IT Examiner School, Palm Springs, CA

Core Procedure #1 (Supports Decision Factor M1)

Core Procedure #2 (Supports Decision Factor M1)

1. Evaluate the quality of IT reporting to the Board of Directors. Consider reports such as:
   - IT risk assessments
   - IT standards and policies
   - Resource allocation (e.g., major hardware/software acquisitions and project priorities)
   - Status of major projects
   - Corrective actions on significant audit and examination deficiencies
   - Information security program, including cybersecurity

Report to the Board. Each bank shall report to its Board or an appropriate committee of the Board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

Management provides a written report on the overall status of the information security and business continuity programs to the Board or an appropriate Board committee at least annually. The institution prepares an annual report of security incidents or violations for the Board or an appropriate Board committee.

Control Test: Review the most recent annual information security program report to the Board and ensure it covers the minimum required elements outlined in the Information Security Standards.
