IT Examiner School, Providence, RI

Common Exam Themes/Findings/Weaknesses (continued)

Disaster Recovery/Business Continuity Planning
- is not sufficient, lacks formality, or covers only the main business location
- is not based on a business impact analysis or risk assessment
- management thinks DR/BCP is not needed because their systems are hosted by AWS or another external provider
- management thinks DR/BCP is not needed because everyone can "just work from home" (this capability has never been tested, so no one knows whether the VPN has the capacity to carry that load or will work at all)
- minimal DR/BCP testing, if any, or table-top testing only
- no employee DR/BCP training; employees are totally unaware of what to do in a disaster

Common Exam Themes/Findings/Weaknesses (continued)

- The vendor management program is informal or is nonexistent
- Vendors/service providers (especially smaller firms) have not signed contracts or written agreements
- There is no one with IT expertise. The licensee is totally reliant on outside service providers, but management does not manage/oversee the vendor relationship
- Enhanced authentication has not been implemented (or considered through the risk assessment process) for employees, agents, or customers
- Content for the web site is inaccurate, not up-to-date, and not monitored
- System security logs are not reviewed for unusual activity
- Firewalls do not produce logs, or the logs are not monitored/reviewed
- System logs are not maintained for a reasonable period of time
