FFIEC Revises Information Security Booklet within IT Handbook
On September 9, 2016, members of the Federal Financial Institutions Examination Council (FFIEC) issued an update to the Information Security booklet, one of the eleven IT Booklets within the IT Handbook. The revisions specifically address the factors used to assess security risks related to a financial institution’s information systems. The FFIEC also stated in the press release that the Booklet assists examiners in evaluating how well an information security program is integrated into overall risk management.
The Information Security booklet discusses many factors related to information security including the implementation of an effective information security program, information security program management, and specifically the phases of the information security risk management life cycle. The FFIEC defines these phases as risk identification, risk measurement, risk mitigation, and risk monitoring and reporting.
Information security operations are expanded upon within the Booklet, specifically the need for strong threat identification, assessment, and monitoring, and for incident identification, assessment, and response. The Information Security booklet provides an overview of practices used to evaluate information security program effectiveness through assurance and testing. The Booklet also discusses cybersecurity concepts, in conjunction with the FFIEC Cybersecurity Assessment Tool (CAT), such as threats, controls, and response requirements for preparedness. The Booklet additionally updates the examination procedures, which guide examiners in measuring the maturity of a financial institution’s security culture, security governance, information security program, security operations, and overall cyber and information technology assurance processes.
To view the press release from the FFIEC, click here.
To learn more about our FFIEC Audit and Assessment Services, click here.
If you have any questions regarding the specific changes that have been made to the Information Security booklet within the FFIEC IT Handbook, please contact W. Jackson Schultz, CISA, at email@example.com.