BOL Conferences
#1146080 - 03/17/09 01:27 PM IT Risk Management Program
Merry Offline
New Poster
Joined: Dec 2003
Posts: 9
We have the required IT Risk Assessment and have been updating it annually and when new products are added.

We just had an external IT Audit and were told we need to have an IT Risk Management Program/Policy. Does anyone have a sample they'd be willing to share? I really hate 'recreating the wheel'.

Thank you.

Audit
#1146203 - 03/17/09 03:14 PM Re: IT Risk Management Program Merry
YaYa Offline
Junior Member
Joined: May 2008
Posts: 48
Ohio
Are you a SOX bank?

We are a SOX bank and have two separate policies that govern our program (Information Security Policy and IT Operations Policy). We also have a Vendor Mgt. Policy. I guess you could combine them into one policy but I prefer to have them separate.

The manual for the programs is combined, but each program has its own documents. See the Table of Contents below.

Hope this helps!

Subject
Overview
Security Objectives
Information Security Policy Framework
Information Security Policy Availability and Maintenance
Regulations Addressed
Security Policy Exceptions
Security Policy Violations
Information Security Roles and Responsibilities
The Board of Directors
IT Steering Committee
Senior Management
Employees
Board Reporting
Risk Management
Risk Control and Management
Risk Assessment
Risk Management Program Review
Information Security Documents
1. Confidentiality and Non-Repudiation
2. Vendor Management and Service Provider Oversight
3. Third-Party Security
4. Incident Response and Reporting
5. Acquisition
6. Access Rights Review
7. User Access
IT Documents
1. Auditing, Logging and Monitoring
2. Authentication and Authorization
3. Password Management
4. Back-up and Recovery
5. Network and Remote Access
6. Physical Access
7. Anti-virus
8. System configuration, Software Usage, and Licensing
9. Patch Management
10. Change Control
11. Data Management
12. Appropriate Usage
13. Separation of Duties
14. Problem Resolution
