Monday, September 26, 2016

FFIEC updates (finally) their Information Security IT Examination Handbook

Well, after ten years, the FFIEC has finally updated their Information Security IT Examination Handbook.

So probably some are wondering what this is and why they should care. If you don't work in the financial industry, you may not be aware of any of this.

The FFIEC is the Federal Financial Institutions Examination Council, a government interagency body that sets down uniform principles, standards, and report forms for the examination of financial institutions. The Council is made up of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee (SLC), which itself includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

So basically, if you work for a bank or credit union, you have dealt with this. If you do IT security consulting in this realm, you have come across them.

As part of this, they have put out several items. I have mentioned on this blog the FFIEC's Cybersecurity Assessment Tool (CAT), and I have mentioned in passing their IT Examination Handbooks. These are a series of booklets you can download from their site (no idea how one can get printed versions) HERE.

So far they consist of the following:

  • Audit (2012)
  • Business Continuity Planning (2015)
  • Development and Acquisition (2004)
  • E-Banking (2003)
  • Information Security (2016)
  • Management (2015)
  • Operations (2004)
  • Outsourcing Technology Services (2004)
  • Retail Payment Systems (2016)
  • Supervision of Technical Service Providers (2012)
  • Wholesale Payment Systems (2004)
Even if you aren't involved with financial institutions, several of these works may be of value to you. However, judging by those dates, I think there are more booklets they need to update.

If you're involved with information security, the booklets on Information Security, Management (which is really IT governance), Audit, Business Continuity Planning, Development and Acquisition, and Operations may be of interest to you.

I was mainly interested in the Information Security booklet. I thought this would be just an update of the previous version, but it's a rewrite. It's even shorter than the previous version. I found it more in line with the recent Management booklet as well. Overall I found it a pretty good work, but be mindful that it's high level. It doesn't get into the technical details of information security; otherwise it would be too quickly outdated.

I did notice some flubs. They mentioned the Council on Cybersecurity, which was the group that oversaw the Critical Security Controls. But that group merged last year with the Center for Internet Security. Also, COBIT is now just COBIT. With version 5, it is no longer viewed as an acronym.

So check it out for yourself.
