IT Examiner School
Data and Procedural Controls: Computer operations recovery; data backup and recovery capabilities for hardware and software failures; procedural control for receipt of data. Verify adequate testing of recovery procedures has occurred.
Local and Wide Area Network Security: Review design, supports and security policies and procedures; network management responsibilities; network password administration; network access restrictions; critical network device replacement procedures; firewall/intrusion detection/vulnerability assessment systems; network topology.
Social Engineering Test: Utilize various techniques of physical and psychological engineering to gain unauthorized access to systems, customer information, or non-public bank information.
Levels of Risk
All findings outlined in this report present some level of risk to the Bank. We have assigned a specific risk level to each finding based on regulatory requirements and/or industry best practices. However, the Bank’s Technology Committee and executive management team should review each finding against its own risk assessment strategy to determine what risk level it ultimately presents to the operation.
Risk Level: Potential Impact
High: Significant probability of affecting business-critical operations; non-compliance with key regulatory requirements; impending risk to customer and/or non-public information. These items should be addressed immediately.
Medium: Potential to affect business operations and/or non-critical computing systems; non-compliance with key regulatory requirements; some risk to customer and/or non-public information. These items require proactive consideration of resource allocation and should be addressed as soon as reasonably possible.
Low: Minimal probability of affecting business operations or key IT systems; little to no risk to customer and/or non-public information. These items should be considered only when resources are available and High and Medium vulnerabilities have been adequately addressed.