SR 19-13:
FFIEC Information Technology Examination Handbook
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551
DIVISION OF
SUPERVISION AND REGULATION
November 15, 2019
Revised December 12, 2019
Note: On December 12, 2019, the HTML version of this letter was revised to reflect a corrected applicability amount. The correct applicability amount is $10 billion and not $1 billion.
THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND TO INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE
FFIEC Information Technology Examination Handbook
Applicability: This letter applies to all institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.
The Federal Financial Institutions Examination Council (FFIEC) has revised the February 2015 version of the "Business Continuity Management" (BCM) booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The BCM booklet is one of 11 booklets that make up the IT Handbook.
This booklet discusses BCM governance and its related components, including resilience; strategies, and plan development; training and awareness; exercises and tests; maintenance and improvement; and reporting for the board of directors. Additionally, this booklet outlines the principles of BCM to help examiners determine whether management adequately manages risk related to the availability of critical financial products and services. The booklet includes examination procedures, addressing:
- BCM concepts as part of information security.
- Various management-related concepts from other booklets of the IT Handbook.
- Elements related to BCM such as the identification of critical business functions, interdependency issues, and training programs.
The BCM booklet and the other booklets in the IT Handbookare available on the FFIEC website at: http://ithandbook.ffiec.gov/it-booklets.aspx.
Reserve Banks are asked to distribute this SR letter to the Federal Reserve-supervised institutions in their districts, as well as to their supervisory and examination staff. Questions regarding the revised guidance should be addressed to the staff in the Board's Systems and Operational Resiliency Policy section. In addition, questions may be sent via the Board's public website.1
signed by
Michael S. Gibson
Director
Division of
Supervision and Regulation
- SR letter 16-14, "FFIEC Information Technology Examination Handbook – Information Security Booklet"