Technology Matters
IT Examination Procedures Get An Overhaul
In late 2005, a new program for conducting IT examinations, the Information Technology Risk Management Program (IT-RMP), was implemented. Unless you have been locked up in the server room for several months, you have probably heard of IT-RMP by now: there have been numerous seminars, conference calls, webinars and Internet publications on the subject. The new procedures apply to all banks, regardless of their size, complexity or prior examination rating. The focus of the new procedures is on the financial institution's information security program and risk-management practices. These risk-management practices include the following:
Risk assessment;
Operations security and risk management;
Audit and independent review;
Disaster recovery and business continuity; and
Compliance with federal regulations that make GLBA guidelines applicable to banks.
Key features of the new procedures are:
IT Examination Officer's Questionnaire
The new IT Examination Officer's Questionnaire is an important aspect of the IT-RMP examination program. This document covers the five risk-management practice areas listed above and will be used by the examiner in both pre-examination and on-site examination procedures. The questionnaire must be completed by an officer of the financial institution and returned to the examiner-in-charge prior to the on-site portion of the examination. IT officers are encouraged to review the questionnaire well in advance of their next examination.
Flexible Use of Work Programs
The IT-RMP risk-management work program, which is aligned with the categories in the Questionnaire, is the standard work program used by examiners. Examiners have the flexibility to customize on-site activities using a variety of topic-based work programs. These additional work programs are available for identified problem areas or for more complex IT environments.
Pre-examination Request List
The IT Examination Officer's Questionnaire is the only mandatory pre-examination documentation requirement. Depending on the IT environment, examiners may request additional information to facilitate the on-site examination.
IT Rating Guidelines
A single composite IT rating will be assigned to the institution. Ratings will no longer be assigned to the individual component areas.
The growth of, and reliance on, information technology (IT) requires a thorough assessment of the risks inherent in such activities. The new examination procedures reflect the regulatory expectation that management recognize and address the risks and challenges posed by the use of technology. Examiner focus has shifted from detailed technical and control reviews to an assessment of whether management has established effective risk-management and audit practices. This top-down approach places considerable emphasis on the management of risk and on the assurance provided by audit or independent review. What does this mean for you? If your institution has not developed an internal or external IT audit program, a risk assessment, and an information security program, you could be facing a problem rating at your next examination. It is not too late to get started. You are selling security to your customers; security is a cost of doing business today.
If you have any questions about the new IT Examination Process or how state examiners will be utilizing the procedures, please contact Glen Caspers at (785) 296-2266.