Compliance Guru • FFIEC Guidance
By Tom Hinkel, in From the Field

The 5 trickiest FDIC IT examination questions (part 1).

…and how to answer them.  Actually, answering them is the easy part: they all require a “Y”.  Documenting the basis for your answer is a bit harder.  Because each question really requires its own discussion, I will address each one in a separate post.  Also, the questionnaire I will be referring to is the newer 12/07 version, the one with Part 5 titled “Vendor Management and Service Provider Oversight”.  I’ll use this because it is the most recent, and, as I posted previously, some State Banking regulators have started adopting it as well.

So, our first question is found in the “Part 2 – Operations and Risk Management” section, and asks:

“Do you have a process in place to monitor and adjust, as appropriate, the information security program (Y/N)?”

The reference for this question is found here, and again, the optimal answer is “Y”.  In FDIC-speak, a “process” means assigned to a committee (or other responsible party), guided by a standardized agenda, and documented.  The Board of Directors and Senior Management are ultimately responsible for the information security program, but often delegate day-to-day responsibility to an IT or Technology Committee.  This practice is strongly encouraged by the FFIEC, which states in the IT Examination Handbook’s Management Booklet that:

“Many boards of directors choose to delegate the responsibility for monitoring IT activities to a senior management committee or IT steering committee.”

Since the IT Committee should already have responsibility for day-to-day IT governance, placing them in charge of the information security program is a natural extension of their duties.  Simply make sure that the committee operates from a standard agenda, and that all meetings are documented.  Your full answer to this question is “Yes.  The process is coordinated by our IT Committee, and documented in the meeting minutes.”

Next…“Does the bank’s strategic planning process incorporate information security (Y/N)?”


Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
