Gather Necessary Information
An effective risk assessment should be based on a current and detailed knowledge of the institution's operating and business environments. Sufficient information should be referenced in the risk assessment to document a thorough understanding of these environments. Both technical and non-technical information should be gathered. Examples of relevant technical information include network maps detailing internal and external connectivity; hardware and software inventories; databases and files that contain critical and/or confidential information; processing arrangements and interfaces with external entities; hardware and software configurations; and policies, standards, and procedures for the operation, maintenance, upgrading, and monitoring of technical systems.
Non-technical information that may be necessary includes the policies, standards, and procedures addressing physical security (including facilities as well as information assets that include loan documentation, deposit records and signature cards, and key and access code lists), personnel security (including hiring background checks and behavior monitoring), vendor contracts, personnel security training and expertise, and insurance coverage. Additionally, information regarding control effectiveness should be gathered. Typically, that information comes from security monitoring, including self-assessments, metrics, and independent tests.