← Frameworks / Financial Regulation

FFIEC IT Examination Handbook — Information Security

US Federal Financial Institutions Examination Council handbook for examining information security at financial institutions. 51 examination objectives across governance, risk management, threat intelligence, security controls, network security, endpoint protection, access management, data security, resilience, incident response, and third-party security. Used by OCC, FDIC, Federal Reserve, NCUA, and state banking agencies for IT examinations.

Clauses: 51

Avg Coverage: 85.6%

Publisher: Federal Financial Institutions Examination Council (FFIEC) Version: 2024

FFIEC IS → SP 800-53 SP 800-53 → FFIEC IS Coverage Analysis

Clause	Title	SP 800-53 Controls
Appendix A	Examination Procedures	CA-01 CA-02 CA-05 CA-06 PM-01 PM-04 PM-06
I.A	Security Culture	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-01 PM-02 PM-13 PM-14 PL-04
I.B	Responsibility and Accountability	PM-01 PM-02 PM-03 PM-10 PM-13 PM-29 PL-01 PL-02 PL-04 PS-01 PS-02 PS-07 AT-01 RA-01
I.C	Resources	PM-03 PM-13 PM-16 SA-01 SA-02 SA-03 AT-01 AT-02 AT-03
II.A	Risk Identification	RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 RA-10 PM-08 PM-09 PM-11 PM-12 PM-15 PM-16 CA-02 CA-07
II.A.1	Threats	RA-03 RA-10 PM-12 PM-15 PM-16 SI-05 SR-07
II.A.2	Vulnerabilities	RA-05 RA-07 CA-02 CA-07 CA-08 SI-02 CM-04 CM-06
II.B	Risk Measurement	RA-01 RA-02 RA-03 RA-07 RA-09 PM-09 PM-28 CA-02
II.C.1	Policies, Standards, and Procedures	PL-01 PL-02 PL-03 PL-04 PL-07 PL-08 PM-01 PM-04 PM-05 PM-06 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01 PT-01
II.C.2	Technology Design	PL-08 PL-09 SA-03 SA-04 SA-08 SA-17 SC-02 SC-03 SC-07 SC-32 SC-39 CM-02
II.C.3	Control Types	PL-02 PL-08 CA-02 CA-05 PM-04 SA-08
II.C.4	Control Implementation	CA-02 CA-05 CA-06 CA-07 PM-04 PM-06 PM-14 PL-02
II.C.5	Inventory and Classification of Assets	CM-08 CM-09 CM-12 CM-13 PM-05 RA-02 RA-09 MP-04 SC-16
II.C.6	Mitigating Interconnectivity Risk	SC-07 SC-08 SC-10 SC-20 SC-21 SC-22 SC-23 CA-03 CA-09 AC-04 AC-20 SA-09
II.C.7	User Security Controls	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09 AC-02 AC-05 AC-06 PL-04 AT-02 AT-03
II.C.7(a)	Security Screening in Hiring Practices	PS-02 PS-03 PS-06 PS-07 PS-09
II.C.7(b)	User Access Program	AC-01 AC-02 AC-03 AC-05 AC-06 AC-24 IA-01 IA-02 IA-04 IA-05 IA-12
II.C.7(c)	Segregation of Duties	AC-05 CM-05 PS-02
II.C.7(d)	Confidentiality Agreements	PS-06 PS-07 PL-04
II.C.7(e)	Training	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14
II.C.8	Physical Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19 PE-20
II.C.9	Network Controls	SC-07 SC-08 SC-10 SC-11 SC-23 SC-44 AC-04 AC-17 AC-18 SI-04 CA-03
II.C.10	Change Management Within the IT Environment	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-09 SA-10
II.C.11	End-of-Life Management	SA-22 CM-07 CM-08 CM-11 SI-02 RA-05
II.C.12	Malware Mitigation	SI-03 SI-04 SI-07 SI-08 SI-16 SC-07 SC-18 SC-44 AT-02
II.C.13	Control of Information	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 SC-08 SC-28 AC-04 AC-21 AC-22 SI-12
II.C.13(a)	Storage	SC-28 MP-02 MP-04 AC-03 AC-06 PE-03
II.C.13(b)	Electronic Transmission of Information	SC-08 SC-12 SC-13 SC-23 AC-04 AC-17
II.C.13(c)	Disposal of Information	MP-06 SI-12 MP-05
II.C.13(d)	Transit of Physical Media	MP-05 MP-07 PE-16
II.C.13(e)	Rogue or Shadow IT	CM-07 CM-08 CM-10 CM-11 AC-20 PM-05 AT-02
II.C.14	Supply Chain	SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-09 SR-10 SR-11 SR-12 SA-04 SA-09 SA-22
II.C.15	Logical Security	AC-01 AC-02 AC-03 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-11 IA-12 AU-02 AU-03 AU-06 AU-12
II.C.15(a)	Operating System Access	AC-03 AC-06 IA-02 IA-05 CM-06 CM-07 SC-39 SC-03
II.C.15(b)	Application Access	AC-03 AC-06 AC-24 IA-02 IA-08 SC-02 SA-11
II.C.15(c)	Remote Access	AC-17 AC-18 AC-19 AC-20 IA-02 IA-08 SC-08 SC-10 SC-12 SC-13
II.C.16	Customer Remote Access to Financial Services	AC-17 AC-20 IA-02 IA-08 SC-07 SC-08 SC-12 SC-13 SC-23 SI-04 PT-01 PT-02 PT-03
II.C.17	Application Security	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 SI-10 SI-11 CM-04 CM-14
II.C.18	Database Security	AC-03 AC-06 SC-28 AU-02 AU-03 AU-06 AU-12 CM-06 SC-04
II.C.19	Encryption	SC-08 SC-12 SC-13 SC-17 SC-28 IA-07
II.C.20	Oversight of Third-Party Service Providers	SA-04 SA-09 SR-01 SR-02 SR-03 SR-06 PS-07 CA-03 CA-09 PM-30 PM-31
II.D	Risk Monitoring and Reporting	CA-07 CA-02 PM-06 PM-14 AU-06 AU-13 RA-03 RA-07 SI-04
III.A	Threat Identification and Assessment	RA-03 RA-05 RA-10 PM-12 PM-15 PM-16 SI-04 SI-05 CA-07
III.B	Threat Monitoring	SI-04 SI-05 SI-07 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-13 AU-14 CA-07 IR-04
III.C	Incident Identification and Assessment	IR-01 IR-04 IR-05 IR-06 IR-09 SI-04 SI-05 AU-06
III.D	Incident Response	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 CP-02 CP-10 PM-14 SI-05
IV.A	Assurance and Testing	CA-01 CA-02 CA-05 CA-07 CA-08 PM-06 PM-14 SA-11 RA-05
IV.A.1	Key Testing Factors	CA-02 CA-08 PM-06 PM-14 AT-03
IV.A.2	Types of Tests and Evaluations	CA-02 CA-08 RA-05 SA-11 PM-14
IV.A.3	Independence of Tests and Audits	CA-02 CA-08 CA-07 PM-14
IV.A.4	Assurance Reporting	CA-02 CA-05 PM-06 AU-06 AU-07 PL-02