FFIEC Takes Aim at Information Security Programs

  • by Steve Sanders
  • Nov 16, 2016

7 Key Takeaways from the FFIEC’s Updated Information Security Booklet 

With four updates to its IT Handbook in 20 months, the Federal Financial Institutions Examination Council (FFIEC) has its hands full keeping up with the accelerating speed of technological advancements and the increasing frequency and sophistication of cyberattacks. 

Its latest update, the Information Security Booklet revision, takes direct aim at information security review programs in an effort to increase security awareness, effectiveness and resiliency. The 98-page update is a lot to digest for institutions already swamped by regulatory requirements. To assist you, we’ve conducted a page-by-page review of the September 2016 booklet and a side-by-side comparison with the July 2006 version. Our analysis reveals seven key takeaways that financial institutions need to act upon.

  1. A Security Culture Needs to Be Created and Cultivated

    Throughout the booklet, institutions are reminded that, “Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value.” The update also emphasizes that a deeply embedded security culture is a crucial factor in successfully providing that protection. In 2006, culture was only briefly mentioned. Now, however, the idea of a security culture is explicitly addressed, holding management responsible for “establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.”

    What does this look like per the FFIEC?

    • “Management and employees are committed to integrating the program into the institution’s lines of business, support functions and third-party management program.”
    • The institution carefully considers information security before implementing any new product, process or system and carries that through the life cycle of the same.
    • Everyone is “held accountable for complying with the institution’s information security program.”

    Biggest Cost Implication: Time. Use existing communication programs to minimize your financial cost.

  2. The CISO Must Be Qualified and Empowered

    Part and parcel of creating a security culture is placing the right person in charge of information security. The FFIEC states that, “Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” A chief information security officer (CISO) must possess a wide range of skills. According to the IBM blog, Security Intelligence, this includes the ability to communicate effectively with all levels, to firmly grasp the institution’s big picture as well as the nitty-gritty technical details, and to gain an in-depth understanding of the organization’s products and services. In other words, the blog notes, the CISO must “be equal parts security and marketing professional.”

    What does this look like per the FFIEC?

    • The CISO “should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training and independence …”
    • An “appropriate segregation of duties,” which means “the information security officers should be independent of the IT operations staff and should not report to IT operations management.”
    • The CISO may have an internal team carry out the information security program or utilize managed services from a third-party service provider.

    Biggest Cost Implication: Salary dollars and mindset change. Just having “some” technical expertise is no longer enough. 

  3. Board Responsibility Goes Well Beyond Rubber-Stamping

    “The buck stops with the board” has been a common theme in regulatory compliance over the last decade. This update not only reinforces that message but expands it considerably, making clear that the board bears ultimate responsibility for information security. This includes gaining a firm, and relatively in-depth, grasp of the topic and providing adequate funding for the program. Gone are the days of rubber-stamping a line item in the budget for information security. The FFIEC indicates “the board should reasonably understand the business case for information security and the business implications of information security risks.” In this regard, it is helpful if at least one board member has experience with information security, including cybersecurity, and can speak intelligently about both to help educate the other board members.

    What does this look like per the FFIEC?

    • Board and senior management are clear in “defining and communicating information security responsibility and accountability throughout the institution.”
    • Appropriate human and financial resources are allocated to the program by the board.
    • “Management should be able to identify and characterize the threats, assess the risks, make decisions regarding the implementation of appropriate controls and provide appropriate monitoring and reporting.”

    Biggest cost implication: Commitment. That commitment, however, is vital and must be ongoing.

  4. Use of a Cybersecurity Framework Is Expected

    Given the amount of business conducted online and data stored in the cloud, cybersecurity is quickly becoming an ever-larger subset of information security. The FFIEC is clear that tackling this aspect of information security requires a cybersecurity framework. Even though use of the FFIEC Cybersecurity Assessment Tool (CAT) is voluntary, implementing a framework is not. The revised booklet notes that “institution management can select a single framework or use a combination of resources to help identify its risks and determine its cybersecurity preparedness.” Rest assured that regulators will expect to find a cybersecurity framework in place when conducting examinations.

    What does this look like per the FFIEC?

    • Use of the FFIEC’s CAT; the NIST Cybersecurity Framework; the US-CERT cybersecurity self-assessment; a third-party provided framework, such as CSI’s Cybersecurity Risk Assessment; or a combination of these.
    • The framework helps “management identify a cybersecurity and resilience posture that is commensurate with the institution’s risk and complexity.”

    Biggest cost implication: Time, commitment and, depending on the program’s maturity level, dollars. Although the FFIEC, NIST and US-CERT frameworks are free, an assessment could still end up costing you if it is not conducted by someone with the appropriate level of expertise. The upfront cost of hiring experts to complete the assessment will pay dividends in the end.

  5. Explicitly Defined Security Principles Must Be Incorporated into the Information Security Program

    This update delves much deeper into security principles. While awareness is the culture change for the general employee population, this is the culture change for the technical and security staff. They need to review the following sections of the booklet and ensure that the practices identified for these principles are embedded in your institution’s information security program.

    What does this look like per the FFIEC?

    • Change control (Pages 21–22): “The institution should have an effective process to introduce application and system changes, including hardware, software and network devices, into the IT environment.”
    • End-of-life management (Page 25): “Management should plan for a system’s life cycle, eventual end of life, and any corresponding security and business impacts.” Think hardware, software, third-party supported systems and unsupported legacy systems.
    • Application security (Pages 38–40): “The institution should ensure that all applications are securely developed.”
    • Log management (Pages 44–45): “Management should have effective log retention policies that address the significance of maintaining logs for incident response and analysis needs.”

    Biggest cost implication: Time, commitment and, depending on the program’s maturity level, dollars.

  6. Threat and Incident Identification and Assessment Must Be Robust

    The FFIEC views threat and incident identification and assessment as vital to information security. “To be effective, an information security program should have documented processes to identify threats and vulnerabilities continuously.” The FFIEC concludes in this revision that such robust tactics yield cyber resilience: the state in which an institution can quickly detect and assess threats, effectively mitigate or thwart them, and seamlessly maintain or return to normal business operations.

    What does this look like per the FFIEC?

    • “A grouping of threats,” both internal and external, is identified during the risk assessment.
    • “Management should develop procedures for obtaining, monitoring, assessing and responding to evolving threat and vulnerability information.”

    Biggest cost implication: Time, commitment and, depending on the program’s maturity level, dollars.

  7. More Mature Measurement of Program Effectiveness Is Anticipated

    The final, biggest takeaway from this revision: it is not enough to simply have an information security program; you have to show that it is effective. If your measurement indicates that it is not effective, you must be able to show what you are doing to correct that. Or as the FFIEC puts it, “A mature and effective information security program uses metrics to improve the program’s effectiveness and efficiency.”

    What does this look like per the FFIEC?

    • “Management should develop metrics that demonstrate the extent to which the security program is implemented and whether the program is effective.”
    • “The measurement of security characteristics can allow management to increase control and drive improvements to the security process.”

    Biggest cost implication: Time, commitment and, depending on the program’s maturity level, dollars.

Information Security Is a Business Risk, Not Just an IT Risk

Every member of your institution’s board and senior management, down to every front-line and back-office employee, must understand the significance of today’s cyber threats and play a part in defending your institution’s security posture, which is a significant aspect of its overall business health. Use this analysis of the FFIEC Information Security Booklet update to help build your institution’s defenses and to determine the regulatory requirements your information security efforts must meet.


Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.