The Top Five Mistakes to Avoid While Planning an IT Risk Assessment
What is an IT Risk Assessment?
There are several reasons to perform a risk assessment for a firm’s IT activities and resources. First, an IT risk assessment is intended to help IT management:
- Better allocate resources and perform capital budgeting.
- Assign resources based on a risk-based approach.
Second, various regulatory authorities, such as the Federal Financial Institutions Examination Council (FFIEC), BASEL, the Securities and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA), require that risk assessments be performed for all financial institutions. For example:
“A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.” - Page 1, FFIEC IT Examination Handbook: Information Security
“A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the institution’s vulnerability to intrusion