III.A Risk Identification
Financial institution management should maintain a risk identification process that is coordinated and consistent throughout the institution. Risk identification includes ongoing data collection from existing activities and new initiatives.
All activities within a financial institution present a degree of risk. The nature of such risk, before applying controls and other mitigations, is called inherent risk. Senior management should ensure that IT risk identification efforts at the enterprise-wide level are coordinated and consistent throughout the institution. Management should maintain inventories of assets (e.g., hardware, software, and information), event classes (e.g., natural disaster, cyber, and insider abuse or compromise), threats (e.g., theft, malware, and social engineering), and existing controls as an important part of effective risk identification. Inventories should include systems and information hosted or maintained externally. Comprehensive IT risk identification should include identification of cybersecurity risks as well as details gathered during information security risk assessments required under guidelines implementing the GLBA.Refer to the "Information Security" booklet of the IT Handbook for more information on the GLBA and the "Interagency Guidelines Establishing Information Security Standards." Participation in an information-sharing forum, such as FS-ISAC, Refer to "FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing and Analysis Center," November 3, 2014. should be a component of the risk identification process because sharing information may help the institution identify and evaluate relevant cybersecurity threats and vulnerabilities. Ibid.
Senior management should make risk management decisions based on a full understanding of identified risks. Small institutions with less complex systems may have a more simplified risk identification process. Regardless of the complexity, the process should be formal and adapt to changes in the IT environment. The effectiveness of the risk identification process is demonstrated by management's understanding and awareness of risk, the adequacy of formal risk assessments, and the effectiveness of the risk mitigation, including policies and internal controls.
III IT Risk Management
III.A.1 Ongoing Data Collection