FDIC InTREx Program Examination Support
As part of managed compliance services from CISO Global, our team can help you meet, maintain, and demonstrate FDIC compliance, providing support ahead of and throughout your InTREx examination.
The FDIC has several resources that help financial institutions comply with its IT cybersecurity-related regulations. The Federal Institution Letter (FIL) Information Technology (IT) and Cybersecurity states the following:
“Financial institutions depend on [Information Technology] to deliver services. Disruption, degradation, or unauthorized alteration of information and systems can affect the financial condition, core processes, and risk profile of an institution. Further, because of the increasing volume and sophistication of cyber threats, it is imperative that financial institutions and their critical third-party service providers maintain diligence in identifying, assessing, and mitigating cybersecurity risks.”
One such resource is the FDIC’s Information Technology Risk Examination (InTREx) Program, a risk-based approach for conducting IT examinations.
FDIC’s InTREx Program
InTREx applies to FDIC-supervised institutions that have total assets of less than $1 billion. It is designed to:
- Enhance identification, assessment and validation of IT and operations risk.
- Make sure that institutional management effectively addresses identified risks.
What to Expect from CISO Global’s FDIC Audit Support
The InTREx program includes a pre-examination scoping process to help institutions focus on their risks and prepare to pass their audit. Using guidance outlined in the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook, CISO Global’s Risk Advisory team will go through this pre-exam scoping process with you to identify your current risks and evaluate the effectiveness of your risk mitigation strategies around each. Our resulting report will provide you with a list of any identified gaps as well as recommended strategies to address them.
Pre-Exam Scoping Process
90 Days Ahead of Your Audit:
The FDIC will send the Information Technology Profile (ITP), an FDIC questionnaire you fill out to provide the examiner with an overview of your existing environment that allows FDIC-approved examiners to scope your upcoming assessment and assign their resources accordingly. The CISO Global Risk Advisory team will assist you in completing the ITP.
The IT examiner-in-charge will use your ITP and other available documentation (such as previous audit reports, changes or updates to your environment, etc.) to design your audit.
At Least 45 Days Ahead of Your Audit:
The FDIC will send an IT Request Letter through FDIConnect. This is a more focused questionnaire based on your IT profile that you need to complete and submit within the requested timeframe. This step allows your IT examiner-in-charge to obtain as much additional information as possible before your audit date, minimizing the amount of time they will need to spend interviewing and gathering documentation from your team on-site.
During Your FDIC Audit:
CISO Global’s Risk Advisory team will assist with the audit process, providing documentation to the FDIC’s assigned examiner and answering questions on your behalf. When engaged in an ongoing, managed compliance capacity with your team, we will be with you throughout the process. If you are required to undergo additional questioning, having our information security professionals as part of your team can be key to a successful examination.
Topics you can expect your audit to cover:
- Policies and Procedures
- Cybersecurity Awareness Training Programs
- Access Management
- Vulnerability Management
- Destructive Malware, Spyware, and Ransomware Prevention
- Pharming Attack Prevention
- Phishing Prevention
- VOIP Security Strategies
- Credential Theft Prevention
- Email Security
- Fraud Prevention
- Wireless and Wireless Customer Access Security
- Domain Name Protection
- Client/Server Environment Security
- Identity Theft Protection
- Third-Party Risk Management (Supply Chain Attack Prevention)
- Payment Security
- Remote Deposit Capture Risk Management
- ATM and Card Authorization Security
- Disaster Recovery and Business Continuity Plans
- Incident Response Plans
We want to hear from you!
To start a conversation with one of our experts, give us a call or Request a Consultation.
We look forward to speaking with you about your goals and unique needs.