IT Examiner School eBook May 2025
IT Examiner School
May 20 - 29 , 202 5 Live Virtual
@ www.csbs.org ♦ @csbsnews
CONFERENCE OF STATE BANK SUPERVISORS 1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840
May 20-29, 2025 IT Examiner School Live Virtual
ATTENDEES Arkansas State Bank Department Hardee, Lane
lhardee@banking.state.ar.us
California Department Of Financial Protection And Innovation Ahn, Ron
Ron.Ahn@dfpi.ca.gov nhu.dao@dfpi.ca.gov
Dao, Nhu
Fonseca, Christian Kumar, Shavnita
Christian.Fonseca@dfpi.ca.gov Shavnita.Kumar@dfpi.ca.gov Kwasi.Sefah@dfpi.ca.gov Monte.Laskosky@dfpi.ca.gov Neil.Rajan@dfpi.ca.gov Randall.Shem@dfpi.ca.gov Henna.Singh@dfpi.ca.gov Samson.Tran@dfpi.ca.gov Angela.Uvidia@dfpi.ca.gov Kathy.Yang@dfpi.ca.gov ZhaoZhan.Zhou@dfpi.ca.gov
Kwasi.Sefah
Laskosky, Monte
Rajan, Neil
Shem, Randall Singh, Henna Tran, Samson Uvidia, Angela
Yang, Kathy
Zhou, ZhaoZhan
Colorado Department of Regulatory Agencies Division of Banking Scott, Nathan
nathan.scott@state.co.us
Georgia Department of Banking & Finance Mattis, Nicole
nmattis@dbf.state.ga.us bseigler@dbf.state.ga.us
Seigler, Brittney
Iowa Division of Banking Douglass, Ethan
ethan.douglass@idob.state.ia.us
Kansas Office Of The State Bank Commissioner Pierson, Andy
andy.pierson@osbckansas.org
Michigan Department Of Insurance And Financial Services Cliett, Ashley
clietta@michigan.gov
Nevada Department of Business & Industry Financial Institutions Divison Furlow, Virgil
vfurlow@mld.nv.gov
New York State Department Of Financial Services Ku, Wesley
wesley.ku@dfs.ny.gov
Mehta, Deepali
deepali.mehta@dfs.ny.gov
Tiwary-Singh, Jemima
jemima.tiwary-singh@dfs.ny.gov
North Carolina Office Of The Commissioner Of Banks Briggs, Lee
lbriggs@nccob.gov
Glidewell, Matthew
mglidewell@nccob.gov
Oregon Division of Financial Regulation Rylander, Joshua
Joshua.T.RYLANDER@dcbs.oregon.gov
Texas Department of Banking Pecero, Ray
ray.pecero@dob.texas.gov
INSTRUCTORS California Department Of Financial Protection And Innovation Fujikawa, Matthew
matthew.fujikawa@dfpi.ca.gov
New York State Department Of Financial Services Farrar, Craig
craig.farrar@dfs.ny.gov
Peterson, William
william.peterson@dfs.ny.gov
North Carolina Commissioner of Banks Biser, Kenneth
kbiser@nccob.gov
CSBS STAFF Richardson, Amy
arichardson@csbs.org
IT Examiner School Live Virtual May 20-29, 2025
Internal Use Only
Week 1 Tuesday, May 20, 2025 12:30 pm – 1:30 pm
Introduction & Pre-Course Review/Terminology
Regulations/Guidance
1:30 pm – 2:15 pm
2:15 pm –2:30 pm
Break
IT Examination Work Programs
2:30 pm – 3:00 pm
3:00 pm – 4:30 pm Audit Wednesday, May 21, 2025 12:30 pm – 1:30 pm Audit
Cyber Maturity Assessment/FFIEC CAT Tool Sunsetting
1:30 pm – 2:00 pm
2:00 pm – 2:15 pm
Break
Development & Acquisition
2:15 pm – 3:15 pm
Information Security Framework/Risk Assessment
3:15 pm – 4:00 pm
Thursday, May 22, 2025 12:30 pm – 12:45 pm
Information Security Framework/Risk Assessment
Risk Assessment Activity
12:45 pm – 1:30 pm
1:30 pm – 1:45 pm
Break
Support & Delivery
1:45 pm – 4:00 pm
Week 2 Tuesday, May 27, 2025 12:30 pm – 12:45 pm
Prior Week Review
Business Continuity Planning & Disaster Recovery
12:45 pm – 2:00 pm
2:00 pm – 2:15 pm
Break
Internal Use Only
Business Continuity Planning & Disaster Recovery
2:15 pm – 3:15 pm
Third-Party Risk Management
3:15 pm – 4:00 pm
Wednesday, May 28, 2025 12:30 pm – 2:15 pm
Management
2:15 pm – 2:30 pm
Break
Composite Rating Discussion & Exercise
2:30 pm – 3:00 pm
Breakout Rooms
3:00 pm – 4:00 pm
Thursday, May 29, 2025 12:30 pm – 1:30 pm
Composite Rating Exercise Discussion
Emerging Issues
1:30 pm – 2:00 pm
2:00 pm – 2:15 pm
Break
Emerging Issues
2:15 pm – 3:30 pm
Final Assessment & Course Wrap Up
3:30 pm – 4:00 pm
Virtual IT Examiner School May 20-29, 2025
Zoom
Schedule This week:
• Tuesday, May 20: 12:30 PM – 4:00 PM ET • Wednesday, May 21: 12:30 PM – 4:00 PM ET • Thursday, May 22: 12:30 PM – 4:00 PM ET Next Week • Tuesday, May 27: 12:30 PM – 4:00 PM ET • Wednesday, May 28: 12:30 PM – 4:00 PM ET • Thursday, May 29: 12:30 PM – 4:00 PM ET
Instructor Contact Information
Matthew Fujikawa
Financial Institutions Manager California Department of Financial Protection & Innovation Matthew.Fujikawa@dfpi.ca.gov
Advanced ITExaminer North Carolina Office of the Commissioner of Banks kbiser@nccob.gov Kenneth Biser
Instructor Contact Information
Director Financial Services Programs Cybersecurity Division New York State Department of Financial Services Craig.Farrar@dfs.ny.gov Craig Farrar
Instructor Contact Information
Assistant Deputy Superintendent Cybersecurity Division New York State Department of Financial Services William.Peterson@dfs.ny.gov William Peterson
NYS DFS Disclaimer The views expressed are those of the speaker and do not represent the official views of New York State or the NYS Department of Financial Services, aka DFS. Anything said during this training shall not bar, estop, or otherwise prevent DFS, or any federal or other state agency from taking any action different from anything said during this training. Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.
