Compliance Blog

FFIEC “Revises” Information Security Handbook; Programming Note

Written by Stephanie Lyon, Regulatory Compliance Counsel

Compliance officers are used to speaking their own language full of abbreviations and defined terms. Much to our bewilderment, the folks in Information Technology (IT) and Security do the same, which ends up making discussion between IT and Compliance sometimes incomprehensible. This blog will get you up to speed with IT lingo while highlighting the recent updates to the Federal Financial Institutions Examination Council (FFIEC) Information Security booklet. 

The Information Security booklet addresses regulatory expectations regarding the security of all information systems and information maintained by or on behalf of a financial institution. The last time the FFIEC revised its Information Security booklet was in 2006.  We reviewed the booklet and tracked the changes and revisions to the 2006 version and found that the new 2016 version is not too different from its predecessor. The defined terms in Appendix B did change extensively, which is worthy of highlighting because to understand Information Security, one most speak the language. Below are some notable terms that were deleted, added and some that were renamed.

Let’s start with the most important term: Information Security (which should not be confused with Information Technology) is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information. The potential adverse effects that can arise from improperly managing information security are:

  • Disclosure of information to authorized individuals
  • Unavailability or degradation of services
  • Misappropriation or theft of information or services
  • Modification or destruction of systems or information
  • Records that are not timely, accurate, compete, or consistent

There were over 20 terms eliminated from the 2006 Information Security booklet. Here are the top 10 we were surprised to see go:

  1. Buffer overflow
  2. Data mining
  3. Dictionary attack
  4. Full duplex
  5. Peer-to-peer (P2P)
  6. Red Team
  7. Remote deposit capture (RDC)
  8. Trusted zone
  9. Vulnerability scanning
  10. Warehouse attack

Do not feel too bad for these terms and do not try to unlearn them as most of the eliminated terms are still part of the master glossary which is made up of all the defined terms in the 11 FFIEC booklets.

Here are the top 10 new defined terms we found interesting to learn about:

  1. Homing beacons
  2. Integrity
  3. Internal “trusted” zone
  4. Middleware
  5. Non-public personal information, term from Regulation P, 12 C.F.R. § 1016.3(p)
  6. Out-of-band
  7. Personally identifiable financial information, term from Regulation P, 12 C.F.R. § 1016.3(q)
  8. Positive pay
  9. Secure shell
  10. Shadow IT

Test yourself and see if you can define these terms without looking at the glossary. For example, I thought Shadow IT was a secret ninja cadre from the geek squad, but in reality it is “a term used to describe IT systems or applications used inside institutions without explicit approval.” FFIEC’ s Information Security booklet, Appendix B. And out-of-band is not what happened to most 90s boy bands; it is instead a method of interacting with the member that is outside of the primary means of interfacing. For example, if a member is attempting to send money to a friend online for the first time, the credit union may authenticate the member through a one-time text.

Finally, here are some of the terms that were renamed or redefined:

  1. Due diligence for service provider selection
  2. End-point security (new definition)
  3. Utility program
  4. Vulnerability assessment analysis

Examiners are expected to use this revised handbook to assess the level of security risks to a credit union’s information systems and the performance of third-party service providers. The revisions implemented in this handbook are already incorporated into the FFIEC'S Cybersecurity Assessment tool. If you haven't already, make sure to read the revised and semi condensed Information Security booklet and prepare yourself to talk the same language as your examiner during your next examination.

To conclude this discussion, here is the Cookie Monster and his take on another IT term:



Programming Note. In recognition of Monday's federal holiday, NAFCU offices will close at noon today and we will be closed on Monday, October 10. We shall reopen on Tuesday and be back to blogging on Wednesday. Have a wonderful long weekend!

  • tags