IT Examiner School, Palm Springs, CA

Technology Overview

• Risk assessments for networks should be performed annually
• Network topologies should be updated regularly
• Appropriate monitoring should be deployed
• Vulnerability Assessments and Penetration Tests should be performed annually
• Applications and systems should be patched regularly

Audit

• Performed by independent personnel
• Conducted by knowledgeable individuals
• Based on risk assessment/complexity
• Findings/recommendations are documented
• Results are reported to the Board/Committee
• Conducted separately or all at once
• IT scope & frequency based on inherent or residual risk

FFIEC specifies that high-risk areas should be audited/reviewed at least annually
