GLBA Risk Assessment Requirements

Last week I received a call from one of our partners (known to the outside world as clients) about a recent audit of their GLBA Risk Assessment. Their audit firm recommended they remove the Availability rating of each information system. The auditor also recommended performing a separate GLBA risk assessment, in addition to the IT Risk Assessment that Rivial had already performed for them.

The Availability Rating in IT Risk Assessment
Suggesting that Availability ratings should be removed presents a myopic view of information security risk assessment and exacerbates the challenges in performing proper risk assessments. I won’t dig into that topic in great detail in this post because the FFIEC makes my argument for me by stating “Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems.”
If you do want more details about how Availability fits into the equation, check out the link to my recently released eBook at the end of this article.

Separate GLBA Risk Assessment
After exploring the issue with our partner (aka client) we determined it was a misconception based on what the auditor was used to seeing. They were used to seeing IT risk assessments (I use the term in name only) that list technologies and associated controls, and have some kind of arbitrary measure of ‘risk’ attached. The problem with this is twofold: first, financial institutions are paying for Information Security Risk Assessments and only getting half of the package. Much like ordering a Happy Meal and not getting the cheeseburger. If all of your prior Happy Meals came without a cheeseburger, you don’t expect to see one. Rivial’s data risk assessments have the cheeseburger, or perhaps some kind of healthy, great-tasting sandwich.
The second problem is that because so many companies do risk assessments improperly, financial institutions have to duplicate efforts to meet regulatory requirements. This leads to disjointed Information Security (or GLBA) risk assessments being conducted separately from IT risk assessments. If you inspect any of the major models like NIST 800-30, ISO 27005, etc you will see the idea behind risk assessment is to look at information, systems, threats, and controls. This is one process that gets called many names…. cybersecurity risk assessment, IT risk assessment, Information Security risk assessment, GLBA risk assessment. If you, or more likely your security vendor, are not performing a proper risk assessment you’ll end up in this unfortunate situation, duplicating efforts, and trying to manage risk from a disjointed road map. Ultimately you’ll have trouble communicating real risk to the executives and spinning your wheels unnecessarily.