FFIEC IT Work Program: Information Security
These examination procedures (commonly referred to as the work program) are intended to help
examiners determine the effectiveness of the institution’s information security process.
Examiners may choose, however, to use only particular components of the work program based
on the size, complexity, and nature of the institution’s business. Examiners should also use these
procedures to measure the adequacy of the institution’s cybersecurity risk management
processes.
Work Paper Ref | Examiner Comments
Objective 1: Determine the appropriate scope and objectives for the examination.
September 2016 1
FFIEC IT Examination Handbook Information Security
e. Technology service providers and software vendor
listings.
f. Communication lines with other business units (e.g.,
loan review, credit risk management, line of business
quality assurance, and internal audit).
g. Credit or operating losses primarily attributable (or
thought to be attributable) to IT (e.g., system
problems, fraud occurring due to poor controls, and
improperly implemented changes to systems).
h. Changes to internal business processes.
i. Internal reorganizations.
implementation, and maintenance of the institution’s
information security program.
j. Protection of data consistently throughout the
institution.
k. Definition of the information security
responsibilities of third parties.
l. Facilitation of annual information security and
awareness training and ongoing security-related
communications to employees.
Objective 4: As part of the information security program, determine whether management has
established risk identification processes.
c. A process to determine the institution's information
security risk profile.
d. A validation of the risk identification process
through audits, self-assessments, penetration tests,
and vulnerability assessments.
e. A validation through audits, self-assessments,
penetration tests, and vulnerability assessments that
risk decisions are informed by appropriate
identification and analysis of threats and other
potential causes of loss.
Objective 5: Determine whether management measures the risk to guide its recommendations for
and use of mitigating controls.
6. Determine whether management effectively maintains an
inventory(ies) of hardware, software, information, and
connections. Review whether management does the
following:
a. Identifies assets that require protection, such as
those that store, transmit, or process sensitive
customer information, or trade secrets.
b. Classifies assets appropriately.
c. Uses the classification to determine the sensitivity
and criticality of assets.
d. Uses the classification to implement controls
required to safeguard the institution's assets.
e. Updates the inventory(ies) appropriately.
9. Determine whether management applies appropriate
physical security controls to protect its premises and
more sensitive areas, such as its data center(s).
13. Determine whether management has processes to harden
applications and systems (e.g., installing minimum
services, installing necessary patches, configuring
appropriate security settings, enforcing the principle of least
privilege, changing default passwords, and enabling
logging).
c. Tracking changes made to the systems and
applications, availability of updates, and the
planned end of support by the vendor.
d. Planning for the update or replacement of systems
nearing obsolescence.
e. Outlining procedures for the secure destruction or
wiping of hard drives being returned to vendors or
donated to prevent the inadvertent disclosure of
sensitive information.
network, operating systems, applications, databases, and
network devices. Review whether management has the
following:
a. An enrollment process to add new users to the
system.
b. An authorization process to add, delete, or modify
authorized user access to operating systems,
applications, directories, files, and specific types of
information.
c. A monitoring process to oversee and manage the
access rights granted to each user on the system.
d. A process to control privileged access.
e. A process to change or disable default user accounts
and passwords.
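As an added illustration, not part of the FFIEC work program, of what an examiner might expect the monitoring, privileged-access and default-account processes in items c through e to produce: a review run over a user-access inventory that flags enabled default accounts whose default password was never changed, privileged access with no recorded authorization, and enabled accounts that have gone idle. The inventory records, the field names, the DEFAULT_ACCOUNTS set and the 90-day idle threshold are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed set of vendor/default account names to check; an institution
# would build this from its own system documentation.
DEFAULT_ACCOUNTS = {"admin", "guest", "root", "sa"}


@dataclass
class Account:
    """One row of a (constructed) user-access inventory."""
    username: str
    system: str
    enabled: bool
    privileged: bool
    approval_ref: Optional[str]       # ticket/form that authorized the access
    last_login: Optional[date]
    default_password_changed: bool


# Constructed sample inventory; dates and names are illustrative only.
SAMPLE_INVENTORY = [
    Account("jsmith", "core-banking", True, False, "ACC-101", date(2016, 9, 1), True),
    Account("dba01", "core-banking", True, True, None, date(2016, 8, 30), True),
    Account("admin", "teller-app", True, True, "ACC-007", date(2016, 2, 1), False),
    Account("guest", "teller-app", False, False, None, None, False),
    Account("tmp_contractor", "hr-db", True, False, "ACC-142", date(2016, 1, 15), True),
]


def review_accounts(inventory: List[Account], as_of: date,
                    max_idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (system, username, issue) findings for the access review."""
    findings = []
    for acct in inventory:
        # Item e: default accounts must be changed or disabled.
        if (acct.username in DEFAULT_ACCOUNTS and acct.enabled
                and not acct.default_password_changed):
            findings.append((acct.system, acct.username,
                             "default account enabled with unchanged default password"))
        # Item d: privileged access needs a documented authorization.
        if acct.privileged and acct.enabled and not acct.approval_ref:
            findings.append((acct.system, acct.username,
                             "privileged access without recorded authorization"))
        # Item c: monitoring of granted rights; idle enabled accounts are
        # candidates for removal.
        idle = (acct.last_login is None
                or (as_of - acct.last_login).days > max_idle_days)
        if acct.enabled and idle:
            findings.append((acct.system, acct.username,
                             f"enabled but idle for more than {max_idle_days} days"))
    return findings


def flagged_users(findings: List[Tuple[str, str, str]]) -> set:
    """Distinct usernames that appear in any finding."""
    return {username for _, username, _ in findings}


if __name__ == "__main__":
    for system, user, issue in review_accounts(SAMPLE_INVENTORY, date(2016, 9, 30)):
        print(f"{system:14} {user:15} {issue}")
```

The review is deliberately driven from the inventory rather than from live systems, so the same script can be pointed at exports from several platforms once they are normalized to the Account fields; a disabled default account (the guest row) produces no finding, which is the intended outcome of item e.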
c. Periodically reviews and approves the application
access assigned to users for appropriateness.
d. Communicates and enforces the responsibilities of
programmers, security administrators, and
application owners in maintaining effective
application access control.
e. Sets time-of-day or terminal limitations for some
applications or for more sensitive functions within
an application.
f. Logs access and events, defines alerts for significant
events, and develops processes to monitor and
respond to anomalies and alerts.
potential interruptions in service. Review whether
management does the following:
a. Develops and maintains policies and procedures to
securely offer and ensure the resilience of remote
financial services (e.g., using appropriate
authentication, layered security controls, and fraud
detection monitoring). (For additional questions,
refer to the "Mobile Financial Services"
examination procedures.)
b. Plans and coordinates with ISPs and third parties to
minimize exposure to incidents and continue
services when faced with an incident (e.g., monitors
threat alerts, service availability, applications, and
network traffic for indicators of nefarious activity,
and ensures traffic filtering).
c. Develops and tests a response plan in conjunction
with the institution's ISPs and third-party service
providers to mitigate the interruption of mobile or
remote financial services.
common security weaknesses, and network
segregation.
c. Contractual assurances from third-party service
providers for security responsibilities, controls, and
reporting.
d. Nondisclosure agreements with third-party service
providers with access to the institution's systems
and data (including before, during, and following
termination of the contract).
e. Independent review of the third-party service
provider's security through appropriate reports from
audits and tests.
f. Coordination of incident response policies and
contractual notification requirements.
g. Verification that information and cybersecurity
risks are appropriately identified, measured,
mitigated, monitored, and reported.
logging to a separate computer, use of read-only
media, controlled log parameters, and restricted
access to log files).
c. Independent review of logging practices.
d. Processes to effectively collect, aggregate, analyze,
and correlate security event information from
discrete systems and applications.
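As an added example, not part of the FFIEC work program, of the collect-aggregate-analyze-correlate process in item d: events from two discrete systems with different log formats (a syslog-style SSH line and a JSON application audit line) are normalized into one event shape, then correlated so that a single source address failing authentication against more than one system inside a short window raises one alert instead of two unrelated entries. The log lines, the host and application names, the addresses and the 10-minute window are constructed assumptions for this example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records; formats and values are assumptions, not
# anything taken from the work program.
SAMPLE_SSH_LOG = [
    "Sep 14 09:01:02 bastion sshd[2011]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2",
    "Sep 14 09:01:07 bastion sshd[2011]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Sep 14 09:05:00 bastion sshd[2040]: Accepted publickey for ops from 198.51.100.20 port 40122 ssh2",
]
SAMPLE_WEB_LOG = [
    '{"ts": "2016-09-14T09:02:15", "app": "online-banking", "event": "login_failed", "user": "jsmith", "src": "203.0.113.9"}',
    '{"ts": "2016-09-14T09:02:40", "app": "online-banking", "event": "login_failed", "user": "mlee", "src": "203.0.113.9"}',
    '{"ts": "2016-09-14T10:30:00", "app": "online-banking", "event": "login_ok", "user": "mlee", "src": "198.51.100.20"}',
]

SSH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<msg>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ssh(line, year=2016):
    """Normalize an sshd syslog line; syslog omits the year, so it is supplied."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "system": m["host"], "src": m["src"], "user": m["user"],
            "outcome": "fail" if m["msg"].startswith("Failed") else "ok"}


def parse_web(line):
    """Normalize a JSON audit record from the application into the same shape."""
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["ts"]), "system": rec["app"],
            "src": rec["src"], "user": rec["user"],
            "outcome": "fail" if rec["event"] == "login_failed" else "ok"}


def collect(ssh_lines, web_lines):
    """Aggregate both sources into one time-ordered event list."""
    events = [e for e in (parse_ssh(l) for l in ssh_lines) if e]
    events += [parse_web(l) for l in web_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate_failures(events, window_seconds=600, min_systems=2):
    """Alert on a source with auth failures against >= min_systems distinct
    systems within window_seconds; one alert per source."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "fail":
            failures[e["src"]].append(e)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            systems = {e["system"] for e in in_window}
            if len(systems) >= min_systems:
                alerts.append({"src": src, "systems": sorted(systems),
                               "failures": len(in_window), "start": first["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_failures(collect(SAMPLE_SSH_LOG, SAMPLE_WEB_LOG)):
        print(alert)
```

Neither system's own log shows anything beyond a couple of failed logins; the cross-system view is what exposes the pattern, which is the point of collecting from discrete systems rather than reviewing each in isolation. The window and system-count thresholds are the "controlled parameters" an institution would tune and document.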
Objective 7: Determine whether management has effective risk monitoring and reporting
processes.
Objective 8: Determine whether management has security operations that encompass necessary
security-related functions, are guided by defined processes, are integrated with lines of business and
activities outsourced to third-party service providers, and have adequate resources (e.g., staff and
technology).
the system, security procedures, business line
controls, and implementation of the system and
controls).
d. Using threat knowledge to drive risk assessment
and response.
e. Designing policies to allow immediate and
consequential threats to be dealt with expeditiously.
f. Developing appropriate processes to evaluate and
respond to vulnerability information from external
groups or individuals.
b. Procedures to minimize damage through the
containment of the incident, restoration of systems,
preservation of data and evidence, and notification,
as appropriate, to customers and others as needed.
c. Appropriate balance of adequate people and
technologies in the response.
d. A plan that is comprehensive, coordinated,
integrated, and periodically tested with appropriate
internal and external parties.
e. Policies and procedures to guide the response,
assigning responsibilities to individuals; providing
appropriate training; formalizing information flows;
and selecting, installing, and understanding the tools
used in the response effort.
f. Thresholds for reporting significant security
incidents and processes to notify, as appropriate, the
institution's regulators of those incidents that may
affect the institution or the financial system.
g. Assignment of responsibilities, training, and testing.
h. Containment strategies.
i. Restoration and follow-up strategies.
Objective 10: Determine whether assurance activities provide sufficient confidence that the
security program is operating as expected and reaching intended goals.
d. Confidentiality, integrity, and availability of the
institution's information.
e. Confidentiality of test plans and data.
f. Frequency.
4. Organize work papers to ensure clear support for
significant findings by examination objective.