On September 9, 2016 the Federal Financial Institution Examination Council (FFIEC) updated its Information Security Booklet (available here). In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information security program, security operations, and assurance processes. Affected institutions include those regulated by prudential regulators in addition to those regulated by the Consumer Financial Protection Bureau (CFPB), which is a member of FFIEC and has been increasing its scrutiny of consumer-facing “financial technology” or “fintech” firms (on September 27, the CFPB also noted that is consumer complaint database had hit the 1 million-complaint-mark).

Compliance, internal auditors and cybersecurity professionals in affected institutions should in particular take note of updated Appendix A to the booklet, which lays out the following 11 objectives for examiners.

  1. Determine the appropriate scope and objectives for the examination.
  2. Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
  3. Determine whether management of the information security program is appropriate and supports the institution’s IT risk management process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
  4. As part of the information security program, determine whether management has established risk identification processes.
  5. Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  6. Determine whether management effectively implements controls to mitigate identified risk.
  7. Determine whether management has effective risk monitoring and reporting processes.
  8. Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
  9. Determine whether management has an effective information security program.
  10. Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  11. Discuss corrective action and communicate findings.

Incorporating these objectives into information security programs will assist affected firms in structuring, monitoring and evaluating IT security risks in accordance with FFIEC standards.