Corporate Compliance Insights

FFIEC Releases Updates to Information Security Booklet

by Craig Nazzaro
October 6, 2016
in Uncategorized
Updates help to minimize regulatory risk

The Federal Financial Institutions Examination Council (FFIEC) recently revised its Information Security Booklet. This moves the financial services industry one step closer to defining clear cybersecurity and data protection protocols to ensure regulatory compliance and furthers the implementation effort of the cybersecurity tool the FFIEC announced in June of 2013. The booklet is one of 11 that together make up the FFIEC IT Handbook. The FFIEC states that the “updates include the removal of redundant management material and a refocus on IT risk management and an update of information security processes. The revision reflects changes in the industry … The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution’s culture, governance, information security program, security operations and assurance processes.”

Special focus should be paid to the updated Appendix A, which was published as guidance for your regulator’s field examiners to assess the level of security risk to your institution’s information systems and the adequacy of your information security program’s integration into overall risk management. The appendix lists the following 11 objectives for those examiners, but objectives two through 10 can also be used as internal guidance to assess your own program:

  1. Determine the appropriate scope and objectives for the examination.
  2. Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability and adequate resources to support the program.
  3. Determine whether management of the information security program is appropriate and supports the institution’s IT risk management (ITRM) process, integrates with lines of business and support functions and integrates third-party service provider activities with the information security program.
  4. As part of the information security program, determine whether management has established risk identification processes.
  5. Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  6. Determine whether management effectively implements controls to mitigate identified risk.
  7. Determine whether management has effective risk monitoring and reporting processes.
  8. Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers and have adequate resources (e.g., staff and technology).
  9. Determine whether management has an effective information security program.
  10. Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  11. Discuss corrective action and communicate findings.

The entire booklet should be studied, understood and utilized by your IT, compliance, risk and audit operations so that your institution’s compliance management system reflects the strongest integration of cyber and data security controls. This approach will not only allow your institution to avoid the regulatory risk associated with findings and/or fines in this space, but will also position you to limit your litigation exposure in the event of a data breach, through your ability to show pre-existing, robust policies and procedures that limit risk as much as possible.

It’s also important to note that the FFIEC comprises the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB). Certain institutions treat cybersecurity and data protection as a safety and soundness issue and see regulatory exposure only through the prudential regulators; that would be a mistake, as the CFPB can just as easily apply these protocols within a consumer regulatory exam. As we saw earlier this year in the CFPB’s action against Dwolla, Inc., the CFPB is reviewing data security controls as well. If you have any questions regarding data security best practices, please contact any of the attorneys in Baker Donelson’s Privacy and Information Security practice group.


Craig Nazzaro

Craig Nazzaro, of counsel in Baker Donelson’s Atlanta office, advises lenders and servicers on all regulatory and compliance issues that impact the consumer lending industry and defends them against charges of liability and any regulatory violations. Before joining Baker Donelson, Mr. Nazzaro was a Vice President and Assistant General Counsel with JPMorgan Chase, where he managed and coordinated a team of 22 senior legal officers and attorneys in responding to and resolving consumer lending issues. Mr. Nazzaro also led the implementation and management process for the bank’s Executive Office’s compliance with the National Mortgage Settlement, as well as changes to various processes to comply with the Dodd-Frank Act. He can be reached at cnazzaro@bakerdonelson.com.