The following is an excerpt about penetration testing from the FFIEC Information Security Booklet. Financial regulators release revised Information Security Booklet. The IT Handbook is designed to provide information and reference to financial institutions and examiners. FFIEC Information Security Booklet, page 8: the risk assessment identifies Internet-based systems and high-risk transactions that warrant additional authentication controls. FFIEC Information Security Booklet, page 21: production and non-production environments are segregated to prevent unauthorized access or changes to information assets. OCC Bulletin: Federal Financial Institutions Examination Council (FFIEC). While the IT Management Booklet provides guidance around IT operations management and oversight, with a focus toward top-down management, the IS Booklet is geared toward the meat and potatoes of information security. Risk Mitigation and Response Guidance for Web Site Spoofing Incidents. FFIEC IT Examination Handbook InfoBase: IT Booklets. This session will provide detailed information on how to prevent the latest information security threats, or ways to mitigate the latest vulnerabilities with controls from common security. Information Security: FFIEC IT Examination Handbook InfoBase.
The institution should be able to provide maintenance logs to demonstrate that physical security devices are regularly maintained; physical security devices frequently need preventive maintenance to function properly. The Supervision of Technology Service Providers Booklet (TSP Booklet) of the FFIEC Information Technology Examination Handbook (IT Handbook) addresses this authority and rescinds the previous version dated March 2003. Additional information on the types of retail payment systems (ACH payment systems) is available in the FFIEC Information Technology Examination Handbook. Overview: Federal Financial Institutions Examination Council. Updated FFIEC Management Booklet, part of the IT Examination Handbook series: summary. Mapping Baseline Statements to the FFIEC IT Examination Handbook. Page 2: FFIEC authentication guidance on bank information.
On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet. FFIEC IT Examination Handbook InfoBase: Introduction. This booklet is one of several that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). Development and Acquisition, E-Banking, FedLine, Information Security. Review the web site content for inclusion of the following information, which. The revised booklet provides guidance to examiners, addresses factors necessary to assess the level of security risks to a financial institution's information systems, and helps examiners evaluate the. FFIEC IT Security Booklet revised (password protected). The IT Examination Handbook InfoBase home page: this screen provides users with access to everything in one place. Information security programs are created based on risk assessment processes. The handbook focuses on the governance, culture, and responsibilities that make information security effective. The Federal Financial Institutions Examination Council (FFIEC) member agencies today announced the addition of a new feature to the Information Technology Examination Handbook.
The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Management Booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically. Federal Financial Institutions Examination Council. Refer to the expanded overview section, Automated Clearing House Transactions, page 216, for additional guidance.
The Federal Financial Institutions Examination Council (FFIEC) has issued a revised Management Booklet that provides guidance to assist examiners in evaluating the information. Financial institutions should use effective authentication methods. FFIEC Issues Cyber-Resilience Guidance (BankInfoSecurity). While IT governance is generally addressed in the IT Handbook's Management Booklet, this booklet addresses specific governance topics related to information security, including the following: implementation and promotion of a security culture. The FFIEC Information Security Handbook is the most comprehensive resource from the FFIEC on constructing an adequate information security program. Mapping Baseline Statements to the FFIEC IT Examination Handbook, June 2015, page 1: the purpose of this appendix is to demonstrate how the FFIEC Cybersecurity Assessment Tool. The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Information Security Booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The revised booklet. The Information Security Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. References: this page contains topical materials that supplement booklet content and are for informational purposes. The Management Booklet is one of 11 booklets that make up the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). The board and management should understand and support information security and provide appropriate resources for developing, implementing, and maintaining the information security program. This Information Security Booklet is an integral part of the Federal Financial Institutions Examination Council (FFIEC) IT Handbook. The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Public Law 95-630.
OCC Bulletin 2016-27 announces that the Federal Financial Institutions Examination Council has revised the Information Security Booklet of the FFIEC Information Technology Examination Handbook. Information Security Booklet, July 2006, Coordination with GLBA Section 501(b): member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) by defining a process-based approach to security in the Interagency Guidelines Establishing Information Security Standards. The Information Technology Examination Handbook InfoBase concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. FFIEC Information Security Booklet, page 21: confidential data are encrypted when transmitted across public or untrusted networks (e.g., the Internet). Guidance on Instant Messaging (guidance, July 21, 2004). FFIEC Information Security Booklet, page 6: management provides a written report on the overall status of the. By hovering over the IT Booklets link in the banner, users can select the booklet. On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security Booklet. Risk management issues and corrective actions from internal audits and independent testing and assessments are formally tracked to ensure procedure and control lapses are resolved in a timely manner. FFIEC IT Examination Handbook, Information Security, September 2016, page 4: understand the business case for information security and the business implications of information security risks.
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial. Assess the bank's policies, procedures, and processes, and overall compliance with. The FFIEC also released an executive summary that contains a high-level synopsis of each of the 12 booklets. Suspicious Activity Reporting Overview: Objective. The risk assessment is updated to address new technologies, products, services, and connections before deployment. The FFIEC is composed of the principals of the following. Nearly one year after releasing an updated IT Management Booklet (November 10, 2015), the FFIEC has updated its cornerstone handbook, the Information Security (IS) Booklet. FFIEC Rewrites the Information Security IT Examination Handbook: What You Need to Know. In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on its expectations for managing information. Resilience testing should incorporate information security event scenarios identified by the institution. The Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet (Booklet), which replaces the booklet issued in December 2002. The Information Security Booklet is one of several that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
A Security Culture: FFIEC IT Examination Handbook InfoBase. Financial regulators release revised Management Booklet. Baseline declarative statements for evaluation, Domain 1. FFIEC Information Security Booklet, Domain 3. Select the IT booklet name to view it online, select the PDF to download a single IT booklet, and check the individual booklet checkboxes to download a package with multiple IT booklets as a single download. Information security risk assessment: a process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes. Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. FFIEC Information Security Booklet, page 23: wireless network environments require security settings with strong encryption for authentication and transmission. N/A if no production environment exists at the institution or the institution's third party. The FFIEC was established in March 1979 to prescribe uniform principles, standards, and. FFIEC IT Examination Handbook InfoBase: Information Security.
FFIEC Information Security Handbook Updates (CoNetrix). This is part one of a five-part series on the FFIEC. FFIEC BSA/AML Regulatory Requirements: Office of Foreign Assets Control. This page primarily contains guidance on information technology (IT) examination activities, including aspects of operational risk management, which arises from the potential that inadequate information.
FFIEC Information Security Booklet, page 3: information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. At the top of the screen, across the banner from left to right, users can get to the FFIEC InfoBase home page, the IT Booklets, IT Workprograms, Glossary, and the FFIEC home page. The FFIEC IT Examination Handbooks form a strong set of auditing guides that can be used by any organization to bring its IT compliance operations into check. The information security program is more effective when security processes are deeply embedded in the institution's culture. The Federal Financial Institutions Examination Council (FFIEC) has revised the Management Booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). Information Security Booklet: FFIEC IT Examination Handbook. An institution's security culture contributes to the effectiveness of the information security program.
This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of. FFIEC IS Booklet: focus on security operations. One of the most important and anticipated components of the FFIEC's recent update to the Information Security Booklet involves an area that has been lacking in FFIEC guidance. Each credit union should monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its member information, and internal or external threats to information. Refer to the IT Handbook's Business Continuity Planning Booklet. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of specific concern to. This guidance, the Information Security Booklet, is the first in a series of updates to the 1996 FFIEC Information Systems Examination Handbook. Business Continuity Planning Booklet, Appendix J: update to the FFIEC IT Examination Handbook.