IT Examiner School, Providence, RI

Common Exam Themes/Findings/Weaknesses

- Management is not aware of GLBA or 16 CFR Part 314 of the FTC Rules and Regulations (aka the Safeguards Rule)
- The Information Security Program lacks formality, or no written policies have been implemented
- No person or persons have been designated to oversee the Information Security Program
- Management has not performed any type of risk assessment or risk analysis
- Employee/agent/customer security awareness training is nonexistent or very limited
- An internal audit program has not been implemented, other than for BSA/AML. IT areas, including IT general controls, penetration testing, vulnerability scans, etc., have not been included within the scope of any audits
- Audit findings are not tracked through resolution

Common Exam Themes/Findings/Weaknesses (continued)

- Incident response planning is nonexistent or informal
- Patch management policies/procedures are not formal or consistent
- Access permissions are not based on least privilege or periodically reviewed for accuracy
- Application development/programming is quite common, but controls are ad hoc/lax, there are no formal procedures, quality assurance and testing requirements are not consistent, and project management methodologies are nonexistent
- Internally developed applications, such as Internet-facing or mobile applications (which have become very common), have never been audited or penetration tested
- Data destruction policies are not defined (including for paper documents)
- Board reporting for IT and Information Security is insufficient or nonexistent
- Encryption capabilities have not been implemented for email or laptops
- Licensees are using outdated or unsupported technology (XP, Windows 2003)
