2023 IT Examiner School

Internal Use Only

Risk Assessment: Identification & Valuation

• Institutions may value assets in a variety of ways. • Asset’s replacement value • Revenue loss • Reputation • Sensitivity of the data, etc. • No right or wrong way, but it makes sense and retain an internal consistency.

Internal Use Only

Risk Assessment Process

Identify and value Information assets

Identify potential internal/external threats and/or vulnerabilities

Assess likelihood & impact of threats/vulnerabilities

Risk Response (Accept, Transfer, Reduce, Ignore)

Assess sufficiency of risk control policies, procedures, information systems, etc.