Last week the U.S. Federal Deposit Insurance Corporation (FDIC) released an updated version of its IT officer's risk management program questionnaire, which banks and financial organizations use to prepare for regulator audits.
Information security, privacy and IT pros in all types of organizations can benefit by looking through the questionnaire, even if they are not in a regulated industry. Auditors of all types often take such questionnaires and modify them for their use, so if internal or external auditors are looking at your IT risk management program, chances are they will be looking for similar types of information.
I wish they had included a definitions section to level-set readers on the many terms used throughout the document, which are open to interpretation when left undefined.
And, even though it is an IT risk management questionnaire, non-IT risks to information should not be overlooked, such as handling and disposing of printed confidential information. Banks and other financial companies handle and mail a huge amount of printed sensitive information, and many have experienced significant privacy breaches through incidents involving printed materials and improper disposal.
I think it is great they added a section specifically for vendor management and outsourcing, although the section could have covered even more issues. Almost all banks and financial companies outsource significant processing activities, so these issues definitely need to be included in any risk assessment performed for an organization's information security program.
Two other sections added include one for credit card and automated clearing house (ACH) payment risks, and another for the institution’s overall information security program.
Do you think the TJX breach and the ongoing fallout had anything to do with the updates? Umm…well, looking at the types of items added to the questionnaire…ya, probably!!