IT Examiner School, Palm Springs, CA

Development and Acquisition

• Management needs to ensure all D&A activities have adequate policies and procedures
• D&A activities need to be linked to the Vendor Management Program, especially where there is “heavy” vendor reliance
• Any hardware and software changes should be appropriately reviewed, tested, and approved
• IT Projects should follow industry/FFIEC standards
• Customization should be appropriate/suitable
• They need to implement appropriate controls to detect and respond to any improper activity, e.g. Shadow IT

Support and Delivery Overview

• FFIEC IT Examination Handbook – Operations, Information Security, and Business Continuity Planning Booklets
• Interagency Guidelines Establishing Standards for Safety and Soundness
• Interagency Guidelines Establishing Information Security Standards
• Interagency Statement on Pandemic Planning
• FFIEC Guidance on Authentication in an Internet Banking Environment (2005 and 2011)
• Electronic Funds Transfers