Introductions
Name
State
IT Exam Experience
Fun fact
Something you hope to learn
Internal Use Only
Regulations & Guidance
Internal Use Only
Module Agenda Provide an Overview of Common Data Privacy Laws and Standards Discuss Information Security Related Laws Impacting Financial Institutions (FIs) Describe the Gramm-Leach Bliley Act (GLBA) and Federal Implementation of Standards Required Under 501(b) Compare Examination Approaches, Work programs, and Rating Systems for Depository and Non-Depository FIs
Internal Use Only
Examples of Data Privacy Related Laws/Standards
LAW
YEAR OVERVIEW
WHO IT IMPACTS
FERPA (Family Educational Rights and Privacy Act) HIPPAA (Health Insurance Portability and Accountability Act)
1974
Protection of student records
Any post-secondary educational institution
1996
Protects the privacy of patient records
Any company or agency that deals with Health Care Financial institutions (FIs) that offer financial products (insurance, loans, investments) US Public Companies, accounting and management firms Federal Agencies dealing with information related to National Security Companies involved in handling of credit card information
GLBA (Gramm-Leach-Bliley Act)
1999
Mandates that companies secure private information of clients and customers Maintain and protect financial records for seven (7) years Recognizes information security as a national security matter
SOX (Sarbanes-Oxley Act)
2002
FISMA (Federal Information Security Management Act) PCI-DSS (Payment Card Industry/Data Security Standard)
2002
2004
Consumer Credit Card
Internal Use Only
Information Security Related Laws Impacting FI's OVERVIEW LAW
Bank Service Company Act 12 USC 1867(c)
Subjects bank service companies to examination and regulation by Federal Regulators and requires notice to be provided within 30 days of entering into a service contract Requires installation, maintenance, and operation of security devices and procedures, to discourage robberies, burglaries, and larcenies and assist in the identification and apprehension of persons who commit such acts Requires each FI to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address risks associated with identity theft Requires each agency or authority to establish appropriate standards for the FI's subject to their jurisdiction relating to administrative, technical, and physical safeguards
Bank Protection Act 12 USC 1882 "Security Measures for Banks and Savings Associations" Fair and Accurate Credit Reporting Act (FCRA) 15 USC 1681W
Gramm-Leach-Bliley Act (GLBA) 15 USC 6801
Source: https://ithandbook.ffiec.gov/laws-regulations-guidance/information-security/#Laws Complete List of FFIEC Maintained Laws, Regulations, and Guidance: https://ithandbook.ffiec.gov/laws-regulations-guidance/
Internal Use Only
The Gramm Leach Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Internal Use Only
The Gramm-Leach-Bliley Act (GLBA) - cont. Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”) governs the treatment of
"It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security andconfidentiality of those customers’ nonpublic personal information" (Section 501(a))
nonpublic personal information (NPPI or NPI ) about consumers by financial institutions. • Section 501 – protection of nonpublic personal information • Section 502 – prohibits financial institutions from disclosing nonpublic personal information about a consumer to non-affiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements; and (ii) the consumer has not elected to opt out of the disclosure • Section 503 - institutions to provide notice of its privacy policies and practices to its customers
Internal Use Only
The Gramm Leach Bliley Act (GLBA) - 501(b)
501(b) requires each agency or authority to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards: • To ensure the security and confidentiality of customer records and information; • To protect against any anticipated threats or hazards to the security or integrity of such records; and • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
In 2000, the Board of Governors of the FRS (“Board”), the FDIC, the NCUA, the OCC, and the former OTS, published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.
Internal Use Only
Regulatory Authority Examples: Depository Institutions
Regulators / Licensure
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.
