Sample Risk Assessment


SAMPLE RISK ASSESSMENT

Sample Risk Assessment for Corporate Account Takeover


Threats and mitigating controls related to Corporate Account Takeover should be addressed in the institution's information security (or GLBA) risk assessment. All reasonably foreseeable threats should be identified, along with the likelihood of occurrence and the potential impact of each threat.

Below is a sample risk assessment format. Other formats are acceptable as long as the required GLBA components are included. In the sample, the Inherent Risk rating for each threat is derived from the ratings for Probability of Occurrence and Potential Impact before controls are considered. The Residual Risk is the risk that remains after controls are considered. The rating system can use either (H)igh, (M)edium, (L)ow values or a numeric score; in either case, the ratings used for each category should be well defined. Ratings can be influenced by many factors, including services offered, customer base, and transaction size and volume, and they will change over time, so the assessment needs to be updated annually.

This risk assessment should be modified to fit your institution's technology capabilities, specific needs, and circumstances.

Column definitions (cells left blank in the sample are omitted from the rows below):
  Potential Threats and Vulnerabilities
  Probability of Occurrence (H, M, L)
  Potential Impact/Severity (H, M, L)
  Inherent Risk Rating (H, M, L)
  Mitigating Controls: Admin./Policy; Technical; Physical Security
  Residual Risk Rating (H, M, L)
  Comments

Threat/Vulnerability: Weakness of each third party service provider
  Probability of Occurrence: M; Potential Impact/Severity: M; Inherent Risk Rating: M
  Admin./Policy controls: Vendor Management policies/procedures are in place. Obtain a SSAE16 (FKA SAS 70) report from the vendor. Obtain the vendor's assessment of their vulnerabilities and the mitigating services and controls they offer.
  Technical controls: Implementation of technical controls offered by the service provider. Use of other software to mitigate weaknesses in service provider products.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Customer's lack of knowledge of the risks associated with online payment systems.
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Provide training or training resources to customers. Customer education and training program.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Automated "pass-through" payments sent directly to the wire processor or ACH operator.
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Customer reconciles account daily. Prior out-of-band notice of intent to deliver wire instructions or an ACH file is required.
  Technical controls: Manual or automated anomaly detection system is in place. Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Customer can change a wire/ACH transaction without further authentication.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Customer reconciles account daily. Customer education and training program.
  Technical controls: IDS/IPS system in place to help thwart man-in-the-middle attacks. System configuration requires re-authentication before processing a change (or institution policy requires re-authentication). Manual or automated anomaly detection system is in place. Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate institution staffing and risk awareness.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Periodic review of activity levels and trends. Staff training.
  Technical controls: Generation of automated reports for activity level and trends.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate risk management practices
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Involvement of management from all functional areas in the risk management process. Resources are used to stay abreast of emerging issues. Consultation with service and security providers and auditors. Periodic review and revision of the risk assessment. Policies/procedures are periodically reviewed, revised, and Board approved.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate insurance coverage
  Probability of Occurrence: M; Potential Impact/Severity: M; Inherent Risk Rating: M
  Admin./Policy controls: Electronic theft coverage has been purchased and is reviewed periodically.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate customer evaluations
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Each commercial customer is evaluated based on type of business, financial strength, institution history, security measures in place, and type and volume of transactions. Policies with appropriate criteria for evaluating customers' risk profiles (beyond rating them as simply consumer or commercial risks).
  Technical controls: Monitoring system generates reports on usage and trends.
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Inadequate password policies for the institution
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Policy requires and system enforces strict password rules. Employee training enforces the importance of password security.
  Technical controls: Passwords are not stored on the access device for the wire transfer system. System requires password changes every 90 days.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate password policies for the customer
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Policy requires and system enforces strict password rules. Employee training enforces the importance of password security.
  Technical controls: Passwords are not stored on the access devices for online banking. System requires password changes every 90 days.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Lack of dual controls at the business
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Policies and procedures outline dual control and segregation of duties requirements, and the consequences for non-compliance. Deposit accounts are reconciled daily.
  Technical controls: System requires two individuals to authenticate and approve a transaction. The two approvals must be performed from separate dedicated and isolated devices.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Inadequate contact information if an incident occurs
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Contact information (including after hours) is incorporated in contracts and training materials.
  Technical controls: A secure database for customer contact information is maintained to prevent unauthorized changes.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Phishing attempts and phone calls
  Probability of Occurrence: H; Potential Impact/Severity: M; Inherent Risk Rating: M
  Admin./Policy controls: The FDIC, IRS, NACHA, and many other entities do not contact business customers to request software installation or provide access credentials. Institution and customer staff training. Institution staff will not request account holders to click on links, install software, or require changes to established procedures without securely communicated notification.
  Technical controls: Spam email filters are in place.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Unauthorized changes using the Admin account (users, password resets, device registration, time of day restrictions, etc.)
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Institution must approve addition of a new Admin. Institution will suspend the Admin account if the customer fails to adhere to minimum standards. Out-of-band verification is performed prior to changes taking effect.
  Technical controls: Changes require additional authentication and out-of-band verification before changes are implemented. The account holder is automatically sent a notice immediately after the changes are made.
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Fraudulent transaction has been initiated.
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Dual controls implemented. Daily reconcilement. Out-of-band verification required. Institution policies and procedures for dealing with customers with compromised equipment. Staff will identify potential "suspicious activity" and flag the transactions for further review. High risk customers may utilize a restricted funds transfer recipient list.
  Technical controls: Fraud detection and monitoring systems are in place. Manual or automated anomaly detection system is in place. Dual authorization required from separate isolated devices. Software or other techniques are used to restrict transactions to approved limits. Transactions are approved only from authorized IP addresses, or IP addresses associated with fraud are blocked. Complex device identification: one-time cookies are used that detect the PC's configuration, IP address, geo-location, and other factors. Enhanced challenge questions. Pattern recognition software to detect unusual activity. Transaction aggregation and monitoring system. Transaction limits within the system are set at appropriate levels that reduce the risk. Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Unauthorized physical access to customer's computer system
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: The customer's access logs are periodically reviewed. The customer's Acceptable Use Policy is reviewed and signed annually. Information security and social engineering training are performed.
  Technical controls: Administrative rights are restricted. Manual or automated anomaly detection system is in place.
  Physical Security controls: Computer is in a secured area with restricted access. USB ports and optical drives are disabled. Security cameras are installed.
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Unauthorized external access to the customer's computer system
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Customer has Firewall, Patch Management, Anti-Virus, and Acceptable Use Policies. Staff trained on Phishing and Social Engineering techniques.
  Technical controls: Using dedicated/isolated workstations. Hardware and software firewalls are in place. Commercial anti-virus and malware products are installed and automatically updated. OS and peripheral software is regularly patched. Modems are disabled. An intrusion detection/prevention system is in place. Multi-layered and multi-factor authentication controls are in place. Manual or automated anomaly detection system is in place. Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Fraudulent transfer of customer funds via the online wire/ACH system.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Institution policies and procedures are in place.
  Technical controls: The customer's dual control procedure requires two individuals to authenticate a transaction. Multi-factor authentication and multi-layered controls are in place. Strong password requirements are in place. Call-backs or out-of-band verifications are required on all or certain transactions. Transmission of wire or ACH instructions must come from two separate isolated devices. Manual or automated anomaly detection system is in place. Transaction limits within the system are set at appropriate levels that reduce the risk. Use of payee "whitelisting" and/or "blacklisting."
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Smart phone applications lack security controls
  Probability of Occurrence: L; Potential Impact/Severity: M; Inherent Risk Rating: M
  Admin./Policy controls: Consumer awareness and education initiatives. Users are encouraged to password protect their phones and to have the capability of wiping stored data remotely.
  Technical controls: Applications are rigorously tested prior to implementation. Strong passwords are required for access to the Internet Banking platform. Data is encrypted during transmission. An email confirmation is sent to the account's old and new email addresses when the address is changed.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Consumers are subject to identity theft when using the Internet Banking / Bill Pay platform.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Users are encouraged to never reveal their login credentials to anyone. Know Your Customer policies help ascertain the true identity of customers. Employees are trained to recognize pretext calls from persons requesting confidential information. A "Welcome" letter is mailed to the address provided to help ensure the authenticity of the new user. Reports monitored: rejected transactions; large transactions; bill pay transactions; debit card activity; employee account changes. Institution website has links to Identity Theft resources.
  Technical controls: Security questions are "out-of-wallet" questions. The institution truncates account numbers and customer data to hinder internal employee fraud. Manual or automated monitoring can help detect suspicious activity. Real time validation is conducted for accounts opened online. User is locked out upon three failed login attempts. Password changes are required periodically. An email confirmation is sent to the account's old and new email addresses when the address is changed.
  Residual Risk Rating: L, M, or H
Threat/Vulnerability: Customer access controls do not match the level of risk for each customer.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: The institution has an ongoing customer education and awareness program. Customers are urged or required to install anti-malware software to reduce the risk of key loggers, adware, and spyware. Out-of-band authentication is used when anomalies or suspicious activity are detected.
  Technical controls: Controls commensurate with the level of risk include: initial login and authentication of customers requesting access to the Internet banking system; additional authentication prior to the transfer of funds to other parties; use of manual or automated transaction monitoring and/or anomaly detection; complex device identification (one-time cookies are used that detect the PC's configuration, IP address, geo-location, and other factors); out-of-wallet challenge questions; one-time password tokens for high risk customers; vendor supplied USB devices that enable a secure link between the user's PC and the institution.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Institution has an inadequate Response Plan or no response plan.
  Probability of Occurrence: M; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Institution has an appropriate Incident Response Program that addresses corporate account takeover. Designated response coordinator / team is immediately notified.
  Residual Risk Rating: L, M, or H

Threat/Vulnerability: Customer has an inadequate Response Plan or no response plan.
  Probability of Occurrence: H; Potential Impact/Severity: H; Inherent Risk Rating: H
  Admin./Policy controls: Customer has an appropriate Incident Response Program that addresses corporate account takeover. Customer immediately notifies the institution.
  Residual Risk Rating: L, M, or H
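The technical controls listed for the "Fraudulent transaction has been initiated" and "Fraudulent transfer of customer funds via the online wire/ACH system" rows (approved transaction limits, transaction aggregation, payee whitelisting/blacklisting, authorized IP addresses, and dual authorization from separate devices) can be expressed as one screening check. The Python below is an added illustration, not code from this assessment or from any institution's system; the policy fields, limits, payee names, user and device names, and IP addresses are all constructed for the example.

```python
from collections import namedtuple

# Constructed record types (assumed for this example, not from the assessment).
CustomerPolicy = namedtuple("CustomerPolicy",  # empty whitelist/authorized_ips = control not enforced
                            "per_tx_limit daily_limit payee_whitelist payee_blacklist authorized_ips")
Transfer = namedtuple("Transfer", "tx_id payee amount source_ip approvals")  # approvals: (user, device)

def screen_transfer(policy, tx, sent_today):
    """Return the controls a transfer fails; an empty list means it may proceed."""
    findings = []
    if tx.payee in policy.payee_blacklist:                      # payee "blacklisting"
        findings.append("payee blacklisted")
    if policy.payee_whitelist and tx.payee not in policy.payee_whitelist:  # payee "whitelisting"
        findings.append("payee not on whitelist")
    if tx.amount > policy.per_tx_limit:                         # approved transaction limits
        findings.append("exceeds per-transaction limit")
    if sent_today + tx.amount > policy.daily_limit:             # transaction aggregation
        findings.append("exceeds daily aggregate limit")
    if policy.authorized_ips and tx.source_ip not in policy.authorized_ips:  # authorized IPs only
        findings.append("source IP not authorized")
    users = {u for u, _ in tx.approvals}
    devices = {d for _, d in tx.approvals}
    if len(users) < 2:                                          # dual authorization
        findings.append("dual authorization missing")
    elif len(devices) < 2:                                      # ... from separate devices
        findings.append("approvals not from separate devices")
    return findings

def screen_batch(policy, transfers):
    """Screen a day's transfers in order; only transfers that pass count toward the daily limit."""
    sent_today, results = 0.0, {}
    for tx in transfers:
        results[tx.tx_id] = screen_transfer(policy, tx, sent_today)
        if not results[tx.tx_id]:
            sent_today += tx.amount
    return results

# Constructed sample policy and transfers (documentation IP ranges, made-up names).
POLICY = CustomerPolicy(per_tx_limit=25_000, daily_limit=30_000,
                        payee_whitelist={"ACME Supply", "Payroll Corp"},
                        payee_blacklist={"Mule Holdings"}, authorized_ips={"198.51.100.7"})
SAMPLE = [
    Transfer("T1", "ACME Supply", 9_000, "198.51.100.7", [("alice", "pc-1"), ("bob", "pc-2")]),
    Transfer("T2", "Payroll Corp", 30_000, "198.51.100.7", [("alice", "pc-1"), ("bob", "pc-2")]),
    Transfer("T3", "Mule Holdings", 4_000, "203.0.113.9", [("alice", "pc-1"), ("bob", "pc-1")]),
    Transfer("T4", "Payroll Corp", 20_000, "198.51.100.7", [("alice", "pc-1")]),
    Transfer("T5", "ACME Supply", 24_000, "198.51.100.7", [("alice", "pc-1"), ("bob", "pc-2")]),
]
RESULTS = screen_batch(POLICY, SAMPLE)   # maps tx_id to the list of failed controls
```

Only T1 passes every control; T5 is within its own limit but, aggregated with T1, breaches the daily limit, which is the case per-transaction checks alone would miss.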
