2023 IT Examiner School
Regulations & Guidance – Non-Depository
Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s ISP (information security program) must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control the risks identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board
Examination Approach Examples: Depository Institutions
Type of Entity – IT Exam Approaches/Rating Systems
• Banks and Credit Unions – Information Technology Risk Examination (InTREx); UFIRS/CAMELS; FFIEC Uniform Rating System for IT (URSIT); CAMEL, where “M” includes a review of information systems
• Trust Companies – FFIEC Uniform Interagency Trust Rating System (UITRS)
• Foreign Banking Organizations & Bank Holding Companies – FRB, States; ROCA Rating System, where “O” is operational controls