Type of Entity
Banks (state-member, national, state non-member, credit union)
FDIC, FRB, OCC, States, CFPB
12 CFR 364, Appendix B; Section 501(b) of GLBA; FFIEC; State Laws/Regulations (e.g., Part 500, CCPA)
Bank Holding Companies, Trust Companies, US Branches of FBOs
FRB, States
Generally, the same as banks (above)
Credit Unions (Federal or State)
NCUA, States
12 CFR 748 (Appendix A & B)
Internal Use Only
Regulations & Guidance - FDIC Appendix B, including Supplement, to Part 364 of the FDIC Rules and Regulations – Interagency Guidelines Establishing Information Security Standards
Internal Use Only
Regulations & Guidance - FRB Appendix D-2, including Supplement, to Part 208 of the FR Rules and Regulations – Interagency Guidelines Establishing Standards for Safeguarding Customer Information
Internal Use Only
Regulations & Guidance - NCUA Appendix A (“Guidelines for safeguarding member information”) & Appendix B (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) of 12 CFR 748 (“Security Program”)
Internal Use Only
Use of Supervisory Guidance Agencies issue supervisory guidance, such as interagency statements, advisories, policy statements, questions and answers, and FAQs
Supervisory guidance does not have the force and effect of law
Guidance outlines supervisory expectations or priorities and views regarding appropriate practices for given subject areas Federal Agencies (e.g., FDIC), do not take enforcement actions based on supervisory guidance;
Important Note: Check with your own agency, as the approach may differ from that of the federal agencies.
Source: https://www.ecfr.gov/current/title-12/chapter-III/subchapter-A/part-302
Internal Use Only
Use of Supervisory Guidance
Examiners will not criticize a supervised FI for, or issue an enforcement action on the basis of, a “violation” of or “non-compliance” with supervisory guidance.
Examiners may reference guidance to provide examples of safe and sound conduct, appropriate risk management practices, and/or actions for addressing compliance with laws or regulations Supervisory criticisms should address matters that could have a negative effect on Safety and Soundness, cause consumer harm, result in violations of laws, regulations, final agency orders, or other legally enforceable conditions
Important Note: Check with your own agency, as the approach may differ from that of the federal agencies.
Source: https://www.ecfr.gov/current/title-12/chapter-III/subchapter-A/part-302
Internal Use Only
Regulatory Authority Examples: Non-Depository Institutions
Regulators / Licensure CFPB, FTC, States
Laws, Regulations, or Guidance Related to IT, InfoSec, Privacy, etc.
Type of Entity
Mortgage Originators and Servicers
16 CFR 314; 501 and 505(b)(2) of GLBA; State Laws and Regulations (e.g., Part 500 and CCPA).
Money Service Businesses / Money Transmitters
FTC, States
Consumer Finance
CFPB, FTC, States
Internal Use Only
Regulations & Guidance – Non-Depository
16 CFR Part 314 of the FTC Rules and Regulations – “Standards for Safeguarding Customer Information”
• The “Safeguards Rule”, which took effect in 2003, is designed to ensure that covered entities maintain safeguards to protect the security of customer information • It applies to financial institutions subject to FTC jurisdiction and that aren’t subject to enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. • In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology.
Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
Internal Use Only
Regulations & Guidance – Non-Depository Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s ISP must include: • Designate a qualified individual to implement & supervise the InfoSec program • Conduct a risk assessment • Design & implement safeguards to control risk identified by the risk assessment • Regularly monitor & test the effectiveness of those controls • Train staff
• Monitor Service Providers • Keep the program current • Create a written Incident Response Plan • Require the qualified individual to report to the Board
Internal Use Only
Computer Security Incident Notification Rule
The FDIC, FRB, OCC issued a joint final rule in 2021 to establish computer-security incident notification requirements for banking organizations (BO) and bank service providers Required notification to regulators as soon as possible and no later than 36 hours after the BO determines that a computer-security incident that rises to the level of a notification incident has occurred
Compliance with the final rule was required by May 1, 2022
The FTC Amended its Safe Guards Rules in October 2023 to require notification to FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.
Sources: www.fdic.gov/news/financial-institution-letters/2021/fil21074.html www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches
Internal Use Only
SEC Public Company Cybersecurity Disclosures
In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and ( on an annual basis ) material information regarding their cybersecurity risk management, strategy, and governance.
An Item 1.05 Form 8-K will generally be due four (4) business days after a registrant determines a cybersecurity incident is material.
Companies must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant
The Rule also requires companies to describe (1) processes for identifying, assessing, and managing material cybersecurity risks, as well as Board oversight and management’s role and expertise in assessing and managing material risks from cybersecurity threats , in the annual report on Form 10-K
The final rule became effective 30 days after public notice and the Form 10-K was due beginning with annual reports for fiscal years ending on or after December 15, 2023.
