
Risk Assessment

Business Impact Analysis

Risk Assessment on Business Impact Analysis


Impact

Asset Value   Abbreviation   Definition                 Value
Very High     VH             Exceeding P4,000,000       4
High          H              P2,000,000 - P3,999,999    3
Medium        M              P101,000 - P1,999,999      2
Low           L              Below P100,000             1

Criticality

Asset Value   Abbreviation   Definition
Very High     VH             76-100
High          H              51-75
Medium        M              26-50
Low           L              0-25

Based on the BIA submitted by the Information Security Office, the processes that become critical after 1 hour of
downtime are the following:

1. Business Areas/Risk Owner

[ ] Deposit Taking (SMG, BSSD, Treasury, Other Dept. as applicable)
[ ] Credit Lending (AMD/ Credit Services, LAID, Jewelry Loans & Other dept. as applicable)
[X] Support Services (HR, IT, GAD, & Other dept. as applicable)
[ ] Other (e.g. Trust, IAD, ISO & Other dept.)

Department/Units: IT Department

2. Risk Type

[ ] People/Personnel
[X] Software
[ ] Information
[ ] Process

Process: ATM Switch



Estimated Criticality if not done in 4 hours (intangible and tangible): 51.25% High
Estimated Impact Value (Tangible and Intangible): P2,000,000 - P3,999,999
Probability:

3. Probability & Impact

Probability          Impact
[X] Low              [ ] Limited
[ ] Medium           [ ] Moderate
[ ] High             [X] Severe

RISK METRICS                        Probability / Recurrence
Severity / Impact         Low                   Medium                High
Limited Risk              Minor / Accept        Monitor Risk          Mitigate Risk (DL)
Moderate Risk             Monitor Risk          Mitigate Risk (DL)    Manage Risk (OPCOM)
Severe / Critical Risk    Mitigate Risk (DL)    Manage Risk (OPCOM)   Substantial Risk Management is Required (MANCOM)

Threat

* Stealing of Virtual Circuit (VC). Switches forward cells based on the VCI (Virtual Channel Identifier)
  or VPI (Virtual Path Identifier) in the cell header. If an attacker manages to change these values at the
  end-point switches of an ATM connection, the traffic is misled onto another path with a better connection
  and forwarded to the attacker's cell. The switches in the middle will not notice these changes and will
  switch the 'faked' cells just like authentic cells.
* Service Denial. If an attacker sends a RELEASE or DROP PARTY signal to any intermediate switch along the
  path of a VC, the VC will be disconnected. By sending these signals frequently, the attacker can greatly
  disturb communication between one user and another, and therefore disable the Quality of Service of ATM.

Vulnerabilities

* FTP Port Bounce
* Outdated Operating System that cannot be updated by patches
* Hardware was purchased back in 2003

4. Risk Management Recommendation

[ ] Tolerable/Acceptable
[X] For Monitoring / Action Item for Concerned Dept.
[ ] For Mitigation / Action Item for OPCOM
[ ] For Management / Action Item for Mancom

Prepared by: _________________________ Concurred by:_____________________



Risk Treatment

1. Tolerate Risk – CSBI may tolerate a risk if the impact is low and the probability is low, provided that the
risk is residual and not inherent.

Threshold
Quantifiable Risk: Below P100,000 cost impact to the bank and not recurring
Qualitative Risk:  Reputation risk or impact to CSBI business is low

2. For Monitoring – Risk Management shall coordinate with the concerned line department for early
mitigation.

Threshold
Quantifiable Risk: P101,000 - P1,999,999 cost impact to the bank and not recurring
Qualitative Risk:  Reputation risk or impact to CSBI business is moderate

3. Monitor and Mitigate Risk – if the overall impact is high and the event is recurring, RMD shall
monitor and mitigate the risk by sending a memo and informing the OPCOM regarding the risk (For Action
Item to OPCOM).

Threshold
Quantifiable Risk: P2,000,000 - P3,999,999 cost impact to the bank with occasional recurrence (i.e. at
least once a month)
Qualitative Risk:  Reputation risk or impact to CSBI business is high

4. Substantial Risk Management Required – shall be reported immediately to management as an action
item for board approval. Management is to formulate enhanced policies and procedures to treat the risk.

Threshold
Quantifiable Risk: Exceeding P4,000,000 cost impact to the bank with frequent recurrence (i.e.
habitual, occurring more than twice a month)
Qualitative Risk:  Reputation risk or impact to CSBI business is high

*The amounts indicated in the thresholds are based on the BIA values.
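The Impact and Criticality bands, the probability x impact matrix in section 3 and the four treatment thresholds above are all rules that can be evaluated mechanically, which makes an assessment reproducible from one reviewer to the next. The script below is an added example, not CSBI's own tool and not part of the form: the band edges, labels and escalation owners (DL, OPCOM, MANCOM) are copied from the form as printed, while the function names, the Assessment and Treatment types, the choice to send a Very High impact to the Severe row, and the figures used for the ATM Switch case are this example's own assumptions.

```python
"""Risk scoring helper built from the bands, matrix and treatment thresholds
on the form above.  Constructed example, not CSBI's tool: band edges, labels
and owners come from the form; function names, the Assessment/Treatment types
and the sample figures are this example's assumptions."""

from dataclasses import dataclass
from typing import Optional


def impact_band(cost_pesos: float) -> tuple:
    # "Exceeding P4,000,000" is read as strictly greater.  The form leaves
    # P100,000 - P100,999 unassigned; this example folds that gap into Low.
    if cost_pesos > 4_000_000:
        return ("Very High", "VH", 4)
    if cost_pesos >= 2_000_000:
        return ("High", "H", 3)
    if cost_pesos >= 101_000:
        return ("Medium", "M", 2)
    return ("Low", "L", 1)


def criticality_band(score_pct: float) -> tuple:
    # The form prints integer ranges (51-75 etc.); a fractional score such as
    # the form's own 51.25% lands in the band whose lower edge it reaches.
    if not 0 <= score_pct <= 100:
        raise ValueError("criticality must be a 0-100 percentage")
    if score_pct >= 76:
        return ("Very High", "VH")
    if score_pct >= 51:
        return ("High", "H")
    if score_pct >= 26:
        return ("Medium", "M")
    return ("Low", "L")


# Severity row for each Impact band.  The form ties Low/Medium/High impact to
# the Limited/Moderate/Severe rows; the matrix has no Very High row, so
# sending VH to Severe is this example's assumption.
SEVERITY_FOR_IMPACT = {"L": "Limited", "M": "Moderate", "H": "Severe", "VH": "Severe"}

# (severity row, probability column) -> (risk response, action item owner).
RISK_MATRIX = {
    ("Limited", "Low"): ("Minor / Accept", None),
    ("Limited", "Medium"): ("Monitor Risk", None),
    ("Limited", "High"): ("Mitigate Risk", "DL"),
    ("Moderate", "Low"): ("Monitor Risk", None),
    ("Moderate", "Medium"): ("Mitigate Risk", "DL"),
    ("Moderate", "High"): ("Manage Risk", "OPCOM"),
    ("Severe", "Low"): ("Mitigate Risk", "DL"),
    ("Severe", "Medium"): ("Manage Risk", "OPCOM"),
    ("Severe", "High"): ("Substantial Risk Management Required", "MANCOM"),
}


@dataclass(frozen=True)
class Assessment:
    impact: str
    impact_value: int
    criticality: str
    severity: str
    probability: str
    risk: str
    owner: Optional[str]


def assess(cost_pesos: float, criticality_pct: float, probability: str) -> Assessment:
    """Section 3 of the form: band both inputs, then read the matrix cell."""
    if probability not in ("Low", "Medium", "High"):
        raise ValueError("probability must be Low, Medium or High")
    impact, abbrev, value = impact_band(cost_pesos)
    criticality, _ = criticality_band(criticality_pct)
    severity = SEVERITY_FOR_IMPACT[abbrev]
    risk, owner = RISK_MATRIX[(severity, probability)]
    return Assessment(impact, value, criticality, severity, probability, risk, owner)


@dataclass(frozen=True)
class Treatment:
    tier: int
    name: str
    action_item_for: Optional[str]
    recurrence_matches: bool  # observed frequency fits the tier's stated recurrence


def treatment_for(cost_pesos: float, recurrences_per_month: int) -> Treatment:
    """Risk Treatment tier from the quantifiable thresholds.  The cost band
    picks the tier; the form is silent on what to do when the observed
    recurrence does not match that tier's wording, so the mismatch is
    reported in recurrence_matches instead of being guessed at."""
    if cost_pesos > 4_000_000:
        return Treatment(4, "Substantial Risk Management Required", "MANCOM",
                         recurrences_per_month > 2)
    if cost_pesos >= 2_000_000:
        return Treatment(3, "Monitor and Mitigate Risk", "OPCOM",
                         recurrences_per_month >= 1)
    if cost_pesos >= 101_000:
        return Treatment(2, "For Monitoring", "Concerned department",
                         recurrences_per_month == 0)
    return Treatment(1, "Tolerate Risk", None, recurrences_per_month == 0)


if __name__ == "__main__":
    # The form's ATM Switch case: criticality 51.25%, impact band
    # P2,000,000 - P3,999,999 (lower edge used as the constructed figure),
    # probability ticked Low, and no recurrence assumed for the example.
    print(assess(2_000_000, 51.25, "Low"))
    print(treatment_for(2_000_000, 0))
```

Running the ATM Switch figures through `assess` lands in the Severe row, Low column of the matrix as printed, and `treatment_for` flags that a P2,000,000 - P3,999,999 estimate with no observed recurrence does not fit tier 3's "at least once a month" wording; both outputs are meant as input to the reviewer who fills in section 4, not as a replacement for that judgement.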
