Information Technology Risk Examination (InTREx) Program

FIL-43-2016
June 30, 2016


Summary:

The FDIC updated its information technology and operations risk (IT) examination procedures to provide a more efficient, risk-focused approach. This enhanced program also provides a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings.

Statement of Applicability to Institutions with Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised institutions.

Highlights:

  • The InTREx Program is an enhanced, risk-based approach for conducting IT examinations. The Program helps to ensure that financial institution management promptly identifies and effectively addresses IT and cybersecurity risks.
  • All Uniform Rating System for Information Technology (URSIT) component and composite ratings assigned at each IT examination will be included in the Risk Management Report of Examination.
  • An assessment of the financial institution’s cybersecurity preparedness will be included on the Information Technology and Operations Risk Assessment Page of every Risk Management Report of Examination.
  • The InTREx Program includes a streamlined IT Profile that financial institutions will complete in advance of examinations that replaces the IT Officer’s Questionnaire (ITOQ). The IT Profile is intended to provide examination staff with more focused insight on a financial institution’s IT environment and includes 65 percent fewer questions than appeared on the FDIC’s legacy ITOQ.

Enhanced Information Technology and Operations Risk Examination Procedures

On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) implemented the Information Technology Risk Examination (InTREx) Program for conducting information technology and operations risk (IT) examinations of FDIC-supervised financial institutions. The InTREx Program is designed to enhance identification, assessment, and validation of IT in financial institutions and ensure that identified risks are effectively addressed by FI management. FIL-81-2005, Information Technology Risk Management Program (IT-RMP), has been rescinded.

InTREx uses a work program based on the Uniform Rating System for Information Technology (URSIT) and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings. The Core Modules incorporate procedures to assess compliance with Appendix B to Part 364 of the FDIC Rules and Regulations entitled Interagency Guidelines Establishing Information Security Standards, as well as procedures to assess cybersecurity preparedness. The results of these assessments will be embedded in the Risk Management Report of Examination.

Other features of the InTREx program are:

  • Enhanced Pre-Examination Process. The pre-examination scoping process has been revised and streamlined to focus on emerging risks and technologies.
    • Approximately 90 days before a scheduled IT examination, the financial institution will receive an Information Technology Profile (ITP) questionnaire through FDICconnect to be completed and returned to the FDIC. The ITP is designed to determine the resources needed to perform the IT examination and assist with scoping the examination. The ITP includes 65 percent fewer questions than the Officer’s Questionnaire used in the previous IT examination program.
    • The IT examiner-in-charge will risk-focus the IT examination based on responses to the ITP and other available information (e.g., prior examination reports, new products or services). At least 45 days before the scheduled examination start date, an IT Request Letter reflecting the IT profile of the institution will be sent to the financial institution through FDICconnect. Management should upload requested information within the requested time frame to minimize on-site information requests.
  • Examination Procedures. Examiners will complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and to document examination procedures, findings, and recommendations. For financial institutions with a higher IT profile, examiners can use expanded examination procedures, supplemental workprograms, and the FFIEC Information Technology Examination Handbook.
  • Report Presentation. A summary of the overall condition of the IT function supporting the URSIT composite rating will be included on the Examiner Conclusions and Comments page. The Information Technology Assessment page will document URSIT component ratings, examination findings, recommendations, management’s responses, including timeframes for corrective action, and supporting comments for cybersecurity preparedness and compliance with information security standards.

For further information about the FDIC’s revised IT examination procedures, please contact your FDIC Regional Office.

Doreen Eberley
Director
Division of Risk Management Supervision
