FFIEC Revised Information Security Booklet

The Federal Financial Institutions Examination Council (FFIEC) has revised the “Information Security” booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The “Information Security” booklet is one of 11 that make up the IT Handbook. The revised “Information Security” booklet provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems. It also helps examiners evaluate the adequacy of the information security program’s integration into overall risk management.

The updates included the removal of redundant management material and a refocus on IT risk management and an update of information security processes. The revision reflects changes in the industry, it streamlined and reordered information security concepts throughout the booklet. The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution’s culture, governance, information security program, security operations, and assurance processes.

Highlights

The “Information Security” booklet describes effective information security program management, including the following phases of the life cycle of information security risk management:

  • Risk identification
  • Risk measurement
  • Risk mitigation
  • Risk monitoring and reporting

Additionally, the booklet provides an overview of information security operations. This includes the need for effective threat identification, assessment, and monitoring. It also includes effective incident identification, assessment, and response. The booklet discusses methods to achieve and assess information security program effectiveness, including assurance and testing. The booklet also contains updated examination procedures to help examiners measure the adequacy of the institution’s security culture, governance, information security program, security operations, and assurance processes.

Background

Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value. The potential adverse effects can arise from

  • disclosure of information to unauthorized individuals.
  • unavailability or degradation of services.
  • misappropriation or theft of information or services.
  • modification or destruction of systems or information.
  • records that are not timely, accurate, complete, or consistent.

Leave a Reply

Your email address will not be published. Required fields are marked *