The Federal Financial Institutions Examination Council (FFIEC) has revised the “Information Security” booklet of the FFIEC Information Technology Examination Handbook (IT Handbook).
The IT Handbook consists of 11 booklets, of which the “Information Security” booklet is one. The revisions to the booklet provide guidance that assists examiners in evaluating how well an information security program is integrated into overall risk management, and they address the factors necessary to assess the level of security risk associated with information systems.
Additionally, the “Information Security” booklet discusses the management of the information security program including security program management and the following phases of the life cycle of information security risk management:
- Risk identification
- Risk measurement
- Risk mitigation
- Risk monitoring and reporting
Finally, the booklet provides an overview of information security operations, including the need for effective threat identification, assessment, and monitoring, and it discusses effective incident identification, assessment, and response.