Baseline Nonbank Cybersecurity Exam Program

Question 1

Is the scope and frequency of IT audits appropriate for the size and complexity of the institution? Are audit plans driven by the institution's risk assessment process?

Question 2

Does the institution have a process for tracking issues identified during testing, monitoring, auditing, and regulatory examinations? This includes assigning the action needed to correct each issue and recording when the issue is resolved or the risk is accepted.
