IT Examiner School - Oct 2025

Internal Use Only

Risk Assessment: The Process

Assess sufficiency of risk control policies, procedures, information systems, etc.

Identify potential internal/external threats and/or vulnerabilities

Assess likelihood & impact of threats/vulnerabilities

Risk Response (Accept, Transfer, Reduce, Ignore)

Identify and value information assets


These materials are for internal training purposes for NYS DFS Staff. It may not be distributed outside the department.


What Are Risk Assessments

What it is...

- A process to identify, analyze, and prioritize risks to business operations and information assets.
- A way to understand the potential impact of risks and determine the necessary controls to mitigate them.
- A mechanism to align security investments with business risk.
- A compliance requirement for many regulatory bodies, and the basis for any security framework.
- A driver for improved risk communication across teams and stakeholders.

What it is not...

- A one-time project; it is an ongoing process that evolves with the threat landscape.
- A replacement for regular security controls or monitoring; it highlights risks but doesn't fix them.
- A guarantee of security; it's an analysis tool, not a security solution.
- Solely a checklist exercise; it requires analysis, strategy, and action.
- Independent of business objectives; it is directly tied to business continuity and data protection.
