Pub. 14 2019-2020 Issue 3

NEBRASKA BANKERS ASSOCIATION 17

block for what information should be shared. Keep in mind, the top level of the organization needs to know how well the organization is managing the ISP and how that compares to peers. Let’s start with what may be considered the top four areas: IT Risk, Organizational Risk, Third Party Risk and Emergency Preparedness.

• IT Risk Assessment – The board and senior management should understand the most important and the most risky IT assets before and after mitigating controls have been applied. If certain IT assets exceed the acceptable risk level, a plan should be provided to identify what is needed to lower the risk. This information is important when deciding where to invest in additional security controls.

• Organizational Risk/Cybersecurity Assessment – The most common organizational risk assessment is the FFIEC Cybersecurity Assessment Tool (CAT). The board and senior management should understand the Inherent Risk Profile and Cyber Maturity Levels of each CAT Domain. If the organization is not meeting its maturity goals, the top level of the organization should understand the plan to meet its cybersecurity maturity goals.

• Vendor Management and Risk Assessment – The board and senior management should understand who the top 5-10 most critical vendors are, the amount of risk each presents, and any vendors that may be on a “watch list” due to concerns identified in the due diligence process. If a vendor is on a “watch list,” the top level of the organization should understand what is being done to address the concerns.

• Emergency Preparedness – It’s critical to communicate how well the organization is prepared to respond to service-impacting incidents. The board and senior management should ensure that appropriate plans are documented and updated annually, including a Business Continuity Plan, Business Impact Analysis (BIA), Incident Response Plan, and a Pandemic Preparedness Plan. The top level of the organization should ensure these plans are tested annually.

The items below are also important to report upstream, but may vary:

• Exam and Audit Findings – Findings and remediation steps should be reported for the following: Regulatory Examinations (FDIC, OCC, NCUA, etc.), Internal/External Audits, Vulnerability Assessments, Penetration Tests, Social Engineering Assessments, results of other testing, and results of risk assessments (including next-steps).

Information Security — continued on page 18
