IT Exam Trends
- Jim Rumph
- Jul 10
- 3 min read

Hello everyone,
Today we’ll be discussing trends I’ve been noticing in recent exams. We’ll explore three common topics that keep showing up and their implications for your financial institution. If anyone needs any examples or templates related to these areas, please let me know. Let’s dive in:
1. Project Management: This is a frequent topic across FIs of all sizes. The FFIEC Development, Acquisition, and Maintenance IT Handbook details IT project management expectations. The main issue arises from lacking a Project Management Policy or having an inadequate one. Even small financial institutions need a policy.
Takeaway: It is important to establish a comprehensive Project Management policy supported by well-defined processes. It is advisable to align your policy with each Project Phase—Initiation, Planning, Execution, and Closeout—as well as incorporate a Monitoring component, in accordance with the guidance provided in the FFIEC Development, Acquisition, and Maintenance IT Handbook (https://ithandbook.ffiec.gov/it-booklets/development-acquisition-and-maintenance/). Additionally, policies and procedures should be appropriately tailored to your institution's specific requirements while allowing for sufficient flexibility.
2. Vendor Management Risk Tiers: Vendor management has been an area of focus and is expected to remain important. One specific issue in vendor management policies is the lack of clearly defined risk tiers that address varying levels of risk and outline appropriate actions for each vendor category. Recent regulatory guidance has highlighted this concept, and it has become a point of attention during examinations.
Takeaway: VM Policy and Procedures should clearly differentiate between risk tiers and offer general guidance for applying due diligence and ongoing vendor management according to each tier. Straightforward risk rating systems, such as High, Medium, and Low, are suitable. The objective is for VM procedures to align with the level of risk, allocating more resources to higher-risk vendors. For example, high-risk vendors may be reviewed annually with a broader assessment scope, including items like SOC reports, insurance, cybersecurity review, and business continuity. In contrast, low-risk vendors might be reviewed every three years, focusing primarily on contract and performance reviews. It is advisable not to set rigid requirements for vendor management processes, as flexibility may be necessary in situations where critical vendors lack certain documentation (e.g., a SOC report). In these cases, document the alternative review methods used to achieve satisfactory oversight.
3. IT Succession Planning: Recently, there has been an increased emphasis on succession planning at the institutional level, not limited to IT departments. The primary goal is to establish a clear plan for key roles, which involves more than identifying a backup; it requires outlining both short-term and long-term strategies for succession.
Takeaway: It is essential to establish an IT Succession Plan for critical positions such as the IT Director (or equivalent) and Information Security Officer. The primary objective of a succession plan is to maintain operational continuity and mitigate risks associated with staff departures. To address these risks effectively, the plan should identify designated backups, outline personnel development and cross-training strategies, ensure the maintenance of support documentation, and consider potential vendor support.
4. User Access Reviews: The FFIEC booklets frequently address access rights, and access reviews are a key element of this topic. There has been an increase in recommendations regarding the improvement of access review processes.
Takeaway: It is important to conduct thorough access reviews for critical systems. A few specific guidelines include:
- Establish a methodology to determine which systems require an access review, the level of review, and the appropriate frequency. Not all systems necessitate in-depth reviews beyond confirming that accounts of terminated users have been removed.
- Review all cloud-based applications at least annually to verify that terminated users no longer have access. Many of these systems do not sync with Active Directory, so disabling network access alone may be insufficient.
- For high-risk systems, ensure all accounts are included in the review process, including system and generic accounts. If groups are utilized, conduct a review of group profiles.
- Maintain proper documentation, noting when the review was conducted, by whom, and any resulting actions (such as removing user rights).
- Ensure the reviews are worthwhile. I tend to first look at the actions/remediations that occur as a result of the user access review. If these reviews are not resulting in substantive changes, then it may be time to refine the process. In some cases, this could involve reducing documentation requirements and conducting a more focused review. Just make sure it’s effective based upon your needs.
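As an added illustration (not part of the original post or any vendor's tooling), the script below reconciles a cloud application's user export, which does not sync with Active Directory, against the HR terminated-staff list, flags system and generic accounts for owner attestation, and produces a review record noting the system, reviewer, date and resulting actions. The export field names, the generic-account naming prefixes and all sample data are assumptions constructed for the example.

```python
"""Added example: cloud-app user access review against an HR terminated list.
All data and field names below are constructed assumptions, not a real vendor
export format or a real institution's accounts."""
from dataclasses import dataclass, field

# Constructed sample export from a cloud app that does not sync with AD.
CLOUD_APP_USERS = [
    {"username": "asmith", "email": "asmith@example-fi.test", "status": "active"},
    {"username": "bjones", "email": "bjones@example-fi.test", "status": "active"},
    {"username": "svc_backup", "email": "", "status": "active"},
    {"username": "admin", "email": "", "status": "active"},
    {"username": "cdoe", "email": "cdoe@example-fi.test", "status": "disabled"},
]
# Constructed HR list of terminated staff; e-mail is the join key because the
# app has no AD link, so a disabled network account proves nothing here.
TERMINATED_STAFF = {"bjones@example-fi.test", "cdoe@example-fi.test"}
# Assumed naming conventions that mark system/generic (non-personal) accounts.
GENERIC_PREFIXES = ("svc_", "admin", "shared", "test")


@dataclass
class ReviewRecord:
    """Documentation of one review: what was reviewed, by whom, when, outcome."""
    system: str
    reviewer: str
    review_date: str  # ISO date string, e.g. "2024-07-10"
    terminated_still_active: list = field(default_factory=list)
    generic_accounts: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def review_cloud_app(system, users, terminated, reviewer, review_date):
    """Flag active accounts of terminated staff and every generic/system
    account, recording the remediation each finding requires."""
    rec = ReviewRecord(system, reviewer, review_date)
    for u in users:
        name, email = u["username"], u["email"].strip().lower()
        if u["status"] == "active" and email in terminated:
            rec.terminated_still_active.append(name)
            rec.actions.append(f"disable {name}: user terminated per HR list")
        # Accounts with no personal e-mail or a generic prefix need an owner
        # and a documented business need, even on low-risk systems.
        if not email or name.lower().startswith(GENERIC_PREFIXES):
            rec.generic_accounts.append(name)
            rec.actions.append(f"confirm owner and need for generic account {name}")
    return rec


if __name__ == "__main__":
    r = review_cloud_app("ExampleCloudApp", CLOUD_APP_USERS, TERMINATED_STAFF,
                         "J. Reviewer", "2024-07-10")
    print(f"{r.system} reviewed {r.review_date} by {r.reviewer}")
    for a in r.actions:
        print(" -", a)
```

A review whose `actions` list stays empty period after period is the signal the post describes: either the process is not finding anything or it should be refocused.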
As mentioned before, if anyone needs any examples/templates of these just let me know. Please reach out with any questions at jrumph@harkadvisors.com or 678-672-2313.
Jim