Baseline Nonbank Cybersecurity Exam Program
Question 8
Are written policies and procedures in place for secure destruction and disposal of physical and electronic records of sensitive information?
Question 9
Is there a documented Risk Assessment process that includes inherent and residual risk identification?
• Asset Identification
• Risk Identification
• Risk Assessment and Measurement: Analyze the risk (likelihood/impact on specific assets); the process should allow you to rank/measure risk (High, Medium, Low for impact and likelihood - and definitions should be provided)
• Risk Mitigation: Identify and prioritize ways to reduce those risks; describe how identified risks will be mitigated or accepted
• Risk Monitoring