Source: SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies 33-11216-fact-sheet.pdf
Internal Use Only
Examination Approach Examples: Depository Institutions
Type of Entity
IT Exam Approaches/Rating Systems
Information Technology Risk Examination (InTREx) ; UFIRS/CAMELS, FFIEC Uniform Rating System for IT (URSIT); CAMEL, where “M” includes a review of information systems
Banks
Credit Unions
Trust Companies
FFIEC Uniform Interagency Trust Rating System (UITRS)
Foreign Banking Organizations & Bank Holding Companies
FRB, States; ROCA Rating System – where “O” is operational controls
Internal Use Only
Examination Approach Examples: Non-Depository Institutions
Type of Entity
IT Exam Approaches/Rating Systems
Mortgage Originators and Servicers
FFIEC Uniform Interagency Consumer Compliance Rating System (CC Rating System)
CSBS Non-Bank Cybersecurity Exam Program ; MTRA Workprogram (multi-state exams); FILMS rating system
Money Service Businesses / Money Transmitters
Internal Use Only
Regulations & Guidance
Good reference, but remember the booklet does not specifically apply to FIs not regulated by the FFIEC FFIEC IT Booklet Handbooks:
Internal Use Only
IT Examination Work Programs
Internal Use Only
Depository vs Non-Depository Work Programs
Internal Use Only
CSBS Non-Bank Cybersecurity Workprogram
CSBS Non-Bank Workprogram (WP) Overview
Used by state examiners to assess the cyber preparedness of non-depository entities
Provides in-depth risk evaluation of the four critical components of the URSIT (Audit, Management, Development and Acquisition, & Support and Delivery). Questions contain applicable Gramm-Leach-Bliley Act (GLBA) Safeguards Rule citation and document request list reference.
The Baseline (v1.0) WP & Enhanced WP were both released in May 2022
An update Baseline WP (V1.1) was released in March 2023
Internal Use Only
Components of CSBS Nonbank Cyber Exam Programs Pre-Examination Resources Work Programs
Baseline Nonbank Workprogram
Exam Notification Letter
Enhanced Nonbank Workprogram
Pre-Exam Document Request List (DRL)
Internal Use Only
Pre-Exam Document Request List
Used for both Baseline & Enhanced Cybersecurity Exam Program
Covers 15 Program Areas and defines documents to be provided
Includes space for State specific requests
Internal Use Only
Nonbank Cybersecurity Exam Programs Baseline
Enhanced • More comprehensive, for larger and more complex institutions • Includes all baseline questions (light blue shading) plus additional questions in areas requiring a deeper dive • Targeted for use by examiners with more specialized knowledge of IT & Cyber
• Based on the pilot program released in December 2020 • Covers same content as pilot in a streamlined version (based on 2021 examiner feedback) • Easier to use and half the questions with no loss of coverage • Covers 4 URSIT component areas
Note: The Baseline and Enhanced Nonbank Cybersecurity Exam Programs were added to SES and are available for mortgage origination, mortgage servicing, and consumer finance exams.
Internal Use Only
Baseline Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022-08/Baseline%20Nonbank%20Exam%20Program%20V1.0.pdf
Internal Use Only
Enhanced Nonbank Cybersecurity Exam Program
Source: https://www.csbs.org/sites/default/files/2022-08/Enhanced%20Nonbank%20Exam%20Program%20V1.0.pdf
Internal Use Only
Information Technology Risk Examination (InTREx) Procedures
Internal Use Only
InTREx Program Overview
An enhanced, risk-based, approach for conducting IT examinations of depository institutions
Based on the (URSIT) and includes Core Modules for Audit, Management, Development and Acquisition, and Support and Delivery component ratings
Incorporates procedures for assessing cybersecurity preparedness and compliance with Interagency Guidelines Establishing Information Security Standards
Examiners complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and document examination procedures, findings, and recommendations. Updated in September 2023 (by FDIC) to improve Audit module‘s usability, add steps related to Computer Security Incident Notification Rule (Part 304 Subpart C), provide specificity regarding examiner review of service provider ROEs, and to update links to references.
Internal Use Only
Components of InTREx ITP
Work Program
Information Technology Profile
Core Modules
Risk Profile
Expanded Modules
Qualitative Adjustment
Supplemental Workprograms
Internal Use Only
InTREx Workprogram Core Modules
Support & Delivery
Audit
Management • Risk Assessment • Vendor Management (Ongoing) • Information Security Standards (GLBA) • ID Theft Red Flags
Development & Acquisition • Vendor Management (Acquisition)
• BCP • Information Security • Operations • Incident Response • Network Security (IDS, Firewall) • EFT/E-Banking
Internal Use Only
InTREx Framework
Based on URSIT components
ED Module concept used for each component
ED Module core decision factors were derived from URSIT assessment factors
Internal Use Only
InTREx Features Incorporates baseline cybersecurity into procedures Requires conclusion on cybersecurity preparedness Requires conclusion on GLBA Information Security Standards (Part 364 Appendix B) Enhances focus on transaction/control testing
Allows for tracking of deficiencies noted in any decision factor
Internal Use Only
InTREx Procedures Core Modules Audit, Management, D&A, S&D • All procedures must be completed, but not all bullets need to be addressed • Do have flexibility to scope down, just not scope out
Internal Use Only
InTREx Procedures
Cybersecurity Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment
Internal Use Only
InTREx Procedures
Information Security Standards (GLBA) Workpaper • No stand-alone workprogram • Applicable procedures are marked with • Requires summary comment
Internal Use Only
