Examiner-in-Charge School Feb 2024
REPORT OF EXAMINATION (ROE) SAMPLE COMMENTS
IT MANAGEMENT – 2
The Board has established satisfactory risk management practices and identifies, monitors, and controls IT and Information Security Program (ISP) related risk appropriately. IT policies and procedures generally reflect the complexity of the risk environment. The Risk Assessment lacks adequate identification of cloud services and cybersecurity risks, and acceptances of audit findings are minimally addressed. The IT Strategic Plan is short-term and limited to considerations of the IT department. The bank-wide Strategic Plan encompasses all business units, including the IT department; however, it lacks the specificity necessary to coordinate IT resources and to assess and mitigate the risks of new services and technologies.

Compliance with Interagency Information Security Standards
Management is compliant with Appendix B to Part 364 – Interagency Guidelines Establishing Information Security Standards of the FDIC’s Rules and Regulations. The annual IT Report covering the status of the ISP was reported to the Board as a consent agenda item on August 22, 2023.

Cybersecurity Preparedness
Management self-assessed cyber risk using the FFIEC Cybersecurity Assessment Tool, resulting in an inherent risk profile of minimal and a baseline maturity level. Management also completed the Ransomware Self-Assessment Tool to evaluate ransomware threats.

Reporting and Monitoring
Currently, all IT-related items receive blanket Board approval with no discussion or review of supporting documentation. Management should develop an IT risk reporting process, including defined reporting channels, to ensure accurate, timely, and relevant reporting is made to the appropriate levels of management.
Documents which assign responsibility for the ISP, and annual reports of management’s efforts to implement the ISP, should be formally reviewed by the Board and noted in meeting minutes, including annual approval of the information security program/policy and risk assessment, the annual Gramm-Leach-Bliley Act (GLBA) report, and the annual Identity Theft/Red Flag report. Refer also to the FFIEC Management IT Handbook for additional guidance.
COO Jody Smith committed to ensuring the aforementioned items are reviewed and formally approved at the next meeting on February 8, 2024.