BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF BANKING SUPERVISION AND REGULATION

SR 16-14
September 19, 2016

TO: OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND TO INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: FFIEC Information Technology Examination Handbook – Information Security Booklet

Applicability: This letter applies to all institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC) has revised the July 2006 version of the Information Security booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The Information Security booklet is one of 11 booklets that make up the IT Handbook.[1] This revised booklet provides guidance to examiners for assessing the level of security risks to a financial institution's information systems. The booklet describes effective information security program management and helps examiners evaluate the adequacy of a financial institution's integration of information security into its overall risk management program. The booklet also provides an overview of information security operations, including the need for effective (1) threat identification, assessment, and monitoring and (2) incident identification, assessment, and response.

The revised booklet highlights important attributes among effective information security programs, including assurance and testing, and the adequacy of an institution's culture, governance, and security operations. Further, the revised booklet includes examination procedures to evaluate these areas and addresses:

• cybersecurity concepts such as threats, controls, and resource requirements for preparedness; and
• the stages of the IT risk management program, including risk identification, risk measurement, risk mitigation, monitoring, and reporting.

Electronic versions of the Information Security booklet and the other booklets in the IT Handbook are available at http://ithandbook.ffiec.gov/it-booklets.aspx.

Reserve Banks are asked to distribute this SR letter to the Federal Reserve-supervised institutions in their districts, as well as to their supervisory and examination staff. Questions regarding the revised guidance should be addressed to the following staff in the Board's Systems and Operational Resiliency Policy section: Todd Sheets, Supervisory Financial Analyst, at (202) 872-7541. In addition, questions may be sent via the Board's public website.[3]

Maryann F. Hunter
Acting Director

Supersedes:
• SR letter 16-10, "FFIEC Information Technology Examination Handbook – Retail Payment Systems Booklet"
• SR letter 15-14, "FFIEC Information Technology Examination Handbook"
• SR letter 15-3, "FFIEC Information Technology Examination Handbook"

Footnotes:

[1] To consolidate letters that announce revisions to FFIEC IT-related booklets, this letter supersedes the following letters: SR letter 16-10, "FFIEC Information Technology Examination Handbook – Retail Payment Systems Booklet," which addresses IT practices associated with activities and devices for mobile financial services; SR letter 15-14, "FFIEC Information Technology Examination Handbook," which provides guidance on the oversight and administration of IT and IT risk management practices; and SR letter 15-3, "FFIEC Information Technology Examination Handbook," which explains the components of an effective third-party management program that can identify, measure, monitor, and control the risks associated with outsourcing. The information in those booklets is still relevant, and examiners can find the latest versions of those booklets on the FFIEC IT Examination Handbook InfoBase at http://ithandbook.ffiec.gov/it-booklets.aspx.

[2] For purposes of this guidance, "financial institutions" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.

[3] http://www.federalreserve.gov/apps/contactus/feedback.aspx