2023 IT Examiner School

Internal Use Only

Examples of Assets to be Protected

People • Expertise, corporate memory

Hardware • CPU, routers, drives

Software • OS, applications, source code

Data • Database, files, email, backups

Documentation • Loan & deposit documents • Disclosures • Signature cards

Third Parties • Processors • Aggregators

Cloud • AWS • Salesforce • Jira

Internal Use Only

Identifying Asset Sensitivity

Once the assets are identified, their criticality & sensitivity must be valued

It is critical to differentiate the importance of assets so that institutions can assign priorities & appropriate controls

It is the firm’s responsibility to provide definitions for the classifications they use in their risk assessment

Management should be able to define all terms used in the risk assessment