In January 2003, the FFIEC issued updated guidance on identifying information technology (“IT”) security risks and evaluating the adequacy of controls and the applicable risk management processes. The IT examination handbook serves as a supplement to the regulatory agencies’ guidelines covering Gramm-Leach-Bliley Act (GLBA) Section 501(b). Meeting the regulatory burden of establishing and implementing a systematic approach to measure and quantify information security risk has become a challenge for many small community banks. We recognize that the development and maintenance of an Information Security Risk Assessment is a complex process that must identify threat likelihood, potential damage and risk level, define controls to mitigate identified threats, and establish a compliance plan. We have developed a customized proprietary process to meet the specific needs of community banks in this regard.
An IT risk assessment is required to identify the reasonably foreseeable threats, from within and outside your bank’s operation, that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems, as well as the reasonably foreseeable threats arising from the disposal of customer information. Customer information stored on systems owned or managed by service providers, and customer information disposed of by your bank’s service providers, are factors that should be considered. Regulators require institutions to develop a thorough, written IT risk assessment.
The P&G IT risk assessment process is designed to provide an objective framework that assigns risk scores to the potential risks in your bank’s existing controls, applications, processes and network designs. It identifies and scores the inherent risk of your existing IT infrastructure. This analysis is followed by the identification and documentation of existing compensating controls that may mitigate the identified risks. The end result is a quantifiable, easy-to-understand measurement of the inherent and residual risk of the IT processes, applications and infrastructure. This is delineated in a report that can be used as a living document, periodically updated and presented to regulators and the Board of Directors.
We believe that an effective risk reporting process increases your bank’s ability to put processes in place for potential risks identified at an early stage, and helps quantify the potential impact on the bank if those processes are absent. P&G’s experts work with you on an ongoing basis to ensure that your institution remains cognizant of changes in regulatory emphasis that may affect your IT environment.