The Federal Financial Institutions Examination Council (FFIEC) recently issued a revised Information Security booklet, updating the council's Information Technology Examination Handbook. The update addresses how to:
- Assess the level of security risks facing a financial institution's information systems
- Assess the status of an information security program's integration into the institution's overall risk management program
- Effectively identify, monitor and respond to cyber threats and incidents
According to the FFIEC, information security is a "process" that institutions have to follow. More specifically, institutions have to protect how their sensitive information is:
Information security also requires having the appropriate hardware and infrastructure to store and transmit the information.
To comply with the FFIEC's guidance, institutions need to have a plan in place to demonstrate that they can effectively manage the confidentiality, integrity, and availability of sensitive information. Serious violations could result in a consent order since the regulators consider weaknesses to be a safety and soundness issue.
Management's plan has to address the risk of malicious and non-malicious actions that could adversely impact earnings, capital, or enterprise value. Of concern to the regulators is the potential for:
- Disclosing sensitive information to unauthorized individuals
- Increased exposure to misappropriation or theft of information or services
- Attacks that could degrade services or even render them unavailable
- Unchecked modification or destruction of systems or information
- Records that are not timely, accurate, complete, or consistent
Information security has become a mission critical obligation for financial institutions. Internal audit, as well as managers that are responsible for implementing security measures, need to conduct periodic audits to ensure compliance with FFIEC guidance.
WHAT YOU'LL LEARN
During this important webinar, our speaker will discuss conducting audit procedures related to:
- Assessing the adequacy of board and senior management support
- Evaluating the integration of security activities and controls throughout the institution's business processes
- Assessing the adequacy of accountability for carrying out security responsibilities
- Determining the adequacy of cybersecurity measures
- Evaluating the effectiveness of security controls
- Evaluating the institution's ability to react appropriately to mitigate threats as technologies and business conditions evolve
- Evaluating the enterprise risk management approach for integrating processes, people, and technology to maintain a risk profile consistent with the board's risk appetite
- Determining the effectiveness of oversight and controls related to outsourced IT security functions
YOUR CONFERENCE LEADER
Your conference leader for "Conducting a Risk-based Audit of IT Security: Complying with FFIEC Guidance" is Gary Deutsch, founder and president of BRT Publications LLC. Mr. Deutsch is a licensed CPA in Maryland and has a B.A. in accounting and an MBA in finance from Loyola University Maryland. He has also achieved the Certified Management Accountant, Certified Internal Auditor and Certified Bank Auditor designations. Mr. Deutsch has trained thousands of financial institution professionals in all aspects of risk management and has written numerous books in the U.S. and Europe on topics such as credit risk, internal audit and compliance with Generally Accepted Accounting Principles. Mr. Deutsch has extensive risk management and internal audit experience through his association with financial institutions of all sizes as well as through his role leading the KPMG financial institution consulting practice in the Mid-Atlantic region.