Editor's note: This is part one of a five part series on the FFIEC IT Examination Handbooks, by Dorian Cougias, co-founder of the Unified Compliance Framework. New parts will premier each Tuesday in July on SearchFinancialSecurity.com.
The Federal Financial Institutions Examination Council (FFIEC) is charged with creating uniform principals, standards and report forms for financial institutions. Thanks to the FFIEC Information Technology Examination Handbook series, compliance with these standards is now much easier. This series consists of a suite of a dozen IT handbooks that can be found at the FFIEC IT Handbook InfoBase. The handbook list currently consists of a dozen topics such as audit, business continuity, operations and retail payment systems. But how do these examination guides fit within the world of IT compliance?
The FFIEC IT Examination Handbook series is broader than the Payment Card Industry Data Security Standard (PCI DSS), but it is less comprehensive than the NIST 800 series. Each topic is written as an examination handbook, offering both general control guidance and specific audit guidance.
The series was jointly developed by several parties including the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
What does each examination handbook cover?
Audit describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures.
Business Continuity Planning provides guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. This booklet was also designed to provide helpful guidance to financial institutions regarding the implementation of their business continuity planning processes.
Development and Acquisition is defined in the handbook as "an organization's ability to identify, acquire, install, and maintain appropriate information technology systems." The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures and controls, and it discusses various development, acquisition and maintenance project risks.
E-Banking provides guidance on identifying and controlling the risks associated with e-banking activities. The booklet discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing.
FedLine addresses the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine Funds Transfer application. FedLine is the Federal Reserve Bank's proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web.
Information Security provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization's risk management.
Management assists examiners in evaluating financial institution risk management processes to ensure effective IT management, maximize the benefits from technology, and support enterprise-wide goals and objectives.
Operations provides the framework for examiners to evaluate an institution's controls and risk management processes relative to the risks of technology systems and operations that reside in, or are connected to the institution.
Outsourcing Technology Services provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution's risk management processes to establish, manage and monitor IT outsourcing relationships.
Retail Payment Systems provides guidance to examiners, financial institutions, and technology service providers on identifying and controlling IT-related risks associated with retail payment systems and related banking activities
Supervision of Technology Service Providers outlines the agencies' risk-based supervision approach, the supervisory process, and the examination ratings used for IT service providers.
Wholesale Payment Systems provides guidance to examiners and financial institution management regarding the risks and risk management practices when originating and transmitting large-value payments.
How useful are these examination handbooks?
Whether you are just beginning your compliance efforts or have a comprehensive program in place, this series is invaluable. While there is a great deal of overlap between topics, the FFIEC IT Examination Handbooks form a strong set of auditing guides that can be used by any organization to bring its IT compliance operations into check. In fact, when harmonized together in the Unified Compliance Framework, the resulting work is reduced by two-thirds overall.
About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and most recently the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.