IT Booklets
Audit
Introduction
IT Audit Roles and Responsibilities
Board of Directors and Senior Management
Audit Management
Internal IT Audit Staff
Operating Management
External Auditors
Independence and Staffing of Internal IT Audit
Independence
Staffing
Internal Audit Program
Risk Assessment and Risk-Based Auditing
Program Elements
Risk Scoring System
Audit Participation in Application Development, Acquisition, Conversions, and Testing
Outsourcing Internal IT Audit
Independence of the External Auditor Providing Internal Audit Services
Examples of Arrangements
Third-Party Reviews of Technology Service Providers
Appendix A: Examination Procedures
Appendix B: Glossary
Appendix C: Laws, Regulations, and Guidance
Business Continuity Planning
Introduction
Board and Senior Management Responsibilities
Business Continuity Planning Process
Business Impact Analysis
Risk Assessment
Risk Management
Business Continuity Plan Development
Assumptions
Internal and External Components
Mitigation Strategies
Risk Monitoring and Testing
Principles of the Business Continuity Testing Program
Roles and Responsibilities
Testing Policy
Execution, Evaluation, Independent Assessment, and Reporting of Test Results
Updating Business Continuity Plan and Test Program
Other Policies, Standards and Processes
Security Standards
Project Management
Change Control Policies
Data Synchronization Procedures
Crisis Management
Incident Response
Remote Access
Employee Training
Notification Standards
Insurance
Government and Community
Summary
Appendix A: Examination Procedures
Appendix B: Glossary
Appendix C: Internal And External Threats
Appendix D: Pandemic Planning
Appendix E: Interdependencies
Appendix F: Business Impact Analysis Process
Appendix G: Business Continuity Plan Components
Appendix H: Testing Program - Governance and Attributes
Appendix I: Laws, Regulations, and Guidance
Development and Acquisition
Introduction
Examination Objectives
Standards
Accounting for Software Costs
Information Security
Project Management
System Development Life Cycle
Alternative Development Methodologies
Roles and Responsibilities
Project Plans
Project Management Standards
Project Planning Standards
Configuration Management Standards
Quality Assurance Standards
Risk Management Standards
Testing Standards
Documentation Standards
Project Management Effectiveness
Capability Maturity Model
International Organization for Standardization
Development Procedures
Development Standards
Systems Development Life Cycle
Initiation Phase
Planning Phase
Design Phase
Development Phase
Testing Phase
Implementation Phase
Maintenance Phase
Disposal Phase
Large-Scale Integrated Systems
Software Development Techniques
Object-Oriented Programming
Computer-Aided Software Engineering
Rapid Application Development
Databases
Database Management Systems
Acquisition
Acquisition Standards
Escrowed Documentation
Software Development Contracts and Licensing Agreements
Overview
Software Licenses - General
Software Licenses and Copyright Violations
Documentation, Modification, Updates, and Conversion
Bankruptcy
Regulatory Requirements
Representations and Warranties
Dispute Resolution
Agreement Modifications
Vendor Liability Limitations
Security
Subcontracting and Multiple Vendor Relationships
Restrictions on Adverse Comments
Maintenance
Major Modifications
Routine Modifications
Emergency Modifications
Patch Management
Library Controls
Conversions
Utility Controls
Appendix A: Examination Procedures
Appendix B: Glossary
E-Banking
Introduction
Definition of E-Banking
Informational Websites
Transactional Websites
E-Banking Components
E-Banking Support Services
Weblinking
Account Aggregation
Electronic Authentication
Website Hosting
Payments for E-Commerce
Wireless E-Banking
E-Banking Risks
Transaction/Operations Risk
Liquidity, Interest Rate, Price/Market Risks
Compliance/Legal Risk
Strategic Risk
Reputation Risk
Risk Management of E-Banking Activities
Board and Management Oversight
E-Banking Strategy
Cost-Benefit Analysis and Risk Assessment
Monitoring and Accountability
Audit
Managing Outsourcing Relationships
Due Diligence for Outsourcing Solutions
Contracts for Third-Party Services
Oversight and Monitoring of Third Parties
Information Security Program
Security Guidelines
Information Security Controls
Authenticating E-Banking Customers
Administrative Controls
Internal Controls
Business Continuity Controls
Legal and Compliance Issues
Trade Names on the Internet
Website Content
Customer Privacy and Confidentiality
Transaction Monitoring and Consumer Disclosures
Appendix B: Glossary
Appendix C: Laws, Regulations, and Guidance
Appendix D: Aggregation Services
Appendix E: Wireless Banking
Information Security
Introduction
Overview
Coordination with GLBA Section 501(b)
Security Objectives
