IT Examiner School
Results of On-Site Discussions with Management, Part I
General
Examiner: I noticed you signed the submitted IT Profile. Are you an executive officer? NA Fossil: No.
Examiner: Are you solely responsible for the risk assessment? NA Fossil: No. Compliance Officer Ben Thomas completes the GLBA risk assessment.
Examiner: Is there an executive officer who takes ownership of the risk assessment process? NA Fossil: No. What Ben and I complete goes directly to the Board for approval each December after we show the assessments to the IT Steering Committee.
Examiner: What resources are available to you and CO Thomas? NA Fossil: Well, we are on a tight timeframe and are given limited time to put these together. Ben and I just do it. We have requested additional resources due to increased growth, staffing and network traffic.
Examiner: Do they keep minutes? NA Fossil: No.
Note: You had a brief conversation with CEO Base about some of these items. He confirmed that the IT Steering Committee continues to meet without formally documenting their discussion.
Examiner: Why does the bank complete two risk assessments? NA Fossil: Since GLBA is a regulation, it falls under CO Thomas’ responsibility.
Examiner: Do you all collaborate? NA Fossil: No, although we do have the same template that was provided by a banker’s association. Since I have only been assigned this for 6 months, I am new at this. If you have recommendations, I would welcome them.
Examiner: Doesn’t that leave room for potential conflicts? NA Fossil: It’s possible I guess, but I don’t see much overlap in our areas.
Examiner: Who determines your risk weighting? NA Fossil: I do.
Examiner: Have you defined what high, medium, and low qualify as? NA Fossil: Yes, but I haven’t had time to provide the written details for each.
Examiner: Who determines if a control is either effective or ineffective? NA Fossil: That would be me too.