
What's The "Information Security Risk Assessment"?


I just read in ABA Bankers News, Volume 10, Issue 13 front page about Examiners asking for our "Information Security Risk Assessment". I am confused as to what the examiners are looking for.

The Risk Assessment is a phase you go through when constructing an Information Security Program. The reason the examiners are asking for your risk assessment is because it is considered a vital step in the formation of any information security program ("ISP"). Those institutions that followed proper procedures in developing their ISP will find that the risk assessment would have been documented during the process of creating the ISP. The Risk Assessment identifies all potential risks to a financial institution's customers' data, assesses the likelihood of the threat and the potential severity of damage, and describes the countermeasures selected to control those risks. The risks should range from simple internal threats, such as unauthorized disclosures occurring through a third party looking at customer information on an employee's desk or computer monitor, to complex external threats such as a computer hacker breaking into your computer system by virtue of an unpatched security flaw in some system.

A few documents that should help you perform a good risk assessment are:

NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems"
NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems"

First published on 9/16/02