IT Examiner School eBook May 2025
The Board of Directors or an appropriate committee of the Board of each bank shall:
    Approve the bank's written information security program.
    Oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

    Designated members of management are held accountable by the Board or an appropriate Board committee for implementing and managing the information security and business continuity programs.
    Management assigns accountability for maintaining an inventory of organizational assets.
    Processes are in place to identify additional expertise needed to improve information security defenses.
    Information security roles and responsibilities have been identified.
    Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts.
    Employee access to systems and confidential data provides for separation of duties.
2. Evaluate the quality of IT reporting to the Board of Directors. Consider reports such as:
    IT risk assessments
    IT standards and policies
    Resource allocation (e.g., major hardware/software acquisitions and project priorities)
    Status of major projects
    Corrective actions on significant audit and examination deficiencies
    Information security program, including cybersecurity
Report to the Board. Each bank shall report to its Board or an appropriate committee of the Board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

    Management provides a written report on the overall status of the information security and business continuity programs to the Board or an appropriate Board committee at least annually.
    The institution prepares an annual report of security incidents or violations for the Board or an appropriate Board committee.

Control Test
    Review the most recent annual information security program report to the Board and ensure it covers the minimum required elements outlined in the Information Security Standards.

3. Evaluate the adequacy of the short- and long-term IT strategic planning and budgeting process. Consider the following:
    Involvement of appropriate parties
    Identification of significant planned changes
    Alignment of business and technology objectives
    Ability to promptly incorporate new or updated technologies to adapt to changing business needs
    Coverage of any controls, compliance, or regulatory issues which may arise or need to be considered