ithandbook.ffiec.govFFIEC IT Examination Handbook InfoBase - Home

IT Booklets Audit Introduction IT Audit Roles and Responsibilities Independence and Staffing of Internal IT Audit Internal Audit Program Risk Assessment and Risk-Based Auditing Audit Participation in Application Development, Acquisition, Conversions, and Testing Outsourcing Internal IT Audit Third-Party Reviews of Technology Service Providers Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Laws, Regulations, and Guidance Business Continuity Management Introduction I Business Continuity Management II Business Continuity Management Governance III Risk Management IV Business Continuity Strategies V Business Continuity Plan VI Training VII Exercises and Tests VIII Maintenance and Improvement IX Board Reporting Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Abbreviations Appendix D: References Development and Acquisition Introduction Project Management Development Procedures Acquisition Maintenance Appendix A: Examination Procedures Appendix B: Glossary Information Security Introduction I Governance of the Information Security Program II Information Security Program Management III Security Operations IV Information Security Program Effectiveness Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Laws, Regulations, and Guidance Management Introduction I Governance II Risk Management III IT Risk Management Appendix A: Examination Procedures Appendix B: Glossary Appendix C: References Architecture, Infrastructure, and Operations Introduction I Architecture, Infrastructure, and Operations II Architecture, Infrastructure, and Operations Governance III Common AIO Risk Management Topics IV Architecture V Infrastructure VI Operations VII Evolving Technologies Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Abbreviations Appendix D: References Outsourcing Technology Services Introduction Board and Management Responsibilities Risk Management Related Topics Appendix A: Examination Procedures Appendix B: Laws, Regulations, and Guidance Appendix C: Foreign-Based Third-Party Service Providers Appendix D: Managed Security Service Providers Retail Payment Systems Introduction Retail Payment Systems Overview Payment Instruments, Clearing, and Settlement Retail Payment Systems Risk Management Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Schematic of Retail Payments Access Channels & Payments Method Appendix D: Laws, Regulations, and Guidance Appendix E: Mobile Financial Services Supervision of Technology Service Providers Introduction Supervisory Policy Supervisory Programs Roles and Responsibilities Risk-Based Supervision Appendix A: URSIT Wholesale Payment Systems Introduction Interbank Payment and Messaging Systems Securities Settlement Systems Intrabank Payment and Messaging Systems Wholesale Payment Systems Risk Management Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Laws, Regulations and Guidance Appendix D: Legal Framework for Interbank Payment Systems Appendix E: Federal Reserve Board Payment System Risk Policy: Daylight Overdrafts Appendix F: Payment System Resiliency Archived Booklets IT WorkPrograms Glossary FFIEC Home Welcome to FFIEC IT Examination Handbook InfoBase Prompt delivery of introductory, reference, and educational training material on specific topics of interest to field examiners from FFIEC members. IT Booklets Audit, Business Continuity Planning, Development and Acquisition, E-Banking, Information Security, Management, Operations, Outsourcing Technology Services, Retail Payment Systems, Supervision of Technology Service Providers, and Wholesale Payment Systems. IT WorkPrograms Easy to follow procedures to help determine the quality and effectiveness of the financial institution’s IT risk management. / Sign up for FFIEC IT Handbook InfoBase Email Updates and What’s New RSS Feed What’s New Link to a feed containing any updates to the FFIEC IT Handbook InfoBase (e.g., booklets, appendices, and joint statements) Glossary Definitions of terms found in or relating to IT booklet concepts Laws, Regulations, & Guidance Link to the regulatory resources by IT booklet and further sorted by regulatory agency References This page contains topical materials that supplement booklet content and are for informational purposes FFIEC IT BOOKLETS Access all the resources associated with the individual handbooks Table of Contents Audit Introduction IT Audit Roles and Responsibilities Board of Directors and Senior Management Audit Management Internal IT Audit Staff Operating Management External Auditors Independence and Staffing of Internal IT Audit Independence Staffing Internal Audit Program Risk Assessment and Risk-Based Auditing Program Elements Risk Scoring System Audit Participation in Application Development, Acquisition, Conversions, and Testing Outsourcing Internal IT Audit Independence of the External Auditor Providing Internal Audit Services Examples of Arrangements Third-Party Reviews of Technology Service Providers Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Laws, Regulations, and Guidance Close Table of Contents Business Continuity Management Introduction I Business Continuity Management II Business Continuity Management Governance II.A Board and Senior Management Responsibilities II.B Audit III Risk Management III.A Business Impact Analysis III.A.1 Identification of Critical Business Functions III.A.2 Interdependency Analysis III.A.3 Impact of Disruption III.B Risk Assessment III.B.1 Risk Identification III.B.2 Likelihood and Impact IV Business Continuity Strategies IV.A Resilience IV.A.1 Physical IV.A.2 Cyber Resilience IV.A.3 Data Backup and Replication IV.A.4 Personnel IV.A.5 Third-Party Service Providers IV.A.6 Telecommunications IV.A.7 Power IV.A.8 Change Management IV.B Communications V Business Continuity Plan V.A Event Management V.B Continuity and Recovery V.C Facilities and Infrastructure V.C.1 Data Center Recovery Alternatives V.C.2 Branch Relocation V.D Payment Systems V.E Liquidity Considerations V.F Other Components V.F.1 Incident Response V.F.2 Disaster Recovery V.F.3 Crisis or Emergency Management VI Training VII Exercises and Tests VII.A Exercise and Test Program VII.B Exercise and Test Policy VII.C Exercise and Test Strategies VII.D Exercise and Test Objectives VII.E Exercise and Test Plans VII.F Exercise and Test Scenarios VII.G Exercise and Test Methods VII.G.1 Full-Scale Exercise VII.G.2 Limited-Scale Exercise VII.G.3 Tabletop Exercise VII.G.4 Tests VII.H Industry Exercises and Resilience VII.I Third-Party Service Provider Testing VII.J Testing for Core and Significant Firms VII.K Post-Exercise and Post-Test Actions VIII Maintenance and Improvement IX Board Reporting Appendix A: Examination Procedures Appendix B: Glossary Appendix C: Abbreviations Appendix D: References Close Table of Contents Development and Acquisition Introduction Examination Objectives Standards Accounting for Software Costs Information Security Project Management System Development Life Cycle Alternative Development Methodologies Roles and Responsibilities Project Plans Project Management Standards Project Planning Standards Configuration Management Standards Quality Assurance Standards Risk Management Standards Testing Standards Documentation Standards Project Management Tools Gantt Charts Project Evaluation Review Techniques Groupware Project Management Effectiveness Capability Maturity Model International Organization for Standardization Development Procedures Development Standards Systems Development Life Cycle Initiation Phase Planning Phase Design Phase Development Phase Testing Phase Implementation Phase Maintenance Phase Disposal Phase Large-Scale Integrated Systems Software Development Techniques Object-Oriented Programming Computer-Aided Software Engineering Rapid Application Development Databases Database Management Systems Acquisition Acquisition Standards Acquisition Project Guidance Escrowed...