Grovetta N. Gardineer

With the publication of this booklet, the FFIEC member agencies replace the “Business Continuity Planning” booklet issued in February 2015.

Governance Definition: Governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the security posture of the customer.

Each statement is then sourced to its origin in an applicable FFIEC IT Examination Handbook booklet. Source: IS.B.9: A risk assessment should include an identification of information and the information systems to be protected, including electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information.

The Federal Financial Institutions Examination Council (FFIEC) has revised the “Management” booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). Rather than relying on one control, it incorporates a number of different tactics and strategies working together. The FFIEC will update this appendix to align with new or updated FFIEC IT Examination Handbook booklets following their release. The FFIEC also provides prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners from FFIEC members.

The revised booklet replaces the “Business Continuity Planning” booklet issued in February 2015 and rescinds OCC Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.” Adhering to these guidelines requires a full set of controls implemented across the supplier organization.
The FFIEC has just added a section to the Outsourcing Technology Services IT Examination Handbook, and it should be required reading for financial institutions as well as any managed service providers.

The Federal Financial Institutions Examination Council (FFIEC) has issued a revised “Management” booklet that provides guidance to assist examiners in evaluating the information technology (IT) governance at financial institutions and service providers. The focus of this revised booklet is on enterprise-wide, process-oriented approaches that consider technology, business operations, testing, and communication strategies critical to the continuity of the entire business.

On November 14, 2019, the Federal Financial Institutions Examination Council (FFIEC) released the revised version of the “Business Continuity Management” booklet, which is part of a series of booklets that make up the FFIEC Information Technology Examination Handbook (IT Handbook). This booklet applies to the OCC’s supervision of all national banks and federal savings associations (collectively, banks).

This is achieved by utilizing a structured approach to implementing an information security program. The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) is comprised of several IT booklets for use by examiners. This publication is more than an update. The “Management” booklet is one of 11 booklets that make up the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). The mapping is by Domain, then by Assessment Factor and Category.
The “Management” booklet rescinds and replaces the June 2004 version. The Management booklet, including the examination procedures, has been substantially revised. It is a new approach and rewrite to the managing of the business … The “Management” booklet provides guidance to examiners and outlines the principles of governance and risk management, covering management practices for information technology and operations for safety and soundness, consumer protection, and compliance with applicable laws and regulations. These principles help examiners determine the quality and effectiveness of the financial institution’s IT risk management, and whether management adequately manages risks related to the availability of critical financial products and services. Among the board’s responsibilities is to oversee risk mitigation activities that support the information security program.

Policy Development: FFIEC will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cyber security controls, external dependency management, and incident management and resilience. The FFIEC provides high-level process requirements …

Objective: Develop an understanding of the bank’s money laundering, terrorist financing (ML/TF), and other illicit financial activity risk profile.

The BCM booklet is one of the eleven booklets that make up the IT Handbook. The shift in title from business continuity planning to business continuity management reflects the changes in customer and industry expectations for the resilience and continuity of operations. The booklet sets expectations for business resilience and continuity of operations commensurate with institutions’ operational complexities. Resilience incorporates proactive measures to mitigate disruptive events and evaluate a bank’s recovery capabilities. The focus of business continuity management should be on more than just the planning process to recover operations after an event; it also should include the continued maintenance of systems and controls for the resilience of operations. Business continuity management should incorporate business continuity into the risk management life cycle of a bank’s systems, processes, and operations, and the business continuity management program should align with the institution’s strategic goals and objectives. Please refer to the last page of this appendix for the Source reference key.

Compliance is considered to be a layered approach to security and is not limited to any one specific technology. Financial institutions can utilize these compliance assets to align themselves with the FFIEC guidelines pertaining to their cybersecurity, and this handbook offers a detailed guide for various audit activities.

For further information, please contact Kevin Greenfield, Director, at (202) 649-6340.