Participants take part in a series of case studies and lectures designed to reinforce concepts and techniques that will enhance an examiner's ability to assess a financial institution's technology risk. Case studies focus on identification of technology risks and potential mitigation strategies along with the business consequences for failure to properly mitigate these risks. The course is not intended to fully cover all aspects of the Information Technology Risk Examination (InTREx) program and associated work programs.
By the end of this course, students will have been taught how to:
- Analyze an institution's information security program and information technology risk management practices and draw meaningful conclusions, including assignment of component and composite URSIT ratings.
Duration and Format
This course contains:
- 20 hours of Pre-course Work (Independent study)
- Self-check questions
- 2 week Facilitated classroom discussion/lectures
- Self-paced reading assignments
- Group activities
Level and Credits
No continuing education credits.
FDIC participants should attend in accordance with the parameters outlined in the Examiner Training and Development Policy. This course is for financial institution commissioned examiners who will be conducting Information Technology Examinations of non-complex institutions. Participants should attend within 12 months of becoming a commissioned risk management examiner. This course is open to appropriate partner government regulatory agencies. This course is not open to the public or staff of private banks.
Prerequisites and Prior Work Experience
Prior to attending the course, participants must meet the following requirements:
- Be commissioned or regularly serve as the Examiner-In-Charge (EIC)
- Have actively participated in two information technology examinations within the 12 months prior to attending this course.
The items below constitute the pre-course assignment. The pre-course assignment is generally due two weeks (11 business days) prior to the start of the session. The exact date the work is due for any given session is specified in the pre-course information sent approximately two months prior to the start date. Prior to attending the workshop, participants are required to complete and submit the following pre-course assignments:
- Complete an interactive self-paced study assignment designed to familiarize them with Information Technology Examination techniques and terminology
- Be introduced to a case study
- Review information typically available for pre-planning an Information Technology Examination (this case will be used extensively during the first week of the course)
NOTE: RMS has authorized 20 hours of official time to complete the pre-course assignment. Participants will also need to complete and submit a participant profile.
Post Course Recommendation and Feedback
As soon as scheduling permits but no later than 12 months after completing this course, students are expected to participate in multiple IT examinations and ultimately serve as an IT EIC of a non-complex institution to further develop the concepts learned during the course.
No post-course feedback will be provided by instructors at the conclusion of this course.
During this course, students will learn how to assess IT-related risks that can impact the institution. Students will also analyze an institution's information security program, cybersecurity, and information technology risk management practices and draw meaningful IT security examination conclusions linked to business risks. Students complete a series of case studies and listen to lectures designed to reinforce concepts and techniques to enhance an examiner's ability to assess a financial institution's technology risk. Case studies focus on identification of technology risks and potential mitigation strategies along with the business consequences for failure to properly mitigate these risks. This course is not intended to cover all aspects of the Information Technology Risk Examination (InTREx) program and associated work programs.
- Technology Review
- Participants learn the purpose of common IT devices and network topologies. Additional topics covered include IT-related risks that can impact the overall condition of an institution, basic IT infrastructure and concepts, risks at ingress (incoming) and egress (outgoing) points on the network, and risks in mobile banking, vendors and service providers, wireless systems, and cloud services.
- Examination Process and Planning
- Participants are provided tools to help them review key characteristics and steps in the IT Examination program. They will also summarize key concepts in applying technology-related concerns to business-related risks and list steps in the exam planning process. In addition, students learn about examination planning activities in InTREx that focus on gathering information to identify a preliminary risk profile and creating an effective scope comment.
- Risk Assessment
- Participants review the purpose of an information security program and the types of information the program is designed to protect, while reviewing the Cycle of IT Governance. Elements of the risk assessment process are identified, including the relationship between the risk assessment and the Gramm-Leach-Bliley Act (GLBA), IT threats and risks a bank may be exposed to as well as controls used to identify, prevent, detect, and respond to these threats and risks. Students will also evaluate the quality of a risk assessment process.
- Audit and Independent Review
- Participants learn about key concepts of an institution’s audit and independent review activities, including the different types of IT audits and audit plans and schedules.
- Support and Delivery
- Participants learn how controls should be used to mitigate threats and vulnerabilities. They also look at the effectiveness of an institution's operations security and risk management practices, support and delivery practices, and bank management’s controls, standards, and practices and communications (aka Framework).
- Vendor Management
- Participants learn about effective vendor management and service provider oversight practices and the impact vendor management has on various component ratings. Students review vendor Reports of Examination (ROE) and Service Organization Control (SOC) reports, including the need to follow up on relevant issues and validate if a bank’s contract with the vendor addresses security of sensitive information.
- Business Continuity Management
- Participants learn the purpose of Business Continuity Management (BCM) and the importance of identifying interconnectivity between parties and interdependencies of systems. Students will also identify key elements and steps in a BCM life cycle and disaster recovery plan, and learn the difference between various recovery-testing methodologies and how to evaluate the adequacy of an institution’s BCM process.
- Development and Acquisition
- Participants will analyze an institution’s project management process, critique change management processes, and review Project Management, Acquisition and Management Practices, Change Management, and End-of-Support/End-of-Life topics.
- ACH Activities
- Participants will learn about the various types of Automated Clearing House (ACH) participants and transactions, including third-party service providers, Originating Depository Financial Institutions (ODFIs), and Receiving Depository Financial Institutions (RDFIs). Students will also learn how to identify risks associated with ACH transactions and controls to mitigate those risks, conduct risk assessments for ACH transactions, and access and use payments supervision data (FDIC only). Additional topics covered include review of third parties in ACH, Same Day and International ACH, ACH Risk Assessments, and Payments Supervision areas.
- Topology Review
- Participants learn about key concepts and components of network topologies and support and delivery considerations.
- EFT Activities
- Participants look at various payment types such as wire transfers and emerging payments, risks associated with these payments and the controls banks use to mitigate those risks, and assessment processes for EFT payments.
- Developing Conclusions
- After this lesson, students will be able to develop and record initial conclusions in an approved work program. Also covered is how to prepare for meetings with bank management, document examination conclusions, determine content requirements for report comments, write an appropriate and well-supported report comment, and assign IT composite and component ratings based on the Uniform Rating System for Information Technology (URSIT).
- Case Study
- Through individual and small group activities, students complete pre-examination and examination tasks, assess the four IT components and assign the component and composite ratings, evaluate conformance with Interagency Guidelines Establishing Information Security Standards (Gramm-Leach-Bliley Act, cybersecurity assessment), and identify the need for any Enforcement Actions or follow-up monitoring. Students also learn how to follow up on issues from a previous examination, complete pre-planning visit analysis, assess management’s progress in remediation of informal enforcement actions, make recommendations to territory management relative to the current IT enforcement action and its effectiveness, and determine what the next steps are based upon the findings identified during the visit.