IT Examiner School eBook May 2025

Ongoing monitoring practices include reviewing critical third parties' resilience plans.

Control Test: Review a sample of documentation for ongoing monitoring of critical service providers to ensure sufficient monitoring is occurring.

13. Evaluate the institution's IT risk assessment process. Consider the following:
• Identification of all information assets and systems, including cloud-based, virtualized, and paper-based systems
• Identification of critical service providers
• Gathering of threat intelligence (e.g., FS-ISAC, US-CERT, InfraGard)
• Determination of threats, including likelihood and impact
• Identification of inherent risk levels
• Documentation of controls to reduce threat impact
• Determination of the quality of controls (i.e., testing)
• Identification and evaluation of residual risk levels
• Remediation program for unacceptable residual risk levels
• Updating of the risk assessment promptly for new or emerging risks

Specific to the customer information security program, each bank shall:
• Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
• Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
• Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Each bank shall also regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or by staff independent of those who develop or maintain the security program.

A risk assessment focused on safeguarding customer information identifies reasonably foreseeable internal and external threats, the likelihood and potential damage of those threats, and the sufficiency of policies, procedures, and customer information systems. The risk assessment also identifies internet-based systems and high-risk transactions that warrant additional authentication controls.

Expected practices include the following:
• The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US-CERT).
• Threat information is used to monitor threats and vulnerabilities.
• The critical business processes that depend on external connectivity have been identified.
• Data flow diagrams are in place and document information flow to external parties.
• An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
• Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on data classification and business value.
• Management considers the risks posed to the institution by other critical infrastructures (e.g., telecommunications, energy).
