Rule Requirement
314.4 (b)
Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
A) The risk assessment shall be written and shall include:
(i) Criteria for the evaluation and categorization of identified security risks or threats you face;
(ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and
(iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
B) You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.
Our Service
With S2 ORG you’ll be able to easily understand the scope of your risk. The platform provides a simple scoring methodology that gives you insight into every aspect of your information security program and allows you to upload vulnerability scan data to add even more depth to your risk assessments and annual reports. Reporting tools allow you to instantly create the risk assessment documentation you need.