IT Examiner School
Examiner: What tools do you use to make that determination? NA Fossil: It is based on my experience and observations. CO Thomas does the same thing.
Examiner: Talk about your asset inventory list. NA Fossil: It stems from our depreciation schedule. We also query each department each year as an additional check in case we have overlooked something.
Examiner: Is it used in conjunction with completing the risk assessment? NA Fossil: No. It is strictly an accounting tool.
Examiner: Your risk assessment does not identify all assets or connections requiring some kind of risk reduction strategy. NA Fossil: Both CO Thomas and I were just recently assigned this task and may not have it exactly right just yet. If that is required, we can certainly do that.
Examiner: You should think beyond your physical bank building in order to capture everything on your risk assessment. NA Fossil: Okay.
Examiner: I reviewed your information technology policies and it does not address all assets that need defined controls associated with them. Is this the only policy addressing security? NA Fossil: Okay.
Examiner: May I have a copy of the Board minutes reflecting when the risk assessment program was reviewed/approved by them and also when the risk assessment findings were presented? NA Fossil: We did not do a formal presentation. Ben just informed the Board that we were in compliance.
Examiner: Has your FI deployed any new technologies since the last exam? NA Fossil: Yes, we’re testing two mobile banking platforms and we recently deployed Cloud backup.
Examiner: Did you perform a risk assessment of these activities? NA Fossil: Yes, I did a limited review of the mobile applications to get the testing started. As for Cloud, we performed a fairly thorough review since FI and customer data is now stored on U-Store’s servers.
Examiner: Regarding request for staffing, what did you mean by that and how many will be hired? NA Fossil: Well, for one, we requested an ISO position and two additional staff members to assist me since we had some growth and a recent DDoS threat. Also, we want to take on some standard daily IT activities from our MSSP as the Board and executives feel we are too reliant on the MSSP.