Regulatory Guidance, Resources, and Standards
Security Process
Overview
Governance
Management Structure
Responsibility and Accountability
Information Security Risk Assessment
Overview
Key Steps
Gather Necessary Information
Identification of Information and Information Systems
Analyze the Information
Assign Risk Ratings
Key Risk Assessment Practices
Information Security Strategy
Key Concepts
Architecture Considerations
Policies and Procedures
Technology Design
Outsourced Security Services
Security Controls Implementation
Access Control
Access Rights Administration
Authentication
Network Access
Operating System Access
Application Access
Remote Access
Physical And Environmental Protection
Data Center Security
Cabinet and Vault Security
Physical Security in Distributed IT Environments
Encryption
How Encryption Works
Encryption Key Management
Encryption Types
Examples of Encryption Uses
Malicious Code Prevention
Controls to Protect Against Malicious Code
Systems Development, Acquisition, and Maintenance
Systems Maintenance
Personnel Security
Background Checks and Screening
Agreements: Confidentiality, Non-Disclosure, and Authorized Use
Training
Data Security
Theory and Tools
Practical Application
Service Provider Oversight
Business Continuity Considerations
Insurance
Security Monitoring
Architecture Issues
Activity Monitoring
Network Intrusion Detection Systems
Host Intrusion Detection Systems
Log Transmission, Normalization, Storage, and Protection
Condition Monitoring
Self Assessments
Metrics
Independent Tests
Analysis and Response
Security Incidents
Intrusion Response
Outsourced Systems
Security Process Monitoring and Updating
Monitoring
Updating
Appendix A: Examination Procedures
Appendix B: Glossary
Appendix C: Laws, Regulations, and Guidance
Management
Introduction
Risk Overview
Operational / Transaction Risk
Roles and Responsibilities
IT Roles
Board of Directors / Steering Committee
Chief Information Officer / Chief Technology Officer
IT Line Management
Business Unit Management
IT Responsibilities and Functions
Risk Management Functions
Project Management
Other IT Functions and Support Roles
IT Risk Management Process
Planning IT Operations and Investment
Strategic IT Planning
Operational IT Planning
Risk Identification and Assessment
IT Controls Implementation
Policies, Standards, and Procedures
Internal Controls
Personnel
Insurance
Information Security
Business Continuity
Software Development and Acquisition
Operations
Outsourcing Risk Management
Measure and Monitor
Plan-to-Actual Outcome Measures (Outcome-based Measurement)
Performance Benchmarks
Service Levels
Quality Assurance/Quality Control
Policy Compliance
Management Considerations for Technology
Financial Information
Contracts
Audit Reports
Customer Service
Appendix A: Examination Procedures
Appendix B: Laws, Regulations, and Guidance
Operations
Introduction
Roles and Responsibilities
Board of Directors and Senior Management
Operations Management
Risk Management
Risk Identification
Environmental Survey
Technology Inventory
Hardware
Software
Network Components and Topology
Media
Risk Assessment
Prioritizing Risk Mitigation Efforts
Risk Mitigation and Control Implementation
Policies, Standards, and Procedures
Policies
Standards
Procedures
Controls Implementation
Environmental Controls
Preventive Maintenance
Security
Physical Security
Logical Security
Database Management
Personnel Controls
Change Management
Change Control
Patch Management
Conversions
Information Distribution and Transmission
Output
Transmission
Storage/Back-Up
Disposal of Media
Imaging
Event/Problem Management
User Support/Help Desk
Other Controls
Scheduling
Negotiable Instruments
Risk Monitoring and Reporting
Performance Monitoring
Capacity Planning
Control Self-Assessments
Appendix A: Examination Procedures
Tier I Objectives and Procedures
Tier II Objectives and Procedures
Appendix B: Glossary
Appendix C: Item Processing
Appendix D: Advanced Data Storage Solutions
Outsourcing Technology Services
Introduction
Board and Management Responsibilities
Risk Management
Risk Assessment and Requirements
Quantity of Risk Considerations
Requirements Definition
Service Provider Selection
Request for Proposal
Due Diligence
Contract Issues
Service Level Agreements (SLAs)
Pricing Methods
Bundling
Contract Inducement Concerns
Ongoing Monitoring
Key Service Level Agreements and Contract Provisions
Financial Condition of Service Providers
General Control Environment of the Service Provider
Potential Changes due to the External Environment
Related Topics
Business Continuity Planning
Outsourcing the Business Continuity Function
Information Security/Safeguarding
Multiple Service Provider Relationships
Outsourcing to Foreign Service Providers
Appendix A: Examination Procedures
