Examiner-in-Charge School Feb 2024

AGENDA SAMPLES

Information Technology Management

• The Board's supervision of the Information Security Program (ISP) is satisfactory; however, the formality of reviewing management's activities and the IT risk profile should be improved.
• The IT Steering Committee meets sporadically.
  o The Board should implement a regular meeting schedule for the committee based on committee objectives and the risk profile of the institution.
• The risk assessment is generally appropriate, but gives minimal consideration to cloud services, cyber-related risks, and accepted audit risks.

Strategic Planning

• The IT Strategic Plan is short-term (12 months) and the enterprise-wide plan lacks the specificity needed for adequate planning.
  o Strategic plans should be enhanced to include IT goals and needs 3 to 5 years into the future, ensuring allocation of IT resources and budget considerations.
  o IT strategic planning should align with the enterprise business plans.

See also the FFIEC IT Handbook – Management

Reporting and Monitoring

• Currently, IT Steering Committee meeting minutes and IT-related reporting made to the Board are insufficient.
  o Management should develop an IT risk reporting process, including defined reporting channels, to ensure accurate, timely, and relevant reporting is made to the appropriate levels of management.
  o Formal reports to the Board, and documentation in Board meeting minutes, should include, at a minimum, the annual GLBA report and the Identity Theft/Red Flag report.

See also the FFIEC IT Handbook – Management

Proposed Rating –

*Certain agenda items have been omitted for the purposes of this CSBS course.
