#126223 - 10/28/03 08:04 PM Information Security Risk Assessment
HR Banker Offline
Diamond Poster
Joined: Oct 2002
Posts: 1,027
I'm looking for a sample risk assessment matrix dealing with information security. I've reviewed past posts discussing information security and risk assessment but haven't been able to find what I'm looking for. I'm trying to see how detailed a matrix needs to be in the areas covered. I'm just looking for a place to start.

#126224 - 10/28/03 09:13 PM Re: Information Security Risk Assessment
Anonymous
Unregistered

The FFIEC Information Security Booklet was updated as of December 2002 and is available at www.ffiec.gov. The Information Security Booklet is part of the overall IT Examination Handbook. The Booklet has the security testing section, monitoring section, as well as examination procedures. You can't get much more detailed than this Booklet, and it's free.

#126225 - 10/29/03 07:05 PM Re: Information Security Risk Assessment
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
Do you check under the Bankers Tools section of BOL? I think there may be some sample matrices there.

#126226 - 10/29/03 08:12 PM Re: Information Security Risk Assessment
Pale Rider Offline
10K Club
Pale Rider
Joined: Aug 2002
Posts: 34,318
under the Lone Star
We are just about at the end of an IT exam by the FDIC. They have reviewed our risk assessment and indicated it was very adequate. All we did was follow the language of the regulation. So we have all the risks identified in the first column, and the remaining columns are as follows:

Data type (physical or electronic)
Threat Type (Unauthorized disclosure, misuse, alteration, or destruction)
Likelihood of Occurrence
Potential Damage to the Bank
Sufficiency of policies, procedures and controls, and
Risk Mitigation Comments
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


#126227 - 10/29/03 08:16 PM Re: Information Security Risk Assessment
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
Don, how did you go about testing the controls you have detailed in your risk assessment? Did you test all controls or only IT related ones? This was a deficiency noted in our last internal audit of IT/Info Security and I'm not quite sure how to test controls other than the obvious like penetration system testing, etc. Thanks!

#126228 - 10/29/03 08:30 PM Re: Information Security Risk Assessment
Pale Rider Offline
10K Club
Pale Rider
Joined: Aug 2002
Posts: 34,318
under the Lone Star
Pam:
Our internal audit department would test the controls in their integrated audits of individual departments. But the examiners did no testing of the controls and neither did our external audit vendor for IT (Deloitte-Touche). So I guess we got a pass and they just took our word that the controls would be tested in the normal course of internal and external audits.

