IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Evaluate the adequacy of IT and MIS reports, and management’s review of those reports. Assess the quality of reporting to management and the Board. Consider the following:

• Report timeliness, accuracy, consistency, completeness, and relevance
• IT risk assessments
• IT standards and policies, procedures, and standards
• Resource allocation (e.g., major hardware/software acquisitions and project priorities)
• Status of major projects
• Corrective actions on significant audit and examination deficiencies
• Information security program, including cybersecurity

Management Core Module Procedure 11 – Risk Assessment Process

Evaluate the institution’s IT risk assessment process. Consider the following:

• Identification of all information assets and systems (e.g., cloud-based, interfaces and middleware, virtualized, and paper-based systems)
• Identification of critical service providers
• Gathering of threat intelligence (e.g., FS-ISAC, US-CERT, InfraGard)
• Determination of threats, including likelihood and impact
• Identification of inherent risk levels
• Documentation of controls to reduce threat impact
• Determination of the quality of controls (i.e., testing)
• Identification and evaluation of residual risk levels
• Remediation program for unacceptable residual risk levels
• Updating the risk assessment promptly for new or emerging risks

FDIC: When weaknesses are found, consider controls identified in the following Ransomware TEA: Authentication

Management Core Module Procedure 12 – Risk Monitoring

Evaluate the adequacy of risk monitoring and oversight of IT operations by senior management or designee. Consider the following:

• IT projects
• Security incidents, including cyber incidents
• End user support (e.g., help desk, compliance with service level agreements (SLAs), open tickets)
• System availability and capacity
• Network security, including firewalls and intrusion detection/prevention
• Patch management, vulnerability management, and change management

InTREx Abbreviated Core Examination Procedures Module July 29, 2025
