Excerpt of FAQs from the Webinar "IT Risk Assessments: Understanding the Process"

Listen to Susan Orr, CISA, CISM, CRP, ex-FDIC examiner, respond to some of the FAQs from our IT risk assessments webinar. See below for a sampling of the questions asked.

Sample questions addressed during this podcast:

• Who should be conducting a risk assessment? Can we do this in-house or do we need to have this done by someone external to our institution?

• How do I know if the risk assessment we’ve conducted is appropriate? More so, will it be accepted by our regulators?

• How far do I need to go to assess third-party vendors as part of our assessment?

• Do regulators have a preference for one type of risk assessment, qualitative vs. quantitative?

• You mentioned that the qualitative approach works in the majority of institutions. You also mentioned this is subjective in nature. If it is subjective, how do I make decisions based on the outcome of this assessment?

• Do I only need to cover systems and processes that are specific to bank customers, or do I need to cover other systems and processes as well, such as human resources, department systems, or systems used by our accounting and finance groups?

• How often do we do our risk assessment? Is this dependent on our size or on the results of our initial risk assessment, i.e., dependent on “fair” or “unfair” results?
