IT Risk Assessment
State and federal mandates require your organization to protect against unauthorized access or use of customer information that could result in substantial harm or inconvenience to any customer. As such, you must not only consider risk to the business entity, but also risk to your non-public customer information.
In general, an IT risk assessment must be sufficient in scope to:
- Discover reasonably identifiable threats from within and outside an institution’s operations that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems
- Discover reasonably foreseeable threats due to the disposal of customer information
- Examine the existing security controls to evaluate their sufficiency and identify any weaknesses which could put customer information at risk
IT risk assessment is the process used to name and understand risks to the confidentiality, integrity, and availability of information and information systems.
The SMP IT Risk Assessment Methodology identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities.
An IT Risk Assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results provide evidence as to whether or not the selected controls are achieving their intended purpose; and testing results can also be used to validate the basis for accepting risks.
SMP’s IT Security Risk Assessment methodology includes three phases:
Gather Information. The first step in the process of identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution’s risk environment. Information gathering generally includes:
- Reviewing system asset inventory to identify where data resides and is transmitted
- Determining threats to those assets
- Identifying organizational vulnerabilities
- Identifying technical vulnerabilities
- Reviewing current controls and processes (logical and physical)
- Mapping controls to regulatory requirements (GLBA
- Ensuring there is a program to review and update this process
Analyze Information. This second step requires an analysis of all information gathered and includes:
- Identifying and measuring threats (threat scenarios) to the system and data it process, stores, and transmits
- Estimating the likelihood of a threat occurrence
- Analyzing and cross referencing vulnerabilities to current controls identifying where controls are adequate and where they are lacking
- Ranking data and system components according to their sensitivity and importance to the organization's operations while considering the potential harm to customers of unauthorized access and disclosure of customer non-public personal information
Prioritize Responses.The final step in the process generally includes:
- Ranking the outcome and probabilities from the various threat scenarios produced in the analysis phase
- Flagging threats that will be mitigated and those whose risk will be accepted
- Creating a deliverable with findings and recommendations for improvement of any identified weaknesses
Specific to Application Risk Assessments - SMP will evaluate the existing security posture of Applications and Systems that represent potential areas of concern with regards to compliance. We will evaluate the existing process for accuracy and completeness and comment on our findings.