I am drawing a blank as I've seen it several times but I need to find in the regs or some FIL what specific items need to be in the annual report of Information Security to the Board. I'm doing an audit of a bank that their annual reporting is extremely weak but I know they will want to see some guidance on this when I present it to them.

Thanks and God bless.