2023 IT Examiner School
Information Technology Risk Examination
Information Technology Profile
1. Determine whether the following policies and processes address cloud computing. Consider the following:
Information Security Risk Assessment
Technology Outsourcing (Vendor Management) Policy
Information Security Policy
Security Incident or Customer Notification Policy
Business Continuity Plan
Decision Factor 1 ▲
2. For cloud computing, determine that inherent risks have been comprehensively evaluated, control mechanisms have been clearly identified, and residual risks are at acceptable levels. Consider the following:
Data in the cloud is identified and appropriately classified
Controls are commensurate with the sensitivity and criticality of the data
Effectiveness of the controls is tested and verified
Institution’s business continuity plan addresses contingencies for cloud services
Institution has an exit strategy, including a de-conversion plan, for cloud services
Decision Factor 1 ▲
3. Evaluate the institution’s participation in user groups to monitor and influence critical service providers.
Decision Factor 2 ▲
4. For critical service providers or vendors with access to sensitive customer information, evaluate management’s assessment of these vendors’ written information security programs. Consider the following:
Physical, logical, and environmental controls
Encryption of electronic customer information
Dual control procedures, segregation of duties, and employee background checks
Monitoring systems and procedures to detect actual and attempted attacks or intrusions
Incident response program that specifies actions to be taken when the vendor suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to the institution, regulators, and law enforcement agencies
Training, including cybersecurity, for vendor employees
Decision Factor 3 ▲