Welcome » What's New
This section is where all changes made to the
InfoBase are listed. Each change entry includes the effective
date and a brief description.
Below are the most recent updates to the
InfoBase. For a complete listing of all changes,
click here: Change History Log
Apr 29, 2016
Added Appendix E: Mobile Financial Services to the Retail Payment Systems Booklet
The update consists of the addition of a new appendix,
Appendix E: Mobile Financial Services. Appendix E
focuses on the risks associated with MFS and emphasizes an
enterprise-wide risk management approach to effectively manage and
mitigate those risks. The update included the following:
The other sections of the booklet remain unchanged.
Nov 10, 2015
Revised the Management Booklet
Full revision of the Management Booklet; replaces the June 2004
version. Includes revised workprogram.
Feb 6, 2015
Strengthening the Resilience of Outsourced Technology Services
The FFIEC members today issued a revised Business
Continuity Planning booklet. The update consists of the
addition of a new appendix, entitled Strengthening the
Resilience of Outsourced Technology Services.
The new appendix to the Business Continuity Planning booklet
stresses that a financial institution's reliance on third-party
service providers to perform or support critical operations does
not relieve a financial institution of its responsibility to ensure
that outsourced activities are conducted in a safe and sound
manner. An effective third-party management program should provide
the framework for financial institution management to identify,
measure, monitor, and mitigate the risks associated with
outsourcing. Specifically, a financial institution should
ensure that its third-party service providers do not
negatively affect a financial institution's ability to
appropriately recover IT systems and return critical functions to
normal operations in a timely manner. The appendix highlights and
strengthens the BCP Booklet in four specific areas:
Apr 2, 2014
Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources
Added FFIEC Joint Statement, Distributed Denial-of-Service (DDoS)
Cyber-Attacks, Risk Mitigation, and Additional Resources .
This statement identifies the risk associated with Distributed
Denial of Service (DDoS) attacks and provides mitigation
Joint Statement: Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems
Added FFIEC Joint Statement, Cyber-attacks on Financial
Institutions' ATM and Card Authorization Systems. This
statement identifies the risk associated with current attack
vectors against ATM's and Card Authorization Systems and provides
Oct 7, 2013
Added FFIEC Joint Statement, End of Microsoft Support for Windows
XP Operating System. This statement identifies the risk
associated with the continuing use of the XP Operating System.
Mar 22, 2013
Information Technology Examination Handbook InfoBase Enhancements
The Federal Financial Institutions Examination Council (FFIEC)
member agencies today announced the addition of a new feature to
the Information Technology Examination Handbook InfoBase. This
feature provides bankers, agency personnel, and other interested
parties with the ability to register and receive notifications of
additions, changes, and deletions to the InfoBase. Users may elect
to receive messages by either email notification or a Real Simple
Syndication (RSS) feed through links on the Welcome page of the
online InfoBase at: ithandbook.ffiec.gov
The press release is at: http://www.ffiec.gov/press/pr032213.htm
Oct 31, 2012
Supervision of Technology Service Providers (TSP) booklet
The booklet replaces the March 2003 version and
includes the following revisions:
Reference Materials - Federal Regulatory Agencies' Administrative Guidelines: Implementation of Interagency Programs for the Supervision of Technology Service Providers
The Guidelines describe the process the FRS, FDIC,
and OCC (agencies) follow to implement the interagency supervisory
programs and include the reporting templates examiners use
throughout the supervisory cycle. The primary audience is the
agencies' management and field examiners.
Jul 10, 2012
Added the FFIEC Public Cloud Computing
Statement. The statement maps cloud computing risks to
the various FFIEC IT Handbook booklets.
May 7, 2012
Audit, BCP, E-Banking, Information Security, Operations, Outsourcing, and Retail Payments booklets.
Revised multiple booklets to address the transition
from SAS-70 to the SSAE-16
attestation review process and other third-party review
Apr 27, 2012
Information Security booklet
Added the FFIEC Supplement to the Authentication in
an Internet Banking Environment guidance for all agencies in
the Resource section, Appendix C.
Apr 9, 2012
Added Appendix D, Managed Security Service
Providers (MSSP). This appendix,
including examination procedures, addresses the unique risks
associated with outsourcing IT security functions.
Apr 2, 2012
Added examination procedures to address the
risks associated with cloud computing.