IT Examiner School, Providence, RI
Common Exam Themes/Findings/Weaknesses
- Management is not aware of GLBA or of 16 CFR Part 314 of the FTC Rules and Regulations (the Safeguards Rule)
- The Information Security Program lacks formality, or no written policies have been implemented
- No person or persons have been designated to oversee the Information Security Program
- Management has not performed any type of risk assessment or risk analysis
- Employee/agent/customer security awareness training is nonexistent or very limited
- An internal audit program has not been implemented, other than for BSA/AML; IT areas (IT general controls, penetration testing, vulnerability scans, etc.) have not been included within the scope of any audits
- Audit findings are not tracked through resolution
Common Exam Themes/Findings/Weaknesses (continued)
- Incident response planning is nonexistent or informal
- Patch management policies/procedures are not formal or consistent
- Access permissions are not based on least privilege or periodically reviewed for accuracy
- Application development/programming is quite common, but controls are ad hoc or lax: there are no formal procedures, quality assurance and testing requirements are not consistent, and project management methodologies are nonexistent
- Internally developed applications, such as Internet-facing or mobile applications (which have become very common), have never been audited or penetration tested
- Data destruction policies are not defined (including for paper documents)
- Board reporting for IT and information security is insufficient or nonexistent
- Encryption has not been implemented for email or laptops
- Licensees are using outdated or unsupported technology (Windows XP, Windows Server 2003)