What's New

This section is where all changes made to the InfoBase are listed.  Each change entry includes the effective date and a brief description.

Below are the most recent updates to the InfoBase. For a complete listing of all changes, see the Change History Log.

Nov 14, 2019

Revised the Business Continuity Planning Booklet and Changed Name to Business Continuity Management

The FFIEC members updated and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks. The members developed the booklet using a principles-based approach to IT risk management so that the booklet’s central tenets remain relevant to examiners even as innovation and technological change occur in the financial services sector. Changes in this booklet include:

  • Changed name to Business Continuity Management to reflect an increased focus on ongoing, enterprise-wide business continuity and resilience.
  • Replaced the term “financial institutions” with the term “entities.”
  • Clearer references back to NIST, FEMA, and other authoritative sources.
  • Clarified the linkage between enterprise risk management (ERM) and BCM.
  • Eliminated the redundant pandemic planning section.
  • Discussed supply-chain risk with respect to single points of failure.
  • Clarified the distinction between exercises and tests.
  • Elevated maintenance and improvement as an important component of the BCM lifecycle.
  • Integrated relevant concepts from Appendix J into the body of the booklet.
  • Aligned definitions and terminology with authoritative standards organizations (e.g., NIST and ISO), where appropriate.

Sep 9, 2016

Revised the Information Security Booklet

The updates included the removal of redundant management material, a refocus on IT risk management, and an update of information security processes. The revision reflects changes in the industry and streamlines and reorders information security concepts throughout the booklet. The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework, as appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and assurance processes.

Apr 29, 2016

Added Appendix E: Mobile Financial Services to the Retail Payment Systems Booklet

The update consists of the addition of a new appendix, Appendix E: Mobile Financial Services. Appendix E focuses on the risks associated with MFS and emphasizes an enterprise-wide risk management approach to effectively manage and mitigate those risks. The update included the following:

  • A workprogram specific to MFS.
  • An update to the glossary to incorporate terminology in the appendix.

The other sections of the booklet remain unchanged.

Nov 10, 2015

Revised the Management Booklet

Full revision of the Management Booklet; replaces the June 2004 version.  Includes revised workprogram.

Feb 6, 2015

Strengthening the Resilience of Outsourced Technology Services

The FFIEC members today issued a revised Business Continuity Planning booklet. The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services.

The new appendix to the Business Continuity Planning booklet stresses that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing.  Specifically, a financial institution should ensure that its third-party service providers do not negatively affect a financial institution's ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner. The appendix highlights and strengthens the BCP Booklet in four specific areas:

  • Third-party management
  • Third-party capacity
  • Testing with third-party technology service providers
  • Cyber resilience

Apr 2, 2014

Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources

Added FFIEC Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources. This statement identifies the risk associated with Distributed Denial of Service (DDoS) attacks and provides mitigation strategies.

Apr 2, 2014

Joint Statement: Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems

Added FFIEC Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems. This statement identifies the risk associated with current attack vectors against ATMs and Card Authorization Systems and provides mitigation strategies.

Oct 7, 2013

Reference Materials

Added FFIEC Joint Statement, End of Microsoft Support for Windows XP Operating System.  This statement identifies the risk associated with the continuing use of the XP Operating System.

Mar 22, 2013

Information Technology Examination Handbook InfoBase Enhancements

The Federal Financial Institutions Examination Council (FFIEC) member agencies today announced the addition of a new feature to the Information Technology Examination Handbook InfoBase. This feature provides bankers, agency personnel, and other interested parties with the ability to register and receive notifications of additions, changes, and deletions to the InfoBase. Users may elect to receive messages by either email notification or a Really Simple Syndication (RSS) feed through links on the Welcome page of the online InfoBase at: ithandbook.ffiec.gov.

The press release is at:  http://www.ffiec.gov/press/pr032213.htm

Oct 31, 2012

Supervision of Technology Service Providers (TSP) booklet

The booklet replaces the March 2003 version and includes the following revisions:

  • Rescinds Supervisory Policy 1, "Interagency EDP Examination, Scheduling, and Distribution Policy," September 1991, and Supervisory Policy 11, "Enhanced Supervision Program for Multidistrict Data Processing Services (MDPS)," January 1995.
  • Outlines the agencies' risk-based supervisory program.
  • Sets forth the agencies' expectation that financial institutions have in place a comprehensive, enterprise-wide risk management process that addresses vendor management for relationships with TSPs.

Oct 31, 2012

Reference Materials - Federal Regulatory Agencies' Administrative Guidelines: Implementation of Interagency Programs for the Supervision of Technology Service Providers

The Guidelines describe the process the FRS, FDIC, and OCC (agencies) follow to implement the interagency supervisory programs and include the reporting templates examiners use throughout the supervisory cycle.  The primary audience is the agencies' management and field examiners.

Jul 10, 2012

Reference Materials

Added the FFIEC Public Cloud Computing Statement.  The statement maps cloud computing risks to the various FFIEC IT Handbook booklets.

May 7, 2012

Audit, BCP, E-Banking, Information Security, Operations, Outsourcing, and Retail Payments booklets

Revised multiple booklets to address the transition from SAS-70 to the SSAE-16 attestation review process and other third-party review processes.

Apr 27, 2012

Information Security booklet

Added the FFIEC Supplement to the Authentication in an Internet Banking Environment guidance for all agencies in the Resource section, Appendix C.

Apr 9, 2012

Outsourcing booklet

Added Appendix D, Managed Security Service Providers (MSSP). This appendix, including examination procedures, addresses the unique risks associated with outsourcing IT security functions.

Apr 2, 2012

Outsourcing booklet

Added examination procedures to address the risks associated with cloud computing.