This section is where all changes made to the InfoBase are listed. Each change entry includes the effective date and a brief description.
Below are the most recent updates to the InfoBase. For a complete listing of all changes, see the Change History Log.
Nov 14, 2019
Revised the Business Continuity Planning Booklet and Changed Name to Business Continuity Management
The FFIEC members updated and renamed the Business Continuity Planning booklet to Business Continuity Management (BCM) to reflect updated information technology risk practices and frameworks. The members developed the booklet using a principles-based approach to IT risk management so that the booklet’s central tenets remain relevant to examiners even as innovation and technological change occur in the financial services sector. Changes in this booklet include:
- Changed name to Business Continuity Management to reflect an increased focus on ongoing, enterprise-wide business continuity and resilience.
- Replaced the term “financial institutions” with the term “entities.”
- Clearer references back to NIST, FEMA, and other authoritative sources.
- Clarified the linkage between enterprise risk management (ERM) and BCM.
- Eliminated the redundant pandemic planning section.
- Discussed supply-chain risk with respect to single points of failure.
- Clarified the distinction between exercises and tests.
- Elevated maintenance and improvement as an important component of the BCM lifecycle.
- Integrated relevant concepts from Appendix J into the body of the booklet.
- Aligned definitions and terminology with authoritative standards organizations (e.g., NIST and ISO), where appropriate.
Sep 9, 2016
Revised the Information Security Booklet
The updates included the removal of redundant management material, a refocus on IT risk management, and an update of information security processes. The revision reflects changes in the industry; it streamlined and reordered information security concepts throughout the booklet. The updates are consistent with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate. The booklet contains updated examination procedures to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and
Apr 29, 2016
Added Appendix E: Mobile Financial Services to the Retail Payment Systems Booklet
The update consists of the addition of a new appendix, Appendix E: Mobile Financial Services. Appendix E focuses on the risks associated with MFS and emphasizes an enterprise-wide risk management approach to effectively manage and mitigate those risks. The update included the following:
- A workprogram specific to MFS.
- An update to the glossary to incorporate terminology in the
The other sections of the booklet remain unchanged.
Nov 10, 2015
Revised the Management Booklet
Full revision of the Management Booklet; replaces the June 2004 version. Includes revised workprogram.
Feb 6, 2015
Strengthening the Resilience of Outsourced Technology Services
The FFIEC members today issued a revised Business Continuity Planning booklet. The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services.
The new appendix to the Business Continuity Planning booklet stresses that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect a financial institution's ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner. The appendix highlights and strengthens the BCP Booklet in four specific areas:
- Third-party management
- Third-party capacity
- Testing with third-party technology service providers
- Cyber resilience
Apr 2, 2014
Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources
Added FFIEC Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources. This statement identifies the risk associated with Distributed Denial of Service (DDoS) attacks and provides mitigation
Apr 2, 2014
Joint Statement: Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems
Added FFIEC Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems. This statement identifies the risk associated with current attack vectors against ATMs and Card Authorization Systems and provides
Oct 7, 2013
Added FFIEC Joint Statement, End of Microsoft Support for Windows XP Operating System. This statement identifies the risk associated with the continuing use of the XP Operating System.
Mar 22, 2013
Information Technology Examination Handbook InfoBase Enhancements
The Federal Financial Institutions Examination Council (FFIEC) member agencies today announced the addition of a new feature to the Information Technology Examination Handbook InfoBase. This feature provides bankers, agency personnel, and other interested parties with the ability to register and receive notifications of additions, changes, and deletions to the InfoBase. Users may elect to receive messages by either email notification or a Really Simple Syndication (RSS) feed through links on the Welcome page of the online InfoBase at: ithandbook.ffiec.gov
The press release is at: http://www.ffiec.gov/press/pr032213.htm
Oct 31, 2012
Supervision of Technology Service Providers (TSP) booklet
The booklet replaces the March 2003 version and includes the following revisions:
- Rescinds Supervisory Policy 1, "Interagency EDP Examination, Scheduling, and Distribution Policy", September 1991, and Supervisory Policy 11, "Enhanced Supervision Program for Multidistrict Data Processing Services (MDPS)", January 1995.
- Outlines the agencies' risk-based supervisory
- Sets forth the agencies' expectation that financial institutions have in place a comprehensive, enterprise-wide risk management process that addresses vendor management for relationships with TSPs.
Oct 31, 2012
Reference Materials - Federal Regulatory Agencies' Administrative Guidelines: Implementation of Interagency Programs for the Supervision of Technology Service Providers
The Guidelines describe the process the FRS, FDIC, and OCC (agencies) follow to implement the interagency supervisory programs and include the reporting templates examiners use throughout the supervisory cycle. The primary audience is the agencies' management and field examiners.
Jul 10, 2012
Added the FFIEC Public Cloud Computing Statement. The statement maps cloud computing risks to the various FFIEC IT Handbook booklets.
May 7, 2012
Audit, BCP, E-Banking, Information Security, Operations, Outsourcing, and Retail Payments booklets.
Revised multiple booklets to address the transition from SAS-70 to the SSAE-16 attestation review process and other third-party review
Apr 27, 2012
Information Security booklet
Added the FFIEC Supplement to the Authentication in an Internet Banking Environment guidance for all agencies in the Resource section, Appendix C.
Apr 9, 2012
Added Appendix D, Managed Security Service Providers (MSSP). This appendix, including examination procedures, addresses the unique risks associated with outsourcing IT security functions.
Apr 2, 2012
Added examination procedures to address the risks associated with cloud computing.