Category: From the Field

31 Aug 2010

The 5 trickiest FDIC IT examination questions (part 2).

Last time we addressed a question from the FDIC IT Examination Questionnaire, found in PART 2, OPERATIONS SECURITY AND RISK MANAGEMENT titled “Do you have a process in place to monitor and adjust, as appropriate, the information security program”.

This time, we take a closer look at another potentially troublesome Part 2 question;

“Does the bank’s strategic planning process incorporate information security (Y/N)?”

Once again, the optimal answer is “Y”, but documenting compliance is a bit tricky because this is a complex question.  In fact, it’s really several questions with multiple parts, all requiring a “Y” answer.

  1. Do you have a strategic planning process?
    1. Do you have an enterprise-wide strategic plan?
    2. Do you have an IT strategic plan?
  2. Does the IT strategic plan support the overall enterprise-wide  strategic plan?
  3. Do you have an risk-based information security program?
  4. and finally (assuming “Y” to all the above)… Does your strategic planning process incorporate information security?

The reference for this is the FFIEC IT Examination Handbook, Management, June 2006, and although the entire document is an excellent guide for how management can address and control information security, I think the most relevant reference to the issue of strategic planning and information security is found on page 22:

“IT strategic plans provide insight into the organization’s planning process. Review and analysis of the strategic plans as part of the risk assessment process (my emphasis) may spotlight developing risk  exposures or other deficiencies that limit the institution’s ability to  implement strategic priorities.”

The FFIEC suggests that strategic planning be incorporated into the risk assessment process.  As I mentioned in my previous post, (and highly recommended by the FFIEC on page 5 of the same Management Handbook) the IT Steering Committee is the most logical forum for risk assessment process provided the committee consists of representatives from all departments, operates from a standardized agenda, and keeps meeting minutes.  (There is one more requirement; that it assign responsible parties to the issues and findings that arise in the meetings, and follow them through to resolution.  More about this in my next post).

So, assuming you have both an overall strategic plan, and an IT strategic plan, and assuming you incorporate discussion of these plans in the risk assessment section of your IT Steering Committee agenda, then the answer to this question is “Yes, The process is guided by the FFIEC Management Handbook, coordinated by our IT Committee, and documented in the meeting minutes.”

Next time, in Part 3;  “Are project management techniques and system  development life cycle processes used to guide efforts at acquiring and implementing technology (Y/N)?”

26 Aug 2010

The 5 trickiest FDIC IT examination questions (part 1).

…and how to answer them.  Actually, answering them is the easy part, they all require a “Y”.  Documenting the basis for your answer is a bit harder.  Because each question really requires it’s own discussion, I will address each one in separate posts.  Also, the questionnaire I will be referring to is the newer 12/07 version, the one with Part 5 titled “Vendor Management and Service Provider Oversight”.  I’ll use this because it is the most recent, and as I posted previously, some State Banking regulators have started adopting it as well.

So, our first question is found in the “Part 2 – Operations and Risk Management” section, and asks:

“Do you have a process in place to monitor and adjust, as appropriate, the information security program (Y/N)?”

The reference for this question is found here, and again, the optimal answer is “Y”.  In FDIC-speak, a “process” means assigned to a committee (or other responsible party), guided by an standardized agenda, and documented.  The Board of Directors and Senior Management are ultimately responsible for the information security program, but often delegate day-to-day responsibility to an IT or Technology Committee.  This practice is strongly encouraged by the FFIEC, which states in the IT Examination Management Booklet that;

“Many boards of directors choose to delegate the responsibility for monitoring IT activities to a senior management committee or IT steering committee.”

Since the IT Committee should already have responsibility for day-to-day IT governance, placing them in charge of the information security program is a natural extension of their duties.  Simply make sure that the committee operates from a standard agenda, and that all meetings are documented.  Your full answer to this question is “Yes.  The process is coordinated by our IT Committee, and documented in the meeting minutes.”

Next…“Does the bank’s strategic planning process incorporate information security (Y/N)?”

18 Aug 2010

State regulators adopting FDIC pre-exam questionnaire… (Update)

…at least in Georgia.  The most recent Georgia State IT examinations are using a carbon copy of the FDIC 12/07 pre-examination IT questionnaire.  If your primary federal regulator is the FDIC, this makes filling out the State questionnaire much easier.  If not however, you’ll want to familiarize yourself with the format.

There are 5 parts to the questionnaire:

  1. Risk Assessment
  2. Operations Security and Risk Management
  3. Audit/Independent Review Program
  4. Disaster Recovery and Business Continuity Management
  5. either…
    1. Vendor Management and Service Provider Management (newer version), or
    2. Gramm-Leach-Bliley Act/FDIC Rules and Regulations – 12 CFR Part 364 Appendix B (older version)

Also, we’ve definitely seen increased State examiner activity in general.  I’ve seen more State exam questionnaires this month than I’ve seen in the past 4 months.

UPDATE:  Add the State of Maryland to this list, with Vendor Management as Part 5.

09 Jul 2010


Auditors (and some FDIC examiners) are scrutinizing disaster recovery plans more closely, specifically looking to verify that the plan structure adheres to FFIEC guidance. We’ve definitely seen this regarding the Business Impact Analysis and the Risk Assessment; the first 2 phases specified by the guidance.


UPDATE: At least one regulator (OTS) is demanding that all Recovery Time Objectives (RTO’s) be based on an methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value.