Effective July 1, 2016, the FDIC released FIL-43-2016 - Information Technology Risk Examination (InTREx). The primary focus of FIL-43-2016 is to give financial institutions insight into InTREx, the new FDIC IT examination process. You can view FIL-43-2016 - InTREx here: https://www.fdic.gov/news/news/financial/2016/fil16043a.pdf
InTREx is designed to be a more efficient, risk-based approach to IT examinations that ensures IT and cybersecurity risks are properly identified and addressed by bank management. InTREx is based on the same framework we have become used to seeing in the Cybersecurity Assessment Tool (CAT): an “Information Technology Profile” (similar to the Inherent Risk Profile in the CAT) and four (4) “Core Analysis Modules” (similar to the Cybersecurity Maturity profiles in the CAT). A couple of the main items mentioned within the FIL:
- An enhanced pre-examination process: an Information Technology Profile (ITP) questionnaire will be sent out 90 days before the examination, and the IT examination will then be risk-focused and based on the bank’s responses. 45 days before the examination, an IT request letter will be sent to the bank, tailored to the IT Profile previously completed by the bank. This IT Profile replaces the current IT Officer’s Questionnaire.
- The IT Profile utilizes 65% fewer questions than the IT Officer’s Questionnaire and is intended to provide examiners more focused insight into a bank’s IT operations.
- The onsite IT examination process will be adjusted to reflect the InTREx process. The InTREx examination process will then be based on the IT Profile, allowing a more "expanded" process for higher IT profiles. This includes the four (4) Core Analysis Modules.
- The Information Technology Profile includes 26 questions that cover 6 categories:
  - Core Processing (4 questions)
  - Network (6 questions)
  - Online Banking (4 questions)
  - Development and Programming (1 question)
  - Software and Services (2 questions)
  - Other (9 questions)
- The Core Analysis Modules cover 4 major categories, as well as 2 summary sections and 2 “expanded analysis” sections:
  - Development and Acquisition
  - Support and Delivery
  - Information Security Standards (summary)
  - Cybersecurity (summary)
  - Expanded Analysis (Management, Support, and Delivery)
If you take a look at the new InTREx exam procedures, you will notice a distinct similarity to the old process in terms of items covered, so do not expect any lessened requirements. Additional items have been included to cover cybersecurity, and you will also notice the continued emphasis on Board and Senior Management involvement throughout the process.
Written by: Cole Ponto, Information Security Consultant - Secure Banking Solutions