Vulnerability Assessment (VA) for Financial Institutions

Financial institutions (FIs) are prime targets for attackers: they hold large volumes of business information, customer financial data, and other personally identifiable information (PII).  An FI should consider engaging an independent consultant to perform a vulnerability assessment to find exposure points in its systems, software, and procedures.

The purpose of a Vulnerability Assessment (VA) is to make the enterprise aware of gaps in its IT security that an attacker could exploit in order to:

  • Steal or otherwise extract customer and business-proprietary information (a data breach, where the customer information is regulatory-protected personal information)
  • Disrupt or sabotage IT and business operations
  • Subvert IT systems for the attacker's own use in attacks on others

VA by an independent third party is a Gramm-Leach-Bliley Act (GLBA) compliance requirement for financial institutions.  GLBA's "Safeguards Rule" is the regulation that implements this requirement.

The "FFIEC Information Security Guidelines" (the Information Security booklet of the FFIEC IT Examination Handbook) interpret the provisions of this federal regulation and describe the security practices an institution should treat as the minimum for safe and sound operation while meeting its fiduciary obligations under its charter.

VA is one of the "Independent Tests" called for in the "Condition Monitoring" section of the "FFIEC Information Security Guidelines," and it is the entry-level test in that series.

VA is typically performed by an independent third-party service provider, which scans the institution's IT systems (e.g. firewalls, routers, switches, servers, workstations) with automated tools and manual checks to identify security vulnerabilities that a threat could exploit.

In a VA context, servers and workstations are often collectively referred to as “hosts.”

"Internal" security vulnerabilities are those in the IT systems that an organization's employees use for operations inside the enterprise.  They typically stem from failure to apply patches and fixes to network operating systems, host operating systems, and application software, and from continuing to run outdated or unsupported versions of the same.

"External" security vulnerabilities are those in the IT systems that an organization's customers use (e.g. its website), or in any system that can be discovered and reached from outside the organization's electronic security perimeter.  They typically stem from the same causes as internal vulnerabilities, particularly in web servers, website code, border routers, and firewalls.

An organization’s electronic security perimeter can be thought of as the demarcation boundary between its internal IT systems and the Internet.

An internal assessment requires a connection to the local network and provides a knowledgeable insider's view of relative security: what an attacker would see after gaining a connection to the network inside the enterprise's office(s).

An external assessment is performed remotely and provides a knowledgeable outsider's "outside-in" view of relative security, similar to what an Internet-based attacker would see.
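As an added illustration of how the scanning and internal/external classification described above fit together (example code added here, not taken from the original page or from any assessment vendor): the script parses nmap's "grepable" (-oG) output from a version scan, flags each open service whose reported version is older than the assessor's patch baseline, and labels the finding internal or external according to whether the host's address falls inside the institution's own address space.  The scan lines, the baseline versions and the internal address ranges are all constructed for the example and are not real scan data or vendor advisories.

```python
"""Triage helper for a vulnerability assessment: parse nmap grepable (-oG)
version-scan output, flag services whose reported version is older than the
assessor's patch baseline, and label each finding internal or external by
whether the host sits inside the institution's own address space."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of nmap -sV -oG output (not real scan data).
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.20.1.15 (fileserver01.corp.example)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.4/, "
    "445/open/tcp//microsoft-ds//Windows Server 2012 R2 microsoft-ds/"
    "\tIgnored State: closed (998)\n"
    "Host: 203.0.113.10 (www.example-bank.test)\tPorts: "
    "443/open/tcp//https//Apache httpd 2.4.6/, "
    "22/filtered/tcp//ssh///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

# Constructed policy baseline: the lowest version the assessor accepts as
# patched.  An assumption for the example, not a vendor advisory or CVE list.
MIN_VERSION = {
    "OpenSSH": (8, 0),
    "Apache httpd": (2, 4, 50),
}

# Constructed: the address space the institution treats as inside its
# electronic security perimeter (RFC 1918 ranges here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")
VERSION_RE = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)*)")


@dataclass
class Finding:
    host: str
    hostname: str
    scope: str       # "internal" or "external"
    port: int
    product: str
    version: str
    minimum: str


def scope_of(ip, internal_nets):
    """Internal if the address is in the institution's own ranges, else external."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in n for n in internal_nets) else "external"


def parse_version(text):
    """Split 'OpenSSH 7.4' into ('OpenSSH', (7, 4)); None if no version number."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def assess(scan_text, min_versions=MIN_VERSION, internal_nets=INTERNAL_NETS):
    """Return one Finding per open service running below its baseline version."""
    findings = []
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no port table
        ip, hostname, ports = m.groups()
        scope = scope_of(ip, internal_nets)
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # closed/filtered ports expose no service
            parsed = parse_version(fields[6])
            if not parsed:
                continue  # no version detected, nothing to compare
            product, ver = parsed
            baseline = min_versions.get(product)
            # Tuple comparison is lexicographic, so (2, 4) < (2, 4, 50).
            if baseline and ver < baseline:
                findings.append(Finding(ip, hostname, scope, int(fields[0]), product,
                                        ".".join(map(str, ver)),
                                        ".".join(map(str, baseline))))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_SCAN):
        print(f"{f.scope:8} {f.host:15} {f.port:5} {f.product} {f.version} < {f.minimum}")
```

Run against the constructed sample, the script reports an internal finding (OpenSSH 7.4 on the file server, below the 8.0 baseline) and an external finding (Apache httpd 2.4.6 on the public web server).  The filtered SSH port on the web server is skipped because it exposes no service, and the Windows file service is skipped because the constructed baseline has no entry for it; a real assessment would map detected versions to the vendor's advisories rather than to a hand-written table.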