Pub. 3 2013-2014 Issue 2

Over a Century: Building Better Banks - Helping Coloradans Realize Dreams
September • October 2013 | 13

FEATURE ARTICLE

Information Security: A 21-Question Self-Assessment

Russ Horn, CISA, CISSP, CRISC
President, CoNetrix

Information security is a significant business risk that demands our attention. But too often, the personnel tasked with overseeing information security lack the time, resources or knowledge to do the job right. Although this article cannot supply the time or knowledge needed to make a true evaluation, it can help start the internal conversation. Answering the following 21 questions can help you measure your overall information security posture.

Risk Management

Risk assessments are the foundation of a good information security program, so the risk management process must be strong for the overall program to be strong. Regarding risk management, ask yourself:

1. Have we conducted an information security risk assessment within the past year?
2. Do we have appropriate participation from various departments during the development and analysis of the information security risk management process?
3. Have results from risk assessments been presented to the Board or an appropriate committee of the Board?
4. Is the risk assessment process enterprise-wide?

"This list of questions should not be considered exhaustive. Instead, use these questions as a starting point to help you gauge your bank's information security posture."

Information Security | continued on page 14
