Appendix B to 12 CFR 30 establishes these.
What are the Interagency Guidelines Establishing Information Security Standards?
This OCC bulletin conveys the Third-Party Relationships: Interagency Guidance on Risk Management.
What is OCC Bulletin 2023-17?
These are the three key aspects of information security, abbreviated CIA.
What are confidentiality, integrity, and availability?
This worksheet helps bank examiners determine the operational risk of a bank and can be found in the community bank supervision handbook.
What is the Operational RAS worksheet?
This individual is typically responsible for information security at a bank.
Who is the CISO or CIO?
Under Appendix B Part III, this subsection (A, B, C, D, E, or F) describes expectations for how a bank will manage and control risk.
What is part III.C?
This committee typically oversees third party relationships at most community banks.
Who/What is the IT Steering Committee?
A Phishing email is this type of attack vector.
What is social engineering?
This plan describes how a bank will detect, respond to, and recover from a cyber attack.
What is an incident response plan?
This document describes how a bank will maintain appropriate network and cybersecurity and improve its program each year, and it aligns with the enterprise-level one of these.
What is a strategic plan?
This security audit report is typically reviewed by bank management to monitor how effectively a vendor maintains its cyber and information security controls.
What is a SOC 2 report?
This phase of the third party risk management lifecycle precedes the due diligence phase.
What is Planning?
This type of malware is self-replicating but, unlike a virus, does not insert itself into other software and does not require a 'host' application.
What is a computer worm?
This type of assessment helps a bank prioritize restoration and set recovery objectives, and is a precursor to establishing and testing a BCP.
What is a business impact analysis?
This individual is the East/Northeast IT Lead Expert
Under Appendix B Part III, this subsection (A, B, C, D, E, or F) describes expectations for board reporting on information security.
What is part III.F?
This bulletin communicates the Third-Party Relationships: Supplemental Examination Procedures.
What is OCC Bulletin 2017-7?
This type of cybersecurity process or control deals with the remediation of vulnerabilities.
What is patch management?
These attacks overwhelm a bank's network or services, rendering them unavailable to legitimate users, and are sometimes used to distract from other cyber attacks, such as a ransomware event.
What are Distributed Denial of Service (DDoS) attacks?
This group is ultimately responsible for the risk and direction of the bank, including setting the tone and approving the information security program at a bank.
Who is the Board of Directors?
This supplement to Appendix B to Part 30 contains the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
What is Supplement A?
This GLBA provision requires proper oversight of service providers.
What is 12 CFR Part 30, Appendix B, Part III.D? (Remember: see your vendors in 3D!)
This type of control testing is conducted by an ethical hacker, and is typically performed at least annually.
What is a penetration test?
These types of users, if not managed appropriately, present the highest risk to an organization.
Who are administrators or privileged account users?
This individual is the Chief Information Officer and Chief Data Officer at the OCC
Who is Kristen Baldwin?