InTREx Additional Procedures Expanded Modules • Available for Management and S&D • Provide additional procedures for IT products/ services not covered in Core or that may need additional analysis
Internal Use Only
InTREx Additional Procedures Supplemental Workprograms (ED Modules/FFIEC IT Handbook) • ED Modules available for a variety of areas (EFT, Mobile Banking, Merchant Acquiring, etc.) • FFIEC IT Handbook provides in-depth procedures • FDIC Risk Advisories and Technical Examination Aids provide guidance • Should be completed to assess specific products not covered in the Core or Expanded Modules, or areas of higher complexity that require more in-depth review
Internal Use Only
InTREx Control Testing
Control Tests • Core Modules identify potential control tests • Control tests are marked with • Use discretion in determining which tests to perform • Not all control tests need to be performed, and conversely, examiners can do own control tests
Internal Use Only
InTREx Control Testing
Control Tests • If a control test was performed, the results should be noted in the comments to that procedure • May leverage control testing performed by internal and external auditors • Sufficient testing should be performed to validate the effectiveness of controls
Internal Use Only
Audit
Internal Use Only
Objectives
Provide tools to assess the effectiveness of the IT Audit Program
IT Audit Risk, Planning, and Scope
IT Audit Component Rating
Types of IT Audits/Reviews
IT Auditor Expertise
Internal Use Only
Audit/Independent Review
IT scope & frequency based on inherent or residual risks
Performed by independent personnel
Knowledgeable individuals conduct the engagements
Risk assessment/ complexity based
Conducted separately or all at once
Board/Committees receive results
Formal report includes Findings/Recommendations
Internal Use Only
Assessment Areas for IT Audits
• Audit risk assessment, plan and scope • Appropriate coverage of the entity’s IT environment and activities • Quality of written IT reports • Audit independence • Auditor qualifications • Findings and recommendations reporting and follow-up
The IT Audit program should be assessed for the following:
Internal Use Only
Guidance for IT Audit FFIEC IT Examination Audit Handbook
Federal Agency Rules and Regulations Interagency Policy Statement on the Internal Audit Function and its Outsourcing Interagency Policy Statement on External Auditing Program of Banks and Savings Associations Interagency Guidelines Establishing Information Security Standards (GLBA) Information Systems Audits and Control Association (ISACA)
Internal Use Only
IT Audit Engagements
Engaged & signed by an individual or committee not responsible for IT operations (This is an indicator of independence.)
Expectations and responsibilities
The scope, timeframes, and cost of work to be performed
Institution access to audit workpapers
Internal Use Only
IT Audit Engagement Letter
Internal Use Only
IT Audit Engagement Letter Continued
Internal Use Only
IT Audit Engagement Letter Continued
Internal Use Only
The IT Audit Risk Assessment
The IT Audit Risk Assessment is not the same as the IT/GLBA Risk Assessment. They serve related but different purposes.
The IT Audit Risk Assessment is designed to identify key risk areas (business units or functions) in to determine a reasonable level of engagement frequency. This assessment is entity wide.
The IT Audit Risk Assessment covers all aspects of an entities IT program (operations, wires, security, vendor management, etc.) The scope is much larger than an IT/GLBA risk assessment that covers security and private, non-public, other pieces of sensitive information.
Internal Use Only
IT Audit Scope
Identifies areas to be reviewed consistent with risk assessment/ risk level
Describes how the audit will be performed and tools to be used
Provides the timeframe for completing the audit
Firms may provide engagement letter specifying this information including costs, otherwise the scope will be defined in the report.
Internal Use Only
Example – Risk Assessment ≠ Audit Scope
Risk Assessment / Audit Schedule
• Network Penetration and Vulnerability Assessment • Wire Transfer Audit • Internet Banking/Social Media Audit • IT Audit • Vendor Management Audit
List of IT Audits
Scope from IT Audit
Internal Use Only
IT Audit Coverage
IT General Controls
Information Security Program (GLBA)
EFT (ACH/Wires/RDC)
NACHA Compliance
Penetration Testing/ Vulnerability Assessment/ Phishing Test Identity Theft Red Flags Program
Regulation GG/Unlawful Internet Gambling Enforcement Act
Internal Use Only
IT Audit Coverage
Business Continuity Planning
Change/Patch Management
Vendor Management
Cybersecurity
Management
Internet/ Online Banking Network
Third-Party Outsourcing
Disaster Recovery
Strategic Planning
Project Management
Architecture (Firewalls & IDS/IPS)
BIA
Incident Response
ITGC/GLBA
Social Engineering
Red Flags/ ID Theft Prevention
Security Monitoring
Internal Use Only
Written IT Audit Reports Describe scope, objectives, and result
Identifies deficiencies/ weaknesses
Suggests corrective action(s)
Management’s response/timing for corrective action(s)
Provides information on prior audit findings
• Identifies repeat findings
Complies with audit plan & schedule
Internal Use Only
Types of IT Audits
Internal Audits/ Certifications
IT General Controls
Penetration Tests
Vulnerability Assessments
Statement on Standards for Attestation Engagements (SSAE-16/18) SOC Reports- SSAE 18 supersedes 16
Internal Use Only
IT General Controls (ITGC)
• Management, Board reporting, and governance • Logical access controls over infrastructure, applications and data • System development life cycle controls • Program change management controls • Data center physical controls • System and data back-up & recovery controls • Computer operation controls
ITGC:
ITGC engagements should be performed based on risk, which usually indicates annual performance.
