Nonbank Cyber Exam Program: Examiner ... - Home | CSBS



Nonbank Cyber Exam Program Overview

The Nonbank Cyber Exam Program is designed to enhance identification, assessment, and validation of information technology and operations risks in nonbank/nondepository financial institutions and to ensure that identified risks are fully addressed by financial institution management. It is a risk-based examination approach for conducting IT examinations.

The Nonbank Cyber Exam Program consists of two segments: the Pre-Exam communication and the Onsite Exam procedures. During the Pre-Exam, the examination team requests basic organizational cybersecurity information from the entity. The entity’s responses are then used to scope and shape the exam itself.

Pre-Exam Planning and Communication with Entity

During the Pre-Exam process, the IT EIC will send the following documents to the entity Point of Contact:

- The First Day Letter provides an overview of the exam process and sets expectations for both the examiner and the entity.
- The IT Officer’s Questionnaire requests information about the organization’s operations and includes cybersecurity-specific questions.*
- The Document Request List (DRL) outlines the supporting information that will be reviewed and assessed as part of the exam.

* Please note the entity must sign and attest to the information provided in the IT Officer’s Questionnaire.

Once the IT Officer’s Questionnaire has been returned and the documentation requested in the DRL has been provided, the examination team determines the level of exam effort required. (Any documentation that cannot be provided ahead of time should be ready for examiner review on the first day of the exam.)

How to Scope an Exam

The scope of your examination will be dictated by the size and complexity of the nonbank and your agency’s resource commitment to the examination. Full scope examinations are warranted where the institution is larger or more complex, has known or suspected cybersecurity deficiencies, and the agency has committed appropriate resources to the examination. Limited scope examinations may be more appropriate for small, less complex institutions, where the agency intends to target specific issues, or where the agency does not wish to commit the resources necessary for a full scope examination.

Pre-examination planning is a critical component of effective risk-based examinations, and the time allotted to this part of the examination should be commensurate with the intended scope. The IT EIC should be allotted sufficient offsite time to appropriately plan and scope the examination. The IT EIC is expected to assess the preliminary risk profile using information gathered during the pre-examination process, including requested institution documents, prior examination reports, and the IT Officer’s Questionnaire. In particular, the IT Questionnaire responses can help identify risk indicators that factor into the examination scope. These risk indicators may include business activities such as in-house software development, cloud computing, or online transaction activity. Such activities may suggest the need to complete additional noncore examination questions to effectively assess the related risks. Finally, risk indicators could include reports of recent security incidents, warranting greater review of incident response programs and corrective action.

The cybersecurity questions that should be asked as part of all nonbank exams are called “Core Controls.” Outside of those mandatory controls, an examiner may choose to add requirements based on the entity’s Questionnaire responses, the examiner’s personal expertise, previous exam results, current events, and/or State regulatory priorities.

The “Pre-Exam Questionnaire Answers” sheet of the Nonbank Cyber Exam Program workbook includes recommendations for additional controls. These Non-Core Control Considerations are not mandatory, but they are suggested in order to perform a more comprehensive examination.

Using the Exam Program

[Figure: annotated screenshot of the Exam Program worksheet, with columns labeled A through G]

The Exam Program itself is organized by NIST Cybersecurity Framework capability: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). Questions are numbered within each capability.

A: “Work Program Question” provides a unique identifier for the exam question. In this example, the question is ID 1 (Identify 1).
B: “Request List Number” identifies items from the DRL that are inputs to the question or may help clarify the entity’s response(s).
C: If Column C contains a “Y,” the control is a Core Control and should be included in the exam. An “N” indicates an optional Non-Core Control. Here, Question ID-1 is a Core Control. To include all controls, select the dropdown arrow and check both “Y” and “N.”
D: The question that should be asked of the entity.
E: For questions that can be answered with a simple yes or no, the examiner can place an “x” or a check as necessary. “N/A” is an acceptable response, but the examiner must verify its accuracy.
F: “Examiner guidance” explains why the question is included. It may serve as a communication starting point between the entity and the examiner.
G: Examiners should document details and answer the question here. Note any weaknesses that exist.

How to Report Examination Findings

The exam program and these instructions do not currently include a report template or guidance on developing and reporting examination findings. The decision not to include this information is based on requirements that vary from state to state, making it difficult at this time to create a standardized process.

Note: If enough states request inclusion of a report template and instructions in the exam program, future iterations of the exam program will include these.
