To assess risk, a licensee may do all of the following:
- (a) Identify reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
- (b) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
- (c) Assess the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
History: 2004 AACS.