Cyber & IT Supervisory Forum - November 2023
Internal Use Only
High level findings from Analysis
Align with current laws and practices
• NIST/IT Handbook terminology
• Third party risk management
• Information Security Guidelines
• Enhance distinctions between components (e.g., between the Support & Delivery Component and the Management Component)

Update risk management principles/practices assessed in URSIT
• Critical activities in assessment factors
• Risk appetite in all components
• Governance practices (three lines of defense)
• Operational resilience expectations
• Industry standards and implementation

Modernize for current technology environment and risk landscape
• Current technology environment
• Effective IT and service provider inventories and risk assessments
• Cybersecurity threats
• Innovation including cloud
• Authentication to secure internal and external (SaaS) IT environments
• Supply chain risk vs service provider
Options for an Update to URSIT