IT Examiner School, Providence, RI

Risk Assessment Process

CFR Part 314/GLBA requires each financial institution to:

- Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
- Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Risk Assessments

Often considered the basis for developing formal risk management strategies.

The risk assessment process is ongoing, not a one-time exercise.

A risk assessment should generally:

- Identify and value assets
- Identify potential risks/threats/vulnerabilities
- Rank the threats/vulnerabilities
- Document mitigating controls

Helps to determine the scope and frequency of the audit program (and other controls testing)

Risk assessments take many forms. The content of the risk assessment is more important than the format.
