Trust Examiner School eBook

INFORMATION TECHNOLOGY
(Request list columns: Item #, Status, Individual Responsible, Comment. Only the item number and request text are populated in this extract; the Status, Individual Responsible and Comment columns are blank.)

Page 11

8.01 Please provide a copy of all policies and procedures that comprise the information security program, including topics such as the following:
-- Information Security
-- Vendor Management
-- Patch Management
-- Anti-Virus
-- Change Management
-- Data Retention
-- Data Disposal
-- System & Data Backups
-- Acceptable Use
-- Clean Desk
-- Encryption
-- Mobile Device Management (BYOD)
-- Data Loss Prevention
-- System Hardening
-- Asset Inventory/End-of-Life
-- Business Continuity/Disaster Recovery
-- Incident Response
-- Rules of Behavior/Social Media
-- User Access and Authentication
-- Network/System Monitoring

8.02 Provide any material and related support documents for all information and cyber security trainings conducted for employees and Board members since the last examination. (Support documents may include attendance records, course slides, etc.)

8.03 Please provide copies of any IT and/or cyber-related risk assessments.

8.04 Provide documentation supporting Board/Management oversight of IT, including but not limited to:
-- Board-approved IT strategic plan and budget
-- Minutes noting the Board report on information security
-- Materials to support Board discussion of risk acceptance
-- Board/committee minutes to support designation of employee(s) to coordinate the information security program
-- Backup coordinator for the information security program

8.05 Provide a list of individuals and/or committees designated to stay abreast of IT-related matters.

8.06 Please provide a list of key individuals (names and contact information), both internal and external, that are responsible for management of the IT function (including security, operations, and maintenance).

8.07 Provide a network diagram(s) depicting all assets that make up the current IT operating environment. The diagram should include devices such as servers, workstations, printers, firewalls, routers, switches, wireless access points, voice over IP, internet, network segmentations, mobile devices, etc.

8.08 Provide a data flow diagram(s) depicting the outputs and inputs of data for each system. The diagram should indicate and define data endpoints and list any restrictions in place to ensure data security.

8.09 Provide an inventory of all hardware devices and the operating systems running on them. Please identify any upcoming or current hardware or operating system end-of-life instances.

8.10 Provide a current inventory of all software and applications, including network monitoring tools. Please identify any upcoming or current software end-of-life instances.

8.11 Provide a copy of the most recent internal and external penetration tests and/or vulnerability assessment conducted. Also include any remediation actions planned or taken as a result of these engagements.

8.12 Provide a copy of the most recent phishing test results.

8.13 Provide a copy of any patch management status reports that are periodically reviewed by management.

8.14 Provide a copy of the IT audit policies and procedures, if not included in 8.01.

8.15 Provide a copy of the current IT audit risk assessment and plan. Include the current IT audit schedule.

8.16 Provide a copy of any IT audit reports conducted since the prior examination. (Note: The IT audit reports should include engagements that periodically assess IT general controls.)

8.17 Provide a copy of the most recent audit and regulatory findings/exceptions tracking reports and Board or committee meeting minutes in which the reports were presented.

8.18 Provide a list of all vendors, indicating each vendor's criticality/rating and most recent ongoing monitoring/review date. (A sample of documentation supporting the vendor review process will be selected for review during the examination.)

8.19 Provide copies of vendor contracts for key outsourced IT providers.

8.20 Provide documentation to support the most recent incident response plan test.

8.21 Provide details for any incidents, breaches, cyberattacks, and identity thefts occurring since the prior examination.

8.22 In addition to the business continuity/disaster recovery document requested in item 8.01 above, please provide any disaster recovery support documents, such as the trust company's Business Impact Analysis, Threat Analysis, annual testing schedule, and key third-party recovery contracts.

8.23 Provide the results and supporting documentation for all business continuity and disaster recovery testing conducted in the past 12 months.
