mitigate the threat-vulnerability pairing.

ii. Determine the Risk Impact.

iii. Determine the Residual Risk Rating as the product of Probability of occurrence and Impact.
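The inherent rating (Probability x Impact), the residual rating after crediting existing controls, and the comparison against the stakeholders' risk appetite described in 7.5 and 7.6 can be carried through on a small risk register. The following is an added worked example, not the framework's own method or tooling; the 1..5 scoring scale, the percentage effectiveness of a control, the preventive/detective split, the rule that only implemented controls count, and the sample register entries are all assumptions made here for illustration.

```python
"""Worked risk-rating calculation: inherent rating = Probability x Impact, then a
residual rating after crediting implemented controls, compared with the
stakeholders' risk appetite.

Added illustration only; it is not the framework's own method or tooling.
Assumed scales (mine, not the document's): probability and impact are scored
1..5, control effectiveness is an integer percentage 0..100, and only controls
whose status is "implemented" count; planned controls stay in the register but
reduce nothing until they are in place.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from math import ceil


@dataclass
class Control:
    name: str
    kind: str                     # "preventive" or "detective" (assumed taxonomy)
    effectiveness_pct: int        # 0 = no effect .. 100 = fully effective (assumed scale)
    status: str = "implemented"   # "implemented" or "planned"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int              # 1..5, likelihood of the threat exploiting the vulnerability
    impact: int                   # 1..5, magnitude of damage (monetary, technical, human, regulatory)
    controls: list = field(default_factory=list)


def inherent_rating(risk: Risk) -> int:
    """Inherent risk rating: Probability x Impact before any control is credited."""
    return risk.probability * risk.impact


def combined_effectiveness(controls, kind: str) -> Fraction:
    """Combine implemented controls of one kind. Treating them as independent
    layers, the exposure that remains is the product of what each lets through.
    Fractions keep the arithmetic exact so ceil() below never misrounds."""
    passthrough = Fraction(1)
    for c in controls:
        if c.kind == kind and c.status == "implemented":
            passthrough *= 1 - Fraction(c.effectiveness_pct, 100)
    return 1 - passthrough


def residual_rating(risk: Risk) -> int:
    """Residual risk rating: Probability x Impact after existing controls.
    Preventive controls lower the probability of occurrence; detective controls
    lower the impact, because earlier detection limits the damage. Neither score
    drops below 1: a control reduces a risk, it does not make it impossible."""
    p = max(1, ceil(risk.probability * (1 - combined_effectiveness(risk.controls, "preventive"))))
    i = max(1, ceil(risk.impact * (1 - combined_effectiveness(risk.controls, "detective"))))
    return p * i


def evaluate(register, appetite: int):
    """Risk evaluation: list the risks whose residual rating still exceeds the
    stakeholders' risk appetite, highest residual first (inherent rating breaks
    ties), which is the order in which treatment should be planned."""
    above = [r for r in register if residual_rating(r) > appetite]
    above.sort(key=lambda r: (residual_rating(r), inherent_rating(r)), reverse=True)
    return [(r.asset, r.threat, inherent_rating(r), residual_rating(r)) for r in above]


# Constructed sample register; the assets, threats and scores are made up for illustration.
SAMPLE_REGISTER = [
    Risk("USSD gateway", "SIM swap fraud", "weak customer re-verification", 4, 5, [
        Control("ID check at SIM replacement", "preventive", 50),
        Control("SIM-change alert to customer", "detective", 40),
    ]),
    Risk("Core banking database", "ransomware", "unpatched server", 3, 5, [
        Control("Monthly patching", "preventive", 60),
        Control("Offline backups", "detective", 50, status="planned"),   # planned: credited nothing
    ]),
    Risk("Agent tablets", "device theft", "no disk encryption", 3, 2, [
        Control("Remote wipe", "detective", 70),
    ]),
]

RISK_APPETITE = 5   # assumed: residual ratings above 5 need treatment


if __name__ == "__main__":
    print(f"{'asset':24}{'threat':18}{'inherent':>9}{'residual':>9}")
    for r in SAMPLE_REGISTER:
        print(f"{r.asset:24}{r.threat:18}{inherent_rating(r):>9}{residual_rating(r):>9}")
    print("\nNeeds treatment (above appetite):")
    for asset, threat, inh, res in evaluate(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"  {asset}: {threat} (inherent {inh}, residual {res})")
```

Two points of the framework show up directly in the numbers: the ransomware risk has a lower inherent rating than the SIM swap risk but a higher residual one, because its only detective control is still planned and so is not credited, and the tablet theft risk falls within appetite once the implemented remote-wipe control is counted. Rating the planned control as if it were live would understate the residual risk, which is why the register keeps implementation status alongside each control.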