IT Examiner School, Seaside, CA
Technology Overview
• Risk assessments for networks should be performed annually
• Network topologies should be updated regularly
• Appropriate monitoring deployed
• Vulnerability Assessments and Penetration Tests should be performed annually
• Applications and systems should be patched regularly
Audit
• Performed by independent personnel
• Conducted by knowledgeable individuals
• Based on risk assessment/complexity
• Findings/recommendations are documented
• Results are reported to the Board/Committee
• Conducted separately or all at once
• IT scope & frequency based on inherent or residual risk
FFIEC specifies that high risk areas should be audited/reviewed at least annually