News

FFIEC issues updated information security booklet

September 9, 2016

The Federal Financial Institutions Examination Council has issued a revised information security booklet, which is part of the "FFIEC Information Technology Examination Handbook."

The revised booklet addresses factors to consider in assessing security risks to a financial institution's information systems, an FFIEC press release said. The booklet also helps examiners to evaluate the adequacy of an information security program's integration into overall risk management.

The information security booklet describes effective information security program management, including the following phases of the lifecycle of information security risk management:

• risk identification;
• risk measurement;
• risk mitigation; and
• risk monitoring and reporting.

The booklet provides an overview of information security operations, covering the need for effective threat identification, assessment and monitoring, as well as incident identification, assessment and response.

Additionally, the booklet discusses methods to achieve and assess information security program effectiveness, including assurance and testing. It also incorporates cybersecurity concerns such as threats, controls, and resource requirements for preparedness.

Information on updated examination procedures is also included to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations and assurance processes.

The IT Handbook is available at http://ithandbook.ffiec.gov/.