Internal Use Only
Wire Transfer/ACH Audits These services are critical to many financial entities
• Particularly in small to medium community banks, CUs, and MTs Usually included in with ITGC audit • Could occur in financial entities with significant wire/ACH activity • Usually in large community financial entities Can be a separate audit
Internal Use Only
Vulnerability Assessment & Penetration Testing
Internal Use Only
Vulnerability Assessment & Penetration Testing
Vulnerability assessment is a process that defines, identifies & classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure Vulnerability Scans Tabletop Assessments A penetration test subjects a system to the real-world attacks selected & conducted by the testing personnel
Internal Use Only
Vulnerability Assessments
• Requires specific skills/knowledge • Audit team tries to find weak points • Tools used simulate a variety of attacks • Results are used in Penetration Testing for potential exploitation Testing: • Checking building windows and doors to see if they are secured • Checking if building is susceptible to other events, e.g. natural catastrophes Basic Vulnerability Assessment description:
Internal Use Only
Performing Vulnerability Assessments The goal of vulnerability assessments is to identify devices, applications, or systems that have known vulnerabilities or configuration issues without compromising your systems.
A risk-based security vulnerability methodology is designed to comprehensively identify, classify and analyze known vulnerabilities to recommend the right mitigation actions.
Internal Use Only
Vulnerability Assessment vs. Risk Assessment
Assist in mitigating or eliminating vulnerabilities for key resources
Assigning quantifiable value and importance to a resource
Identifying the vulnerability or potential threat(s) to each resource
Cataloging assets and capabilities (resources) in a system
FI will sometimes use vulnerability assessment to aid in completing the risk assessment process
Internal Use Only
Penetration Test Considerations External Penetration Testing Internal Penetration Testing “Black Box, White Box” Application Penetration Tests Independent Party Qualifications of Penetration Testers
Internal Use Only
Why They Are Important: Penetration tests can give security personnel real experience in dealing with an intrusion
Ideally, should be performed without informing staff, to test whether policies are truly effective. However, may not be practical The test can uncover aspects of network security, application & operational policies that are lacking
Internal Use Only
Pen Test Strategies
Targeted Testing
External Testing
Internal Testing
mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)
targets externally visible servers or devices (seen by anybody on Internet) to see if they can get into internal systems and how far
performed by the entity’s IT team and external testing team
Internal Use Only
Pen Test Value Ascertain the likelihood of gaining system access
Detecting vulnerabilities not easily found using standard system protective means Ability of current security methods to detect or repel an attack
Likelihood of exploiting a low-risk vulnerability to gain higher level access
List of vulnerabilities that require remediation
Measure of risk for a cyber attack
Identify gaps and control weakenesses
Internal Use Only
Penetration Test (Pen Test)
Pen Test “tests” systems to find & exploit known vulnerabilities that an attacker could exploit
Determine if there are
Pen Test report will describe any weaknesses as “high”, “medium” or “low”
Require management’s knowledge & consent
Require a high degree of skill to perform
weaknesses and if able to access system functionality and data
Are intrusive as actual “attack” tools are used
Internal Use Only
External Technology Service Provider (TSP) Reports
• FFIEC TSP Reports • Public/open section that is available to FI clients • Confidential section is available to regulatory agencies • Service Organization Control (SOC) Reports • AICPA standard for reviews of service providers • A type of control assessment provided to a service provider’s clients
FFIEC TSP Reports
SOC Reports SSAE 18
Internal Use Only
Service Organization Control (SOC) Reports • SOC I • Focus on internal controls over financial reporting (ICFR) • SOC II • Review of internal controls related to: • Security, Availability, Processing, Integrity, Confidentiality, Privacy Three Levels of Service
Organization Control (SOC) Reports:
• Review of specific controls based on service or product. Not environment wide. These are for different users not audit. • SOC III • Includes a description of the system and the auditor’s opinion. Like SOC II, but excludes disclosure/notes • Other SOC Reports- for Supply Chain and Cybersecurity
Internal Use Only
Service Organization Control (SOC) Reports
• Type I • Describes the servicer’s descriptions of controls at a specific point in time • Auditor performs no testing of servicer’s controls attesting to controls based on servicer’s account of controls- no opinion • Type II (preferred) • Includes information from a Type I Report • Detailed testing of the servicer’s controls over a minimum consecutive six-month period • Auditor expresses an opinion based on their testing
Two types of Service Organization Control (SOC) Reports:
Internal Use Only
Audit Reporting/Follow-up
Like Safety & Soundness:
o IT Audit reporting channels What is being reported and to whom o Senior Management Responses Are they reasonable and corrective timeframe is appropriate o Exception Tracking Show all IT audit findings, both Internal and External, and regulatory along with corrective action(s)
Internal Use Only
Auditor Independence & Qualifications Independence : Whether or not there are conflicting duties, e.g., involved in auditing areas they have responsibilities or oversight Auditor should be reporting to Board or Audit Committee Whether or not the Auditor has a debt with the entity (may have some influence)
Type of IT experience and training • Some IT audits require specific skill sets
Current IT certifications the auditor maintains
List of references from entities with similar IT activities
Qualifications :
These qualifications provide some assurances, but don’t guarantee a quality audit
Internal Use Only
IT Audit Review
•Audit scope and objectives •Pertinent areas for improvement based on results of testing •Reasonable and appropriate recommendations, often with managements' responses •Findings and observations consistent with your examination results
Audit Reports include:
Internal Use Only
Audit Report Review
• Be wary of auditors who rely solely on checklists • Using only regulatory work programs could indicate a lower standard of engagement • Absence or lack of workpapers could indicate a poorly performed audit Especially if there are no workpapers showing how ITGCs were reviewed/tested
Signs of a questionable audit:
Internal Use Only
Audit Findings Tracking & Resolution
A formal tracking system that assigns responsibility and target date for resolution
Timely and formal status reporting
Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
Process to ensure findings are resolved
Independent validation to assess the effectiveness of corrective measures
Issues & corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.
