Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance.

To obtain compliance with the new Gramm-Leach-Bliley privacy regulations, financial institutions need to identify vulnerabilities in electronic systems, assess likelihood and impact of threats, and assess sufficiency of controls to mitigate those risks. In response to these new regulations, I developed a process for conducting an electronic risk assessment in accordance with GLBA, and used it to conduct a risk assessment for Johnson Financial Group. The process involves listing each technology and vendor service and categorizing these systems based on the data they process or store. Threats and vulnerabilities are listed for each technology, and then controls are specified for each vulnerability. Controls are categorized, and definitions for control adequacy and residual risk are developed and applied to each technology. Output includes a report showing vulnerabilities, controls, and a risk rating for each technology, a report showing which vulnerabilities have insufficient controls, and others.