IT Examiner School - Oct 2025

Internal Use Only

Attributes of a Satisfactory Risk Assessment

What key elements are you seeking to identify in a Risk Assessment to ensure its thoroughness and compliance?

• Formally Written
• Mitigation Strategy
• Include Risk Acceptance
• Traceable to Risk Monitoring & Control Testing
• Link Risk to Safeguards
• Reviewed and Updated
• Include Assets, Assess Vulnerabilities, Likelihood


These materials are for internal training purposes for NYS DFS Staff. They may not be distributed outside the department.


Attributes of a Satisfactory Risk Assessment

Risk Assessment Governance & Ownership

• Board / Risk Committee: approves methodology, reviews residual risk
• Senior Management: oversees execution, integrates results into strategy
• CISO / IT Risk Officer: leads process & reporting, maintains documentation
• System & Business Owners: validate assets & risk ratings
• Trigger Events: new system/vendor, major upgrade, incident, regulation change → update RA
