IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Management Core Module Procedure 10 – Incident Response

Evaluate management's process for responding to incidents, including adherence to the institution's incident response plan. Consider the following:

• Filing a SAR
• Notifying the primary regulator
• Notifying law enforcement
• Notifying customers (if necessary)
• Engaging forensic and incident response services (if necessary)
• Notifying the insurance company

Refer to InTREx Core Module – Support and Delivery, Procedure #13.


Management Core Module Procedure 11 – Risk Assessment Process

Evaluate the institution's risk assessment process. Consider the following:

• Identification of all information assets and systems (e.g., cloud-based, interfaces and middleware, virtualized, and paper-based systems)
• Identification of critical service providers
• Gathering of threat intelligence (e.g., FS-ISAC, US-CERT, InfraGard)
• Determination of threats, including likelihood and impact
• Identification of inherent risk levels
• Documentation of controls to reduce threat impact
• Determination of the quality of controls (i.e., testing)
• Identification and evaluation of residual risk levels
• Remediation program for unacceptable residual risk levels
• Updating the risk assessment promptly for new or emerging risks

FDIC: When weaknesses are found, consider the controls identified in the following Ransomware TEA: Authentication.


D&A Core Module Procedure 7 – EOL Only

Assess the level and quality of oversight and support by management and the board of directors of development and acquisition activities, limited to the identification and replacement of systems nearing or at end of life (EOL).


InTREx Abbreviated Core Examination Procedures Module July 29, 2025

Page 6 of 17
