The FDIC IT Officer’s Questionnaire
On December 4, 2007, the FDIC issued a new IT Officer's Questionnaire that must be completed by banks prior to their next on-site IT examination. Containing questions that address a bank's IT function, the IT Officer's Questionnaire provides the examiner with insight into a bank's IT operations, information security program and IT governance processes. A bank's responses help its examiner determine the scope of the examination and, in some cases, are used to assess the quality and content of the bank's IT operations, information security and IT governance programs. Because of the thoroughness of the questionnaire and the requirement that a bank officer sign it, it is expected to significantly increase the level of preparation needed prior to an examination.
(See the SecureWorks webcast discussing the IT Officer's Questionnaire)
SecureWorks offers a broad and deep assortment of services to help banks manage risk and prepare for examination. With over 2,000 clients, including many banks regulated by the FDIC, SecureWorks has tremendous experience helping banks address their security and compliance needs. Our certified experts work extensively with banks of all sizes, providing security services tailored to their needs.
Services provided by SecureWorks range from helping banks gather information and provide accurate responses, to fulfilling the control requirements referenced in the IT Officer's Questionnaire. Below is a detailed mapping of how SecureWorks helps banks address the requirements of the IT Officer's Questionnaire.
- Part 1 – Risk Assessment
- Part 2 – Operations Security and Risk Management
- Part 3 – Audit/Independent Review Program
- Part 4 – Disaster Recovery and Business Continuity Management
- Part 5 – Vendor Management and Service Provider Oversight
Part 1 – Risk Assessment
Key Requirements
This section of the IT Officer's Questionnaire is intended to help your examiner assess your risk management practices, including the extent to which you have acted upon the results of any recent risk assessments.
Summarized, this section asks:
- Does your information security program include a comprehensive risk assessment in accordance with FDIC regulations and FFIEC guidance?
- What steps have you taken to address the risks identified in the assessment?
- Is your risk assessment program approved by your Board of Directors and have they reviewed and accepted a report of findings?
How SecureWorks Can Help
SecureWorks can perform comprehensive risk assessments covering all aspects recommended by the FDIC, from high-level policy review to detailed analysis of threats and vulnerabilities. We can also supplement your risk assessment program in areas not covered by your internal efforts with customized services that are aligned with regulatory guidance.
Should your bank not have a formal IT risk assessment process, or if yours has not been updated recently, SecureWorks can also work with you to develop, implement and execute a formal IT risk assessment process that is aligned with FDIC expectations. Our security and compliance experts will help you develop a tailored process that meets your business needs and fulfills FDIC requirements.
Part 2 – Operations Security and Risk Management
Key Requirements
With questions regarding specific policy, process and technical controls for the systems deployed in your IT environment, this section of the Questionnaire is intended to give your examiner insight into how you manage risk to your organization.
Summarized, this section asks:
- Do you have written policies, procedures and guidelines for securing, maintaining and monitoring the systems in your IT environment?
- What technical controls do you have in place to protect customer information?
- Do you have procedures in place to manage risk introduced by changes to your environment?
- How do you detect, prevent and respond to intrusions?
- How are you managing risk associated with your employees’ use of IT systems?
- What controls are in place to manage risk when acquiring and deploying new technology?
How SecureWorks Can Help
Leveraging our deep understanding of IT compliance and risk management in the banking industry, our experts can work with you to develop and implement controls that meet FDIC requirements for securing, maintaining and monitoring your IT systems. Our Managed Security Services provide robust technical controls that fulfill many of the requirements described in this section, including:
- Encryption of customer information
- Monitoring of logs across all applicable systems
- Detecting, preventing and responding to security incidents
SecureWorks can provide Professional Services to help you develop and implement sound policies and procedures to address the FDIC's Operations Security and Risk Management questions. Our security and compliance experts can also assess your controls and provide detailed recommendations to better manage risk and comply with FDIC requirements.
Part 3 – Audit/Independent Review Program
Key Requirements
This section helps your examiner to assess how you monitor operations and compliance with your information security program.
Summarized, this section asks:
- What audits/independent reviews have been recently performed at your bank?
- How comprehensive were the audits with regard to FDIC guidance?
- How did you use the audit results in your information security program?
How SecureWorks Can Help
As an unbiased third party, SecureWorks can perform independent audits and reviews of your information security program. Our professionals are highly skilled in both audit and technical review, and we offer a full array of security and compliance services ranging from high-level policy and procedure review to in-depth technical security assessment. Because we perform hundreds of engagements for financial institutions in the U.S., we have up-to-date field data on FDIC expectations and can tailor our services to ensure proper audit coverage for your organization.
SecureWorks can also review your procedures for acting on audit findings and tracking progress in your information security program.
Part 4 – Disaster Recovery and Business Continuity Management
Key Requirements
The questions in this section assist your examiner in determining how prepared your bank is to respond to and recover from a disaster.
Summarized, this section asks:
- How comprehensive are your disaster recovery and business continuity plans?
- Are you able to adequately recover from a disaster?
How SecureWorks Can Help
SecureWorks can work with you to align your disaster recovery and business continuity plans with your risk management program and FFIEC guidance. Our experts can evaluate your plans and help you design and implement measures to ensure an acceptable level of business continuity and the confidentiality, integrity and availability of your business assets should disaster strike.
Part 5 – Vendor Management and Service Provider Oversight
Key Requirements
This section helps your examiner to evaluate the controls you have in place to manage the risk introduced by relying on outside firms for technology-related products and services.
Summarized, this section asks:
- What risks do service providers and other outside firms pose to your bank?
- Do you require them to have adequate measures in place to mitigate those risks?
- What due diligence does your bank exercise in monitoring its service providers to confirm and validate their risk mitigation efforts?
How SecureWorks Can Help
SecureWorks can review your vendor management policies and procedures to assess their effectiveness and compliance with FFIEC guidelines. As a security services provider, we understand the risks associated with outsourcing technology processes. Our experts can identify the risks introduced by outside firms and help you address those risks through appropriate vendor management controls.
Additional Resources:
- FIL-105-2007: Information Technology – Risk Management Program Revised IT Officer’s Questionnaire
- FDIC IT Officer’s Questionnaire
- SecureWorks Webcast Archive, "Regulators Raise the Bar: Latest FILs and Rules"
- IT Security Officer’s Q&A Session Part 1
- IT Security Officer’s Q&A Session Part 2