Many incidents of information systems result in imperfect protection of information assets. Since overall protection is expensive, even impossible, security measures should be made at the most needed places in terms of cost and time. By means of classification of information assets and their risk assessment, we are able to know the degree of risk of the assets and to achieve a better decision in security measures. Owing to the secrecy policy, research reports on risk assessment of information assets are rarely made public. In this research we classified the information assets of a financial institution and assessed their risks. Because the institution is one of the major banks in Taiwan, the research results should be representative. The Delphi method was adopted in this research and the questionnaires were designed based on the guidelines of information security management of BS 7799-1:2000, BS 7799-2: 2002 and ISO/ IEC TR 13335. In total, 24 information assets subject to security breaches were chosen for risk assessment, and 7 experts in information security and computer auditing were invited to answer the questionnaires concerning current value of the assets, possible threats, vulnerabilities and degree of risks. Risks are expressed in low, medium and high, ranging over 10 degrees on risk scale. The results revealed that there is one item, the core router, with medium risk while others are of low risk. We also made suggestions for enhancing security measures for all assets with risk degree greater or equal to 2. Owing to the lack of publications of researches on classification of information assets and assessment of their risk in financial field, the results achieved in this study is of practical value.