Risk Assessment and Management (CC-11000, applicable to securities firms placing ordersvia the Internet, but not applicable to those doing so via telephone or in thetraditional manner; annual audit)
- All of the company's information assets within the scope of applicable information security risk and all owners of such assets shall be identified.
- The acceptable level of information security risk for each of the company's operations shall be determined.
- The company shall prepare written reports on information security risk evaluations. An evaluation shall be carried out at least once per year and all relevant records retained.