Internal Use Only
Auditor Interview Areas to focus on with auditor interview: • Knowledge of the IT environment and risks • Understanding of systems covered in the audit universe • Understanding of the basic controls (of these systems) • Verify training and/or certifications (as necessary)- certifications require specific training and number of hours/year (usually 40) • Type of work program used to document issues and conclusions. The work program used should be engagement type specific and not necessarily the FFIEC Work Programs
Internal Use Only
Audit Component Rating Areas to focus on when rating IT Audit component adequacy:
• Independence and quality of oversight • Audit risk analysis methodology/resources applied • Scope, frequency, accuracy, and timeliness of audit reports • Extent of audit participation in SDLC to ensure effectiveness internal controls and audit trails • Audit plan in providing appropriate coverage of IT risks • IT auditor’s adherence to code of ethics/professional standards • Qualifications of IT auditors • Timely and formal follow-up and reporting on management’s resolution of identified issues/weaknesses • Quality and effectiveness of internal and external audit activity related to IT controls
Internal Use Only
Conclusion
Learned basics for IT Audits
At a minimum, risk focused examination process must include a review the entity’s audit program
If audit program is deficient or lacking • Don’t need to dig deeper • Describe the deficiencies & record in your WP • Notify the Safety & Soundness EIC If audit program is satisfactory • Leverage audit results to create a more focused review
Internal Use Only
Summary • Audits are a necessity whether performed by in-house and/or external resources • Must be performed by independent and qualified individuals/companies/firms • Based on a current risk assessment • Must provide written, detailed, stand-alone reports • Results must be reported to the Board’s Audit Committee or a related Board Committee in a timely manner • Audits can aid in exam scope reduction
Internal Use Only
FFIEC CAT Tool
Internal Use Only
Cybersecurity Assessment Tool (CAT) • The FFIEC developed the CAT to help institutions to identify their cyber and IT security risks and determine their cybersecurity maturity. • Institutions were required to assess their inherent risk levels and domain maturities as defined by the CAT. • In late 2024, the it was announced that the CAT was being sunset by August 2025. • Institutions are still required to assess their cybersecurity posture using a formal methodology. Example methodologies include third party assessments, and resources from NIST. • On February 26, 2024, NIST released the NIST Cybersecurity Framework (CSF) 2.0. The framework is a good reference when assessing cybersecurity.
Internal Use Only
CRI Profile (Cyber Risk Institute Profile)
DEVELOPED BY THE CYBER RISK INSTITUTE (CRI) , THIS PROFILE IS SPECIFICALLY
ALIGNS WITH EXISTING REGULATORY EXPECTATIONS, SUCH AS GLBA AND NYDFS 23 NYCRR 500.
PROVIDES A STREAMLINED APPROACH TO RISK ASSESSMENT, MAPPING DIRECTLY TO NIST, ISO, AND FFIEC EXPECTATIONS.
FOCUSES ON CORE CYBERSECURITY DOMAINS: GOVERNANCE, ASSET MANAGEMENT, DATA PROTECTION, THREAT AND VULNERABILITY MANAGEMENT, AND INCIDENT RESPONSE .
ENABLES MORE EFFICIENT REPORTING AND EXAMINATION READINESS.
DESIGNED FOR THE FINANCIAL SERVICES SECTOR.
Internal Use Only
NIST Cybersecurity Framework (CSF) 2.0
AN UPDATED VERSION OF THE ORIGINAL NIST CSF , FOCUSING ON IMPROVING RISK MANAGEMENT STRATEGIES.
PROVIDES A STRUCTURED APPROACH TO IDENTIFY, PROTECT, DETECT, RESPOND, AND RECOVER .
ENHANCED EMPHASIS ON SUPPLY CHAIN RISK MANAGEMENT AND SECURE SOFTWARE DEVELOPMENT .
ENCOURAGES DEEPER INTEGRATION WITH ORGANIZATIONAL RISK MANAGEMENT AND STRATEGIC OBJECTIVES.
WELL-RECOGNIZED BY REGULATORS AS A ROBUST FRAMEWORK FOR CYBERSECURITY READINESS.
Internal Use Only
CIS Controls
DEVELOPED BY THE CENTER FOR INTERNET SECURITY (CIS) , THE CONTROLS OFFER
INCLUDES 18 CRITICAL CONTROLS THAT ARE MAPPED TO SPECIFIC DEFENSIVE ACTIONS.
EMPHASIZES BASIC CYBER HYGIENE , VULNERABILITY MANAGEMENT , AND INCIDENT RESPONSE PREPAREDNESS .
HIGHLY ACTIONABLE AND IDEAL FOR RESOURCE CONSTRAINED ORGANIZATIONS LOOKING FOR RAPID IMPROVEMENT IN SECURITY POSTURE.
