Category: From the Field

  • The IT Strategic Plan – Why, Who, & How

    One of the most common examination findings recently (particularly with the FDIC) has been the lack of an IT Strategic Plan.  I’m not sure why the focus lately (perhaps the shift from the CAMELS “A” to the “M”?), but the concept is certainly not new.  The regulatory mandate for it is found in the 2004…

  • Using Technology to Drive Compliance

    In the past year to year and a half, nearly all of the IT examination findings I’ve seen have in the broad category of “documentation”, or more specifically, lack thereof.  In other words, policies and procedures were satisfactory, but documentation was either non-existent, or insufficient, to demonstrate that actual practices followed policy and procedure. To…

  • “Concentration of duties”

    It is not unusual for a community financial institution with limited personnel to have the Information Security Officer (ISO) act as a backup network administrator.  In fact, this is a relatively common practice in an environment where key personnel will typically wear several hats.  And there are practical reasons for this; the ISO is typically…

  • The Control Self-Assessment (CSA)

    If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks, (including 12 times in the Information Security Handbook alone!), would you consider implementing it?  How about if it virtually assured better audits and examinations?  OK, you’re interested, but the last thing you need is to implement…

  • IT Composite Ratings: 1 vs. 2

    In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better).  The average score was 1.8 on the 5 point scale.  Of course the results could be attributed…

  • Management of IT reflects overall management

    (This is an extract from an article written for Bank Technology News. The full article is here.) One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management…