Internal Audit, Consulting, and IT Security Solutions


Recent Regulatory Guidance


In early 2003 the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners and financial institutions to use in identifying information security risks and in evaluating the adequacy of a financial institution's controls and risk management practices. The Information Security Booklet was the first in a series of updates to the 1996 FFIEC Information Systems Examination Handbook. These updates address the significant changes in technology that have occurred since 1996 and incorporate a risk-based examination approach.

As defined in the recent examination guidance, the security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage, and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions. The process includes five areas that serve as the information security framework:

  • Information Security Risk Assessment - a process to identify threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
  • Information Security Strategy - a plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
  • Security Controls Implementation - the acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
  • Security Testing - the use of various methodologies to gain assurance that risk is appropriately assessed and mitigated. These testing methodologies should verify that significant controls are effective and performing as intended.
  • Monitoring and Updating - the process of continuously gathering and analyzing information on new threats and vulnerabilities and on actual attacks against the institution or others, together with evidence of how effective the existing security controls are. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating make the process continuous rather than a one-time event.