PROVIDES A CLEAR PATH TO COMPLIANCE WITH BOTH REGULATORY REQUIREMENTS AND RISK MANAGEMENT GOALS.
A PRIORITIZED LIST OF CYBERSECURITY BEST PRACTICES.
Internal Use Only
Presenter Round Table
How effective do you think the FFIEC CAT was in evaluating cybersecurity maturity and identifying gaps for financial institutions?
Which of the alternative frameworks—CRI Profile, NIST CSF 2.0, or CIS Controls—do you think best aligns with current regulatory expectations, and why?
What steps should financial institutions be taking right now to prepare for the transition away from the CAT tool?
How should examiners adjust their engagement strategies with institutions during this transition period to ensure continued cybersecurity readiness?
Internal Use Only
Development and Acquisition
Internal Use Only
Development & Acquisition Learning Objectives
Senior Management & Board Oversight • Evaluate the effectiveness and adequacy of management’s oversight and support, including meeting objectives and user needs. Project Management Quality • Assess project management practices and processes for quality, efficiency, and alignment with business objectives. Change Control Practices • Review the adequacy and effectiveness of procedures for managing system changes. Source Code & Programming Controls • Determine the sufficiency and effectiveness of controls protecting the integrity of source code and programming activities. Additional Risk Considerations • Identify and evaluate other risks impacting system development, acquisition processes, and overall operational security.
Internal Use Only
Development & Acquisition Senior Management & Board Oversight
Governance Practices Clearly define responsibilities, enhance transparency, and facilitate effective oversight and informed decision-making.
Strategic Alignment Ensure IT solutions strategically align and actively support business objectives and organizational needs.
Effective Communication Board and IT management oversight committees provide transparency, accountability, and timely decisions through clear communication of project statuses, risks, and milestones to stakeholders. Policies, Standards & Procedures Comprehensive, Board-approved policies and standards foster consistency, efficiency, and reliability, significantly reducing risks of project failures and operational disruptions.
Qualified Personnel Assign qualified individuals to oversee security, audit processes, and testing activities within technology projects.
System Lifecycle Management Establish robust lifecycle management practices to proactively identify and replace aging systems approaching end-of-life.
Internal Use Only
Planning & Governance Detailed project plans, defined roles/timelines, and ongoing status reporting. Requirements & Feasibility Documented business/technical specifications, risk assessments, and feasibility studies. Cost & Vendor Analysis Cost-benefit evaluations, vendor due diligence, and contract reviews. Stakeholder Involvement & Testing Engagement of end-users, documented test plans, and validated test results. Post-Implementation Review Evaluation of project outcomes, effectiveness, and lessons learned.
Development & Acquisition Project Management Oversight
Internal Use Only
No Project Oversight? What Could Go Wrong?
PROJECTS CAN GO OVER BUDGET OR FALL BEHIND SCHEDULE WHEN THERE IS INSUFFICIENT SCOPE MANAGEMENT AND POOR ADHERENCE TO TIMELINES.
ESSENTIAL DEPENDENCIES AND POTENTIAL RISKS MAY BE IGNORED, CAUSING OPERATIONAL ISSUES
WHEN ROLES AND RESPONSIBILITIES ARE NOT CLEARLY DEFINED, ACCOUNTABILITY MAY DIMINISH, RESULTING IN CONFUSION AND REDUNDANT EFFORTS.
INEFFECTIVE COMMUNICATION CAN CREATE MISMATCHED EXPECTATIONS AMONG STAKEHOLDERS.
INEFFICIENT CHANGE MANAGEMENT MAY LEAD TO SCOPE CREEP, SUBOPTIMAL RESOURCE UTILIZATION, OR FAILURES IN IMPLEMENTATION.
THE LACK OF PROPER DOCUMENTATION AND MONITORING HINDERS THE ABILITY TO ASSESS PROJECT SUCCESS OR APPLY INSIGHTS GAINED TO FUTURE INITIATIVES.
OR LAPSES IN COMPLIANCE.
Internal Use Only
System Development Life Cycle (SDLC) • A project management approach that breaks down complex work into smaller, manageable phases. • Segmenting helps ensure each phase is completed before moving forward. • SDLC is typically structured into 5 phases. May vary by organization. 1. Initiation 4. Monitoring & Controlling 5. Closing
2. Planning
3. Executing
Internal Use Only
SDLC: Initiation • Business justification should be documented, outlining why the project is needed and how it aligns with organizational goals • A preliminary cost-benefit analysis may be conducted to evaluate feasibility. • High-level project scope and constraints should be defined early to avoid misalignment later. • Stakeholders and project sponsors should be identified and engaged at the outset. • Success criteria and metrics should be established to measure project outcomes. • Initial resource and staffing needs should be assessed and documented.
1. Initiation
5. Closing
2. Planning
4. Monitoring & Controlling
3. Executing
Internal Use Only
SDLC: Planning • Ensures project aligns with both technical needs and business objectives. • Define detailed project scope, timeline, milestones, and resource requirements. • Identify and assign project roles and responsibilities. • Develop a communication plan to ensure stakeholder alignment and status tracking. • Plan for quality assurance, testing, and validation activities. • Integrate risk mitigation strategies identified during the Initiation phase.
1. Initiation
5. Closing
2. Planning
4. Monitoring & Controlling
3. Executing
Made with FlippingBook - Online magazine maker