Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new or changing threat or vulnerability. Depending on the nature of the changing environment, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security monitoring requirements).
Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.