Creating a Cybersecurity Risk Assessment

Many financial institutions face the task of managing and maintaining information security risk assessments, including the need to integrate cybersecurity threats. In general, a financial institution should review its existing risk assessment program and incorporate cybersecurity threats into it. If a separate program would be easier to manage, management should weigh that option.

We recommend developing a five-step plan to help establish a foundation for a meaningful risk assessment program:

1. Identify information assets
   Consider the primary types of information handled, e.g., Social Security numbers, account numbers or human resource data, and make a priority list of what needs to be protected. To properly identify assets, include personnel from various departments.
2. Locate information assets
   Identify and list where each item on the information asset list resides within the organization, e.g., file servers, workstations, laptops, removable media or smartphones.
3. Classify information assets
   Assign a rating to each item on your information asset list. Consider a scale of 1 to 5, with the following categories:
   • Public information
   • Internal but not protected data
   • Sensitive internal information
   • Classified internal information
   • Regulated information
4. Conduct a threat modeling exercise
   Rate the threats facing critical information assets. Many different methodologies are available (potential fodder for a separate article). In any case, use a scaling system to rate each identified threat, considering both probability and impact.
5. Finalize the risk assessment and start planning
   Calculate the threat scores, establish scoring thresholds and ranges, and review the results.
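To show how the five steps fit together, here is a small risk register as an added example; it is not code from the article or from BKD. The 1-5 classification scale follows the categories listed above, but the probability/impact scale, the scoring formula (classification × probability × impact) and the High/Medium/Low thresholds are assumptions chosen for illustration, and the asset and threat data are constructed.

```python
# Added example (not the article's code): a minimal risk register implementing the
# five steps above. The scoring formula, the 1-5 probability/impact scale and the
# level thresholds are assumptions chosen for illustration, not from the article.
from dataclasses import dataclass
from typing import Dict, List

# Step 3: the article's five classification categories on a 1-5 scale.
CLASSIFICATION = {
    "public": 1,       # Public information
    "internal": 2,     # Internal but not protected data
    "sensitive": 3,    # Sensitive internal information
    "classified": 4,   # Classified internal information
    "regulated": 5,    # Regulated information
}


@dataclass
class Asset:
    name: str                 # Step 1: what information we hold
    locations: List[str]      # Step 2: where it resides
    classification: str       # Step 3: key into CLASSIFICATION


@dataclass
class Threat:
    description: str
    probability: int          # Step 4: assumed scale 1 (rare) .. 5 (expected)
    impact: int               # Step 4: assumed scale 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable.
        for field_name in ("probability", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1-5, got {value}")


def threat_score(threat: Threat) -> int:
    """Step 4: probability x impact, range 1..25."""
    return threat.probability * threat.impact


def risk_score(asset: Asset, threat: Threat) -> int:
    """Weight the threat score by asset classification (assumed formula), range 1..125."""
    return CLASSIFICATION[asset.classification] * threat_score(threat)


def risk_level(score: int) -> str:
    """Step 5: assumed thresholds on the 1..125 range."""
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def build_register(assets: List[Asset], threats_by_asset: Dict[str, List[Threat]]) -> List[dict]:
    """Step 5: score every asset/threat pair and rank highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats_by_asset.get(asset.name, []):
            score = risk_score(asset, threat)
            rows.append({
                "asset": asset.name,
                "locations": ", ".join(asset.locations),
                "threat": threat.description,
                "score": score,
                "level": risk_level(score),
            })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample data for a small institution (illustrative, not real).
ASSETS = [
    Asset("Customer SSNs", ["core banking server", "loan officer laptops"], "regulated"),
    Asset("HR records", ["HR file server"], "sensitive"),
    Asset("Website content", ["public web server"], "public"),
]
THREATS: Dict[str, List[Threat]] = {
    "Customer SSNs": [
        Threat("phishing leads to credential theft", probability=4, impact=5),
        Threat("lost or stolen laptop", probability=3, impact=4),
    ],
    "HR records": [Threat("insider misuse of access", probability=2, impact=4)],
    "Website content": [Threat("website defacement", probability=2, impact=2)],
}


def example_register() -> List[dict]:
    """Build the ranked register for the constructed sample data."""
    return build_register(ASSETS, THREATS)


if __name__ == "__main__":
    for row in example_register():
        print(f'{row["level"]:6} {row["score"]:3}  {row["asset"]:16} {row["threat"]}')
```

Running the script prints the register ranked from highest to lowest risk, with the regulated customer data at the top. The point of weighting by classification is that the same threat (a lost laptop, say) scores very differently depending on what is stored on the device, which is what steps 2 and 3 exist to capture; the thresholds in `risk_level` are the "ranges" step 5 asks you to agree on before reviewing results.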

The goal of the risk assessment exercise is to establish a risk assessment program to enhance your information security program. If you need help with the risk assessment process, please contact us.


Jeff Pauls

As a member of BKD National Financial Services Group, Jeff brings more than 14 years auditing and technology experience to the clients he serves. Before joining BKD, Jeff was an IT auditor for the Federal Reserve Bank of St. Louis.
