



Nearly one year after releasing an updated IT Management Booklet (November 10, 2015), the FFIEC has updated its cornerstone handbook, the Information Security (IS) Booklet. While the IT Management Booklet provides guidance around IT Operations management and oversight, with a focus towards top-down management, the IS Booklet is geared toward the meat-and-potatoes of the Information Security Program and Risk Management processes.

According to the FFIEC, the new IS Booklet updates include “the removal of redundant management material and a refocus on IT risk management and an update of information security processes. The revision reflects changes in the industry, it streamlined and reordered information security concepts throughout the booklet. The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework where appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and assurance processes.”

Key observations include:
  • Reinforced accountability for information security
  • ISO independence from IT operations
  • Leveraging industry data for risk management
  • Focus on third-party risk management
  • ISP built from risk management process
  • Continuous monitoring and auditing of ISP components
  • New section - Security Operations; addresses incident response


The new IS Booklet is broken down into four (4) major components, including a number of subsections:

1. Governance of the Information Security Program
     a. Security Culture
     b. Responsibility and Accountability
     c. Resources


2. Information Security Program Management
     a. Risk Identification
     b. Risk Measurement
     c. Risk Mitigation
     d. Risk Monitoring and Reporting


3. Security Operations
     a. Threat Identification and Assessment
     b. Threat Monitoring
     c. Incident Identification and Assessment
     d. Incident Response


4. Information Security Program Effectiveness
     a. Assurance and Testing


As with all FFIEC IT Examination Handbooks, this updated IS Booklet also contains Examination Procedures in Appendix A, which give financial institutions insight into how they can expect to be examined.

As the FFIEC states, this new update takes the same language and components that you may already be familiar with from the Cybersecurity Assessment Tool (CAT) and the IT Management Booklet. The IS Booklet focuses on a top-down management approach, a strong Risk Management process, Incident Response, and continuous testing and monitoring.

Figure 1: Information Security Plan Management


Written by: Jon Waldman, CRISC, CISA
Co-founder and Senior Information Security Consultant - SBS



Posted: Friday, September 9, 2016