BOL Conferences
#110891 - 08/29/03 01:10 PM Safeguarding Risk Assess. Testing
P*Q
Our internal auditor cited, in our last audit of safeguarding of customer information, the fact that we have a risk assessment matrix; however, we have not conducted the testing piece as required by the regulation. Can anyone shed some light on this? What should we be testing, and how? Thanks!

#110892 - 08/29/03 02:02 PM Re: Safeguarding Risk Assess. Testing
Anonymous

I think your IA is referring to the testing of the controls, processes and procedures of your ISP. While the Risk Assessment provides insight into where, and with what concentration, risk lies, the testing facet subjectively challenges the controls for ensuring InfoSec.

Possible testing relating to administrative controls:
check disposal of sensitive paper, cust info stored properly, incident response escalation testing, etc.

Possible testing relating to technical controls:
penetration testing, internal/external threat analysis, password guessing, intruder detection lock-out, electronic sec certificate validation, etc.

Possible testing relating to physical controls:
checking locked doors, restricted area admission logging, anti-static precautions, off-site tape security transit/storage/rotation, etc.

-g

#110893 - 09/05/03 05:22 PM Re: Safeguarding Risk Assess. Testing
Rangers Fan
Pam, you may want to check out the guidance out there for this info, because it tells you exactly what needs to be reviewed: the Interagency Guidelines on Standards for Safeguarding Customer Information. Use this as a guide to take you step by step through what needs to be looked at, trained on, and tested. This will help tremendously in doing your risk assessment. And do have fun!
