IT Risk Assessment
SMP’s IT Security Risk Assessment methodology includes three phases:
- Gather Information. The first step in identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution’s risk environment. Information gathering generally includes:
  - Reviewing the system asset inventory (data, software, hardware) to identify where data resides and is transmitted (i.e. ASP or in-house)
  - Determining threats to those assets
  - Identifying organizational vulnerabilities
  - Identifying technical vulnerabilities
  - Reviewing current controls and processes (logical and physical)
  - Mapping controls to regulatory requirements (GLBA)
  - Ensuring there is a program to review and update this process
- Analyze Information. The second step requires an analysis of all information gathered and includes:
  - Identifying and measuring threats (threat scenarios) to the system and the data it processes, stores, and transmits
  - Estimating the likelihood of each threat occurring
  - Analyzing and cross-referencing vulnerabilities against current controls, identifying where controls are adequate and where they are lacking
  - Ranking data and system components according to their sensitivity and importance to the organization’s operations, while considering the potential harm to customers from unauthorized access to and disclosure of customer non-public personal information
- Prioritize Responses. The final step generally includes:
  - Ranking the outcomes and probabilities of the various threat scenarios produced in the analysis phase
  - Flagging threats that will be mitigated and those whose risk will be accepted
  - Creating a deliverable with findings and recommendations for improvement of any identified weaknesses
Specific to Application Risk Assessments, SMP will evaluate the existing security posture of applications and systems that represent potential areas of concern with regard to compliance. We will evaluate the existing process for accuracy and completeness and comment on our findings.
An IT Risk Assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of the testing of those controls. Testing results provide evidence as to whether the selected controls are achieving their intended purpose. Testing results can also be used to validate the basis for accepting risks.