NABARD – IS Audit of District Co-operative Banks
An IT security assessment includes checks for vulnerabilities in IT systems and business processes, as well as recommendations on steps to lower the risk of future attacks.
You can conduct security assessments internally with help from your IT team, or through a third-party assessor. A third-party assessment is advisable if an internal preliminary assessment reveals serious security gaps, or if the bank does not have a dedicated team of IT professionals with expertise in this area.
The security assessment includes two components:
- Security review: A collaborative process that includes identifying security issues and their level of risk, as well as preparing a plan to mitigate these risks.
- Security testing: The process of finding vulnerabilities in software applications or processes.
Security review: Conducting regular security assessments is the first step to building a culture of security and constant vigilance. The steps involved in conducting an internal security review are:
- Create a core assessment team – This team will lead the assessment, prepare the report and suggest recommendations.
- Review existing security policies – The policy should cover the security strategy, data backup plans, password management, timelines for security updates and patches, etc. If a policy has already been framed, review it against these requirements.
- Create a database of IT assets – Prepare a comprehensive list of all software and hardware assets that the bank owns or that connect to its systems. This includes the networks, servers, desktops, laptops, software applications, websites, POS devices, the personal devices that employees use to check email, external drives, etc.
- Understand threats and vulnerabilities – Identify the threats the bank faces and the gaps in its systems that those threats could exploit. IT security software offering vulnerability scanning and vulnerability alerts helps identify technical weak points in applications and networks; weaknesses in business processes (for example, a single person able to both initiate and approve a transfer) must be found by reviewing the processes themselves.
- Estimate the impact – The impact could be monetary loss, loss of clients, or loss of brand value or credibility. Categorize the impact of each potential cyberattack as "high," "medium," or "low" based on its severity and estimated cost.
- Determine the likelihood – Categorize the likelihood that each potential risk would happen as “high,” “medium,” or “low.” The risk level increases if the likelihood is high.
- Plan the controls – List the existing controls in place and outline further actions that can help mitigate the identified risks. These controls can include changes to policies or procedures, training, configuration changes, or the procurement and implementation of new applications and/or hardware.
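The steps above can be recorded in a simple risk register that carries each asset from the inventory through threat, impact, likelihood, risk level and planned controls. The following is an added Python example, not part of the NABARD document or any NABARD tool: it assumes loss is estimated in lakh INR, uses placeholder impact thresholds and a 3x3 likelihood/impact matrix that a bank would replace with figures from its own risk policy, and its register entries are constructed samples. It rates each asset/threat pair, orders the register by risk, and flags high-risk items for which no control has yet been planned.

```python
"""Risk-register helper for the internal security review steps above.

Added illustration, not NABARD's own tool. Assumptions: loss is estimated in
lakh INR, the impact thresholds and the 3x3 risk matrix are placeholders that a
bank would replace with figures from its own risk policy, and the sample
register entries are constructed.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")
_RANK = {level: i for i, level in enumerate(LEVELS)}

# Assumed thresholds (lakh INR) for bucketing estimated loss into an impact level.
IMPACT_THRESHOLDS = {"high": 50.0, "medium": 5.0}

# Assumed 3x3 matrix keyed by (likelihood, impact); risk rises with both.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def impact_level(estimated_loss: float) -> str:
    """Categorise the estimated cost of a successful attack as high/medium/low."""
    if estimated_loss >= IMPACT_THRESHOLDS["high"]:
        return "high"
    if estimated_loss >= IMPACT_THRESHOLDS["medium"]:
        return "medium"
    return "low"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk level via the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


@dataclass
class RiskItem:
    asset: str                 # entry from the IT asset database
    threat: str                # who or what could attack it
    vulnerability: str         # the gap the threat could exploit
    estimated_loss: float      # lakh INR, from the impact estimate
    likelihood: str            # "low" | "medium" | "high"
    existing_controls: list = field(default_factory=list)
    planned_controls: list = field(default_factory=list)

    @property
    def impact(self) -> str:
        return impact_level(self.estimated_loss)

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritise(register):
    """Highest risk level first; ties broken by the larger estimated loss."""
    return sorted(register, key=lambda r: (-_RANK[r.risk], -r.estimated_loss))


def unmitigated(register):
    """High-risk items with no planned control: the gaps the report must flag."""
    return [r for r in register if r.risk == "high" and not r.planned_controls]


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    RiskItem("Core banking server", "ransomware", "OS patches six months behind",
             120.0, "medium", ["nightly backup"],
             ["apply patches within 30 days", "offline backup copy"]),
    RiskItem("Branch POS terminals", "card skimming", "no tamper seals or device audit",
             8.0, "medium", [], ["tamper seals", "monthly device check"]),
    RiskItem("Staff personal phones", "phishing of email credentials", "no MFA on webmail",
             20.0, "high", ["spam filter"], []),
    RiskItem("Public website", "defacement", "outdated CMS plugin",
             2.0, "high", [], ["update CMS", "web application firewall"]),
]


def report(register):
    """Rows for the assessment report: asset, impact, likelihood, risk, planned controls."""
    return [(r.asset, r.impact, r.likelihood, r.risk, "; ".join(r.planned_controls) or "NONE")
            for r in prioritise(register)]


if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(" | ".join(row))
    for gap in unmitigated(SAMPLE_REGISTER):
        print(f"GAP: {gap.asset} ({gap.threat}) has no planned control")
```

Run as a script, the register prints highest risk first and the phishing entry is reported as a gap, since it is rated high (high likelihood, medium impact) but has no planned control. The matrix and thresholds are the two places a bank's own policy must be substituted before the output is used in a report.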