CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
New Information Security Guidance for
Examiners and Financial Institutions
The Federal Financial Institutions Examination Council (FFIEC) has issued a booklet with revised guidance for identifying institutions' information security risks and evaluating their risk-management practices. This is the first in a series of updates to the 1996 FFIEC Information Systems Examination Handbook, which will eventually replace the1996 handbook and comprise the new FFIEC Information Technology (IT) Examination Handbook.
On January 29, 2003, the Federal Financial Institutions Examination Council (FFIEC)
issued revised guidance for examiners and financial institutions to use in
identifying information security risks and evaluating the adequacy of controls
and applicable risk- management practices of financial institutions. This
guidance The Information Security Booklet is the first in a series of
updates to the 1996 FFIEC Information Systems Examination Handbook. These
updates will address significant changes in technology since 1996 and
incorporate a risk-based examination approach.
The safety and soundness of the federal financial services industry and the
privacy of customer information depend on the security practices of banks,
thrifts and credit unions. The Information Security Booklet describes how an
institution should protect and secure the systems and facilities that process
and maintain information. Financial institutions and technology service
providers (TSPs) should maintain effective security programs, tailored to the
complexity of their operations.
The FFIEC plans to issue updates in separate booklets that will ultimately
replace all chapters of the 1996 handbook and comprise the new FFIEC Information
Technology (IT) Examination Handbook. In addition to the booklet on information
security, future booklets will address business continuity planning, electronic
banking, IT audits, payment systems, outsourcing, IT management, computer
operations, and systems development and acquisition.
The FFIEC agencies plan to distribute these booklets electronically to
financial institutions and TSPs via the Internet through the FFIECs InfoBase
application. The InfoBase will include each booklet in Adobe Acrobat PDF file
format, as well as an online version with links to various resource materials
and an orientation to the handbook update process.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).