2023 IT Examiner School

Internal Use Only

Why have a Risk Assessment? Helps organizations identify inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations • Without a Risk Assessment: • Not in compliance with GLBA (Appendix B of Part 364 of the FDIC Rules and Regulations) • Protection of information assets are not aligned with business objectives or regulatory requirements • Loss (or compromise) of critical information can be catastrophic • Loss of trust between a financial institution and its customers • Harms the safety and soundness of institution

Internal Use Only

Information Security “CIA TRIAD”

• Confidentiality. Only authorized entities, have access to the data. • Integrity. There are no unauthorized modifications of the data. • Availability. Authorized entities can access the data when and how they are permitted to do so.