Information Security Risk Assessment

Answered by: 

Question: 
I just read in ABA Bankers News, Volume 10, Issue 13, front page, about Examiners asking for our "Information Security Risk Assessment". I am confused as to what the examiners are looking for.
Answer: 

The Risk Assessment is a phase you go through when constructing an Information Security Program. The reason the examiners are asking for your Risk Assessment documents is that the Risk Assessment is considered a vital step in the formation of any Information Security Program. For those institutions that followed the proper procedures in coming up with their Information Security Program, it is just some of the paperwork they created during the process of creating the Program. The Risk Assessment documents all potential risks to a financial institution's customers' data and the countermeasures selected to control those risks. The risks should range from simple internal threats such as "shoulder surfing" (a third party looking at customer information on an employee's desk or computer monitor) to complex external threats like a computer hacker breaking into your computer system by virtue of an unpatched security flaw in some system.

A few documents that should help you perform a good risk assessment are:
NIST Special Publication 800-18 "Guide for Developing Security Plans for Information Technology Systems"
and
NIST Special Publication 800-14 "Generally Accepted Principles and Practices for Securing Information Technology Systems"

First published on BankersOnline.com 9/2/02