IT Risk Assessment- Addressing Both the Intent and the Law

IT Risk Assessment

Most credit unions know that IT risk assessments are required elements of regulatory compliance. While this is true, IT risk assessments can provide a great deal of business value by helping credit unions to improve their security posture over time. Let’s first explore the regulatory perspective.

The FFIEC Information Technology Examiner’s Handbook specifies that conducting an IT risk assessment is a requirement for all banks and credit unions. While the handbook does not determine a precise process for performing this assessment, this guide, and supplemental publications from NCUA and FDIC, do point to aspects that must be covered within the assessment.

What Is an IT Risk Assessment? 

The FFIEC handbook defines a risk assessment as “a prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.”

This is where many of the in-house risk assessments we’ve seen over the years fall short. Often, an institution will download a template from the internet, enter basic information about their IT systems, and the likelihood of various threats to those systems from their perspective.

While basic templates are reasonable starts, they do not meet the intention of the risk assessment process. Per the NCUA IT Security Compliance Guide, the intent is to “continually review their current policies and procedures to make certain they are adequate to safeguard member information and member information systems, ensure the proper disposal of member information, and include in their written information security program both their review and their findings.”

The FFIEC Examiner’s Handbook specifies the need for information security that promotes the commonly accepted objectives of:

  • Confidentiality
  • Integrity
  • Availability of information

The NCUA and other examination agencies also call out the need to examine security guideline risks beyond what we commonly think of as IT risks, such as risks to records maintained in paper form. Most in-house IT staff at SMB banks and credit unions do not have the time or experience to go past a basic list of systems, potential threats, and the controls they have in place. They generally simply don’t have the bandwidth to delve deeply enough to satisfy the intent of a full IT risk assessment.

Here to Help – SilverSky’s IT Risk Assessment Approach

The gap between what most internal IT staff’s understanding of a risk assessment and the expectations of federal examiners is a great opportunity for SilverSky to help. Over many years of direct work with SMB banks and credit unions, SilverSky has developed a comprehensive risk assessment program that:

  1. Identifies information assets that contain or process customer information. This includes hardware like servers and NAS, workstations, systems (tellers servers, mail service, imaging systems, etc.) and physical items such as loan documents, signature cards, and backup tapes.
  2. Rates the sensitivity of the information on the listed devices in relation to confidentiality, integrity, and availability.
  3. Identifies and rates the likelihood of various internal and external threats to the assets.
  4. Identifies the technical and administrative control in place for issues such as antivirus, firewall, formal scheduled review of audit logs, and more.
  5. Produces a residual risk score for all assets.
  6. Make suggestions for additional controls or actions for items with high residual risk.

At the end of the assessment, the customer is provided both a detailed report containing lists of threats and controls for IT staff and an executive report with colored bar graphs representing residual risk levels and simply stated recommendations.

Our risk assessment process goes well beyond simply satisfying GLBA compliance for examiners. Rather, it becomes a tool for internal staff to see areas for improvement in their intuition’s risk posture and is a great point of entry for SilverSky to offer assistance to meet identified improvement goals through our managed and consulting services.

Finally, it should be noted that an IT risk assessment should not be considered static. It is an ongoing process to identify new risks as they arise and to assess the risk status of systems as they are added.

If you need help, SilverSky is here for you. Don’t hesitate to reach out to us at 1-800-234-2175 or

Jeff Jackson Editor
CISA, PCI-QSA, Advisory Consulting Team Manager , SilverSky

Jeff helps SilverSky deliver a comprehensive suite of products and services that deliver unprecedented simplicity and expertise for compliance and cybersecurity programs.

follow me



Managed Detection and Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email and Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance and Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.


Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.


Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.


White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 

Events & Webinars


Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion

Share This