TRAC™ is efficient, effective, and easy!
 
700 S Washington Ave
Ste 200
Madison, SD 57042-3517
605-270-3321
TRAC™ - Risk Assessment
 

Identify Information Assets, Vendors, and Service Providers

An institution needs to identify its information assets. Information assets include software, hardware, communication devices, vendors, etc., which either store or transmit information. TRAC™ has over 100 different types of assets common to financial institutions listed in its database; an institution simply selects the assets it has.

Identifying Information Assets
 

Develop Protection Profiles

Each asset needs a protection profile based on the information it stores or transmits. The protection profile is determined by identifying the level of confidentiality, integrity, availability, and volume (CIAV) of the information the asset holds. TRAC™ pre-defines the CIAV level based on the asset type. For example, a core banking system possesses information with the following rating: C = High, I = High, A = High, and V = High.

Developing Protection Profiles
 

Identify Threats

Security threats need to be identified for each asset, including their probability of occurring and their potential impact on the institution. TRAC™ pre-defines the list of threats for each individual asset, including the probability and impact of each.

Identifying Threats
 

Apply Controls

Security controls can be implemented to mitigate risk and protect assets against the threats determined in the previous step. TRAC™ pre-defines a list of security controls that can be used to protect assets. The institution simply checks “Yes” on the security controls it has implemented. Each control is weighted based on the amount of risk it reduces for an asset.

Applying Controls
 

Generate Risk Reports

TRAC™ will produce customized risk reports. The reports are more than just documents to prove to examiners that a risk assessment is complete. They provide guidance as to where the highest level of information security exposure is, and they should be used to help the institution determine what it can do about it. These reports can tell an institution where to spend its next security dollar.

Generating Risk Reports