IT Examiner School, Providence, RI

Board and Management Oversight

Board of Directors
- Should set (or at least approve) policies and procedures to implement the Information Security Program (ISP) and to manage IT and operational risks.
- Designate someone to oversee the ISP on a day-to-day basis.
- Review and approve (or take part in) an IT strategic plan that aligns with the overall business strategy.
- Oversee the adequacy and allocation of IT resources for funding and personnel.
- Oversee and receive updates on major IT projects, IT budgets, IT priorities, and overall IT performance.
- Hold management accountable for identifying, measuring, and mitigating IT risks.
- Provide for independent, comprehensive, and effective audit (or other forms of testing) of IT controls.

Board and Management Oversight (continued)

Executive and Senior Management
- Executive and Senior Management develops the strategic plans and objectives for the institution and sets the budget for the allocation of resources to achieve these objectives.
- Executive and Senior Management should understand, at a high level, the IT risks faced by the institution and ensure that those risks are included in the institution's risk assessments.

IT Management
- Assess the institution's inherent IT risks across the institution (the risk assessment process is the next topic).
- Provide regular reports to Executive Management and the Board on IT risks, IT strategies, and IT changes.
- Establish and coordinate priorities between the IT department and the lines of business.
- Implement effective processes for IT risk management.
