The Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet for examiners and financial institutions to reflect changes in technology and mitigation strategies, as well as recent revisions to related supervisory guidance. The discussion on risk assessments has been expanded to provide more detailed guidance on identifying information security risks and evaluating the adequacy of controls and applicable risk management practices. In addition, new or revised material is included regarding authentication, monitoring programs, malware, remote access, and other topics.
In addition to the revised Information Security Booklet, the FFIEC also issued an executive summary of its IT Examination Handbook that contains a high-level synopsis of each of the twelve booklets that comprise the handbook. The Information Security Booklet and the executive summary are available electronically via the Internet through the FFIEC's InfoBase application at http://www.ffiec.gov/ffiecinfobase/index.html.
Reserve Banks are asked to distribute this SR Letter to the banking organizations supervised by the Federal Reserve, as well as to their supervisory and examination staff. If you have any questions regarding the revised guidance, please contact Stacy Coleman, Assistant Director, Operational and IT Risk Section, at (202) 452-2934, Elton Hill, Senior Supervisory Financial Analyst, at (202) 452-2514, or Ken Fulton, Supervisory Financial Analyst, at (202) 452-2314.