Today information systems are the lifeblood of the financial services industry. This course is designed to provide examiners with an understanding of the key components of an Information Security Program (ISP) for a bank. The course opens with a brief review of Information Security and Cybersecurity and an overview of potential risks and countermeasures. The course integrates elements of related IT examination guidance, resources, and tools (GLBA, FACTA, Part 364 Appendix A, FFIEC Handbooks, NIST Cybersecurity Framework, Cybersecurity Assessment Tool, and InTREx). The course will take a detailed look at the elements of an ISP, including oversight roles and responsibilities. The course will cover security management components and practices. Throughout the course, exercises and activities will be used to reinforce the concepts and help participants apply the information to a bank examination.
By the end of this course, students will be able to:
- Explain Information Security using baseline terminology and concepts;
- Describe regulatory guidance related to information security;
- Discuss security policy design and implementation;
- Explain the role of bank management and oversight responsibilities;
- Discuss security management practices;
- Describe physical and operations security;
- Explain network controls testing, auditing, and monitoring;
- Discuss security in mobile workspace and the challenges of BYOD;
- Describe secure network design, encryption, access control, and authentication;
- Discuss firewall implementation and concepts;
- Describe vendor management security;
- Explain basic types of security issues and mitigation strategies; and
- Identify what reports to look for on a bank examination in relation to information security.
Duration and Format
This course is 4 days of facilitated classroom discussion and lectures.
Level and Credits
There are no credits available from this course.
All commissioned RMS Bank Examiners. Participants should take this course after they have been commissioned and have attended the Information Technology Examination Course (ITEC). This course is open to appropriate staff of the FDIC and partner government regulatory agencies. This course is not open to the public or staff of private banks.
Prerequisites and Prior Work Experience
Participants must be Risk Management Examiners who have a good understanding of information technology and experience performing IT examinations and should have attended the Information Technology Examination Course.
There are no pre-course assignments.
Post Course Recommendation and Feedback
There are no post-course recommendations, and instructors will not be providing feedback at the completion of the course.
- Program Introduction
- Participants will discuss big-picture information security concepts and apply them to banking situations. Participants will learn about the underlying relationships between interconnecting concepts related to risk management and information security.
- Banking and Regulatory Compliance Perspective
- Participants learn about the basics of the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and explain the concept of compliance and how it fits into security. The module includes several best-practice considerations and references.
- NIST Cybersecurity Framework
- Participants learn about the origins and structure of the NIST Cybersecurity Framework and the five core functions.
- Information Security Oversight
- Participants learn in detail about Information Security roles and responsibilities and common approaches to segmenting functions.
- Information Security (InfoSec) Fundamentals
- Participants learn about the foundations of security, how to identify risks and threats for data, and alternatives for handling risk.
- Security Policy
- Participants learn about the need and purpose of a security policy, examine the steps in security policy development, and learn how a bank implements an effective security policy.
- Security Management Practices
- Participants learn about asset management and seven controls: access control, encryption, VPN, firewall, device hardening, network access control, and mobile device management.
- Vendor Management
- Participants learn about the motivation for engaging a vendor and considerations for the three vendor types.
- Monitoring and Incident Response
- Participants learn about intrusion detection and prevention, security team principles, and incident response.