IT Examiner School - Oct 2025
Internal Use Only
Risk Terms Level Set
• Asset: Anything of value to the organization.
• Vulnerability: A weakness, or the absence of a safeguard (control).
• Threat: Something that could cause loss to all or part of an asset.
• Threat Agent: The party or mechanism that carries out the attack.
• Exploit: An instance of compromise.
• Risk: The probability of a threat materializing.
• Controls: Physical, administrative, and technical protections.
• Safeguard: Deterrent or preventive controls.
• Countermeasure: Detective or corrective controls.
• Inherent Risk: The risk before any control is implemented.
• Residual Risk: The risk left over after applying a control.
• Secondary Risk: A new risk event triggered by the response to another risk.
Why have a Risk Assessment?
A Risk Assessment is a foundational component of any robust Information Security Program. Its primary purpose is to identify, evaluate, and prioritize risks to information assets, business operations, and overall organizational stability. By understanding these risks, organizations can implement targeted controls to mitigate vulnerabilities, prevent data breaches, and ensure regulatory compliance.
• Compliance: Ensures alignment with regulatory requirements (GLBA, NYDFS 23 NYCRR 500, HIPAA).
• Business Alignment: Aligns the protection of information assets with business objectives.
• Prevents Loss: Identifies potential risks that could lead to data breaches or critical information loss.
• Trust and Reputation: Protects the trust between financial institutions and their customers.
• Operational Stability: Reinforces the safety and soundness of the institution.