FFIEC Audits & Risk Management
Information Security, IT Operations/Governance and IT General Controls Audit
FIPCO will perform an Information Security Assessment that reviews the Bank's information security program, policies and other pertinent documentation. IT operations, risk assessment and governance, as well as IT general controls, will be audited to provide evidence that controls have been implemented. The IT audit focuses on the Bank's overall information security program, management oversight and IT environment, and may include the following areas:
- Application & Operating System Controls (Authentication and Access Controls)
  - System/network
  - Critical Applications (e.g. Core, Electronic Banking, ACH)
- Business Continuity/Disaster Recovery and Incident Management
  - Backup of data and systems
  - Problem management
  - Continuity planning
  - Operations management
- Change and Configuration Management
  - Business IT change management
  - Technical change management
- End User (workstations, laptops, other mobile computing)
  - Network and System
  - Operations Management (i.e. operational controls)
- Segregation of Duties
  - Authorization processes
  - Logging and tracking of user/computer activity
  - Service levels for reporting and tracking hardware and software errors
- Policy and Standards
  - Information Security Policy and Program
  - Security management, access control standards, supporting documentation
  - Regulatory considerations: eDiscovery, GLBA Section 501(b), security breach notification, etc.
- Physical Controls
  - Physical access controls to main facilities, computer rooms, network equipment, system output, etc. (assumes the computer room is at the headquarters location)
- General Administrative Controls (Human Resources and Organizational Management)
  - Senior management involvement
  - IT planning (strategic and operational)
  - Service level agreements
  - Legal compliance
  - Organization of IT
- Vendor Management
  - Third Party Acquisition and Due Diligence
  - Documentation
  - Process and ongoing risk review
- Applications Acquisition/Development and
  - Development methodology
  - Project management
  - User/customer participation
- Information Security (i.e. security of data: databases, transmission, files, storage media)
  - eBanking (if applicable: RDC, mobile banking, ATM procedures, retail credit/debit cards)
  - Monitoring and Compliance
  - Social Media
  - Cybersecurity: inherent risk and maturity control considerations
Testing will also review the remediation of findings from previous audits and assessments. Observations will be discussed and documented as appropriate. A report of identified control deficiencies and an executive summary will be provided for management comment and for delivery to the board of directors as appropriate. The audit follows FFIEC guidance, is designed to meet examiner expectations and supports GLBA compliance.