Skip Header
U.S. flag

An official website of the United States government

Financial Institution Letters

FIL-43-2016
June 30, 2016

Information Technology Risk Examination (InTREx) Program

Printable Format:

FIL-43-2016 - PDF (PDF Help)

Summary:

The FDIC updated its information technology and operations risk (IT) examination procedures to provide a more efficient, risk-focused approach. This enhanced program also provides a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings.

Statement of Applicability to Institutions with Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised institutions.

Highlights:

Continuation of FIL-43-2016

Distribution:

Suggested Routing:

Related Topics:

Attachment:

Contacts:

Note:

FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at https://www.fdic.gov/news/news/financial/2016/.

To receive FILs electronically, please visit https://www.fdic.gov/about/subscriptions/fil.html.

Paper copies may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (877-275-3342 or 703-562-2200).

Financial Institution Letters
FIL-43-2016
June 30, 2016

Information Technology Risk Examination (InTREx) Program

Enhanced Information Technology and Operations Risk Examination Procedures

On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) implemented the Information Technology Risk Examination (InTREx) Program for conducting information technology and operations risk (IT) examinations of FDIC-supervised financial institutions. The InTREx Program is designed to enhance identification, assessment, and validation of IT in financial institutions and ensure that identified risks are effectively addressed by FI management. FIL-81-2005, Information Technology Risk Management Program (IT-RMP), has been rescinded.

InTREx uses a work program based on the Uniform Rating System for Information Technology1 (URSIT) and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings. The Core Modules incorporate procedures to assess compliance with Appendix B to Part 364 of the FDIC Rules and Regulations entitled Interagency Guidelines Establishing Information Security Standards2,3 as well as procedures to assess cybersecurity preparedness. The results of these assessments will be embedded in the Risk Management Report of Examination.

Other features of the InTREx program are:

For further information about the FDIC's revised IT examination procedures, please contact your FDIC Regional Office.

Doreen Eberley
Director
Division of Risk Management Supervision

1 See FIL-12-1999 FFIEC Uniform Rating System for Information Technology (URSIT) - https://www.fdic.gov/news/inactive-financial-institution-letters/1999/fil9912.html

2 See Part 364 Appendix B - FDIC Rules and Regulations - https://www.fdic.gov/regulations/laws/rules/2000-8660.html#fdic2000appendixbtopart364

3 See FIL-22-2001 Security Standards For Customer Information - https://www.fdic.gov/news/inactive-financial-institution-letters/2001/fil0122.html