IT Examiner School eBook

Common Exam Themes, Findings & Weaknesses

Management may not be fully aware of GLBA or of 16 CFR Part 314 (the FTC Safeguards Rule).
Policies, procedures, and standards are not sufficiently detailed to guide program activities.
There is limited evidence that the Board and Senior Management provide effective oversight of IT/IS.
Vulnerability and Patch Management processes and standards are inconsistent and not documented.
The Third-Party (Vendor) Risk Management Program is in its infancy and not well documented.

There is no formal risk-based IT Audit program and/or independent testing program.
The Information Security Program is not based on an assessment of the institution's unique risks and threats.
Management has not designated an individual with the independence, authority, expertise, or time to effectively oversee the Information Security Program.
Incident Response Plans are non-existent.
Disaster Recovery and Business Continuity Plans are not based on a comprehensive Business Impact Analysis (BIA) and risk assessment.
