IT Examiner School - Oct 2025
IT Examiner School, Live Virtual, October 7-16, 2025
www.csbs.org ♦ @csbsnews
CONFERENCE OF STATE BANK SUPERVISORS 1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840
Week 1

Tuesday, October 7, 2025
• 12:30 pm – 1:30 pm  Introduction & Pre-Course Review/Terminology
• 1:30 pm – 2:15 pm  Regulations/Guidance
• 2:15 pm – 2:30 pm  Break
• 2:30 pm – 3:00 pm  IT Examination Work Programs
• 3:00 pm – 4:00 pm  Audit

Wednesday, October 8, 2025
• 12:30 pm – 1:15 pm  Audit
• 1:15 pm – 1:45 pm  Cyber Maturity Assessment/FFIEC CAT Tool Sunsetting
• 1:45 pm – 2:00 pm  Break
• 2:00 pm – 4:00 pm  Support & Delivery

Thursday, October 9, 2025
• 12:30 pm – 1:00 pm  Support & Delivery
• 1:00 pm – 2:00 pm  Development & Acquisition
• 2:00 pm – 2:15 pm  Break
• 2:15 pm – 3:00 pm  Third-Party Risk Management
• 3:00 pm – 4:00 pm  Information Security Framework/Risk Assessment
Internal Use Only
Week 2

Tuesday, October 14, 2025
• 12:30 pm – 1:00 pm  Information Security Framework/Risk Assessment
• 1:00 pm – 1:30 pm  Risk Assessment Activity
• 1:30 pm – 2:00 pm  Business Continuity Planning & Disaster Recovery
• 2:00 pm – 2:15 pm  Break
• 2:15 pm – 4:00 pm  Business Continuity Planning & Disaster Recovery

Wednesday, October 15, 2025
• 12:30 pm – 2:15 pm  Management
• 2:15 pm – 2:30 pm  Break
• 2:30 pm – 3:00 pm  Composite Rating Discussion & Exercise
• 3:00 pm – 4:00 pm  Breakout Rooms

Thursday, October 16, 2025
• 12:30 pm – 1:30 pm  Composite Rating Exercise Discussion
• 1:30 pm – 2:00 pm  Emerging Issues
• 2:00 pm – 2:15 pm  Break
• 2:15 pm – 3:30 pm  Emerging Issues
• 3:30 pm – 4:00 pm  Final Assessment & Course Wrap Up
Virtual IT Examiner School, October 7-16, 2025 (Zoom)

Schedule

This week:
• Tuesday, October 7: 12:30 PM – 4:00 PM ET
• Wednesday, October 8: 12:30 PM – 4:00 PM ET
• Thursday, October 9: 12:30 PM – 4:00 PM ET

Next week:
• Tuesday, October 14: 12:30 PM – 4:00 PM ET
• Wednesday, October 15: 12:30 PM – 4:00 PM ET
• Thursday, October 16: 12:30 PM – 4:00 PM ET
Instructor Contact Information
• Matthew Fujikawa, Financial Institutions Manager, California Department of Financial Protection & Innovation, Matthew.Fujikawa@dfpi.ca.gov
• William Andrus, Utah Department of Financial Institutions, wandrus@utah.gov
• Kenneth Biser, Advanced IT Examiner, North Carolina Office of the Commissioner of Banks, kbiser@nccob.gov
• Craig Farrar, Director, Financial Services Programs, Cybersecurity Division, New York State Department of Financial Services, Craig.Farrar@dfs.ny.gov
• William Peterson, Assistant Deputy Superintendent, Cybersecurity Division, New York State Department of Financial Services, William.Peterson@dfs.ny.gov
NYS DFS Disclaimer The views expressed are those of the speaker and do not represent the official views of New York State or the NYS Department of Financial Services, aka DFS. Anything said during this training shall not bar, estop, or otherwise prevent DFS, or any federal or other state agency from taking any action different from anything said during this training. Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.
Introductions
Name
State
IT Exam Experience
Fun fact
Something you hope to learn
Go to www.menti.com and enter Game PIN provided
Regulations & Guidance

Module Agenda
• Provide an overview of common data privacy laws and standards
• Discuss information security related laws impacting financial institutions (FIs)
• Describe the Gramm-Leach-Bliley Act (GLBA) and federal implementation of standards required under Section 501(b)
• Compare examination approaches, work programs, and rating systems for depository and non-depository FIs
Examples of Data Privacy Related Laws/Standards

Law | Year | Overview | Who it impacts
FERPA (Family Educational Rights and Privacy Act) | 1974 | Protection of student records | Any post-secondary educational institution
HIPAA (Health Insurance Portability and Accountability Act) | 1996 | Protects the privacy of patient records | Any company or agency that deals with health care
GLBA (Gramm-Leach-Bliley Act) | 1999 | Mandates that companies secure private information of clients and customers | Financial institutions (FIs) that offer financial products (insurance, loans, investments)
SOX (Sarbanes-Oxley Act) | 2002 | Maintain and protect financial records for seven (7) years | US public companies, accounting and management firms
FISMA (Federal Information Security Management Act) | 2002 | Recognizes information security as a national security matter | Federal agencies dealing with information related to national security
PCI-DSS (Payment Card Industry Data Security Standard) | 2004 | Consumer credit card | Companies involved in handling of credit card information
Information Security Related Laws Impacting FIs

Law | Overview
Bank Service Company Act, 12 USC 1867(c) | Subjects bank service companies to examination and regulation by federal regulators and requires notice within 30 days of entering into a service contract
Bank Protection Act, 12 USC 1882 ("Security Measures for Banks and Savings Associations") | Requires installation, maintenance, and operation of security devices and procedures to discourage robberies, burglaries, and larcenies and to assist in the identification and apprehension of persons who commit such acts
Fair and Accurate Credit Reporting Act (FCRA), 15 USC 1681w | Requires each FI to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address risks associated with identity theft
Gramm-Leach-Bliley Act (GLBA), 15 USC 6801 | Requires each agency or authority to establish appropriate standards for the FIs subject to their jurisdiction relating to administrative, technical, and physical safeguards
Source: https://ithandbook.ffiec.gov/laws-regulations-guidance/information-security/#Laws Complete List of FFIEC Maintained Laws, Regulations, and Guidance: https://ithandbook.ffiec.gov/laws-regulations-guidance/
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The Gramm-Leach-Bliley Act (GLBA) - cont.

Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”) governs the treatment of nonpublic personal information (NPPI or NPI) about consumers by financial institutions.
• Section 501 – protection of nonpublic personal information
• Section 502 – prohibits financial institutions from disclosing nonpublic personal information about a consumer to non-affiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements; and (ii) the consumer has not elected to opt out of the disclosure
• Section 503 – requires institutions to provide notice of their privacy policies and practices to their customers

"It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information" (Section 501(a))
The Gramm-Leach-Bliley Act (GLBA) - 501(b)

Section 501(b) requires each agency or authority to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
• To ensure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such records; and
• To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In 2000, the Board of Governors of the FRS (“Board”), the FDIC, the NCUA, the OCC, and the former OTS published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.
Regulatory Authority Examples: Depository Institutions

Type of Entity | Regulators / Licensure | Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.
Banks (state-member, national, state non-member, credit union) | FDIC, FRB, OCC, States, CFPB | 12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)
Bank Holding Companies, Trust Companies, US Branches of FBOs | FRB, States | Generally, the same as banks (above)
Credit Unions (Federal or State) | NCUA, States | 12 CFR 748 (Appendix A & B)

Regulations & Guidance - FDIC: Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards

Regulations & Guidance - FRB: Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Regulations & Guidance - NCUA: Appendix A (“Guidelines for safeguarding member information”) & Appendix B (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) of 12 CFR 748 (“Security Program”)
Regulatory Authority Examples: Non-Depository Institutions

Type of Entity | Regulators / Licensure
Mortgage Originators and Servicers | CFPB, FTC, States
Money Service Businesses / Money Transmitters | FTC, States
Consumer Finance | CFPB, FTC, States

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc. (all three entity types): 16 CFR 314; Sections 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).
Regulations & Guidance – Non-Depository
16 CFR Part 314 of the FTC Rules and Regulations, “Standards for Safeguarding Customer Information”
• Took effect in 2003 and is designed to ensure that covered entities maintain safeguards to protect the security of customer information
• Applies to financial institutions subject to FTC jurisdiction that aren’t subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805
• In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology
Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
Regulations & Guidance – Non-Depository

Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s ISP must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control risk identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board
Examination Approach Examples: Depository Institutions

Type of Entity | IT Exam Approaches/Rating Systems
Banks | Information Technology Risk Examination (InTREx); UFIRS/CAMELS; FFIEC Uniform Rating System for IT (URSIT)
Credit Unions | CAMEL, where “M” includes a review of information systems
Trust Companies | FFIEC Uniform Interagency Trust Rating System (UITRS)
Foreign Banking Organizations & Bank Holding Companies | FRB, States; ROCA Rating System – where “O” is operational controls
Examination Approach Examples: Non-Depository Institutions

Type of Entity | IT Exam Approaches/Rating Systems
Mortgage Originators and Servicers | FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System); CSBS Non-Bank Cybersecurity Exam Program
Money Service Businesses / Money Transmitters | CSBS Non-Bank Cybersecurity Exam Program; MTRA Workprogram (multi-state exams); FILMS rating system

Regulations & Guidance

FFIEC IT Handbook Booklets: a good reference, but remember the booklets do not specifically apply to FIs not regulated by the FFIEC.
IT Examination Work Programs
Depository vs Non-Depository Work Programs
CSBS Non-Bank Cybersecurity Workprogram

CSBS Non-Bank Workprogram (WP) Overview
• Used by state examiners to assess the cyber preparedness of non-depository entities
• Provides in-depth risk evaluation of the four critical components of the URSIT (Audit, Management, Development and Acquisition, & Support and Delivery). Questions contain the applicable Gramm-Leach-Bliley Act (GLBA) Safeguards Rule citation and document request list reference.
• The Baseline (v1.0) WP & Enhanced WP were both released in May 2022
• An updated Baseline WP (v1.1) was released in March 2023

Components of CSBS Nonbank Cyber Exam Programs
• Pre-Examination Resources: Exam Notification Letter; Pre-Exam Document Request List (DRL)
• Work Programs: Baseline Nonbank Workprogram; Enhanced Nonbank Workprogram
Pre-Exam Document Request List
Used for both Baseline & Enhanced Cybersecurity Exam Program
Covers 15 Program Areas and defines documents to be provided
Includes space for State specific requests
Nonbank Cybersecurity Exam Programs

Baseline
• Based on the pilot program released in December 2020
• Covers the same content as the pilot in a streamlined version (based on 2021 examiner feedback)
• Easier to use, with half the questions and no loss of coverage
• Covers the 4 URSIT component areas

Enhanced
• More comprehensive, for larger and more complex institutions
• Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive
• Targeted for use by examiners with more specialized knowledge of IT & Cyber
Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.
Baseline Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022-08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf
Enhanced Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022-08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf
Information Technology Risk Examination (InTREx) Procedures
InTREx Program Overview
• An enhanced, risk-based approach for conducting IT examinations of depository institutions
• Based on the URSIT and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings
• Incorporates procedures for assessing cybersecurity preparedness and compliance with the Interagency Guidelines Establishing Information Security Standards
• Examiners complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and document examination procedures, findings, and recommendations
• Updated in September 2023 (by FDIC) to improve the Audit module's usability, add steps related to the Computer Security Incident Notification Rule (Part 304 Subpart C), provide specificity regarding examiner review of service provider ROEs, and update links to references
Components of InTREx

Work Program
• Core Modules
• Expanded Modules
• Supplemental Workprograms

Information Technology Profile (ITP)
• Risk Profile
• Qualitative Adjustment

InTREx Workprogram Core Modules

Audit

Management
• Risk Assessment
• Vendor Management (Ongoing)
• Information Security Standards (GLBA)
• ID Theft Red Flags

Development & Acquisition
• Vendor Management (Acquisition)

Support & Delivery
• BCP
• Information Security
• Operations
• Incident Response
• Network Security (IDS, Firewall)
• EFT/E-Banking
InTREx Framework
Based on URSIT components
ED Module concept used for each component
ED Module core decision factors were derived from URSIT assessment factors
InTREx Features
• Incorporates baseline cybersecurity into procedures
• Requires a conclusion on cybersecurity preparedness
• Requires a conclusion on GLBA Information Security Standards (Part 364 Appendix B)
• Enhances focus on transaction/control testing
• Allows for tracking of deficiencies noted in any decision factor

InTREx Procedures

Core Modules (Audit, Management, D&A, S&D)
• All procedures should be completed, but not all bullets need to be addressed
• Examiners do have flexibility to scope down, just not scope out

Cybersecurity Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with
• Requires summary comment

Information Security Standards (GLBA) Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with
• Requires summary comment

InTREx Additional Procedures

Expanded Modules
• Available for Management and S&D
• Provide additional procedures for IT products/services not covered in the Core or that may need additional analysis

Supplemental Workprograms (ED Modules/FFIEC IT Handbook)
• ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.)
• FFIEC IT Handbook provides in-depth procedures
• FDIC Risk Advisories and Technical Examination Aids provide guidance
• Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review

InTREx Control Testing

Control Tests
• Core Modules identify potential control tests
• Control tests are marked with
• Use discretion in determining which tests to perform
• Not all control tests need to be performed, and conversely, examiners can do their own control tests
• If a control test was performed, the results should be noted in the comments to that procedure
• May leverage control testing performed by internal and external auditors
• Sufficient testing should be performed to validate the effectiveness of controls
InTREx Abbreviated Examination Procedures Q3-Q4 2025 Update
RD Memo 2025-027-RMS: IT Examination Procedures
• Issued by FDIC in August 2025
• Outlines guidance to examiners in planning and conducting risk-focused Information Technology (IT) examinations at banks of all complexity levels
• Details Abbreviated Examination Procedures (AEPs) effective until December 31st, 2025
• CSBS analyzed differences between the FDIC AEPs, the Core InTREx Examination Modules, and the Federal Reserve InTREx Base Examination Program
• CSBS recommends continued use of the normal state IT examination procedures in place while encouraging each department to work closely with their local FDIC field offices and EICs as the FDI

Link: https://www.csbs.org/fdic-abbreviated-core-module-examination-procedures-word
FDIC AEPs - Five (5) Examination Procedures
1. Assessment of IT risk management practices and actions taken as result of risk assessment.
2. Assessment of information security and cybersecurity risk management programs.
3. Assessment of IT audit or independent review program, including independent assessment of bank cybersecurity preparedness.
4. Assessment of resilience and preparedness for responding to and recovering from unexpected events, covering both business continuity management and incident response.
5. Assessment of effectiveness of vendor management and service provider oversight programs.
FDIC AEPs – Workpaper Documentation
• Procedure 1 - Management Core Module Procedures 1, 2, 11, and 12.
• Procedure 2 - Support and Delivery Core Module Procedure 17; Management Core Module Procedures 7, 8, 10, and 11; and Development and Acquisition Procedure 7 (End-of-Life Only).
• Procedure 3 - Audit Core Module Procedures 1, 2, 5, 6, and 10; and Development and Acquisition Procedure 7.
• Procedure 4 - Support and Delivery Core Module Procedures 4-9 and 13.
• Procedure 5 - Development and Acquisition Core Module Procedures 2-5.

Audit
Objectives
Provide tools to assess the effectiveness of the IT Audit Program
IT Audit Risk, Planning, and Scope
IT Audit Component Rating
Types of IT Audits/Reviews
IT Auditor Expertise
Audit/Independent Review
IT scope & frequency based on inherent or residual risks
Performed by independent personnel
Knowledgeable individuals conduct the engagements
Risk assessment/ complexity based
Conducted separately or all at once
Board/Committees receive results
Formal report includes Findings/Recommendations
Assessment Areas for IT Audits

The IT Audit program should be assessed for the following:
• Audit risk assessment, plan and scope
• Appropriate coverage of the entity’s IT environment and activities
• Quality of written IT reports
• Audit independence
• Auditor qualifications
• Findings and recommendations reporting and follow-up

Guidance for IT Audit
• FFIEC IT Examination Audit Handbook
• Federal Agency Rules and Regulations
• Interagency Policy Statement on the Internal Audit Function and its Outsourcing
• Interagency Policy Statement on External Auditing Program of Banks and Savings Associations
• Interagency Guidelines Establishing Information Security Standards (GLBA)
• Information Systems Audits and Control Association (ISACA)
IT Audit Engagements
Engaged & signed by an individual or committee not responsible for IT operations (This is an indicator of independence.)
Expectations and responsibilities
The scope, timeframes, and cost of work to be performed
Institution access to audit workpapers
IT Audit Engagement Letter
IT Audit Risk Assessment
The IT Audit Risk Assessment is not the same as the IT/GLBA Risk Assessment. They serve related but different purposes.
The IT Audit Risk Assessment is designed to identify key risk areas (business units or functions) to determine a reasonable level of engagement frequency. This assessment is entity-wide: the IT Audit Risk Assessment covers all aspects of an entity's IT program (operations, wires, security, vendor management, etc.). Its scope is much larger than an IT/GLBA risk assessment, which covers security and private, nonpublic, and other sensitive information.
IT Audit Scope
Identifies areas to be reviewed consistent with risk assessment/ risk level
Describes how the audit will be performed and tools to be used
Provides the timeframe for completing the audit
Firms may provide engagement letter specifying this information including costs, otherwise the scope will be defined in the report.
Example – Risk Assessment ≠ Audit Scope

Risk Assessment / Audit Schedule – List of IT Audits:
• Network Penetration and Vulnerability Assessment
• Wire Transfer Audit
• Internet Banking/Social Media Audit
• IT Audit
• Vendor Management Audit

Scope from IT Audit
IT Audit Examples
IT General Controls
Information Security Program (GLBA)
EFT (ACH/Wires/RDC)
NACHA Compliance
Penetration Testing/ Vulnerability Assessment/ Phishing Test
Identity Theft Red Flags Program
Regulation GG/Unlawful Internet Gambling Enforcement Act
IT Audit Coverage by Category
Business Continuity Planning
Change/Patch Management
Vendor Management
Cybersecurity
Management
Internet/ Online Banking Network
Strategic Planning
Third-Party Outsourcing
Disaster Recovery
Project Management
Architecture (Firewalls & IDS/IPS)
BIA
ITGC/GLBA
Incident Response
Social Engineering
Red Flags/ ID Theft Prevention
Security Monitoring
Written IT Audit Reports
• Describe scope, objectives, and results
• Identify deficiencies/weaknesses
• Suggest corrective action(s)
• Include management’s response/timing for corrective action(s)
• Provide information on prior audit findings, identifying repeat findings
• Comply with the audit plan & schedule
Types of IT Audits
Internal Audits/ Certifications
IT General Controls
Penetration Tests
Vulnerability Assessments
Statement on Standards for Attestation Engagements (SSAE-16/18) SOC Reports – SSAE 18 supersedes 16

IT General Controls (ITGC)

ITGC:
• Management, Board reporting, and governance
• Logical access controls over infrastructure, applications and data
• System development life cycle controls
• Program change management controls
• Data center physical controls
• System and data back-up & recovery controls
• Computer operation controls

ITGC engagements should be performed based on risk, which usually indicates annual performance.

Wire Transfer/ACH Audits

These services are critical to many financial entities, particularly in small to medium community banks, CUs, and MTs.
• Usually included with the ITGC audit
• Can be a separate audit: could occur in financial entities with significant wire/ACH activity, usually in large community financial entities
Question 1
Which of the following would you not expect to find as part of the scope of the IT Audit Program?
A. Model Risk Management
B. Funds Transfers Controls
C. GLBA Compliance
D. Business Continuity Planning
Vulnerability Assessment & Penetration Testing
Vulnerability assessment is a process that defines, identifies & classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure (vulnerability scans, tabletop assessments).

A penetration test subjects a system to real-world attacks selected & conducted by the testing personnel.

Vulnerability Assessments

Basic Vulnerability Assessment description:
• Requires specific skills/knowledge
• Audit team tries to find weak points
• Tools used simulate a variety of attacks
• Results are used in Penetration Testing for potential exploitation

Testing:
• Checking building windows and doors to see if they are secured
• Checking if the building is susceptible to other events, e.g. natural catastrophes
Performing Vulnerability Assessments The goal of vulnerability assessments is to identify devices, applications, or systems that have known vulnerabilities or configuration issues without compromising your systems.
A risk-based security vulnerability methodology is designed to comprehensively identify, classify and analyze known vulnerabilities to recommend the right mitigation actions.
Vulnerability Assessment vs. Risk Assessment

Risk assessment steps:
• Cataloging assets and capabilities (resources) in a system
• Assigning quantifiable value and importance to a resource
• Identifying the vulnerability or potential threat(s) to each resource
• Assisting in mitigating or eliminating vulnerabilities for key resources

FIs will sometimes use a vulnerability assessment to aid in completing the risk assessment process.

Penetration Test Considerations
• External Penetration Testing
• Internal Penetration Testing
• “Black Box, White Box”
• Application Penetration Tests
• Independent Party
• Qualifications of Penetration Testers
Why They Are Important:
• Penetration tests can give security personnel real experience in dealing with an intrusion
• Ideally, should be performed without informing staff, to test whether policies are truly effective; however, this may not be practical
• The test can uncover aspects of network security, application & operational policies that are lacking
Pen Test Strategies
• Targeted Testing – performed by the entity’s IT team and the external testing team
• External Testing – targets externally visible servers or devices (seen by anybody on the Internet) to see if they can get into internal systems and how far
• Internal Testing – mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)
Pen Test Value
• Ascertain the likelihood of gaining system access
• Detect vulnerabilities not easily found using standard system protective means
• Ability of current security methods to detect or repel an attack
• Likelihood of exploiting a low-risk vulnerability to gain higher-level access
• List of vulnerabilities that require remediation
• Measure of risk for a cyber attack
• Identify gaps and control weaknesses
Penetration Test (Pen Test)
• Pen Test “tests” systems to find & exploit known vulnerabilities that an attacker could exploit
• Determine if there are weaknesses and if able to access system functionality and data
• Pen Test report will describe any weaknesses as “high”, “medium” or “low”
• Require management’s knowledge & consent
• Require a high degree of skill to perform
• Are intrusive as actual “attack” tools are used
Question 2
Fill in the blanks: A “vulnerability assessment” ______ vulnerabilities, while a “penetration test” _______ vulnerabilities.
A. Assess; Corrects
B. Downloads new; Deletes old
C. Scans for; Exploits discovered
D. Exploits known; Discovers zero-day
External Technology Service Provider (TSP) Reports

FFIEC TSP Reports
• Public/open section that is available to FI clients
• Confidential section is available to regulatory agencies

Service Organization Control (SOC) Reports (SSAE 18)
• AICPA standard for reviews of service providers
• A type of control assessment provided to a service provider’s clients
Three Levels of Service Organization Control (SOC) Reports:
• SOC I – Focus on internal controls over financial reporting (ICFR)
• SOC II – Review of internal controls related to security, availability, processing integrity, confidentiality, and privacy. Review of specific controls based on service or product, not environment-wide. These are for different users, not audit.
• SOC III – Includes a description of the system and the auditor’s opinion. Like SOC II, but excludes disclosures/notes.
• Other SOC Reports – for Supply Chain and Cybersecurity

Two types of Service Organization Control (SOC) Reports:
• Type I – Describes the servicer’s descriptions of controls at a specific point in time. The auditor performs no testing of the servicer’s controls, attesting to controls based on the servicer’s account of controls (no opinion).
• Type II (preferred) – Includes information from a Type I Report, plus detailed testing of the servicer’s controls over a minimum consecutive six-month period. The auditor expresses an opinion based on their testing.
Audit Reporting/Follow-up

Like Safety & Soundness:
• IT Audit reporting channels – what is being reported and to whom
• Senior Management responses – are they reasonable and is the corrective timeframe appropriate
• Exception tracking – show all IT audit findings (internal, external, and regulatory) along with corrective action(s)

Auditor Independence & Qualifications

Independence:
• Whether or not there are conflicting duties, e.g., involved in auditing areas where they have responsibilities or oversight
• Auditor should be reporting to the Board or Audit Committee
• Whether or not the auditor has a debt with the entity (may have some influence)

Qualifications:
• Type of IT experience and training – some IT audits require specific skill sets
• Current IT certifications the auditor maintains
• List of references from entities with similar IT activities

These qualifications provide some assurances, but don’t guarantee a quality audit.
IT Audit Review
Audit reports include:
• Audit scope and objectives
• Pertinent areas for improvement based on results of testing
• Reasonable and appropriate recommendations, often with management's responses
• Findings and observations consistent with your examination results
Audit Report Review
Signs of a questionable audit:
• Auditors who rely solely on checklists
• Use of only regulatory work programs, which could indicate a lower standard of engagement
• Absence or lack of workpapers, which could indicate a poorly performed audit, especially if there are no workpapers showing how IT general controls (ITGCs) were reviewed/tested
Audit Findings Tracking & Resolution
Issues and corrective actions from internal audits and independent testing/assessments should be formally tracked to ensure procedure and control lapses are resolved in a timely manner. Look for:
• A formal tracking system that assigns responsibility and a target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• A process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures
Auditor Interview
Areas to focus on in the auditor interview:
• Knowledge of the IT environment and risks
• Understanding of the systems covered in the audit universe
• Understanding of the basic controls of those systems
• Verify training and/or certifications (as necessary); certifications require specific training and a number of continuing-education hours per year (usually 40)
• Type of work program used to document issues and conclusions. The work program should be specific to the engagement type and not necessarily the FFIEC work programs
Question 3
An effective IT audit will not include which of the following?
A. Experienced and knowledgeable auditor
B. Complete workpapers
C. Written audit report that details audit procedures and findings
D. Documented scope based on an established standard
E. All of the above are part of an effective IT audit
Audit Component Rating
Areas to focus on when rating the adequacy of the IT Audit component:
• Independence and quality of oversight
• Audit risk analysis methodology and resources applied
• Scope, frequency, accuracy, and timeliness of audit reports
• Extent of audit participation in the SDLC to ensure the effectiveness of internal controls and audit trails
• Audit plan providing appropriate coverage of IT risks
• IT auditors' adherence to codes of ethics and professional standards
• Qualifications of IT auditors
• Timely and formal follow-up and reporting on management's resolution of identified issues/weaknesses
• Quality and effectiveness of internal and external audit activity related to IT controls
Summary
• Audits are a necessity, whether performed by in-house and/or external resources
• Must be performed by independent and qualified individuals/companies/firms
• Based on a current risk assessment
• Must provide written, detailed, stand-alone reports
• Results must be reported to the Board's Audit Committee or a related Board committee in a timely manner
• Audits can aid in exam scope reduction
• If the audit function appears deficient, you do not need to keep going; document and support your conclusion
FFIEC CAT Tool
Cybersecurity Assessment Tool (CAT)
• The FFIEC developed the CAT to help institutions identify their cyber and IT security risks and determine their cybersecurity maturity.
• Institutions were expected to assess their inherent risk level and domain maturities as defined by the CAT.
• In August 2024 the FFIEC announced that the CAT would be sunset on August 31, 2025.
• Institutions are still expected to assess their cybersecurity posture using a formal methodology. Example methodologies include third-party assessments and resources from NIST.
• On February 26, 2024, NIST released the NIST Cybersecurity Framework (CSF) 2.0. The framework is a good reference when assessing cybersecurity.
CRI Profile (Cyber Risk Institute Profile)
• Developed by the Cyber Risk Institute (CRI), the Profile is designed specifically for the financial services sector.
• Aligns with existing regulatory expectations, such as GLBA and NYDFS 23 NYCRR 500.
• Provides a streamlined approach to risk assessment, mapping directly to NIST, ISO, and FFIEC expectations.
• Focuses on core cybersecurity domains: governance, asset management, data protection, threat and vulnerability management, and incident response.
• Enables more efficient reporting and examination readiness.
NIST Cybersecurity Framework (CSF) 2.0
• An updated version of the original NIST CSF, focusing on improving risk management strategies.
• Provides a structured approach organized into six functions: Govern (new in 2.0), Identify, Protect, Detect, Respond, and Recover.
• Enhanced emphasis on supply chain risk management and secure software development.
• Encourages deeper integration with organizational risk management and strategic objectives.
• Well recognized by regulators as a robust framework for cybersecurity readiness.
CIS Critical Security Controls
• Developed by the Center for Internet Security (CIS), the Controls offer a prioritized list of cybersecurity best practices.
• Includes 18 critical controls (version 8) that are mapped to specific defensive actions (safeguards).
• Emphasizes basic cyber hygiene, vulnerability management, and incident response preparedness.
• Highly actionable and well suited to resource-constrained organizations looking for rapid improvement in security posture.
• Provides a clear path to meeting both regulatory requirements and risk management goals.
Presenter Round Table
How effective do you think the FFIEC CAT was in evaluating cybersecurity maturity and identifying gaps for financial institutions?
Which of the alternative frameworks—CRI Profile, NIST CSF 2.0, or CIS Controls—do you think best aligns with current regulatory expectations, and why?
What steps should financial institutions be taking right now to prepare for the transition away from the CAT tool?
How should examiners adjust their engagement strategies with institutions during this transition period to ensure continued cybersecurity readiness?
Support & Delivery (S&D)
Support & Delivery Component
Question Which topics come to mind when you think about the phrase Support & Delivery?
(Type in Chat)
What is Support & Delivery?
• An organization's ability to provide technology services in a secure environment
• The condition of IT operations and factors such as reliability, security, and integrity, which may affect the quality of the information delivery system
• Operational risks throughout the organization and its service providers
Major Elements of Support & Delivery
Information Security
IT Operations
Business Continuity Management
Third-Party (Vendor) Risk Management
FFIEC IT Handbooks
Business Continuity Management
Architecture, Infrastructure & Operations
Information Security
Outsourcing Technology Services
E-Banking
https://ithandbook.ffiec.gov/it-booklets.aspx
Architecture, Infrastructure, & Operations (AIO)
What does Architecture, Infrastructure, and Operations cover?
Architecture: The strategic design and integration of systems (hardware and software) to support a business's objectives. Effective architecture planning and design enable the alignment of infrastructure with an entity's strategic goals.
Infrastructure: Encompasses the physical elements, products, and services crucial for sustaining business operations, such as facility maintenance. It covers IT infrastructure, networking, environmental controls (power and HVAC), and physical access. Infrastructure management can be handled internally or by third-party service providers as part of operations.
Operations: The activities that support business functions by employing methods, processes, procedures, and services. They transform inputs into desired products or services, delivering value to both internal and external customers. This includes maintaining, monitoring, and supporting business systems.
Module Agenda
Governance
Risk Management
Infrastructure
Operations
Evolving Technologies
AIO Infrastructure Governance
AIO/Support & Delivery Governance
To comprehensively address risks, it is essential that management focus on the following key questions:
1. Are responsibilities clearly delineated at the board, executive management, and operational levels?
2. How does strategic planning factor into risk mitigation?
3. Are policies, standards, and procedures effectively developed and followed?
4. How effective are audit processes and independent assessments?
5. How is risk management information reported to both management and the board?
AIO/Support & Delivery Key Roles and Responsibilities
IT Management Roles & Responsibilities
CIO/CTO: Responsible for overseeing the architecture function, implementing and maintaining the entity's infrastructure, and managing IT operations in an integrated IT environment. For more information about CIO and CTO roles, refer to the IT Handbook's "Management" booklet.
Chief Architect: Responsible for overseeing the IT architecture process; works with the CIO in maintaining the entity's IT architecture to achieve enterprise-wide business and strategic plan objectives.
Chief Data Officer (CDO): Oversees enterprise-wide data governance, focusing on the strategic use of data. This role involves safeguarding data, optimizing its utility, developing data-related policies, managing the data life cycle, standardizing data formats, and ensuring compliance with applicable laws and industry standards.
AIO Infrastructure IT Operations Personnel Responsibilities
Network infrastructure management
• Network and connectivity for internal and external communication
• Remote access
• Internal and external telecommunications management
• Port management
• Network monitoring and issue resolution
Server and device management
• Servers (on premises and off premises)
• Storage solutions
• Entity-supported devices (e.g., desktops, laptops, and mobile devices) and personally owned devices (e.g., mobile devices and personal assistants) where used
IT environment management
• Facility management, including data centers and connectivity to third-party service providers
• Help desk management
• Identity and access management (IAM)
• Backup and replication management
• Configuration management
• IT environment resilience
• Cyber and information security
• IT project management
AIO Infrastructure Board and Senior Management Reporting
Management should periodically report AIO-related initiatives, issues, and metrics, and the board should regularly monitor strategy, security, and resilience activities to verify that they are implemented as envisioned and reviewed periodically and as changes occur. Board minutes should reflect significant AIO-related discussions, including credible challenges and approvals. Reporting should cover:
• Performance of IT and AIO activities
• Return on investment for IT
• Anomalies (performance/capacity)
• Areas for improvement (e.g., cost, system, process, or service) providing opportunities for AIO
AIO Infrastructure Risk Topics
AIO Infrastructure Data Governance & Data Management
Effective data management ensures data is readily accessible, reliable, and timely for users. It also includes a process for securely removing or destroying data when it is no longer needed, with a focus on verifying the effectiveness of that process. Examiners should assess the following:
• Data identification and classification procedures
• Controls for safeguarding data in both physical and digital formats
• Monitoring of databases, new and existing, including noncompliant or misconfigured databases and any changes to them
• The effectiveness of securing databases, analytics tools, and reports
• Procedures for controlling unmasked data in non-production environments
• Processes for applying patches to databases and monitoring the production database's patch level for updates
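The bullet on unmasked data in non-production environments is one an examiner can ask to see evidence for: how does the institution know a test database refreshed from production does not still hold live customer data? As an added example, not part of the course material or any vendor's tooling, the Python below runs the kind of check a pre-refresh or periodic scan of a non-production copy might perform. It flags SSN-shaped values and card numbers that pass the Luhn check, and ignores properly masked values and digit strings that merely look like card numbers. The column names, sample rows, and regular expressions are constructed assumptions.

```python
"""Added example (not from the course material): detect unmasked
sensitive data in rows copied into a non-production environment.
Sample rows, column names and patterns below are constructed."""
import re

# SSN pattern: AAA-GG-SSSS, rejecting the area/group/serial values the
# SSA never issues (000, 666, 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13-19 digits with optional single space/dash
# separators. Candidates are confirmed with the Luhn check below so that
# order IDs and other long digit strings are not reported.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return 'ssn', 'pan', or None for a single cell value."""
    if SSN_RE.search(value):
        return "ssn"
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "pan"
    return None


def find_unmasked(rows):
    """Scan a list of row dicts; return (row_index, column, kind) per hit."""
    findings = []
    for idx, row in enumerate(rows):
        for col, val in row.items():
            kind = classify(str(val))
            if kind:
                findings.append((idx, col, kind))
    return findings


# Constructed sample: row 0 was masked correctly before the refresh,
# row 1 was copied from production unchanged.
SAMPLE_ROWS = [
    {"customer": "A. Example", "tax_id": "XXX-XX-6789",
     "card_number": "************1111", "order_id": "1234567890123456"},
    {"customer": "B. Example", "tax_id": "123-45-6789",
     "card_number": "4111 1111 1111 1111", "order_id": "9876543210"},
]

if __name__ == "__main__":
    for row_idx, column, kind in find_unmasked(SAMPLE_ROWS):
        print(f"row {row_idx}: column {column!r} holds an unmasked {kind}")
```

The Luhn confirmation matters in practice: a 16-digit order number in the first row passes the regular expression but fails the check, so only the second row is reported. A real scan would sample the database's own tables and feed findings into the exception tracking described earlier in the audit section.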
AIO Infrastructure IT Asset Management
ITAM, or Information Technology Asset Management, is the process of tracking, managing, and reporting on information and technology assets from acquisition to disposal.
Architecture
• Inventories enable management to make informed design changes to align with strategic goals and objectives.
Infrastructure
• ITAM facilitates management's ability to procure hardware or software components that are compatible with the entity's existing infrastructure.
Operations
• ITAM identifies systems that require patching and hardware or software nearing end-of-life, and supports vulnerability management.
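An inventory is only useful for the Operations bullets above if it is complete and compared against something. As an added example, not part of the course material or any ITAM product, the Python below reconciles an asset inventory against the hosts a network scan actually observed and then produces the two lists the slide says ITAM should surface: assets past (or approaching) vendor end-of-life and assets behind the approved patch baseline. Every record, hostname, product name, date, and the field layout is a constructed assumption.

```python
"""Added example (not from the course material or any ITAM product):
reconcile an IT asset inventory against discovered hosts and flag
end-of-life and under-patched assets. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str            # dotted version string such as "7.2.14"
    eol: Optional[date]     # vendor end-of-life date, None if unknown


# Constructed inventory, as an ITAM system might export it.
INVENTORY = [
    Asset("core-db01", "ExampleDB", "14.3", date(2028, 11, 30)),
    Asset("fw-edge01", "ExampleFW", "6.4.9", date(2024, 6, 30)),      # already past EOL
    Asset("app-web02", "ExampleOS", "7.2.1", date(2027, 3, 31)),      # behind patch baseline
    Asset("app-web03", "ExampleOS", "7.2.14", date(2027, 3, 31)),
    Asset("legacy-fax01", "ExampleOS", "7.2.14", date(2026, 1, 31)),  # EOL approaching
]

# Constructed: hostnames a network scan / NAC reported on the review date.
DISCOVERED = {"core-db01", "fw-edge01", "app-web02", "legacy-fax01", "branch-kiosk07"}

# Constructed: minimum approved version per product (the patch baseline).
BASELINE = {"ExampleDB": "14.3", "ExampleFW": "6.4.12", "ExampleOS": "7.2.14"}

# Constructed review date (the course's first day, used only as a fixed point).
REVIEW_DATE = date(2025, 10, 7)


def parse_version(v: str):
    """'6.4.9' -> (6, 4, 9). Compare numerically: as strings, '6.4.9' > '6.4.12'."""
    return tuple(int(part) for part in v.split("."))


def reconcile(inventory, discovered):
    """Hosts on the network the inventory does not know about, and inventoried
    hosts not seen on the network (decommissioned, offline, or mis-recorded)."""
    known = {a.hostname for a in inventory}
    return {
        "unknown_on_network": sorted(discovered - known),
        "missing_from_network": sorted(known - discovered),
    }


def eol_findings(inventory, as_of, warn_days=180):
    """Assets past end-of-life, within warn_days of it, or with no EOL recorded."""
    findings = []
    horizon = as_of + timedelta(days=warn_days)
    for a in inventory:
        if a.eol is None:
            findings.append((a.hostname, "eol_unknown"))
        elif a.eol < as_of:
            findings.append((a.hostname, "past_eol"))
        elif a.eol <= horizon:
            findings.append((a.hostname, f"eol_within_{warn_days}_days"))
    return findings


def patch_findings(inventory, baseline):
    """Assets whose version is below the approved baseline for their product."""
    findings = []
    for a in inventory:
        minimum = baseline.get(a.product)
        if minimum is None:
            findings.append((a.hostname, a.version, "no_baseline"))
        elif parse_version(a.version) < parse_version(minimum):
            findings.append((a.hostname, a.version, minimum))
    return findings


if __name__ == "__main__":
    print(reconcile(INVENTORY, DISCOVERED))
    print(eol_findings(INVENTORY, REVIEW_DATE))
    print(patch_findings(INVENTORY, BASELINE))
```

Two points from the output are the ones an examiner would follow up on: the host seen on the network but absent from the inventory (nobody is patching what nobody tracks), and the firewall that is both past end-of-life and behind the baseline, which is where the "nearing end-of-life" and "requires patching" bullets above meet. Note that the version comparison must be numeric; a string comparison would silently rate 6.4.9 as newer than 6.4.12.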