The role of the information security team is protecting the information and data from misuse or losses.
The information security team identifies the organization’s information assets and sources and performs risk assessment and management activities. The team identifies current cybersecurity risks, threats, and vulnerabilities of information resources and assets of the organization.
Some examples of critical assets and resources include but are not limited to the core application system, software, computer systems, servers, networks, data rooms, software acquired from third parties, cloud arrangements, alternate delivery channels, internal information, contracts, agreements, etc.
The Role of the Information Security Team in an Organization
Assets and resources are identified through effective communication and coordination with different stakeholders in the bank, including risk management, business lines, compliance, internal audit, operations staff, and technology team. After identifying information assets and their categorization, the information security team needs to assess the vulnerability assessment to identify weaknesses and loopholes in the information assets.
Threat and vulnerability assessment plays a significant role in identifying paths to be focused on and areas to be controlled through an integrated risk assessment approach. These initial risk-based vulnerability and threat assessments will assist the information security team in prioritizing the most crucial information assets, products, delivery channels, and other operational activities that demand improved and centralized data and information security practices.
Cybersecurity risk identification is vital for developing a robust monitoring and control system. Effective risk identification considers internal and external sources and factors that could adversely affect the organization’s objectives.
The information and data loss risks shall be identified from different sources, including regulatory requirements, cyber threat trends in the banking industry, previous risk incidents, feedback from risk owners, etc. Identified cybersecurity and information security risks shall be assessed from the significance, probability of occurrence, and point of view.
Inherent risk assessment based on defined risk criteria shall help the information security team prioritize the high, medium, and low categories of cybersecurity and information security risks.
Information and data security risks are inherent in all business activities and processes, and all inherent risks need to be identified and assessed. The business and technology units have the best cybersecurity and information security risk knowledge. Hence, they should play a major role in risk identification. The organization must document the reasons if any asset or information resource is left out of the risk identification process.
The information security team assesses risks based on judgment-based risk scoring and/or based on financial thresholds. The risk assessment must be done at inherent and residual levels by considering both risk probability and severity. Adopting risk assessment at inherent and residual levels provides more insights into the nature of the information security risks and controls.
For risk scoring purposes, the organization may develop risk level scales ranging from low, medium, and high. The risk assessment process also includes the assessment of controls to assess the effectiveness of implemented controls by considering existing controls measures and potential events.
The information security team shall identify and assess the cybersecurity risk inherent in all material information assets, processes, and systems to ensure that inherent risks and incentives are well understood. High risks are critical and require immediate management attention to ensure appropriate mitigating controls are developed and implemented.
Internal controls are embedded in day-to-day operations and are designed to ensure, to the extent possible, that business and operational activities are efficient and effective and information is reliable and protected. Internal controls ensure that the bank complies with applicable cybersecurity, data protection, and confidentiality-related laws and regulations.
The information security team shall record the cybersecurity risks, incidents, and the management action plan taken or planned, to treat the risks. New applicable laws and regulations shall be mapped to the Governance, Risk, and Compliance or GRC solution to design and implement the cybersecurity controls for such new regulatory compliance requirements.
To control data losses and unauthorized information access, the information security team shall ensure that information and data security policies are adequately reviewed and implemented based on eavesdropping, interception, and modification risks. Such risks and information threats shall be mitigated by using strong user and device authentication, encryption and antimalware technologies, tier-based access control, and network segmentation to protect information assets’ data confidentiality and integrity.
To effectively implement the cybersecurity GRC program, XYZ bank shall establish dedicated Cyber Threat Intelligence and Emergency Case Teams to minimize and control the information or data losses resulting from possible cybersecurity incidents and offer guidance for quick recovery of systems and data. XYZ bank’s information technology and cyber or information security teams shall enhance monitoring capabilities with a special focus on VPN connections, remote user authentications, and externally exposed systems logs. They shall monitor the bank’s network on a 24/7 approach by logging access requests and identifying, detecting, and responding to malicious attacks promptly.
The information security team updates the VPNs, network infrastructure, and devices used to work environments with the latest software patches and security configurations. Connectivity to the internal data and system resources shall be properly protected through an encrypted communication channel, such as a VPN duly protected by multifactor authentication.