IT Examiner School
IT management is satisfactory, notwithstanding concerns noted in this area. The Board recently approved a multi-year strategic plan that includes data security. Management has been diligent in upgrading network software with their Microsoft WSUS (Windows Server Update Services) server; however, guiding policies have not kept pace with execution. Noted findings support this conclusion. Management’s risk assessments are formally approved by the Board annually. Change control is satisfactory. Once network patches or upgrades are tested and approved by the IT Steering Committee, they are installed on the production network. Microsoft’s WSUS is used to apply appropriate patches. Overall, information security is adequate. Operations are satisfactory. Main applications are serviced by Fiserv, San Antonio, TX. While there were findings and observations noted at this Information Technology examination, they are correctable in the normal course of business. A list of these findings was left with Network Administrator Fossil. Intrusion detection is monitored by Intelligent, Inc., with an adequate incident response plan noted. Anti-virus and anti-spyware are employed at the network level in the DMZ. Annual vulnerability and penetration testing is conducted along with the external audit.
Analysis/Findings:
The IT examination revealed generally satisfactory controls, policies, and practices; however, the following issues warrant management’s attention:
• Gramm-Leach-Bliley Reporting standards not being met*;
• Add “Responsibility” columns to the risk assessments;
• Revise/review/approve IT Policy to reflect current asset controls;
• Appoint a Data security officer;
• Conduct a Disaster Recovery Test to include the network and item processing;
• Update Disaster Recovery Policy*;
• Record IT committee minutes; and
• Restrict access to the operations room.
* Indicates findings that may not be resolved in the 3-month time frame noted below.
Management’s Response:
A comprehensive findings list was left with Chief Executive Officer David Bose at the exit meeting on Sept. 23, 20XX. A full discussion of the aforementioned findings, along with other corrected findings, ensued at that meeting. After conferring with EVP Anita Jones, CEO Bose agreed to try to address these findings within 3 months of the exit meeting. However, Mr. Bose stated that all findings may not be resolved in that time frame due to planning and research (denoted by *). These exceptions will be resolved by year-end 20XX.