Tag: Appendix A

11 Nov 2015

FFIEC Updates (and Greatly Expands) the Management Handbook

This latest update to the IT Examination Handbook series comes 11 years after the original version.  And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed.  This new Handbook contains many changes that will introduce new requirements and new expectations from regulators.  Some of these changes are subtle, others are more significant.  Here is my first take on just a few differences between the original and the new Handbook:

Cybersecurity

  • The original Handbook contained only a single reference to “cyber”.  The revised Handbook contains 53 references.

IT Management

  • The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.  Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.  Simply put, no more “rubber stamps”.  The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.

The IT Management Structure has changed.  The 2004 Handbook listed the following structure:

  • Board of Directors / Steering Committee
  • Chief Information Officer / Chief Technology Officer
  • IT Line Management
  • Business Unit Management

The updated guidance is a bit more granular, and recommends the following structure (roles that were not in the 2004 structure are marked "new"):

  • Board of Directors / Steering Committee
  • Executive Management (new)
  • Chief Information Officer or Chief Technology Officer
  • Chief Information Security Officer (new)
  • IT Line Management
  • Business Unit Management

“Risk Appetite”

  • The FFIEC Cybersecurity Assessment Tool introduced this new term (addressed here), and the Management Handbook makes an additional 11 references.  Institutions should understand this relatively new (for IT anyway) concept and incorporate it into their strategic planning process.

Managing Technology Service Providers

  • The 2004 guidance contained a separate section on best practices in this area.  The new guidance has removed the section, incorporating references to vendor management best practices throughout the document.  This reflects the reality of the prevalence and importance of outsourcing in today’s financial institutions.

Examination Procedures (Appendix A)

  • The 2004 Handbook had 8 pages containing 9 examination objectives.  The new guidance is almost completely re-written, and has 15 pages containing 13 objectives.  Several of these new objectives deal with internal governance and oversight, and a couple address the enterprise-wide nature of IT management.  All areas have been greatly expanded.  For example, the objective dealing with IT controls and risk mitigation (Objective 12) consists of 18 separate examination elements with 53 discrete items that examiners must check.

In summary, the updated Handbook represents a significant evolution in both the breadth and depth of IT management requirements.  It will set the standard for IT management best practices for both examiners and institutions for some time to come, and should be required reading for all Board members, CEOs, CIOs, ISOs, and network administrators.

29 Apr 2015

FFIEC Issues Stealth Update to BCP Handbook

This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook.  Here is what the press release said in part:

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)

If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet.  But the first sentence states that they issued a revised booklet.  And sure enough, they changed the date.

Here is the old booklet:

Cover page from 2008 FFIEC_IT_Booklet_BusinessContinuityPlanning

And here is the new booklet:

Cover page from 2015 FFIEC_IT_Booklet_BusinessContinuityPlanning

I’ve written about the wide-ranging implications of “Appendix J” previously.  In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A.  Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!

I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes.  If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here.  The complete BCP Handbook is here.