What is a GLBA risk assessment? – WST


October 15, 2020


The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule directs financial institutions to:

Recently, we had an inquiry for a “GLBA Risk Assessment.” Our first thought was “Most IT risk assessments performed by financial institutions are GLBA risk assessments.” Looking further at the request, the sample report deliverables showed a narrowly scoped, threat-based risk assessment that also tested and rated control efficacy. We don’t offer this type of service because an IT risk assessment performs better when it is asset-based and comprehensive, and when controls are tested independently of the risk assessment process; following this process also better meets regulatory needs.

The basics of the risk assessment process include:

  • identify an asset’s inherent risk based on threats, likelihood, and sensitivity,
  • note mitigating controls and rate their efficacy, and
  • calculate the resulting residual risk.

The risk assessment process should use a scoring system that considers the relevant risk factors and, to the extent possible, avoids subjectivity. The resulting scores are then used to help determine the scope and frequency of control testing (i.e., audit).
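As an added illustration of the three steps above (not code from the original post or from WST), the script below scores a constructed asset inventory: inherent risk from threat, likelihood and sensitivity; a reduction from independently tested controls; and a residual-risk band that drives testing cadence. The ordinal scale, the multiplicative combination of controls, the cadence bands and the sample assets are all assumptions made for the example; an untested control is deliberately given no credit.

```python
from dataclasses import dataclass, field

# Ordinal scale for each inherent-risk factor (assumption for this example).
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    name: str
    threat: str        # threat exposure of the asset
    likelihood: str    # likelihood that a threat is realised
    sensitivity: str   # sensitivity of the data the asset handles
    # control name -> efficacy 0.0..1.0 from independent testing;
    # None means the control exists but has not been tested yet
    controls: dict = field(default_factory=dict)

def inherent_risk(a: Asset) -> int:
    # Risk before any controls: product of the three factors, range 1..27.
    return SCALE[a.threat] * SCALE[a.likelihood] * SCALE[a.sensitivity]

def remaining_fraction(controls: dict) -> float:
    # Treat controls as independent layers; only tested efficacy counts.
    remaining = 1.0
    for name, eff in controls.items():
        if eff is None:                     # untested: no credit
            continue
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"efficacy for {name} must be in [0, 1]")
        remaining *= 1.0 - eff
    return remaining

def residual_risk(a: Asset) -> float:
    return round(inherent_risk(a) * remaining_fraction(a.controls), 2)

def audit_frequency(residual: float) -> str:
    # Cadence bands are an assumption; an institution sets its own.
    if residual >= 6.0:
        return "annual"
    if residual >= 3.0:
        return "every 2 years"
    return "every 3 years"

def assessment(assets):
    # (name, inherent, residual, cadence, untested controls), highest residual first
    rows = []
    for a in assets:
        untested = sorted(n for n, e in a.controls.items() if e is None)
        r = residual_risk(a)
        rows.append((a.name, inherent_risk(a), r, audit_frequency(r), untested))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample inventory (not real assets or ratings).
SAMPLE = [
    Asset("online banking portal", "high", "high", "high",
          {"mfa": 0.6, "waf": 0.4, "fraud monitoring": None}),
    Asset("internal file share", "medium", "medium", "high", {"access control": 0.4}),
    Asset("public marketing site", "high", "high", "low", {"waf": 0.5}),
    Asset("isolated dev lab", "low", "low", "low"),
]
```

Running `assessment(SAMPLE)` ranks the file share above the banking portal because the portal's tested controls remove more of its higher inherent risk, while the untested fraud-monitoring control is listed for follow-up rather than silently counted.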

The risk assessment should be updated at least annually, or more frequently to reflect changes such as new processes, new infrastructure, new public-facing services, a security incident or breach, or mergers and acquisitions.

This approach fits GLBA and FFIEC guidance and examiner expectations, and it allows institutions to better identify and manage risk. So, the takeaway is that some service offerings may use all the right buzzwords but still miss the mark.
