Tag: IT Examination Handbooks

  • FFIEC Rewrites the Information Security IT Examination Handbook

    FFIEC Rewrites the Information Security IT Examination Handbook

    In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on their expectations for managing information systems in financial institutions.  This was widely expected, as the IT world has changed considerably since 2006. There is much to unpack in this new handbook, starting with what appears to be a…

  • FFIEC Updates (and Greatly Expands) the Management Handbook

    FFIEC Updates (and Greatly Expands) the Management Handbook

    This latest update to the IT Examination Handbook series comes 11 years after the original version.  And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed.  This new Handbook contains many changes that will introduce new requirements and new expectations…

  • Ask the Guru: The IT Audit “Scope”

    Hey Guru Our examiner is asking about the “scope” of our IT audits. What is she referring to, and how do we define a reasonable scope? Audit results are one of the first things examiners want to see, and the “scope” of the audit is very important to examiners.  In fact, the term is used…

  • Patch deployment – now or later? (with interactive poll!)

    We recently saw an examination finding that recommended that “Critical Patches be deployed within 24 hours of notice (of patch release)”.  This would seem to contradict the FFIEC guidance in the Information Security Handbook that states that the institution: “Apply the patch to an isolated test system and verify that the patch… (1) is compatible…

  • FFIEC Handbook Update – Outsourcing

    The FFIEC has just added a section to the Outsourcing Technology Services IT Examination Handbook, and it should be required reading for financial institutions as well as any managed service providers.  The new section is Appendix D: Managed Security Service Providers, and it is the first significant change to the Handbook since it was released in…

  • “Data-flow diagrams”

    This request was seen in a recent State examiners pre-examination questionnaire, and although I usually like to see a request a couple of times from different examiners before identifying it as a legitimate trend, this one could prove so potentially problematic that I thought I needed to get ahead of it. Before we go much…