Recent IT Security Changes

The Federal Financial Institutions Examination Council (FFIEC) is the formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions. Most other regulatory agencies, including many state banking agencies, use the FFIEC examination requirements.

The FFIEC published an IT Examination Handbook in 1996 outlining examination requirements. Since then, technology changes, Internet availability, Internet Banking and other drivers have changed dramatically. The FFIEC began to update the old handbook and formed the web-based InfoBase concept. The InfoBase concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of specific concern to examiners and auditors. Each chapter in the 1996 handbook was updated and rewritten. Significant additional detail has been included and each chapter is becoming an individual Booklet.

The Booklets, with their respective published dates, include:
Federal and State regulatory agencies have been training field examiners as the booklets are published. The current publication status and booklet contents are available at the FFIEC site. The regulatory agencies have recognized for years that many institutions' IT security controls have not kept pace with technology. They have also recognized that many financial auditors and examiners do not have the experience or knowledge necessary to adequately address the risks and controls required, and in some cases may represent a conflict of interest.

An underlying theme throughout the new examination booklets is the validation of the processes and controls discussed within each. For example, past examinations have included a review of the business continuity plan. However, the new booklet (and examiners' work program objectives) specifically addresses test results from exercising the continuity plan. Have you actually tested your business continuity plan?

Some examples of changes include the following.

Audit Booklet (44 pages): It is important that examiners ensure that management has designed any audit outsourcing arrangements in order to maintain the independence of the audit provider. An accounting firm hired to perform internal audit services for an institution risks compromising its independence when it also performs the external audit for the institution. Concerns arise because, rather than having an independent review, the responsibility of performing outsourced internal audits places the accounting firm in the position of auditing its own work.

Business Continuity Planning (BCP) Booklet (135 pages): Reviewing a financial institution's BCP is an established part of examinations performed by the FFIEC agencies. However, new business practices, changes in technology, and increased terrorism concerns have focused even greater attention on the need for effective business continuity planning and have altered the benchmarks of an effective plan. For example, an effective BCP should take into account the potential for wide-area disasters that impact an entire region and for the resulting loss or inaccessibility of staff. It also should consider and address interdependencies, both market-based and geographic, among financial system participants as well as infrastructure service providers. In most cases, recovery time objectives are now much shorter than they were even a few years ago, and for some institutions recovery time objectives are based on hours and even minutes. The BCP and test results should be subjected to an independent audit and reviewed by the board of directors. The board fulfills its business continuity planning responsibilities by setting policy, prioritizing critical business functions, allocating sufficient resources and personnel, providing oversight, approving the BCP, reviewing test results, and ensuring maintenance of a current plan.

Information Security Booklet (98 pages): Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT) related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records. Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and the security reporting process. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value.

Other portions of the Information Security Booklet address user accountability in terms of login IDs, length of passwords, frequency for changing passwords, and system security audit requirements, as well as many other steps needed to manage and monitor overall security. The complexity of the steps is highly dependent upon the number of systems deployed, the type of systems, etc. As examiners and auditors become trained using the new FFIEC booklets, additional questions will be asked to determine whether the controls are in place to mitigate the risks associated with IT systems. Many of the questions will get into areas not previously covered.
Copyright 1993-2024 Network Partners, Inc. All rights reserved