IT Examiner School, Providence, RI

Comment Elements

• Audit – Audit plan, scope, and frequency; resolution of audit and examination issues; audit independence; Board and management oversight.
• Management – Risk assessment process; vendor management (ongoing); Information Security Standards (GLBA); Account Takeover Risk Mitigation Program; Cybersecurity Readiness Efforts (if not covered under Support and Delivery).
• Development and Acquisition – In-house programming; vendor management (acquisition); source code licensing and escrow; project management.
• Support and Delivery – Business Continuity/Disaster Recovery Planning and Testing; Information Security; Operations; Incident Response; Payment Systems; Cybersecurity Readiness Efforts.

ROE and Confidential Pages

• IT comments and ratings support should be addressed on the Examiner’s Comments and Conclusions (ECC) page.
• You may include specific examples within the ROE comment to support overall conclusions:
  – This is important if you are citing contravention of GLBA or have issues with GLBA activities.
• In case of a “3” or worse rating, the comments may have higher priority.
