Author: Jackie Marshall, JaMarshall@jackhenry.com
When prepping for your next IT exam, visualize the examiner with a pick and a shovel. As you work through the pre-exam checklist, consider what exists behind the check-box; if you don’t, the examiner certainly will. Can you provide specific details that indicate how you are complying with that task item or initiative? How often your IT Steering Committee and management team review exceptions, address residual risk and implement updates (technical or procedural) will indicate to the examiner that you are intentionally addressing IT management initiatives and not falling into a “check-box mentality.”
For example, indicating that your IT management staff and Information Security Officer regularly monitor systems for intrusions is considered an important activity for ensuring the security of your internal systems and data from internal and external threats/vulnerabilities. The examiner will also want to see actionable detail that supports specific reports, exception criteria, events to monitor for, and assignment of appropriate responsibilities to manage. Policy and procedural activities should also include requirements for documentation and archiving as well as reporting and follow-up of exceptions.
Understanding that the simple answer of “internal audit monitors the Core, etc...” may not pass muster in this post-FFIEC compliance environment should draw attention to actionable supporting activities. But don’t view this “pick and shovel” approach as negative. Your FI likely spends thousands of dollars and many resource hours annually to monitor systems and data. Maximizing the potential benefits of these services, including validation of technology service provider relationships, is an important component not just for IT but for the business success of your organization.
Knowing how to spell out strategic detail to your examiner will indicate an intentional enterprise-wide security approach that will speak volumes about your FI’s management team and respect for IT from a business perspective.