Cyber & IT Supervisory Forum - November 2023
Internal Use Only
Example Inherent Risk Assessments
Asset/Technology Grouping           | Potential Threat/Damage/Risk | Impact | Likelihood | Inherent Risk
Core server                         | Employee Fraud               | Medium | Medium     | Medium
Core server                         | Unauthorized Access          | High   | High       | Medium
Application System/technical assets | Software Vulnerabilities     | Medium | Medium     | Medium
Data Center                         | Fire/flood                   | High   | Low        | Medium
Network                             | Denial of Service            | High   | Medium     | Medium
Inherent Risk

Threat                                        | Probability | Impact       | Inherent Risk
Non Compliance - FFIEC, PCI, HIPAA, etc.      | 2 Sometimes | 3.5 Critical | 7 Moderate
Natural Interruption                          | 1 Rarely    | 3 Moderate   | 3 Low
Web Application Compromise                    | 5 Constant  | 5 Critical   | 25 High
Database Compromise                           | 4 Frequent  | 4.5 Moderate | 18 High
Social Engineering - Impersonation (Physical) | 4 Frequent  | 4 Critical   | 16 High
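As an added worked example (not part of the forum slides), the scoring behind the second table implemented as a small risk-register checker. It assumes, from the slide's figures, that the inherent risk score is probability multiplied by impact; the rating-band thresholds (below 5 Low, below 10 Moderate, otherwise High) and the ordering of the qualitative labels are assumptions chosen to reproduce the slide's results. It also flags rows where a higher numeric impact carries a lower qualitative label than a lower one, which is the kind of inconsistency a reviewer would want to catch in a register like this.

```python
from dataclasses import dataclass
from itertools import combinations

# Assumed ordering of the qualitative labels; the slide does not define one.
LABEL_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}

def rating_band(score: float) -> str:
    """Assumed thresholds, chosen to reproduce the slide (3 Low, 7 Moderate, 16+ High)."""
    if score < 5:
        return "Low"
    if score < 10:
        return "Moderate"
    return "High"

@dataclass(frozen=True)
class RiskRow:
    threat: str
    probability: float
    probability_label: str
    impact: float
    impact_label: str
    @property
    def inherent_risk(self) -> float:
        # Inherent risk = probability x impact, inferred from the slide's figures.
        return self.probability * self.impact

def score_register(rows):
    """Return (threat, score, rating band) for every row of the register."""
    return [(r.threat, r.inherent_risk, rating_band(r.inherent_risk)) for r in rows]

def label_inversions(rows):
    """Pairs where a higher numeric impact carries a lower qualitative label."""
    issues = []
    for a, b in combinations(rows, 2):
        lo, hi = sorted((a, b), key=lambda r: r.impact)
        if lo.impact < hi.impact and LABEL_RANK[lo.impact_label] > LABEL_RANK[hi.impact_label]:
            issues.append((hi.threat, hi.impact_label, lo.threat, lo.impact_label))
    return issues

# Register transcribed from the slide's second table.
REGISTER = [
    RiskRow("Non Compliance - FFIEC, PCI, HIPAA, etc.", 2, "Sometimes", 3.5, "Critical"),
    RiskRow("Natural Interruption", 1, "Rarely", 3, "Moderate"),
    RiskRow("Web Application Compromise", 5, "Constant", 5, "Critical"),
    RiskRow("Database Compromise", 4, "Frequent", 4.5, "Moderate"),
    RiskRow("Social Engineering - Impersonation (Physical)", 4, "Frequent", 4, "Critical"),
]

if __name__ == "__main__":
    print(*score_register(REGISTER), *label_inversions(REGISTER), sep="\n")
```

Run as-is it reproduces the slide's five scores and bands, and reports the 4.5 "Moderate" impact of Database Compromise as ranked below the 3.5 and 4 "Critical" impacts of two other rows.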
Controlled + Residual Risk Ratings
Assesses sufficiency of controls
Control framework