IT Examiner School, Providence, RI
Common Exam Themes/Findings/Weaknesses (continued)
Disaster Recovery/Business Continuity Planning (DR/BCP):
- is not sufficient, lacks formality, or only covers the main business location
- is not based on a business impact analysis or risk assessment
- management thinks DR/BCP is not needed because their systems are hosted by AWS or another external provider
- management thinks DR/BCP is not needed because everyone can "just work from home" (yet this capability has never been tested, so no one knows whether the VPN has enough load capacity or will work at all)
- minimal DR/BCP testing, if any, or table-top testing only
- no employee DR/BCP training; employees are totally unaware of what to do in a disaster
Common Exam Themes/Findings/Weaknesses (continued)
- The vendor management program is informal or nonexistent
- Vendors/service providers (especially smaller firms) have not signed contracts or written agreements
- There is no one with IT expertise; the licensee is totally reliant on outside service providers, but management does not manage/oversee the vendor relationship
- Enhanced authentication has not been implemented (or considered through the risk assessment process) for employees, agents, or customers
- Content for the web site is inaccurate, not up-to-date, and not monitored
- System security logs are not reviewed for unusual activity
- Firewalls do not produce logs, or the logs are not monitored/reviewed
- System logs are not retained for a reasonable period of time