IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Ensure the written information security program is approved by the Board. The program should include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. Consider the following:

- Access controls on customer information systems
- Access restrictions at physical locations containing customer information
- Encryption of electronic customer information, including while in transit or in storage on networks or systems
- Procedures designed to ensure that customer information system modifications are consistent with the institution's information security program
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
- Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
- Incident response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures
- Measures for properly disposing of sensitive customer/consumer data containing personally identifiable information

Management Core Module Procedure 8 – Information Security Training Program

Review and evaluate the training program. Consider the following:

- Periodic information security training for all employees and the Board, including cybersecurity alerts
- Specialized training for employees in critical positions (i.e., system administrators, information security officer)
- Training of back-up personnel
- Acceptable use expectations
- Employee security awareness training
- Customer awareness program

InTREx Abbreviated Core Examination Procedures Module July 29, 2025
