IT Examiner School
Findings and Recommendations
Organizational Controls Findings
Level of Risk
Updates on IT-related issues are not being reported to the Board and noted in Board minutes
Medium
The Board should consistently be made aware of significant activities and initiatives taking place in IT. These updates will improve the Board’s knowledge of IT-related issues, allowing them to more efficiently oversee IT operations, and provide management with appropriate guidance for making technology decisions that will support the business objectives of the bank.
Findings
Level of Risk
The bank does not have a formal management succession plan for IT
Low
This issue was identified in the prior examination. At the time of the audit, Network Administrator E. Fossil was finalizing an IT management succession plan to submit to senior management and the Board for approval at the July Board meeting.
Systems Control Findings
Level of Risk
Critical Systems Updates and/or Vulnerabilities (continued)
Medium
Host 10.1.1.3 – Windows Security Updates – 6 critical security updates are missing. Install the security updates identified in the MBSA report dated 06/29/20XX. Management response: Patch installed
Multiple Hosts – Windows Media Player Security Updates – 1 critical security update is missing. Install the security update or uninstall this application. Management response: Updates installed
Multiple Hosts – Folder Permissions on and/or MSDE installation folders are not set per Microsoft’s security recommendations. Solution: Remove any other users or groups (with the exception of local administrators, SQL Server service accounts and the SYSTEM account) that might be contained in the ACL for each of these directories. Management response: Management will contact the vendor to determine if there are compensating controls available.