IT Examiner School

Common Exam Themes, Findings & Weaknesses

Policies may not be formally adopted, effectively communicated, or enforced.

Management has not designated an individual with sufficient independence, authority, expertise, or time to effectively oversee the Information Security Program.

There is limited evidence that the Board and Senior Management provided effective oversight of IT/IS.

Incident Response Plans are non-existent or do not provide sufficient detail to guide IR activities.

Vulnerability and Patch Management processes and standards are inconsistent and not documented.

Periodic reviews of user access rights and entitlements are not consistently performed.

Secure Software Development procedures and standards are not documented; project management methodologies are nonexistent.
