Information Security Risk Assessment

RELEASE DATE:  JULY 15, 2024
ESTIMATED DURATION: 60 MINUTES

Risk assessments are an essential element of overall risk management along with providing the basis for many of your policies, plans, and programs like your information security program, audit program, and business continuity plan.  The basis for the risk assessment mandated by GLBA in 2000 was initially thought to be oriented to IT, thus the requirement for an IT Risk Assessment after all it is the IT examiners that are evaluating it.  However, today the focus has shifted to an enterprise-wide information security risk assessment that encompasses the entire organization where IT is a key component.  Needless to say the change in nomenclature and focus has created some confusion and the fact that the regulators do not prescribe to any specific format, only content, many organizations are finding their assessment being criticized during their exams and audits.   A properly structured enterprise-wide information security risk assessment will not only help you focus your resources and budget dollars where they are needed, but also provide the basis for your information security program and audit program.  The right approach will also get you off to a running start on your business continuity risk assessment as well.

This presentation will provide an approach for developing an enterprise-wide information security risk assessment and a framework that can be adapted to the other numerous risk assessments now required.

If you have asked these questions, then this session is for you:

• What is meant by enterprise-wide?
• Where do I start?
• Can I outsource the risk assessment?
• Is there an approved format or template?

Objectives:

• Understanding the difference between IT and enterprise-wide risk assessments
• Simplifying the approach
• Developing a matrix

MEET THE SUBJECT MATTER EXPERT

Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise. During her 14-year tenure as an examiner, Susan held numerous lead positions including Regional IT Examination Specialist, Special Assistant to the Regional Director, Special Assistant to the Director of DSC, and Special Assistant to the Vice Chairman of the FDIC. Susan was also a lead instructor for the FDIC’s technology school and was instrumental in key industry initiatives such as the FDIC E-Risk Strategic Initiatives Risk Monitoring Committee, the Chicago Region Interagency Technology Group, and the Federal Financial Institutions Examination Council (FFIEC) IT Handbook rewrites.

Prior to launching her consulting practice, Susan was Vice President of Regulatory Compliance for an Internet security company where she advised staff, customers, and partners on regulation, security, and risk management.