The FDIC updated its Information Technology Risk Examination (InTREx) procedures to improve the Audit module‘s usability, specify compliance review steps relative to the Computer Security Incident Notification Rule (Part 304 Subpart C), provide more specificity regarding examiner review of service provider reports of examination, and update links to references. Examiners use these procedures to review information technology risk management at each bank safety and soundness examination.
Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-supervised financial institutions.
- The Audit module now positions the procedures next to the Core Analysis Decision Factors to increase examiner efficiency (the Support and Delivery module was changed in the same way previously and the other core modules will be changed similarly).
- The Support and Delivery module now provides more specific instructions to examiners regarding checking for compliance with the Computer Security Incident Notification Rule that was effective on April 1, 2022.
- The Management and Support and Delivery modules now provide more specific instructions to examiners regarding service provider report of examination review.
- Links throughout the procedures were updated to current Internet locations.
Part 304 Subpart C - FDIC Rules and Regulations
Part 364 Appendix B - FDIC Rules and Regulations
Federal Register Notice - Uniform Rating System for Information Technology
Examination Processes and Procedures