Skip to content
BOL Conferences
Thread Options
#2206703 - 02/21/19 05:30 PM IT and GLBA Risk Asssessments
Dlynn58 Offline
Platinum Poster
Joined: Mar 2006
Posts: 789
Texas
We were told a few years back by an examiner that is was ok to combine our GLBA and IT Risks Assessments which we did. We have had no issues at all, but now it is "suggested" that we split them. I do not have a problem doing that, but was wondering if anyone had a template for an IT Risk Assessment. We are a small community bank and only have one branch. I realize every bank's risk is different, but I just want to see what everyone is including on the assessment. Any help would be appreciated. Thanks.

Return to Top
Risk Management
#2206732 - 02/21/19 08:38 PM Re: IT and GLBA Risk Asssessments Dlynn58
bcompliance Offline
Diamond Poster
Joined: Sep 2014
Posts: 1,294
ask them for a citation where it has to be a separate document
_________________________
CRCM, CAMS

Return to Top
#2206777 - 02/22/19 01:36 PM Re: IT and GLBA Risk Asssessments Dlynn58
Adam Witmer Offline
Power Poster
Joined: Sep 2010
Posts: 2,658
A agree with bcompliance that there isn't a citation for this, but there definitely is a trend where examiners want to see a segregation of info security and IT. At least they do when it comes to the IS officer and the IT officer, so I can see why this desired segregation would trickle down to the risk assessment(s).

That said, there isn't a citation for this so it really is more of a recommendation or (dare I say) best practice.
_________________________
Adam Witmer, CRCM

All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com

Return to Top
#2206786 - 02/22/19 02:18 PM Re: IT and GLBA Risk Asssessments Dlynn58
Dlynn58 Offline
Platinum Poster
Joined: Mar 2006
Posts: 789
Texas
That is correct. It was just a recommendation along with the segregation of an IS and IT officer. We chose to go ahead and separate the two. The explanation for the two separate risk assessments were because of the different risks. GLBA being how you protect your customer data and IT being more on the technology side. How you protect your systems information. Connectivity, cloud storage. patch management, etc.. After doing some digging, I found what I needed. Thanks for your input.

Return to Top
#2206788 - 02/22/19 02:42 PM Re: IT and GLBA Risk Asssessments Dlynn58
bcompliance Offline
Diamond Poster
Joined: Sep 2014
Posts: 1,294
I guess as long as you can distinguish between the two and could explain what you're doing to the examiner, I'm not really sure why it would matter if it was one spreadsheet or two. To each their own...
_________________________
CRCM, CAMS

Return to Top

Moderator:  Andy_Z