IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Procedure 2 – Support and Delivery (S&D) Core Module Procedure 17; Management Core Module Procedures 7, 8, 10, and 11; Development and Acquisition (D&A) Core Module Procedure 7 (End-of-life (EOL) Only)

Assessment of information security and cybersecurity risk management programs. The program(s) should be designed to:

• Ensure the security and confidentiality of customer information.
• Protect against any anticipated threats or hazards to the security or integrity of such information.
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Reference InTREx Core Modules – S&D Procedure 17; Management Procedures 7, 8, 10, and 11; D&A Procedure 1 EOL Only as prescribed below:

S&D Core Module Procedure 17 – Patch Management

Determine whether sufficient patch management policies and procedures are in place to protect computer systems against software vulnerabilities. Consider the following:

• Assignment of responsibilities for patch management
• Tests of patches prior to implementation
• Installation of vendor supplied patches for:
   o Operating systems
   o Firewalls
   o Routers
   o Switches
   o Intrusion detection/prevention systems (IDS/IPS)
   o Applications
   o Workstation products (e.g., Adobe, Microsoft Office, Java)
   o Other critical systems
• Documentation of reasons for any missing or excluded patches
• Validation that system security configurations remain within standards after patch installation
• Documented reviews of vendor-provided patch reports, if patch management is outsourced
• Adequacy of automated tools (if being used) to implement patches, to audit for missing patches, and to validate secure configurations after patching
• Adequacy of the vulnerability management program in validating the effectiveness of patch management

FDIC: When weaknesses are found, consider controls identified in the following Ransomware TEA: Operating System Hardening.

Management Core Module Procedure 7 – Information Security Policy

InTREx Abbreviated Core Examination Procedures Module July 29, 2025
