The 5 trickiest FDIC IT examination questions (part 3).


The 5 trickiest FDIC IT examination questions (part 3).

Last time in Part 2 we tackled “Does the bank’s strategic planning process incorporate information security (Y/N)?” from the FDIC IT Examination Questionnaire. This time we take a closer look at another question that stumps many institutions preparing for examination;

“Are project management techniques and system development life cycle processes used to guide efforts at acquiring and implementing technology (Y/N)?”

This is the last of 25 questions in the PART 2 section Operations Security and Risk Management, and as with most of the other questions, you want to be able to answer “Y” to this.  Although there is no explicit “if Yes,…” followup to this question (as there is to 14 other questions), you really don’t want to answer “Y” to anything unless you can document your answer.  But how, exactly, do you document compliance with this?  As with many of these trickier questions, it actually carries multiple presumptions:

  • You have established Project Management Techniques,
  • You have established System Development Life-Cycle Processes,
  • You utilize both when Acquiring and Implementing Technology.

It’s important to add here that I have not personally seen any particular increased scrutiny in this area.  Most institutions simply answer “Y”, and move on without consequence.  But before you decide that documenting compliance with this is too difficult (or unnecessary), remember that for every “Yes” answer, there is an implicit (if not explicit) “If Yes,…” response required.  So let’s take a look at the references.  The first is the FFIEC IT Examination Handbook, Development and Acquisition, December, 2003.

Development and Acquistion HandbookThis is the only question in the FDIC questionnaire that references this particular handbook, so it’s easy to see why this manual is often overlooked when preparing for an IT examination.  Additionally, how many financial institutions really utilize the System Development Life Cycle (SDLC) methodology when managing their technology projects?  (Very, very few that I am aware of.)  Still, having a basic understanding of effective project management is a good thing, because as the handbook states on page 3, “Project management in its basic form involves planning and completing a task.”  This is done every day…and by most institutions, several times a day.  So what does it take to demonstrate “Project Management Techniques”?  Fortunately, the FFIEC does not expect you to become experts in the latest PM techniques and methodologies:

“Examiners should not expect organizations to employ elaborate project management techniques in all situations.”

However,

“The critical importance technology plays in financial institutions dictates the use of appropriate development, acquisition, and maintenance standards. Standards do not guarantee that organizations will appropriately develop, acquire, and maintain technology systems. However, standards do enhance management’s control over projects, thereby decreasing project risks.”

So, how do we define (and document) “appropriate standards”?  Regardless of the exact methodology used, all successful projects have the following characteristics:

  • Detailed project plans (including integration with the overall strategic plan)
  • Clearly defined expectations and objectives
  • Realistic budgets
  • Participation by all departments impacted by the project
  • Effective communication

The best way to accomplish all of these is by incorporating discussion of IT projects (proposed, in process, and implemented) into your regular IT Steering Committee meetings.  If the meetings are well attended, agenda driven, and documented, the correct answer to the question is “Yes. We acquire, implement, and maintain technology according to a risk-based management process, and document the process in our IT Steering Committee.”

By the way, I mentioned that there were multiple references for this question.  The other reference cited is for FDIC FIL-12-99.  Although this is too complex to cover adequately in this post, the referenced FIL discusses the Uniform Rating System for Information Technology (URSIT), and it’s four critical components: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS), and specifically how these components are used to assess the overall performance of IT within the organization.  As the IT Composite Rating affects the institutions’ overall CAMELS rating, it is important enough to cover in more detail in a future post.  (I actually covered the “Management” element in a previous post.)

Next, in Part 4: “Are the results of your audits/independent reviews used to adjust your risk assessment findings/results (Y/N)?”


Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Write a Comment