Pub. 1 2010 Issue 4

www.wvbankers.org

Effective Risk Management
By Keith A. Morgan, CISA, CISSP and Chris Joseph, CPA, CISA

This is the fourth and final article of a multi-part series oriented toward risk assessment and the management of your Information Technology (IT) assets.

In our first three articles we covered various areas as they relate to effective risk management. The articles have covered the following areas:
• Best practices and definition of risk (first article)
• Concepts, requirements and definitions (second article)
• Process (third article)

With our final article, we discuss what we consider the end result of your risk management/assessment efforts. We want to emphasize that effective risk management is not a static event. Effective risk management is an ongoing process that can change based upon the circumstances of your bank and sometimes of your local, regional and national area. Items and events that could impact the risk management process include:
• New products and services
• Changes in key personnel
• Information technology, including obsolescence
• New regulatory requirements
• Changes in the economy
• A national, regional or local disaster event
• Issues at a significant service provider
• New viruses and other security threats from intruders

This, of course, is not an exhaustive list but just a few examples. There are numerous other events that could impact your risk assessment process. A point of emphasis is that the risks and events that can affect your current risk assessment and management process do not always originate within your own systems.

Assume you have identified what you consider the risk areas of the bank. The likelihood of occurrence has been identified along with the various compensating controls to assist the bank with mitigating those risks, and a risk rating has been applied. Where do you go from here? A completed risk assessment matrix and process that does not result in any action is a use of valuable resources with limited results.

In our second article, we noted that the Bank's Information Security Program is designed to be based upon the Bank's risk assessment process. As noted in the FDIC's Information Technology Officer's Questionnaire, "each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities." Also, from the FDIC Information Technology Officer's Questionnaire, the objectives of the Information Security Program include:
• Ensure the security and confidentiality of customer information;
• Protect against any anticipated threats or hazards to the security or integrity of such information;
• Protect against unauthorized access to or use of such information that
