Federal Financial Institutions Examination Council members on Tuesday released a revised management booklet, which is part of the “FFIEC Information Technology Examination Handbook.” The NCUA is a member of the FFIEC.

The booklet, which includes IT examination procedures, was substantially revised, the FFIEC said in a release. It outlines the principles of sound governance and IT governance, and explains how IT risk management relates to enterprise-wide risk management and governance.

The updated examination procedures assist examiners in evaluating IT governance as part of overall governance and IT risk management as part of enterprise-wide risk management, both tailored specifically to financial institutions.

Other relevant changes included:

  • Incorporation of cybersecurity concepts as part of information security.
  • Incorporation of management-related concepts from other booklets of the IT handbook.
  • Augmentation and further delineation of the stages of the IT risk management process, including risk identification, measurement, mitigation, monitoring and reporting.

The IT handbook, which includes the updated management portion, can be accessed online at http://ithandbook.ffiec.gov/it-booklets/management.aspx.

In July, the FFIEC released a Cybersecurity Assessment Tool to help institutions identify their risks and assess cybersecurity preparedness. Appendices mapping the assessment's baseline maturity statements were added to the IT handbook.

CU Times and ERM Security released an NCUA IT Audit Survival Guide in September that addresses FFIEC and other regulatory requirements for credit unions. That guide, available for free to CU Times readers, can be downloaded here.
