Last time in Part 3 we discussed (at some length) the FDIC IT Exam question “Are project management techniques and system development life cycle processes used to guide efforts at acquiring and implementing technology (Y/N)?”. This time, we address a question from the Part 3 – Audit/Independent Review Program section titled:
“Are the results of your audits/independent reviews used to adjust your risk assessment findings/results (Y/N)?”
I’m going to give you a 2 for 1 bonus on this one. There is another question just after this one that is closely related, so we’ll address them both at the same time:
“Do you have a system for tracking audit and regulatory exceptions to final resolution (Y/N)?”
They should really be asked in the reverse order, because if you have a “system” in place for tracking audit findings, it would necessarily address (as the final step in the audit process) adjusting your risk assessment findings. It would serve no useful purpose to submit to the time and expense of an audit, only to discard the findings. Nevertheless, you want to answer “Y” to both questions, and the proper way to document your answer is found in the references for both questions.
Both questions share the first reference (FDIC Rules and Regulations Part 364 Appendix B Section III (C)(3) and (E)), which states:
Section III (C)(3) – “Each Bank shall…Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.”
Section III (E) – “Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.”
Simply put, you must first test the key controls, systems and procedures of your information security program, and then adjust the program in light of what those tests find. How do you prove compliance? The answer is found in the details of your audit program, and usually in the engagement with your external auditor. The terms of the contract with your auditor determine the nature, scope and objectives of the audit engagement, so an information security audit (sometimes referred to as a GLBA audit) scoped to the regulation will cover the key controls, systems and procedures of your information security program. Note that the regulation requires independence, not necessarily an outside firm: tests “conducted or reviewed by … staff independent of those that develop or maintain the security programs” also satisfy Section III (C)(3), provided you can document that independence.
But having an audit program does not, by itself, answer either question. What do you actually do with the findings from the audit? Whenever the FFIEC mentions a “system”, what they usually mean is that it’s formalized (policy driven), standardized (operates in a committee, and from an agenda), and documented. So which committee in your organization is tasked with IT security? If you follow FFIEC guidelines, it’s probably your IT Steering Committee. It’s logical, then, that IT-related audit findings would be presented there as well. (Some institutions have a separate audit committee, but if audit findings require changes to IT policies or procedures, they would still need to be presented to IT Steering for implementation.)
So the correct answer to both questions is “Yes, the findings from our information security audits are presented to the IT Steering Committee, tracked there to final resolution, and used to adjust our risk assessment and information security program.” The committee minutes and the findings tracking log are your documentation.
We’re down to the last of the 5 trickiest questions, and I’m going to turn to you for the final post in this series. What IT audit or examination question(s) have you had the most difficulty with? Leave a comment at the bottom, or send me an email, and I’ll discuss not only the correct answer, but most importantly how to answer the “If Yes,…” part.