IT Risk Assessment

GRC Solutions assists our clients' management in the development and performance of a comprehensive Information Technology Risk Assessment ("ITRA") in accordance with Federal Financial Institutions Examination Council ("FFIEC") guidance and Gramm-Leach-Bliley Act ("GLBA") Section 501(b) regulatory requirements for Information Security.

We apply a risk assessment methodology that considers threats and their potential impact (Inherent Risk) together with the corresponding controls and strategies (Mitigating Controls) to determine a client's overall exposure to each risk (Residual Risk). Using a structured methodology makes management more aware of the resources applied to each risk and of their accountability for addressing and mitigating it.

The resulting report presents bank management's summary analysis of the institution's Information Technology risk posture in a concise and organized fashion and is intended to be shared with the Board of Directors and other appropriate staff.

The IT Risk Assessment includes the following steps:

  • IT and Operations mission critical Asset Identification
  • Asset Analysis (analysis on the basis of mission criticality of asset to the Bank and presence of Non-Public Information (“NPI”) - Customer or Bank proprietary data)
  • Risk Analysis (Threat & Impact Analysis by Asset and the Bank’s ability to mitigate the threat)
  • Controls Analysis (Administrative, Physical, Technological)
  • Final Residual Risk Ratings (developed after consideration of mitigating controls and strategies)
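The steps above, carried through as an added worked example (not GRC Solutions' own tooling or scoring model): each asset is scored for mission criticality and NPI presence, combined with a threat likelihood into an Inherent Risk score, and then discounted by the effectiveness of its Administrative, Physical and Technological controls to give a Residual Risk rating. The 1-5 scales, weights, thresholds and sample assets are constructed assumptions for illustration.

```python
from dataclasses import dataclass

CONTROL_CATEGORIES = ("administrative", "physical", "technological")

@dataclass
class Asset:
    name: str
    mission_critical: bool          # Asset Analysis: criticality to the Bank
    holds_npi: bool                 # Asset Analysis: Customer or Bank proprietary data
    threat_likelihood: int          # Risk Analysis: assumed 1 (rare) .. 5 (frequent)
    controls: dict                  # Controls Analysis: category -> effectiveness 0.0 .. 1.0

def impact_score(asset: Asset) -> int:
    """Constructed impact scale 1..5: criticality and NPI each add weight."""
    score = 1
    if asset.mission_critical:
        score += 2
    if asset.holds_npi:
        score += 2
    return score

def inherent_risk(asset: Asset) -> int:
    """Threat & Impact Analysis before any controls: likelihood x impact (1..25)."""
    return asset.threat_likelihood * impact_score(asset)

def control_strength(asset: Asset) -> float:
    """Average effectiveness across all three categories; a missing category counts as 0."""
    return sum(asset.controls.get(c, 0.0) for c in CONTROL_CATEGORIES) / len(CONTROL_CATEGORIES)

def residual_risk(asset: Asset) -> float:
    """Inherent Risk discounted by mitigating controls."""
    return round(inherent_risk(asset) * (1.0 - control_strength(asset)), 1)

def rating(score: float) -> str:
    """Constructed rating bands for the 1..25 scale."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"

# Constructed sample asset register (not real institution data).
SAMPLE_ASSETS = [
    Asset("Core banking system", True, True, 4,
          {"administrative": 0.8, "physical": 0.9, "technological": 0.7}),
    Asset("Loan document file share", False, True, 4,
          {"administrative": 0.3, "physical": 0.3, "technological": 0.3}),
    Asset("Lobby information kiosk", False, False, 3,
          {"administrative": 0.2, "technological": 0.4}),   # no physical control documented
]

def risk_register(assets):
    """One row per asset: name, inherent score/rating, residual score/rating."""
    return [(a.name, inherent_risk(a), rating(inherent_risk(a)),
             residual_risk(a), rating(residual_risk(a))) for a in assets]
```

Rows whose residual rating is still Moderate or High after controls (here the loan document file share) are the ones the report should surface to the Board for additional mitigation or explicit risk acceptance.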