
FDIC Releases Updated IT Officer’s Risk Management Program Questionnaire

Last week the U.S. Federal Deposit Insurance Corporation (FDIC) released an updated version of its IT officer's risk management program questionnaire, which banks and other financial organizations use to prepare for regulator audits.

Information security, privacy and IT pros in all types of organizations can benefit by looking through the questionnaire, even if they are not in a regulated industry. Auditors of all types often take such questionnaires and modify them for their use, so if internal or external auditors are looking at your IT risk management program, chances are they will be looking for similar types of information.

I wish they had included a definitions section to level-set readers on the many terms used within the document that are open to interpretation when left undefined.

And, even though it is an IT risk management questionnaire, non-IT risks to information should not be overlooked, such as handling and disposing of printed confidential information. Banks and other financial companies handle and mail a huge amount of printed sensitive information, and many have experienced significant privacy breaches through incidents involving printed materials and improper disposal.

I think it is great they added a section specifically for vendor management and outsourcing, although the section could have covered even more issues. Almost all banks and financials outsource significant processing activities, so these issues definitely need to be included in any risk assessment performed for an organization's information security program.

Two other sections added include one for credit card and automated clearing house (ACH) payment risks, and another for the institution's overall information security program.

Do you think the TJX breach and the ongoing fallout had anything to do with the updates? Umm...well, looking at the types of items added to the questionnaire...ya, probably!!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.