(a) identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(b) assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
(c) assesses the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.