Appendix B: Laws, Regulations, and Guidance
Appendix C: Foreign-Based Third-Party Service Providers
Appendix D: Managed Security Service Providers
MSSP Engagement Criteria
MSSP Examination Procedures
Retail Payment Systems
Introduction
Retail Payment Systems Overview
Payment Instruments, Clearing, and Settlement
Check-Based Payments
Remotely Created Checks
Electronically Created Payment Orders
Remote Deposit Capture
Check Clearing Houses
The Automated Clearing House (ACH)
The ACH Network
NACHA Rule and Product Changes
Card-Based Electronic Payments
General Purpose Credit Cards
Co-Branded/Affinity Credit Cards
Debit and ATM Cards
EFT/POS Networks
Prepaid (Stored Value) Cards
Payroll Cards
General Spending Reloadable Cards
Online Person-to-person (P2P), Account-to-Account (A2A) Payments and Electronic Cash
Emerging Retail Payment Technologies
Contactless Payment Cards, Proximity Payments and Other Devices
Biometrics for Payment Initiation and Authentication
Emerging Network Technologies
Retail Payment Systems Risk Management
Payment System Risk (PSR) Policy
Strategic Risk
Reputation Risk
Credit Risk
Liquidity Risk
Legal (Compliance) Risk
Operational Risk
Audit
Information Security
Business Continuity Planning
Vendor and Third-Party Management
Retail Payment Instrument Specific Risk Management Controls
Checks
ACH
Third-Party ACH Processing
Credit Cards
Debit/ATM Cards
Card/PIN Issuance
Merchant Acquiring
EFT/POS and Credit Card Networks
Appendix A: Examination Procedures
Appendix B: Glossary
Appendix C: Schematic of Retail Payments Access Channels & Payments Method
Appendix D: Laws, Regulations, and Guidance
Supervision of Technology Service Providers (TSP)
Introduction
Supervisory Policy
Examination Responsibility
A. Insured Financial Institution
B. Insured Financial Institution as TSP
C. Holding Company and Non-Bank Subsidiary of the Holding Company
D. Bank Service Company as TSP
E. Independent TSPs, Including Those in the Multi-Regional Data Processing Servicers Program
Supervisory Programs
MDPS Program
Regional TSP Program
Supervision of Foreign-Based TSP Program
Shared Application Software Review Program
Roles and Responsibilities
Agency-In-Charge
Central Point of Contact
Examiner-In-Charge of Site or Activity
Risk-Based Supervision
Risk-Based-Examination Priority Ranking
Uniform Rating System for Information Technology
Frequency of Examinations
Risks Associated With TSPs
Risk Management
Audit and Internal Controls
Report of Examination
ROE Distribution
Customer List
Appendix A: URSIT
Introduction
Use of Composite Ratings
Use of Component Ratings
Composite Ratings Definitions
Component Ratings Definitions
Component Rating Areas of Coverage
Audit
Management
Development and Acquisition
Support and Delivery
Wholesale Payment Systems
Introduction
Interbank Payment and Messaging Systems
Fedwire and Clearing House Interbank Payments System (CHIPS)
Fedwire Funds Service
CHIPS
Other Clearinghouse, Settlement, and Messaging Systems
National Settlement Service (NSS)
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Telex-based Messaging Systems
Continuous Linked Settlement (CLS) Bank
Securities Settlement Systems
U.S. Government Securities
Fixed Income Clearing Corporation (FICC)
Fedwire Securities Service
Corporate and Municipal Securities
National Securities Clearing Corporation (NSCC)
Depository Trust Company (DTC)
Intrabank Payment and Messaging Systems
Internally Developed and Off-The-Shelf Funds Transfer Systems
Payment Messaging Systems
In-house Terminals
Non-automated Payment Order Origination
Funds Transfer Operations (Wire Room)
Computer and Network Operations Supporting Funds Transfer
Wholesale Payment Systems Risk Management
Payments System Risk (PSR) Policy
Reputation Risk
Strategic Risk
Credit Risk
Customer Daylight Overdrafts
Settlement Risk
Liquidity Risk
Legal (Compliance) Risk
Operational (Transaction) Risk
Internal and Operational Controls
Audit
Information Security
Business Continuity Planning (BCP)
Vendor and Third-Party Management
Appendix A: Examination Procedures
Tier I Examination Objectives and Procedures
Tier II Examination Objectives and Procedures
Appendix B: Glossary
Appendix C: Laws, Regulations and Guidance
Appendix D: Legal Framework for Interbank Payment Systems
Appendix E: Federal Reserve Board Payment System Risk Policy: Daylight Overdrafts
Appendix F: Payment System Resiliency
Resources
Audit
Business Continuity Planning
E-Banking
Information Security
Management
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers
Wholesale Payment Systems
Reference Materials
Presentations
General Handbook
Audit
Business Continuity Planning
Development and Acquisition
E-Banking
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers
Wholesale Payment Systems
Glossary
Management