What's The "Information Security Risk Assessment"?

Answered by:

Question:
I just read in ABA Bankers News, Volume 10, Issue 13 front page about Examiners asking for our "Information Security Risk Assessment". I am confused as to what the examiners are looking for.

Answer:
The Risk Assessment is a phase you go through when constructing an Information Security Program. The reason the examiners are asking for your risk assessment is because it is considered a vital step in the formation of any information security program ("ISP"). Those institutions that followed proper procedures in developing their ISP will find that the risk assessment would have been documented during the process of creating the ISP. The Risk Assessment identifies all potential risks to a financial institution's customers' data, assesses the likelihood of the threat and the potential severity of damage, and describes the countermeasures selected to control those risks. The risks should range from simple internal threats, such as unauthorized disclosures occurring through a third party looking at customer information on an employee's desk or computer monitor, to complex external threats like a computer hacker breaking into your computer system by virtue of an unpatched security flaw in some system.

A few documents that should help you perform a good risk assessment are:
NIST Special Publication 800-18 "Guide for Developing Security Plans for Information Technology Systems"
and
NIST Special Publication 800-14 "Generally Accepted Principles and Practices for Securing Information Technology Systems"

First published on BankersOnline.com 9/16/02