IT Examiner School
Common Exam Themes, Findings & Weaknesses
Third-Party (Vendor) Risk Management Program is in its infancy & not well documented
• Outsourcing arrangements are entered into without thorough planning or assessment of third-party cybersecurity risks
• Management provides only cursory supervision, which limits its understanding of the contracts, performance standards, & services provided
• Contracts with critical service providers do not address minimum cybersecurity controls, contractual protections, or reporting requirements
• Internal staff may not have the requisite knowledge to fully understand the IT/IS risks associated with third-party providers
Common Exam Themes, Findings & Weaknesses
Third-Party (Vendor) Risk Management Program is in its infancy & not well documented
• The licensee is totally reliant on outside service providers, but management does not manage or oversee the vendor relationship
• Third-party access & authentication controls (including use of MFA) may not be consistent with the Licensee's own controls
• Content for the web site is inaccurate, not up to date, & not monitored
• System security logs, including remote access logs, are not reviewed for unusual activity