IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Management Core Module Procedure 1 – Board and Management Oversight

Evaluate the quality of Board and management oversight of the IT function. Consider the following:

- Adequacy for developing and approving IT policies
- Effectiveness of IT organizational structure, including representation at the board and senior management level, segregation of duties, and resource adequacy
- Composition of IT-related committees (e.g., board, senior management, business lines, audit, and IT personnel)
- Scope and frequency of IT-related meetings
- Designation of an individual or committee to oversee the information security program, including cybersecurity
- Technology support for business lines
- The adequacy of contracts and management's ability to monitor relationships with third-party service providers, including supply chain partners (refer to Development and Acquisition Module Procedures 3, 4, and 5)
- Oversight of IT functions as identified in other InTREx modules (consider concerns that were identified in other modules)
- Management's ability to address the issuance of new laws/regulations and regulatory guidelines

Management Core Module Procedure 2 – Management Reporting

- Documentation of an annual report to the board or an appropriate committee thereof, which describes the overall status of the information security program and the institution's compliance with 12 CFR 364 Appendix B. The report should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

Reference InTREx Core Modules – Management Procedures 1, 2, 11, and 12 as prescribed below:

Procedure 1 – Management Core Module Procedures: 1, 2, 11, and 12

Assessment of IT risk management practices and the actions taken as a result of the risk assessment. The components of the assessment should include the following:

- Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
- The likelihood and potential damage of those threats, taking into consideration the sensitivity of customer information.
- The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

InTREx Abbreviated Core Examination Procedures Module July 29, 2025

Page 2 of 17
