IT Examiner School eBook May 2025

IT Examiner School
May 20-29, 2025, Live Virtual

www.csbs.org ♦ @csbsnews

CONFERENCE OF STATE BANK SUPERVISORS 1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840

May 20-29, 2025 IT Examiner School Live Virtual

ATTENDEES

Arkansas State Bank Department
• Hardee, Lane – lhardee@banking.state.ar.us

California Department Of Financial Protection And Innovation
• Ahn, Ron – Ron.Ahn@dfpi.ca.gov
• Dao, Nhu – nhu.dao@dfpi.ca.gov
• Fonseca, Christian – Christian.Fonseca@dfpi.ca.gov
• Kumar, Shavnita – Shavnita.Kumar@dfpi.ca.gov
• Sefah, Kwasi – Kwasi.Sefah@dfpi.ca.gov
• Laskosky, Monte – Monte.Laskosky@dfpi.ca.gov
• Rajan, Neil – Neil.Rajan@dfpi.ca.gov
• Shem, Randall – Randall.Shem@dfpi.ca.gov
• Singh, Henna – Henna.Singh@dfpi.ca.gov
• Tran, Samson – Samson.Tran@dfpi.ca.gov
• Uvidia, Angela – Angela.Uvidia@dfpi.ca.gov
• Yang, Kathy – Kathy.Yang@dfpi.ca.gov
• Zhou, ZhaoZhan – ZhaoZhan.Zhou@dfpi.ca.gov

Colorado Department of Regulatory Agencies Division of Banking
• Scott, Nathan – nathan.scott@state.co.us

Georgia Department of Banking & Finance
• Mattis, Nicole – nmattis@dbf.state.ga.us
• Seigler, Brittney – bseigler@dbf.state.ga.us

Iowa Division of Banking
• Douglass, Ethan – ethan.douglass@idob.state.ia.us

Kansas Office Of The State Bank Commissioner
• Pierson, Andy – andy.pierson@osbckansas.org

Michigan Department Of Insurance And Financial Services
• Cliett, Ashley – clietta@michigan.gov

Nevada Department of Business & Industry Financial Institutions Division
• Furlow, Virgil – vfurlow@mld.nv.gov

New York State Department Of Financial Services
• Ku, Wesley – wesley.ku@dfs.ny.gov
• Mehta, Deepali – deepali.mehta@dfs.ny.gov
• Tiwary-Singh, Jemima – jemima.tiwary-singh@dfs.ny.gov

North Carolina Office Of The Commissioner Of Banks
• Briggs, Lee – lbriggs@nccob.gov
• Glidewell, Matthew – mglidewell@nccob.gov

Oregon Division of Financial Regulation
• Rylander, Joshua – Joshua.T.RYLANDER@dcbs.oregon.gov

Texas Department of Banking
• Pecero, Ray – ray.pecero@dob.texas.gov

INSTRUCTORS

California Department Of Financial Protection And Innovation
• Fujikawa, Matthew – matthew.fujikawa@dfpi.ca.gov

New York State Department Of Financial Services
• Farrar, Craig – craig.farrar@dfs.ny.gov
• Peterson, William – william.peterson@dfs.ny.gov

North Carolina Commissioner of Banks
• Biser, Kenneth – kbiser@nccob.gov

CSBS STAFF
• Richardson, Amy – arichardson@csbs.org

IT Examiner School Live Virtual May 20-29, 2025

Internal Use Only

Week 1

Tuesday, May 20, 2025
12:30 pm – 1:30 pm  Introduction & Pre-Course Review/Terminology
1:30 pm – 2:15 pm  Regulations/Guidance
2:15 pm – 2:30 pm  Break
2:30 pm – 3:00 pm  IT Examination Work Programs
3:00 pm – 4:30 pm  Audit

Wednesday, May 21, 2025
12:30 pm – 1:30 pm  Audit
1:30 pm – 2:00 pm  Cyber Maturity Assessment/FFIEC CAT Tool Sunsetting
2:00 pm – 2:15 pm  Break
2:15 pm – 3:15 pm  Development & Acquisition
3:15 pm – 4:00 pm  Information Security Framework/Risk Assessment

Thursday, May 22, 2025
12:30 pm – 12:45 pm  Information Security Framework/Risk Assessment
12:45 pm – 1:30 pm  Risk Assessment Activity
1:30 pm – 1:45 pm  Break
1:45 pm – 4:00 pm  Support & Delivery

Week 2

Tuesday, May 27, 2025
12:30 pm – 12:45 pm  Prior Week Review
12:45 pm – 2:00 pm  Business Continuity Planning & Disaster Recovery
2:00 pm – 2:15 pm  Break
2:15 pm – 3:15 pm  Business Continuity Planning & Disaster Recovery
3:15 pm – 4:00 pm  Third-Party Risk Management

Wednesday, May 28, 2025
12:30 pm – 2:15 pm  Management
2:15 pm – 2:30 pm  Break
2:30 pm – 3:00 pm  Composite Rating Discussion & Exercise
3:00 pm – 4:00 pm  Breakout Rooms

Thursday, May 29, 2025
12:30 pm – 1:30 pm  Composite Rating Exercise Discussion
1:30 pm – 2:00 pm  Emerging Issues
2:00 pm – 2:15 pm  Break
2:15 pm – 3:30 pm  Emerging Issues
3:30 pm – 4:00 pm  Final Assessment & Course Wrap Up

Virtual IT Examiner School May 20-29, 2025

Zoom

Schedule

This week:
• Tuesday, May 20: 12:30 PM – 4:00 PM ET
• Wednesday, May 21: 12:30 PM – 4:00 PM ET
• Thursday, May 22: 12:30 PM – 4:00 PM ET

Next week:
• Tuesday, May 27: 12:30 PM – 4:00 PM ET
• Wednesday, May 28: 12:30 PM – 4:00 PM ET
• Thursday, May 29: 12:30 PM – 4:00 PM ET

Instructor Contact Information

Matthew Fujikawa
Financial Institutions Manager, California Department of Financial Protection & Innovation
Matthew.Fujikawa@dfpi.ca.gov

Kenneth Biser
Advanced IT Examiner, North Carolina Office of the Commissioner of Banks
kbiser@nccob.gov

Craig Farrar
Director, Financial Services Programs, Cybersecurity Division, New York State Department of Financial Services
Craig.Farrar@dfs.ny.gov

William Peterson
Assistant Deputy Superintendent, Cybersecurity Division, New York State Department of Financial Services
William.Peterson@dfs.ny.gov

NYS DFS Disclaimer

The views expressed are those of the speaker and do not represent the official views of New York State or the NYS Department of Financial Services, aka DFS. Anything said during this training shall not bar, estop, or otherwise prevent DFS, or any federal or other state agency from taking any action different from anything said during this training. Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

Introductions

Name

State

IT Exam Experience

Fun fact

Something you hope to learn

Regulations & Guidance

Module Agenda
• Provide an overview of common data privacy laws and standards
• Discuss information security related laws impacting financial institutions (FIs)
• Describe the Gramm-Leach-Bliley Act (GLBA) and federal implementation of the standards required under Section 501(b)
• Compare examination approaches, work programs, and rating systems for depository and non-depository FIs

Examples of Data Privacy Related Laws/Standards

FERPA (Family Educational Rights and Privacy Act), 1974
Overview: Protection of student records
Who it impacts: Any post-secondary educational institution

HIPAA (Health Insurance Portability and Accountability Act), 1996
Overview: Protects the privacy of patient records
Who it impacts: Any company or agency that deals with health care

GLBA (Gramm-Leach-Bliley Act), 1999
Overview: Mandates that companies secure private information of clients and customers
Who it impacts: Financial institutions (FIs) that offer financial products (insurance, loans, investments)

SOX (Sarbanes-Oxley Act), 2002
Overview: Maintain and protect financial records for seven (7) years
Who it impacts: US public companies, accounting and management firms

FISMA (Federal Information Security Management Act), 2002
Overview: Recognizes information security as a national security matter
Who it impacts: Federal agencies dealing with information related to national security

PCI-DSS (Payment Card Industry Data Security Standard), 2004
Overview: Consumer credit card data
Who it impacts: Companies involved in handling of credit card information

Information Security Related Laws Impacting FIs

Bank Service Company Act, 12 USC 1867(c)
Subjects bank service companies to examination and regulation by federal regulators and requires notice to be provided within 30 days of entering into a service contract.

Bank Protection Act, 12 USC 1882 ("Security Measures for Banks and Savings Associations")
Requires installation, maintenance, and operation of security devices and procedures to discourage robberies, burglaries, and larcenies and to assist in the identification and apprehension of persons who commit such acts.

Fair and Accurate Credit Reporting Act (FCRA), 15 USC 1681w
Requires each FI to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports, to address risks associated with identity theft.

Gramm-Leach-Bliley Act (GLBA), 15 USC 6801
Requires each agency or authority to establish appropriate standards for the FIs subject to their jurisdiction relating to administrative, technical, and physical safeguards.

Source: https://ithandbook.ffiec.gov/laws-regulations-guidance/information-security/#Laws
Complete list of FFIEC maintained laws, regulations, and guidance: https://ithandbook.ffiec.gov/laws-regulations-guidance/

The Gramm Leach Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

The Gramm-Leach-Bliley Act (GLBA) - cont.

Title V, Subtitle A of the Gramm-Leach-Bliley Act ("GLBA") governs the treatment of nonpublic personal information (NPPI or NPI) about consumers by financial institutions.
• Section 501 – protection of nonpublic personal information
• Section 502 – prohibits financial institutions from disclosing nonpublic personal information about a consumer to non-affiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements; and (ii) the consumer has not elected to opt out of the disclosure
• Section 503 – requires institutions to provide notice of their privacy policies and practices to their customers

"It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information" (Section 501(a))

The Gramm-Leach-Bliley Act (GLBA) - 501(b)

Section 501(b) requires each agency or authority to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
• To ensure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such records; and
• To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In 2000, the Board of Governors of the FRS ("Board"), the FDIC, the NCUA, the OCC, and the former OTS published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.

Regulatory Authority Examples: Depository Institutions

Type of Entity: Banks (state-member, national, state non-member, credit union)
Regulators / Licensure: FDIC, FRB, OCC, States, CFPB
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.: 12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)

Type of Entity: Bank Holding Companies, Trust Companies, US Branches of FBOs
Regulators / Licensure: FRB, States
Laws, Regulations, or Guidance: Generally, the same as banks (above)

Type of Entity: Credit Unions (Federal or State)
Regulators / Licensure: NCUA, States
Laws, Regulations, or Guidance: 12 CFR 748 (Appendix A & B)

Regulations & Guidance - FDIC
Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards

Regulations & Guidance - FRB
Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Regulations & Guidance - NCUA
Appendix A ("Guidelines for safeguarding member information") & Appendix B ("Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice") of 12 CFR 748 ("Security Program")

Use of Supervisory Guidance

Agencies issue supervisory guidance, such as interagency statements, advisories, policy statements, questions and answers, and FAQs.
• Supervisory guidance does not have the force and effect of law
• Guidance outlines supervisory expectations or priorities and views regarding appropriate practices for given subject areas
• Federal agencies (e.g., FDIC) do not take enforcement actions based on supervisory guidance
• Examiners will not criticize a supervised FI for, or issue an enforcement action on the basis of, a "violation" of or "non-compliance" with supervisory guidance
• Examiners may reference guidance to provide examples of safe and sound conduct, appropriate risk management practices, and/or actions for addressing compliance with laws or regulations
• Supervisory criticisms should address matters that could have a negative effect on safety and soundness, cause consumer harm, or result in violations of laws, regulations, final agency orders, or other legally enforceable conditions

Important Note: Check with your own agency, as the approach may differ from that of the federal agencies.

Source: https://www.ecfr.gov/current/title-12/chapter-III/subchapter-A/part-302

Regulatory Authority Examples: Non-Depository Institutions

Type of Entity: Mortgage Originators and Servicers
Regulators / Licensure: CFPB, FTC, States

Type of Entity: Money Service Businesses / Money Transmitters
Regulators / Licensure: FTC, States

Type of Entity: Consumer Finance
Regulators / Licensure: CFPB, FTC, States

Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.: 16 CFR 314; Sections 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).

Regulations & Guidance – Non-Depository

16 CFR Part 314 of the FTC Rules and Regulations – “Standards for Safeguarding Customer Information”

• The "Safeguards Rule", which took effect in 2003, is designed to ensure that covered entities maintain safeguards to protect the security of customer information
• It applies to financial institutions subject to FTC jurisdiction that aren't subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805
• In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology

Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Regulations & Guidance – Non-Depository

Section 314.4 of the Safeguards Rule identifies 9 elements that a company's ISP must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control risks identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board

Computer Security Incident Notification Rule

The FDIC, FRB, and OCC issued a joint final rule in 2021 to establish computer-security incident notification requirements for banking organizations (BOs) and bank service providers. The rule requires notification to regulators as soon as possible and no later than 36 hours after the BO determines that a computer-security incident that rises to the level of a notification incident has occurred.

Compliance with the final rule was required by May 1, 2022.

The FTC amended its Safeguards Rule in October 2023 to require notification to the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.

Sources:
www.fdic.gov/news/financial-institution-letters/2021/fil21074.html
www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches

SEC Public Company Cybersecurity Disclosures

In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and (on an annual basis) material information regarding their cybersecurity risk management, strategy, and governance.

An Item 1.05 Form 8-K will generally be due four (4) business days after a registrant determines a cybersecurity incident is material.

Companies must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The rule also requires companies to describe, in the annual report on Form 10-K, their processes for identifying, assessing, and managing material cybersecurity risks, as well as Board oversight and management's role and expertise in assessing and managing material risks from cybersecurity threats.

The final rule became effective 30 days after public notice, and the Form 10-K disclosures were due beginning with annual reports for fiscal years ending on or after December 15, 2023.

Source: SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (33-11216-fact-sheet.pdf)

Examination Approach Examples: Depository Institutions

Type of Entity: Banks
IT Exam Approaches/Rating Systems: Information Technology Risk Examination (InTREx); UFIRS/CAMELS; FFIEC Uniform Rating System for IT (URSIT)

Type of Entity: Credit Unions
IT Exam Approaches/Rating Systems: CAMEL, where "M" includes a review of information systems

Type of Entity: Trust Companies
IT Exam Approaches/Rating Systems: FFIEC Uniform Interagency Trust Rating System (UITRS)

Type of Entity: Foreign Banking Organizations & Bank Holding Companies
IT Exam Approaches/Rating Systems: FRB, States; ROCA Rating System – where "O" is operational controls

Examination Approach Examples: Non-Depository Institutions

Type of Entity: Mortgage Originators and Servicers
IT Exam Approaches/Rating Systems: FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System)

Type of Entity: Money Service Businesses / Money Transmitters
IT Exam Approaches/Rating Systems: CSBS Non-Bank Cybersecurity Exam Program; MTRA Workprogram (multi-state exams); FILMS rating system

Regulations & Guidance

FFIEC IT Booklet Handbooks: a good reference, but remember the booklets do not specifically apply to FIs not regulated by the FFIEC.

IT Examination Work Programs

Depository vs Non-Depository Work Programs

CSBS Non-Bank Cybersecurity Workprogram

CSBS Non-Bank Workprogram (WP) Overview

Used by state examiners to assess the cyber preparedness of non-depository entities

Provides in-depth risk evaluation of the four critical components of the URSIT (Audit, Management, Development and Acquisition, & Support and Delivery). Questions contain applicable Gramm-Leach-Bliley Act (GLBA) Safeguards Rule citation and document request list reference.

The Baseline (v1.0) WP & Enhanced WP were both released in May 2022

An updated Baseline WP (v1.1) was released in March 2023.

Components of CSBS Nonbank Cyber Exam Programs

Pre-Examination Resources:
• Exam Notification Letter
• Pre-Exam Document Request List (DRL)

Work Programs:
• Baseline Nonbank Workprogram
• Enhanced Nonbank Workprogram

Pre-Exam Document Request List

Used for both Baseline & Enhanced Cybersecurity Exam Program

Covers 15 Program Areas and defines documents to be provided

Includes space for State specific requests


Nonbank Cybersecurity Exam Programs

Baseline
• Based on the pilot program released in December 2020
• Covers the same content as the pilot in a streamlined version (based on 2021 examiner feedback)
• Easier to use, with half the questions and no loss of coverage
• Covers 4 URSIT component areas

Enhanced
• More comprehensive, for larger and more complex institutions
• Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive
• Targeted for use by examiners with more specialized knowledge of IT & Cyber

Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.

Baseline Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf


Enhanced Nonbank Cybersecurity Exam Program

Source: https://www.csbs.org/sites/default/files/2022-08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf


Information Technology Risk Examination (InTREx) Procedures


InTREx Program Overview

An enhanced, risk-based approach for conducting IT examinations of depository institutions.

Based on the Uniform Rating System for Information Technology (URSIT) and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings.

Incorporates procedures for assessing cybersecurity preparedness and compliance with the Interagency Guidelines Establishing Information Security Standards.

Examiners complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and document examination procedures, findings, and recommendations.

Updated in September 2023 (by FDIC) to improve the Audit module's usability, add steps related to the Computer Security Incident Notification Rule (Part 304 Subpart C), provide specificity regarding examiner review of service provider ROEs, and update links to references.

Components of InTREx

Work Program:
• Core Modules
• Expanded Modules
• Supplemental Workprograms

Information Technology Profile (ITP):
• Information Technology Profile
• Risk Profile
• Qualitative Adjustment

InTREx Workprogram Core Modules

Audit

Management
• Risk Assessment
• Vendor Management (Ongoing)
• Information Security Standards (GLBA)
• ID Theft Red Flags

Development & Acquisition
• Vendor Management (Acquisition)

Support & Delivery
• BCP
• Information Security
• Operations
• Incident Response
• Network Security (IDS, Firewall)
• EFT/E-Banking

InTREx Framework

Based on URSIT components

ED Module concept used for each component

ED Module core decision factors were derived from URSIT assessment factors


InTREx Features
• Incorporates baseline cybersecurity into procedures
• Requires a conclusion on cybersecurity preparedness
• Requires a conclusion on GLBA Information Security Standards (Part 364 Appendix B)
• Enhances focus on transaction/control testing
• Allows for tracking of deficiencies noted in any decision factor

InTREx Procedures

Core Modules (Audit, Management, D&A, S&D)
• All procedures must be completed, but not all bullets need to be addressed
• Examiners have flexibility to scope down, just not to scope out

InTREx Procedures

Cybersecurity Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with an icon
• Requires a summary comment

Information Security Standards (GLBA) Workpaper
• No stand-alone workprogram
• Applicable procedures are marked with an icon
• Requires a summary comment

InTREx Additional Procedures

Expanded Modules
• Available for Management and S&D
• Provide additional procedures for IT products/services not covered in the Core Modules or that may need additional analysis

Supplemental Workprograms (ED Modules/FFIEC IT Handbook)
• ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.)
• FFIEC IT Handbook provides in-depth procedures
• FDIC Risk Advisories and Technical Examination Aids provide guidance
• Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review

InTREx Control Testing

Control Tests
• Core Modules identify potential control tests
• Control tests are marked with an icon
• Use discretion in determining which tests to perform
• Not all control tests need to be performed, and conversely, examiners can perform their own control tests
• If a control test was performed, the results should be noted in the comments to that procedure
• May leverage control testing performed by internal and external auditors
• Sufficient testing should be performed to validate the effectiveness of controls

Audit


Objectives

Provide tools to assess the effectiveness of the IT Audit Program

IT Audit Risk, Planning, and Scope

IT Audit Component Rating

Types of IT Audits/Reviews

IT Auditor Expertise


Audit/Independent Review

IT scope & frequency based on inherent or residual risks

Performed by independent personnel

Knowledgeable individuals conduct the engagements

Risk assessment/ complexity based

Conducted separately or all at once

Board/Committees receive results

Formal report includes Findings/Recommendations


Assessment Areas for IT Audits

The IT Audit program should be assessed for the following:
• Audit risk assessment, plan and scope
• Appropriate coverage of the entity's IT environment and activities
• Quality of written IT reports
• Audit independence
• Auditor qualifications
• Findings and recommendations reporting and follow-up

Guidance for IT Audit
• FFIEC IT Examination Handbook, Audit booklet
• Federal agency rules and regulations
  • Interagency Policy Statement on the Internal Audit Function and its Outsourcing
  • Interagency Policy Statement on External Auditing Program of Banks and Savings Associations
  • Interagency Guidelines Establishing Information Security Standards (GLBA)
• Information Systems Audit and Control Association (ISACA)

IT Audit Engagements
• Engaged & signed by an individual or committee not responsible for IT operations (this is an indicator of independence)
• Expectations and responsibilities
• The scope, timeframes, and cost of work to be performed
• Institution access to audit workpapers

IT Audit Engagement Letter (sample engagement letter, shown across three slides; not reproduced in this text)

The IT Audit Risk Assessment

The IT Audit Risk Assessment is not the same as the IT/GLBA Risk Assessment. They serve related but different purposes.

The IT Audit Risk Assessment is designed to identify key risk areas (business units or functions) in order to determine a reasonable level of engagement frequency. This assessment is entity-wide.

The IT Audit Risk Assessment covers all aspects of an entity's IT program (operations, wires, security, vendor management, etc.). Its scope is much larger than that of an IT/GLBA risk assessment, which covers security and private, non-public, and other sensitive information.

IT Audit Scope

Identifies areas to be reviewed consistent with risk assessment/ risk level

Describes how the audit will be performed and tools to be used

Provides the timeframe for completing the audit

Firms may provide engagement letter specifying this information including costs, otherwise the scope will be defined in the report.


Example – Risk Assessment ≠ Audit Scope

Risk Assessment / Audit Schedule (list of IT audits):
• Network Penetration and Vulnerability Assessment
• Wire Transfer Audit
• Internet Banking/Social Media Audit
• IT Audit
• Vendor Management Audit

Scope from IT Audit (excerpt shown on slide; not reproduced in this text)

IT Audit Coverage

IT General Controls

Information Security Program (GLBA)

EFT (ACH/Wires/RDC)

NACHA Compliance

Penetration Testing/ Vulnerability Assessment/ Phishing Test Identity Theft Red Flags Program

Regulation GG/Unlawful Internet Gambling Enforcement Act


IT Audit Coverage

Business Continuity Planning

Change/Patch Management

Vendor Management

Cybersecurity

Management

Internet/ Online Banking Network

Third-Party Outsourcing

Disaster Recovery

Strategic Planning

Project Management

Architecture (Firewalls & IDS/IPS)

BIA

Incident Response

ITGC/GLBA

Social Engineering

Red Flags/ ID Theft Prevention

Security Monitoring


Written IT Audit Reports
• Describe scope, objectives, and results
• Identify deficiencies/weaknesses
• Suggest corrective action(s)
• Include management's response/timing for corrective action(s)
• Provide information on prior audit findings
  • Identify repeat findings
• Comply with the audit plan & schedule

Types of IT Audits

Internal Audits/ Certifications

IT General Controls

Penetration Tests

Vulnerability Assessments

Statement on Standards for Attestation Engagements (SSAE 16/18) SOC Reports – SSAE 18 supersedes SSAE 16

IT General Controls (ITGC)

ITGC:
• Management, Board reporting, and governance
• Logical access controls over infrastructure, applications and data
• System development life cycle controls
• Program change management controls
• Data center physical controls
• System and data back-up & recovery controls
• Computer operation controls

ITGC engagements should be performed based on risk, which usually indicates annual performance.

Wire Transfer/ACH Audits

These services are critical to many financial entities
• Particularly in small to medium community banks, CUs, and MTs

Usually included with the ITGC audit

Can be a separate audit
• Could occur in financial entities with significant wire/ACH activity
• Usually in large community financial entities

Vulnerability Assessment & Penetration Testing

Vulnerability assessment is a process that defines, identifies & classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure
• Vulnerability Scans
• Tabletop Assessments

A penetration test subjects a system to real-world attacks selected & conducted by the testing personnel

Vulnerability Assessments

Basic Vulnerability Assessment description:
• Requires specific skills/knowledge
• Audit team tries to find weak points
• Tools used simulate a variety of attacks
• Results are used in Penetration Testing for potential exploitation

Testing (by analogy):
• Checking building windows and doors to see if they are secured
• Checking if the building is susceptible to other events, e.g. natural catastrophes

Performing Vulnerability Assessments The goal of vulnerability assessments is to identify devices, applications, or systems that have known vulnerabilities or configuration issues without compromising your systems.

A risk-based security vulnerability methodology is designed to comprehensively identify, classify and analyze known vulnerabilities to recommend the right mitigation actions.


Vulnerability Assessment vs. Risk Assessment

Risk assessment steps:
• Cataloging assets and capabilities (resources) in a system
• Assigning quantifiable value and importance to a resource
• Identifying the vulnerability or potential threat(s) to each resource
• Assisting in mitigating or eliminating vulnerabilities for key resources

FIs will sometimes use a vulnerability assessment to aid in completing the risk assessment process

Penetration Test Considerations
• External Penetration Testing
• Internal Penetration Testing
• "Black Box, White Box"
• Application Penetration Tests
• Independent Party
• Qualifications of Penetration Testers

Why They Are Important:
• Penetration tests can give security personnel real experience in dealing with an intrusion
• Ideally, they should be performed without informing staff, to test whether policies are truly effective; however, this may not be practical
• The test can uncover aspects of network security, application & operational policies that are lacking

Pen Test Strategies

Targeted Testing: performed by the entity’s IT team and external testing team

External Testing: targets externally visible servers or devices (seen by anybody on the Internet) to see if they can get into internal systems and how far

Internal Testing: mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)


Pen Test Value
• Ascertain the likelihood of gaining system access
• Detecting vulnerabilities not easily found using standard system protective means
• Ability of current security methods to detect or repel an attack
• Likelihood of exploiting a low-risk vulnerability to gain higher level access
• List of vulnerabilities that require remediation
• Measure of risk for a cyber attack
• Identify gaps and control weaknesses


Penetration Test (Pen Test)
• Pen Test “tests” systems to find & exploit known vulnerabilities that an attacker could exploit
• Determine if there are weaknesses and if able to access system functionality and data
• Pen Test report will describe any weaknesses as “high”, “medium” or “low”
• Require management’s knowledge & consent
• Require a high degree of skill to perform
• Are intrusive as actual “attack” tools are used


External Technology Service Provider (TSP) Reports
• FFIEC TSP Reports
   Public/open section that is available to FI clients
   Confidential section is available to regulatory agencies
• Service Organization Control (SOC) Reports (SSAE 18)
   AICPA standard for reviews of service providers
   A type of control assessment provided to a service provider’s clients


Three Levels of Service Organization Control (SOC) Reports:
• SOC I
   Focus on internal controls over financial reporting (ICFR)
• SOC II
   Review of internal controls related to: Security, Availability, Processing Integrity, Confidentiality, Privacy
   Review of specific controls based on service or product. Not environment wide. These are for different users, not audit.
• SOC III
   Includes a description of the system and the auditor’s opinion. Like SOC II, but excludes disclosure/notes
• Other SOC Reports: for Supply Chain and Cybersecurity


Two types of Service Organization Control (SOC) Reports:
• Type I
   Describes the servicer’s descriptions of controls at a specific point in time
   Auditor performs no testing of servicer’s controls; attests to controls based on servicer’s account of controls. No opinion.
• Type II (preferred)
   Includes information from a Type I Report
   Detailed testing of the servicer’s controls over a minimum consecutive six-month period
   Auditor expresses an opinion based on their testing


Audit Reporting/Follow-up

Like Safety & Soundness:
o IT Audit reporting channels
   What is being reported and to whom
o Senior Management Responses
   Are they reasonable, and is the corrective timeframe appropriate?
o Exception Tracking
   Show all IT audit findings (internal, external, and regulatory) along with corrective action(s)


Auditor Independence & Qualifications

Independence:
• Whether or not there are conflicting duties, e.g., involved in auditing areas they have responsibility for or oversight of
• Auditor should be reporting to the Board or Audit Committee
• Whether or not the Auditor has a debt with the entity (may have some influence)

Qualifications:
• Type of IT experience and training
   Some IT audits require specific skill sets
• Current IT certifications the auditor maintains
• List of references from entities with similar IT activities

These qualifications provide some assurances, but don’t guarantee a quality audit


IT Audit Review

Audit Reports include:
• Audit scope and objectives
• Pertinent areas for improvement based on results of testing
• Reasonable and appropriate recommendations, often with management’s responses
• Findings and observations consistent with your examination results


Audit Report Review

Signs of a questionable audit:
• Be wary of auditors who rely solely on checklists
• Using only regulatory work programs could indicate a lower standard of engagement
• Absence or lack of workpapers could indicate a poorly performed audit
   Especially if there are no workpapers showing how ITGCs were reviewed/tested


Audit Findings Tracking & Resolution

Issues & corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.

Key elements:
• A formal tracking system that assigns responsibility and target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• Process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures
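The tracking elements above can be checked mechanically. The following is an added example, not part of the course material or any institution's system: a small findings register in Python that assigns an owner and target date to each finding, records every target-date change so it can be reported to the Board or Audit Committee, refuses to close a finding until someone other than the owner has validated the corrective action, and lists overdue items as of a given date. All finding IDs, owners and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Finding:
    """One audit finding (hypothetical record layout for this example)."""
    finding_id: str
    source: str                 # "internal audit", "external audit" or "regulatory"
    description: str
    owner: str                  # person assigned responsibility for resolution
    target_date: date
    status: str = "open"        # open -> remediated -> closed
    corrective_action: str = ""
    history: list = field(default_factory=list)   # events reported to the Board/Audit Committee


class FindingsRegister:
    """Formal tracking system: ownership, target dates, status and independent validation."""

    def __init__(self):
        self._findings = {}

    def add(self, finding):
        if finding.finding_id in self._findings:
            raise ValueError(f"duplicate finding id {finding.finding_id}")
        self._findings[finding.finding_id] = finding
        return finding

    def get(self, finding_id):
        return self._findings[finding_id]

    def change_target_date(self, finding_id, new_date, reason, as_of):
        # Every slip of a target date is kept so it can be reported upward.
        f = self.get(finding_id)
        entry = {"date": as_of, "type": "target_date_change",
                 "old": f.target_date, "new": new_date, "reason": reason}
        f.target_date = new_date
        f.history.append(entry)
        return entry

    def mark_remediated(self, finding_id, corrective_action, as_of):
        f = self.get(finding_id)
        if f.status != "open":
            raise ValueError(f"{finding_id} is {f.status}, not open")
        f.corrective_action = corrective_action
        f.status = "remediated"
        f.history.append({"date": as_of, "type": "remediated", "action": corrective_action})
        return f.status

    def validate(self, finding_id, validator, effective, as_of):
        # Closure requires independent validation; an ineffective fix reopens the finding.
        f = self.get(finding_id)
        if f.status != "remediated":
            raise ValueError(f"{finding_id} has not been marked remediated")
        if validator == f.owner:
            raise ValueError("validation must be independent of the finding owner")
        f.status = "closed" if effective else "open"
        f.history.append({"date": as_of, "type": "validation",
                          "validator": validator, "effective": effective})
        return f.status

    def overdue(self, as_of):
        # Anything not yet closed (including "remediated but unvalidated") past its target date.
        return sorted(f.finding_id for f in self._findings.values()
                      if f.status != "closed" and f.target_date < as_of)

    def status_report(self, as_of):
        counts = {"open": 0, "remediated": 0, "closed": 0}
        for f in self._findings.values():
            counts[f.status] += 1
        date_changes = [(f.finding_id, str(h["old"]), str(h["new"]), h["reason"])
                        for f in self._findings.values()
                        for h in f.history if h["type"] == "target_date_change"]
        return {"as_of": str(as_of), "counts": counts,
                "overdue": self.overdue(as_of), "target_date_changes": date_changes}


def build_sample_register():
    """Constructed sample data (not from any real institution)."""
    reg = FindingsRegister()
    reg.add(Finding("IA-2025-01", "internal audit", "Privileged accounts not reviewed quarterly",
                    "IT Manager", date(2025, 3, 31)))
    reg.add(Finding("EA-2025-04", "external audit", "Patch SLA exceeded on core servers",
                    "Infrastructure Lead", date(2025, 6, 30)))
    reg.add(Finding("REG-2025-02", "regulatory", "Incident response plan not tested annually",
                    "CISO", date(2025, 5, 15)))
    reg.change_target_date("EA-2025-04", date(2025, 8, 31), "vendor patch dependency", date(2025, 5, 1))
    reg.mark_remediated("IA-2025-01", "Quarterly access review procedure adopted", date(2025, 3, 20))
    reg.validate("IA-2025-01", "Internal Audit", True, date(2025, 4, 10))
    reg.mark_remediated("REG-2025-02", "Tabletop exercise completed", date(2025, 5, 10))
    return reg


def sample_report():
    """Status report for the sample register as of 2025-05-20."""
    return build_sample_register().status_report(date(2025, 5, 20))


if __name__ == "__main__":
    print(sample_report())
```

In the sample data the regulatory finding is marked remediated but still shows as overdue, because the register does not treat a finding as resolved until an independent party has validated the corrective action; that is the distinction the "independent validation" element above draws.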


Auditor Interview

Areas to focus on with auditor interview:
• Knowledge of the IT environment and risks
• Understanding of systems covered in the audit universe
• Understanding of the basic controls (of these systems)
• Verify training and/or certifications (as necessary); certifications require specific training and a number of hours/year (usually 40)
• Type of work program used to document issues and conclusions. The work program used should be engagement-type specific and not necessarily the FFIEC Work Programs


Audit Component Rating

Areas to focus on when rating IT Audit component adequacy:
• Independence and quality of oversight
• Audit risk analysis methodology/resources applied
• Scope, frequency, accuracy, and timeliness of audit reports
• Extent of audit participation in the SDLC to ensure effectiveness of internal controls and audit trails
• Audit plan in providing appropriate coverage of IT risks
• IT auditor’s adherence to code of ethics/professional standards
• Qualifications of IT auditors
• Timely and formal follow-up and reporting on management’s resolution of identified issues/weaknesses
• Quality and effectiveness of internal and external audit activity related to IT controls


Conclusion

Learned basics for IT Audits

At a minimum, the risk-focused examination process must include a review of the entity’s audit program

If the audit program is deficient or lacking:
• Don’t need to dig deeper
• Describe the deficiencies & record in your WP
• Notify the Safety & Soundness EIC

If the audit program is satisfactory:
• Leverage audit results to create a more focused review


Summary
• Audits are a necessity whether performed by in-house and/or external resources
• Must be performed by independent and qualified individuals/companies/firms
• Based on a current risk assessment
• Must provide written, detailed, stand-alone reports
• Results must be reported to the Board’s Audit Committee or a related Board Committee in a timely manner
• Audits can aid in exam scope reduction


FFIEC CAT Tool


Cybersecurity Assessment Tool (CAT)
• The FFIEC developed the CAT to help institutions identify their cyber and IT security risks and determine their cybersecurity maturity.
• Institutions were required to assess their inherent risk levels and domain maturities as defined by the CAT.
• In late 2024, it was announced that the CAT was being sunset by August 2025.
• Institutions are still required to assess their cybersecurity posture using a formal methodology. Example methodologies include third-party assessments and resources from NIST.
• On February 26, 2024, NIST released the NIST Cybersecurity Framework (CSF) 2.0. The framework is a good reference when assessing cybersecurity.


CRI Profile (Cyber Risk Institute Profile)
• Developed by the Cyber Risk Institute (CRI), this profile is specifically designed for the financial services sector.
• Aligns with existing regulatory expectations, such as GLBA and NYDFS 23 NYCRR 500.
• Provides a streamlined approach to risk assessment, mapping directly to NIST, ISO, and FFIEC expectations.
• Focuses on core cybersecurity domains: governance, asset management, data protection, threat and vulnerability management, and incident response.
• Enables more efficient reporting and examination readiness.


NIST Cybersecurity Framework (CSF) 2.0
• An updated version of the original NIST CSF, focusing on improving risk management strategies.
• Provides a structured approach to Identify, Protect, Detect, Respond, and Recover.
• Enhanced emphasis on supply chain risk management and secure software development.
• Encourages deeper integration with organizational risk management and strategic objectives.
• Well-recognized by regulators as a robust framework for cybersecurity readiness.


CIS Controls
• Developed by the Center for Internet Security (CIS), the Controls offer a prioritized list of cybersecurity best practices.
• Includes 18 critical controls that are mapped to specific defensive actions.
• Emphasizes basic cyber hygiene, vulnerability management, and incident response preparedness.
• Highly actionable and ideal for resource-constrained organizations looking for rapid improvement in security posture.
• Provides a clear path to compliance with both regulatory requirements and risk management goals.


Presenter Round Table

How effective do you think the FFIEC CAT was in evaluating cybersecurity maturity and identifying gaps for financial institutions?

Which of the alternative frameworks—CRI Profile, NIST CSF 2.0, or CIS Controls—do you think best aligns with current regulatory expectations, and why?

What steps should financial institutions be taking right now to prepare for the transition away from the CAT tool?

How should examiners adjust their engagement strategies with institutions during this transition period to ensure continued cybersecurity readiness?


Development and Acquisition


Development & Acquisition Learning Objectives
• Senior Management & Board Oversight: Evaluate the effectiveness and adequacy of management’s oversight and support, including meeting objectives and user needs.
• Project Management Quality: Assess project management practices and processes for quality, efficiency, and alignment with business objectives.
• Change Control Practices: Review the adequacy and effectiveness of procedures for managing system changes.
• Source Code & Programming Controls: Determine the sufficiency and effectiveness of controls protecting the integrity of source code and programming activities.
• Additional Risk Considerations: Identify and evaluate other risks impacting system development, acquisition processes, and overall operational security.


Development & Acquisition: Senior Management & Board Oversight
• Governance Practices: Clearly define responsibilities, enhance transparency, and facilitate effective oversight and informed decision-making.
• Strategic Alignment: Ensure IT solutions strategically align with and actively support business objectives and organizational needs.
• Effective Communication: Board and IT management oversight committees provide transparency, accountability, and timely decisions through clear communication of project statuses, risks, and milestones to stakeholders.
• Policies, Standards & Procedures: Comprehensive, Board-approved policies and standards foster consistency, efficiency, and reliability, significantly reducing risks of project failures and operational disruptions.
• Qualified Personnel: Assign qualified individuals to oversee security, audit processes, and testing activities within technology projects.
• System Lifecycle Management: Establish robust lifecycle management practices to proactively identify and replace aging systems approaching end-of-life.


Development & Acquisition: Project Management Oversight
• Planning & Governance: Detailed project plans, defined roles/timelines, and ongoing status reporting.
• Requirements & Feasibility: Documented business/technical specifications, risk assessments, and feasibility studies.
• Cost & Vendor Analysis: Cost-benefit evaluations, vendor due diligence, and contract reviews.
• Stakeholder Involvement & Testing: Engagement of end-users, documented test plans, and validated test results.
• Post-Implementation Review: Evaluation of project outcomes, effectiveness, and lessons learned.


No Project Oversight? What Could Go Wrong?
• Projects can go over budget or fall behind schedule when there is insufficient scope management and poor adherence to timelines.
• Essential dependencies and potential risks may be ignored, causing operational issues or lapses in compliance.
• When roles and responsibilities are not clearly defined, accountability may diminish, resulting in confusion and redundant efforts.
• Ineffective communication can create mismatched expectations among stakeholders.
• Inefficient change management may lead to scope creep, suboptimal resource utilization, or failures in implementation.
• The lack of proper documentation and monitoring hinders the ability to assess project success or apply insights gained to future initiatives.


System Development Life Cycle (SDLC)
• A project management approach that breaks down complex work into smaller, manageable phases.
• Segmenting helps ensure each phase is completed before moving forward.
• SDLC is typically structured into 5 phases. May vary by organization.
   1. Initiation
   2. Planning
   3. Executing
   4. Monitoring & Controlling
   5. Closing


SDLC: Initiation
• Business justification should be documented, outlining why the project is needed and how it aligns with organizational goals.
• A preliminary cost-benefit analysis may be conducted to evaluate feasibility.
• High-level project scope and constraints should be defined early to avoid misalignment later.
• Stakeholders and project sponsors should be identified and engaged at the outset.
• Success criteria and metrics should be established to measure project outcomes.
• Initial resource and staffing needs should be assessed and documented.

[Phase diagram: 1. Initiation, 2. Planning, 3. Executing, 4. Monitoring & Controlling, 5. Closing]


SDLC: Planning
• Ensures the project aligns with both technical needs and business objectives.
• Define detailed project scope, timeline, milestones, and resource requirements.
• Identify and assign project roles and responsibilities.
• Develop a communication plan to ensure stakeholder alignment and status tracking.
• Plan for quality assurance, testing, and validation activities.
• Integrate risk mitigation strategies identified during the Initiation phase.

[Phase diagram: 1. Initiation, 2. Planning, 3. Executing, 4. Monitoring & Controlling, 5. Closing]
