OCC Bulletin 2016-27 | September 9, 2016
FFIEC Information Technology Examination Handbook: Revised Information Security Booklet
Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC) has revised the “Information Security” booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The “Information Security” booklet is one of 11 that make up the IT Handbook. The revised “Information Security” booklet provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems. It also helps examiners evaluate the adequacy of the information security program’s integration into overall risk management.
Note for Community Banks
This guidance applies to all national banks and federal savings associations (collectively, banks). Community banks should maintain effective information security programs commensurate with their operational complexities.
The “Information Security” booklet describes effective information security program management, including the following phases of the life cycle of information security risk management:
- Risk identification
- Risk measurement
- Risk mitigation
- Risk monitoring and reporting
Additionally, the booklet provides an overview of information security operations. This includes the need for effective threat identification, assessment, and monitoring. It also includes effective incident identification, assessment, and response. The booklet discusses methods to achieve and assess information security program effectiveness, including assurance and testing. The booklet also contains updated examination procedures to help examiners measure the adequacy of the institution’s security culture, governance, information security program, security operations, and assurance processes.
Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value. The potential adverse effects can arise from
- disclosure of information to unauthorized individuals.
- unavailability or degradation of services.
- misappropriation or theft of information or services.
- modification or destruction of systems or information.
- records that are not timely, accurate, complete, or consistent.
Please contact Kevin Greenfield, Director for Bank Information Technology, at (202) 649-6340.
Bethany A. Dugan
Deputy Comptroller for Operational Risk