IT Examiner School, Seaside, CA

IT Exam: Expanding the Depth of the Risk Assessment Review

• Plan to expand the depth when:
  – A risk assessment has not been previously reviewed.
  – There have been changes in management and/or environment.
  – The risk assessment has been completed with limited input from other departments.
  – There are discrepancies between the bank services/topology and assets identified in the risk assessment.
  – Significant audit and independent review findings are evident.
  – You are not confident with management's responses.

Risk Assessment Summary

• The risk assessment process is an ongoing process

• A risk assessment should:
  – ID and value assets
  – ID potential threats/vulnerabilities
  – Rank the threats/vulnerabilities

• Seek clarification from management regarding vague references, assumptions, risk assessment findings, rating definitions, etc.

• Risk assessments can take many forms
