Cyber & IT Supervisory Forum - November 2023

Internal Use Only

R ‐ SAT v. 2.0: Questions 7, 8, & 9

NEW: Added “unpatched vulnerabilities” to common ransomware attack vectors.

NEW: Added request to identify any specific risks identified in risk assessments that have not been appropriately remediated or mitigated to an acceptable risk level. NEW: New question. Added question to identify whether all employees are periodically provided information on emerging ransomware threats via emails, meetings, etc.

9

Internal Use Only

R ‐ SAT v. 2.0: Question 10

NEW: Added new sub ‐ question to address the frequency of formal security awareness training offerings. Reworded main question to add new consideration for “Acceptable Use Policy training and written employee acknowledgement”

10