IT Examiner School eBook May 2025

Internal Use Only

Risk Assessment from a Management Component Perspective

• The Board is responsible for communicating its risk tolerance to management.
• Management is responsible for performing the risk assessment, ensuring that the risk assessment is complete, accurate, and reasonable, and reporting the results to the Board.
• Risk acceptance decisions should be made at the Board level.
• Review Board minutes for evidence supporting the answers management provides during discussions (e.g., approval or discussion of risk assessment findings, risk acceptance decisions).


Compliance

Gramm-Leach-Bliley Act
• Interagency Guidelines Establishing Information Security Standards

Fair and Accurate Credit Transactions Act – ID Theft Prevention and Red Flags
• Interagency Guidelines on Identity Theft Detection, Prevention & Mitigation
