
FFIEC IT Examination Handbook: what your examiners actually use

The FFIEC IT Examination Handbook is the set of booklets examiners bring to every IT examination. BlackSheep organizes its expectations into five domains: information security, authentication and access, business continuity, architecture and infrastructure, and third-party risk. If your institution is federally supervised, these are the expectations you will be measured against. BlackSheep maps every control so you are ready before examiners arrive.

$249/month · All frameworks included · No credit card to start

20 controls · 5 booklets · NIST CSF assessment framework · Rolling updates

Five booklets that define IT examination expectations

BlackSheep organizes the handbook's IT risk management expectations into five booklet-aligned domains. Each domain corresponds to a handbook booklet or FFIEC guidance document containing detailed examination procedures and expectations, and each is broken down into the controls listed below.

Information Security

Booklet 1 · 5 controls

  • Information security program management
  • Threat identification and risk assessment
  • Security controls implementation
  • Security monitoring and incident response
  • Cybersecurity resilience and recovery

Authentication & Access

Booklet 2 · 4 controls

  • Authentication program management
  • Multi-factor and layered authentication
  • Access rights administration and review
  • Privileged access management

Business Continuity Management

Booklet 3 · 4 controls

  • Business impact analysis and planning
  • Resilience and recovery strategies
  • Testing and exercises across scenarios
  • Third-party continuity considerations

Architecture, Infrastructure & Operations

Booklet 4 · 4 controls

  • IT architecture and governance
  • Infrastructure management and cloud computing
  • Operations and change management
  • Data management and data governance

External Dependency Management

Booklet 5 · 3 controls

  • Third-party risk management lifecycle
  • Due diligence and contract management
  • Ongoing monitoring and oversight

Does the FFIEC IT Handbook apply to your organization?

Banks

All federally supervised banks, savings associations, and bank holding companies examined by the OCC, FDIC, or Federal Reserve. IT examinations are conducted on a regular cycle and the handbook defines the scope of those examinations.

  • National banks (OCC)
  • State nonmember banks (FDIC)
  • State member banks (Federal Reserve)
  • Savings associations
  • Bank holding companies

Credit Unions

Federally insured credit unions supervised by the NCUA. The FFIEC examination procedures apply to credit union IT examinations, with expectations scaled to institution size and complexity.

  • Federal credit unions
  • Federally insured state credit unions
  • Corporate credit unions
  • Credit union service organizations

Technology Service Providers

Significant technology service providers are examined directly by the federal banking agencies under the Bank Service Company Act, with the examinations coordinated through the FFIEC's interagency TSP program. Multi-agency examination teams evaluate TSP operations, security, and resilience using the handbook as their primary reference.

  • Core banking processors
  • Cloud service providers
  • Payment network providers
  • IT managed service providers
  • Cybersecurity vendors

Common questions about FFIEC IT compliance

How do examiners assess cybersecurity maturity?

The FFIEC sunset its Cybersecurity Assessment Tool (CAT), effective August 31, 2025, and did not replace it with a new tool; instead it points institutions to the NIST Cybersecurity Framework (CSF 2.0) and to CISA's Cybersecurity Performance Goals as the recommended methodologies for assessing cybersecurity maturity. NIST CSF 2.0 evaluates practices across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Institutions should establish a Current Profile documenting existing practices and a Target Profile documenting the desired state, and use the gap between them to prioritize improvements. Examiners scale their expectations to the institution's size, complexity, and risk profile, so the Target Profile should be defensible for your institution, not copied from a larger peer.

How do examiners use the IT Examination Handbook?

Examiners use the handbook as their primary reference during IT examinations. Each booklet contains detailed examination procedures with specific questions, evidence requests, and evaluation criteria. Examiners assess whether an institution's practices meet the expectations outlined in the relevant booklets, scaled to the institution's size, complexity, and risk profile. Examination findings are documented and can result in matters requiring attention, recommendations, or formal enforcement actions.

What is the relationship between the FFIEC Handbook and GLBA?

The GLBA Interagency Guidelines establish the legal requirement for financial institutions to maintain written information security programs. The FFIEC IT Examination Handbook provides the detailed procedures and expectations that examiners use to evaluate whether those programs are adequate. Think of GLBA as the legal mandate and the FFIEC Handbook as the examination playbook examiners use to verify compliance.

What are the FFIEC expectations for cloud computing?

The FFIEC addresses cloud computing primarily through the Architecture, Infrastructure, and Operations booklet and the 2020 FFIEC joint statement "Security in a Cloud Computing Environment." Institutions are expected to perform thorough due diligence on cloud service providers, secure contractual protections including audit rights and incident notification, understand data location and sovereignty implications, document the shared-responsibility split so that controls the provider does not cover are implemented by the institution, verify that the resulting controls meet or exceed on-premises standards, and plan for concentration risk and vendor lock-in.

How does the FFIEC examine technology service providers?

The federal banking agencies conduct direct, multi-agency examinations of significant technology service providers under the Bank Service Company Act, coordinated through the FFIEC. These examinations evaluate the TSP's operations, security posture, resilience capabilities, and risk management practices. Reports of examination are made available to the TSP's supervised client institutions. Institutions are expected to obtain and review these reports, understand findings relevant to their operations, and confirm that the TSP takes appropriate corrective action.

Know what examiners expect before they walk in

Track every FFIEC booklet requirement, prepare for NIST CSF-based assessments, and maintain examination-ready evidence across all domains. BlackSheep maps the full IT Examination Handbook so nothing catches you off guard.

$249/month. 30-day money-back guarantee.