IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

D&A Core Module Procedure 7 – Change Management

Evaluate change management procedures (e.g., hardware, software, security updates, vendor releases, routine and emergency program changes) for all critical systems and applications. Consider the following:

- Request and approval
- Testing
- Segregation of duties
- Implementation
- Backup and back-out
- Documentation
- User notification and training
- Identification and replacement of systems nearing or at end-of-life (EOL)

(Refer to Procedure #2 – D&A Core Module Procedure #7 to enter examiner finding or comment)

If all software updates and vendor releases have not been installed, review management's documentation supporting the delay.

FDIC: When weaknesses are found, consider controls identified in the following Ransomware TEA: Operating System Hardening

Procedure 4 – Support and Delivery (S&D) Core Module Procedures 4 – 9 and 13

Assessment of resilience and preparedness for responding to and recovering from an unexpected event, covering both business continuity management and incident response. The program should provide for:

- Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused.
- Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below.
- Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR), in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing.
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
- Notifying customers when warranted.
- Identifying critical services and recovery attributes.
- Assessing the completeness and effectiveness of physical recovery testing, including testing method, cadence, last test dates, and results.
- Determining if the bank has effectively demonstrated the ability to physically recover critical services.

Reference InTREx Core Modules – S&D Core Module Procedures 4 – 9 and 13 as prescribed below:

Click here to enter comments

InTREx Abbreviated Core Examination Procedures Module July 29, 2025

Page 9 of 17
