Identification of Information and Information Systems
A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information and information systems can be both paper-based and electronic-based.
The institution's analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems. Some systems and data stores may not be readily apparent. For example, backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing should be considered.
In identifying information and information systems, it is important to understand how the institution uses information in its day-to-day operations. For example, the risk assessment should address employee access to, use of, and dissemination of information in response to requests. Institutions should also consider how they store, transmit, transfer, and dispose of media (paper or electronic) containing information; how they authorize and authenticate those who receive information, both physically and electronically; and how they make information available for viewing.
A financial institution's outsourcing strategy should also be considered in identifying relevant data flows and information processing activities. The institution's system architecture diagram and related documentation should identify service provider relationships, where and how data is passed between systems, and the relevant controls that are in place.