What's New: Link to a feed containing any updates to the FFIEC IT Handbook InfoBase (e.g., booklets, appendices, and joint statements)
Glossary: Definitions of terms found in or relating to IT booklet concepts
Laws, Regulations, & Guidance: Link to the regulatory resources by IT booklet and further sorted by regulatory agency
References: This page contains topical materials that supplement booklet content and are for informational purposes
FFIEC IT BOOKLETS
Access all the resources associated with the individual handbooks
Table of Contents
Audit
- Introduction
- IT Audit Roles and Responsibilities
- Independence and Staffing of Internal IT Audit
- Internal Audit Program
- Risk Assessment and Risk-Based Auditing
- Audit Participation in Application Development, Acquisition, Conversions, and Testing
- Outsourcing Internal IT Audit
- Third-Party Reviews of Technology Service Providers
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Laws, Regulations, and Guidance
Table of Contents
Business Continuity Management
- Introduction
- I Business Continuity Management
- II Business Continuity Management Governance
- III Risk Management
- IV Business Continuity Strategies
- V Business Continuity Plan
- VI Training
- VII Exercises and Tests
  - VII.A Exercise and Test Program
  - VII.B Exercise and Test Policy
  - VII.C Exercise and Test Strategies
  - VII.D Exercise and Test Objectives
  - VII.E Exercise and Test Plans
  - VII.F Exercise and Test Scenarios
  - VII.G Exercise and Test Methods
  - VII.H Industry Exercises and Resilience
  - VII.I Third-Party Service Provider Testing
  - VII.J Testing for Core and Significant Firms
  - VII.K Post-Exercise and Post-Test Actions
- VIII Maintenance and Improvement
- IX Board Reporting
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Abbreviations
- Appendix D: References
Table of Contents
Development and Acquisition
- Introduction
- Project Management
- Development Procedures
- Acquisition
  - Acquisition Standards
  - Acquisition Project Guidance
  - Escrowed Documentation
- Software Development Contracts and Licensing Agreements
  - Overview
  - Software Licenses - General
  - Software Licenses and Copyright Violations
  - Software Development Specifications and Performance Standards
  - Documentation, Modification, Updates, and Conversion
  - Bankruptcy
  - Regulatory Requirements
  - Payments
  - Representations and Warranties
  - Dispute Resolution
  - Agreement Modifications
  - Vendor Liability Limitations
  - Security
  - Subcontracting and Multiple Vendor Relationships
  - Restrictions on Adverse Comments
  - Maintenance
- Appendix A: Examination Procedures
- Appendix B: Glossary
Table of Contents
Information Security
- Introduction
- I Governance of the Information Security Program
- II Information Security Program Management
  - II.A Risk Identification
  - II.B Risk Measurement
  - II.C Risk Mitigation
    - II.C.1 Policies, Standards, and Procedures
    - II.C.2 Technology Design
    - II.C.3 Control Types
    - II.C.4 Control Implementation
    - II.C.5 Inventory and Classification of Assets
    - II.C.6 Mitigating Interconnectivity Risk
    - II.C.7 User Security Controls
    - II.C.8 Physical Security
    - II.C.9 Network Controls
    - II.C.10 Change Management Within the IT Environment
    - II.C.11 End-of-Life Management
    - II.C.12 Malware Mitigation
    - II.C.13 Control of Information
    - II.C.14 Supply Chain
    - II.C.15 Logical Security
    - II.C.16 Customer Remote Access to Financial Services
    - II.C.17 Application Security
    - II.C.18 Database Security
    - II.C.19 Encryption
    - II.C.20 Oversight of Third-Party Service Providers
    - II.C.21 Business Continuity Considerations
    - II.C.22 Log Management
  - II.D Risk Monitoring and Reporting
- III Security Operations
- IV Information Security Program Effectiveness
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Laws, Regulations, and Guidance
Table of Contents
Management
- Introduction
- I Governance
- II Risk Management
- III IT Risk Management
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: References
Table of Contents
Architecture, Infrastructure, and Operations
- Introduction
- I Architecture, Infrastructure, and Operations
- II Architecture, Infrastructure, and Operations Governance
- III Common AIO Risk Management Topics
- IV Architecture
- V Infrastructure
- VI Operations
- VII Evolving Technologies
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Abbreviations
- Appendix D: References
Table of Contents
Outsourcing Technology Services
- Introduction
- Board and Management Responsibilities
- Risk Management
- Related Topics
- Appendix A: Examination Procedures
- Appendix B: Laws, Regulations, and Guidance
- Appendix C: Foreign-Based Third-Party Service Providers
- Appendix D: Managed Security Service Providers
Table of Contents
Retail Payment Systems
- Introduction
- Retail Payment Systems Overview
- Payment Instruments, Clearing, and Settlement
- Retail Payment Systems Risk Management
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Schematic of Retail Payments Access Channels & Payments Method
- Appendix D: Laws, Regulations, and Guidance
- Appendix E: Mobile Financial Services
Table of Contents
Wholesale Payment Systems
- Introduction
- Interbank Payment and Messaging Systems
- Securities Settlement Systems
- Intrabank Payment and Messaging Systems
- Wholesale Payment Systems Risk Management
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Laws, Regulations and Guidance
- Appendix D: Legal Framework for Interbank Payment Systems
- Appendix E: Federal Reserve Board Payment System Risk Policy: Daylight Overdrafts
- Appendix F: Payment System Resiliency
Audit
Guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function
Business Continuity Management
Guidance to examiners on the principles of BCM and approaches of business continuity planning and resilience; and examination procedures to help determine the effectiveness of business continuity and resilience
Development and Acquisition
Guidance to examiners to determine whether an institution effectively identifies and controls development and acquisition risks
Information Security
Guidance to examiners on factors to assess information security risks and procedures to evaluate the adequacy of the information security program
Management
Guidance to examiners outlining the principles of overall governance and IT governance, and providing examination procedures to evaluate IT governance and processes for ITRM
Architecture, Infrastructure, and Operations
Guidance to examiners on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services and value for customers
Outsourcing Technology Services
Guidance and examination procedures for examiners to evaluate the risk management processes used to establish, manage, and monitor third-party service provider relationships
Retail Payment Systems
Guidance to examiners on identifying and controlling risks associated with retail payment systems and related banking activities
Supervision of Technology Service Providers
Outlines the Agencies' risk-based supervisory program and includes the examination ratings used for regulated financial institutions and their third-party service providers
Wholesale Payment Systems
Guidance to examiners on the risks and risk management practices when originating and transmitting large-value payments
HOW TO USE THE IT EXAMINATION HANDBOOK INFOBASE
The IT Examination Handbook InfoBase Home page (this screen) provides users with access to everything in one place. At the top of the screen, across the banner from left to right, users can get to the FFIEC InfoBase Home Page, the IT booklets, IT workprograms, Glossary, and the FFIEC Home Page. By hovering over the IT booklets link in the banner, users can select the booklet they want to see, including a page of archived IT booklets. Users can scroll down past the introduction of the InfoBase to opt in to receive e-mail or RSS feed updates when changes are made to the InfoBase. Lower in the page, the user can access several pages under solid circles, including What's New, Glossary, Laws, Regulations, & Guidance, and References. Finally, the IT booklets are laid out on the screen with a description of each, and the user can select the preferred view: the Table of Contents, the Online View of the booklet, a Download of the booklet, or a Download of the workprogram. At the bottom of the screen, the user can link to a page containing all of the booklets and workprograms available for single or bulk download.