In our continuing series on the FFIEC IT Examination Handbook series, we now turn to three additional handbooks: the FFIEC IT Examination Handbook -- E-Banking, the FFIEC IT Examination Handbook -- Retail Payment Systems, and the FFIEC IT Examination Handbook -- Wholesale Payment Systems.
Together, these three guides comprise 220 unique controls out of the 777 unique controls found across all of the banking and finance authority documents. Individually, here's how they break down.
E-Banking (92 controls) provides guidance on identifying and controlling the risks associated with electronic banking (e-banking) activities. The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing.
Retail Payment Systems (114 controls) provides guidance to examiners, financial institutions, and technology service providers on identifying and controlling IT-related risks associated with retail payment systems and related banking activities.
Wholesale Payment Systems (115 controls) provides guidance to examiners and financial institution management regarding the risks and risk-management practices when originating and transmitting large-value payments.
While all three of these examination handbooks together could provide a solid audit plan, individually each handbook has more holes than Swiss cheese. We'll review the commonalities between the handbooks and the few additional (partial) overlaps that you'd expect, as well as the inconsistencies and anomalies that you may not be expecting.
All three handbooks cover the following controls:
- Defining the scope of a company's compliance framework and maintaining an up-to-date rule set.
- Creating and maintaining a high-level IT strategic plan.
- Maintaining an audit and risk management program, along with an internal audit program with full audit reporting capabilities.
- Creating an operational plan for the organization's key monitoring and logging abilities.
- Maintaining control over access rights and user privileges, including providing for session locks on systems and key applications.
- Establishing full transaction-level security by ensuring that encryption or a protected distributed system is enabled when sending sensitive information.
- Establishing a full physical security plan to include the protection of distributed assets.
- Maintaining an active and well-tested continuity plan.
- Managing third-party services by formalizing all third-party relationships, contracts, etc.
Beyond those, a few controls are shared by two of the three handbooks:
Asset management: Both the Wholesale and Retail guidelines call for the organization to maintain asset discovery audit trails.
The internal audit program: Both the Wholesale and Retail guidelines call for the organization to assess the quality of the audit function and ensure that Information Services governance initiates prompt action to correct any reporting deficiencies.
Physical security: Both Wholesale and Retail have controls regarding the physical control of the organization's facilities, while Wholesale calls for specific controls around creating "working in secure areas" guidelines.
Where all three handbooks are spotty
When comparing all three handbooks side by side, and looking at records management in particular, the three documents together cover records management controls fairly well. However, this coverage exists only because the three documents' records management controls don't really overlap each other.
For instance, only Retail calls for a records retention policy, while only Wholesale calls for an automated system to capture and maintain records. And only E-Banking calls for integrity controls on data transactions (despite the fact that Wholesale's emphasis on large-value transactions should translate into that handbook's concern about integrity).
And only Retail actually calls for a disposition of records at the end of their lifetime!
There are several inconsistencies between the three handbooks that are troubling, mostly because two of the three handbooks cover the following controls, but at least one handbook here or there is missing controls that you would think are highly important to all three!
Monitoring and measurement: For some strange reason, only the Wholesale and E-Banking guides call for the organization to review the audit logs and IDS reports regularly.
Access rights control: Only the Wholesale and E-Banking guides have controls for revoking the access of terminated users, while only Wholesale and Retail call for changing users' passwords on a regular basis.
Policies and procedures: While all three guides call for an organizational framework of policies and procedures at a high level, they are all almost mute regarding anything specific (such as calling for usage policies, operational procedures, etc.).
The bottom line is this: these guidelines are inconsistent and incomplete without each other. In the real world, sometimes being under multiple authority documents can be helpful in rounding out your audit plan. At least that way, you can see the complete picture instead of a partial one!
About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well-respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and most recently the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.