As of July 1, 2016 all institutions supervised by the Federal Deposit Insurance Corporation (FDIC) are subject to comply with updated IT examination procedures. The Information Technology Risk Examination (InTREx) Program is designed to provide a risk-based approach for conducting IT examinations. InTREx is based on the Uniform Rating System for Information Technology (URSIT), which consists of four components: Audit, Management, Development and Acquisition, and Support and Delivery. InTREx adds an Expanded Analysis section for both Management and Support and Delivery as well as a summary section for both Information Security Standards and Cybersecurity.
About 90 days before the scheduled exam, the financial institution will receive an Information Technology Profile (ITP) questionnaire. The ITP questionnaire includes 26 questions covering the following six categories:
- Core Processing (4 questions)
- Network (6 questions)
- Online Banking (4 questions)
- Development and Programming (1 question)
- Software and Services (2 questions)
- Other (9 questions)
The questionnaire is designed to assist the lead examiner in determining the appropriate scope of the exam and the documentation that will be required.
As noted above, the examination will consist of four major categories, two summary sections, and two expanded analysis sections. It should be noted that cybersecurity elements are now included in the assessment. The Cybersecurity Assessment Tool’s (CAT) declarative statements are similar to those used in InTREx. Another major item examiners are focusing on is the “triangle” of asset management/patch management/vulnerability management, and how they’re all related.
Asset management is knowing everything you have in the environment. This includes hardware, software, applications, vendors, databases, data, etc. In particular, they were focusing on Internet of Things (IoT). The expectation is to track absolutely everything network-addressable, from the cash counters to the thermostats. The asset inventories can incorporate end-of-life tracking – again, this needs to encompass all systems, not just Microsoft – and can dovetail with their system acquisition procedures.
From there, we have patch management. Once you have a comprehensive asset inventory, you can think about patching them. This should be done according to formal policies that define your critical systems, patch testing/deployment windows based on asset type and patch type, etc. Of course, this needs to encompass all systems, not just Microsoft servers and workstations. Patch management can’t just be something that the server admin checks off once a month. It needs to involve formalized reporting, tracking, exceptions, approval of exceptions, monitoring remediation status, segregation of duties, adequate oversight, etc.
Lastly, there’s vulnerability management. An annual third-party test is not sufficient. Regular, in-house vulnerability scanning as an integral part of the process to validate asset and patch management needs to be performed. As with the patch management, this needs to be a process with appropriate reporting, oversight, remediation tracking, segregation of duties, etc. Vulnerability results may also identify new systems (hardware, software, websites, etc) that need to be added to the asset inventory, or systems that are going EOL. And so the cycle goes back to asset management and repeats.
A summary of the IT environment and URSIT composite ratings will be included in the Risk Management Report. Additionally, an assessment of cybersecurity preparedness will be included.