
FDIC IT Exam - IT Officer’s Questionnaire

January 30, 2008

Background

On December 7, 2007, the FDIC announced that it had updated the IT examination procedures for FDIC-supervised institutions (FIL-105-2007).

As part of this update, the IT Officer’s questionnaire was updated and will be used to determine the IT examination scope. The questionnaire includes 58 questions covering the following parts:

  1. Risk Assessment
  2. Operations Security and Risk Management
  3. Audit/Independent Review Program
  4. Disaster Recovery and Business Continuity Management
  5. Vendor Management and Service Provider Oversight

The IT Officer’s questionnaire requires an executive officer’s signature attesting to the accuracy and completeness of the information provided, and providing false information carries stiff penalties, including fines or imprisonment.

Highlights

Below is a summary of the updates to the FDIC IT Officer’s Questionnaire:

1. References to regulation – The questionnaire cites the applicable regulation or guidance for each question, making it convenient to obtain additional information. Below is an example:

“Do you have a written information security program designed to manage and control risk (Y/N)?” Part 2-a

[FDIC Rules and Regulations Part 364, Appendix B, Section II(A) and Section III(C)(1)]

2. Vendor Management – Service Provider Oversight – This section was added to the questionnaire to reflect institutions’ potential reliance on outside firms for technology-related products and services. It asks questions about key vendors covering:

  • Due Diligence
  • Contractual Obligations, Terms and Conditions
  • Domestic v. Foreign Providers
  • Security Controls
  • Compliance with Interagency Guidelines
  • Reporting of Relationships to FDIC

3. Payment Systems Risk – New questions were added to assess how the bank manages the risks associated with acting as an Originating Depository Financial Institution (ODFI) for ACH transactions, wire transfer, credit card merchant processing and remote deposit capture.

4. Interagency Guidelines for Establishing Information Security Standards – A reference document that maps the applicable questionnaire items to the requirements under FDIC Rules and Regulations Part 364, Appendix B is included to serve as a guide for conducting self-assessments.

You can download the entire IT Officer's Questionnaire at: http://www.fdic.gov/news/news/financial/2007/fil07105a.pdf

How Assurity River Group Can Help

Assurity River Group can work with you to prepare for the IT Exam and develop a strategy for addressing deficiencies. Our IT exam preparation service includes a consultation that walks through each of the examination areas and a “gap assessment” that includes:

  • Top 10 deficiencies report
  • Scorecard for each of the 5 areas
  • Recommended roadmap for corrective action

This preparation service is reasonably priced and will give you the confidence you need going into the exam.

Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.