2023 IT Examiner School
Internal Use Only
Risk Mitigation "Tools"

• Properly identified risks, prioritized by importance/criticality
• Independent audits
• Appropriate IT policies, procedures, and standards
• Appropriate IT system and application security controls, with timely monitoring
• Vulnerability assessments and penetration tests
• Dual controls / separation of duties
• Cybersecurity reviews/audits
• Strong vendor management controls
Effective Governance Practices

There are a variety of ways our financial institutions can achieve effective governance practices, but policies, procedures, and standards are often the foundation. Policies, procedures, and standards should:

• Be designed, approved, and implemented enterprise-wide
• Provide appropriate guidance and standards for ALL current IT activities
• Be tailored to the organization's unique characteristics
• Conform to regulatory guidance and/or legal standards
• Provide for appropriate employee awareness training
• Be reviewed and approved annually by the Board, with that review and approval documented in the Board minutes (this applies to policies; procedures and standards are not always Board-approved)