Information Technology Risk Management Program (IT-RMP) Examination Procedures: How to Satisfy Regulatory Demands
Register for this updated webinar to receive:
- A heads-up on key examination issues
- Review of the IT Risk Management Program Examination Process
- Overview of IT Examination Officer's Questionnaire
- What to expect, and how to respond
Banking regulatory agencies regularly examine banking practices -- including Information Technology -- at the institutions they oversee. In this presentation, you will hear about the basic tenets behind the Information Technology (IT) examinations conducted by the Federal Deposit Insurance Corporation (FDIC) using the Information Technology Risk Management Program (IT-RMP).
Among the key elements examiners are focusing on:
- Vendor management and outsourcing topics;
- An institution's overall information security program.
An important component of the IT-RMP framework is the IT Examination Officer's Questionnaire, which was updated in Dec. 2007. This questionnaire must be completed and signed by an officer of the institution and returned to the FDIC examiner-in-charge prior to onsite activities.
During this presentation, we will address the amendments to this Officer's Questionnaire, then how the preliminary information gathered via the questionnaire is applied: i) in choosing appropriate work programs suitable for the institution being examined, and ii) in identifying the examiner IT skill and experience necessary for conducting each exam. This presentation will prepare attendees to respond to the pre-examination IT Questionnaire in the most appropriate and accurate manner.
Based on the preliminary information provided by an institution on the technology in use and the applicable practices, together with the information available from previous examinations, bank examiners develop an initial scope for each IT exam. However, examiners have considerable discretion to expand or contract the scope once onsite, and to utilize any agency-specific or FFIEC-approved work program targeting specific technologies or functions (wire transfer systems, ACH, etc.).
During the course of this presentation, attendees will gain an understanding of how the regulatory examinations are based on the concepts and guidance provided by the regulatory agencies, on the information provided in the FFIEC IT Examination Handbook, and on industry best practices.