A licensee shall conduct a risk assessment, which must: (1) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. (2) Assess the likelihood and potential damage of threats, taking into consideration the sensitivity of the nonpublic information. (3) Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage threats in each relevant area of the licensee's operations, including: (i) Employee training and management. (ii) Information systems, including network and software design and information classification, governance, processing, storage, transmission and disposal. (iii) Detection, prevention and response to attacks, intrusions or other system failures. (4) Implement information safeguards to manage the threats identified in its ongoing assessment. nd disposal. (iii) Detection, prevention and response to attacks, intrusions or other system failures. (4) Implement information safeguards to manage the threats identified in its ongoing assessment. (5) At least annually, assess the effectiveness of the safeguards' key controls, systems and procedures. Cross References. Section 4512 is referred to in sections 4502, 4514, 4516, 4521, 4532, 4536 of this title.
Pennsylvania Legal Code