Board of Governors of the Federal Reserve System

International Training & Assistance (ITA)
for Bank Supervisors

Technology Risk Supervision Seminar
Federal Reserve System Courses

Type of Participant Targeted

The Technology Risk Supervision Seminar is an intermediate-level course designed primarily for information technology (IT) examiners. The seminar is also appropriate for safety and soundness examiners who are exposed to IT-related issues during examinations and who have a basic understanding of IT concepts, supervision, and risks for financial institutions.

Prerequisites

None.

Course Overview

The goal of this 4 1/2-day seminar is to provide training in IT supervision of financial institutions.

Course Objectives

The course builds on foundational concepts of networks and operating systems and covers applied risk topics including system management, controls, data management, and emerging technologies. At the conclusion, participants should be able to

  • Recognize and understand more advanced concepts of bank technology and architecture
  • Identify business and supervision risks related to a financial institution's IT environment
  • Assess the impact of identified risks on the institution's operations
  • Discuss examination results and concerns with the financial institution's management
  • Analyze and assess the impact of the risks and exposures of existing and emerging technologies including, but not limited to, virtualization; network, security, and log management solutions; "Bring Your Own Device" (BYOD); cloud computing; vendor management; data loss prevention; mobile devices, payments, and risks; and social media risks
  • Make relevant control recommendations to the financial institution's management

Post-Course Intervention

After completing the Technology Risk Supervision Seminar, the participant should be given on-the-job IT assignments that will increase the retention of the competencies presented during class. Such on-the-job assignments include

  • Completing the evaluation and identifying key risks of a non-complex financial institution's IT environment with the assistance of a more senior IT examiner
  • Preparing, or assisting in the preparation of, examination findings concerning a financial institution's technology risks
  • Conducting or participating in a discussion with bank management regarding IT examination findings and concerns

Curriculum Overview

Each subject is listed with its approximate class hours and learning objectives.

Course Overview, Risk Management Framework, IT Audit and Exam (1.25 class hours)
  • Fundamental concepts of risk management
  • Framework for IT audits and exams

IT Governance and Risk Assessment (1.25 class hours)
  • Difference between risk assessment and risk management
  • Methodology, structure, and approach for IT governance
  • How to conduct and evaluate a risk assessment

Network Concepts, Security, and Design (1.50 class hours)
  • Open Systems Interconnection ("OSI") model
  • Specific risks related to networks

Network Diagrams, Firewalls, and Other Controls (1.25 class hours)
  • Elements of layered security and network devices used to separate zones of risk
  • Firewall controls, monitoring, and management

Operating Systems: Introduction, Role, and Directories (1.75 class hours)
  • OS security parameters relative to an enterprise-wide Active Directory implementation
  • Use of Group Policy to enforce access controls

Operating Systems: Servers and Clients (1.50 class hours)
  • Overview of security similarities and differences across multiple OS platforms

Virtualization and Bring Your Own Device ("BYOD") (2.75 class hours)
  • Concepts of virtualized systems
  • Impact of BYOD on traditional infrastructures

Security Threat Vectors and Vulnerability Management (1.25 class hours)
  • Most common threat vectors impacting banks
  • Elements and role of a vulnerability management and penetration testing program

Security: Patch Management (1.50 class hours)
  • Patch management terminology, process, and tools

Security: Change Management, Data Integrity, and Data Loss Prevention (1.50 class hours)
  • Identification and classification of an organization's information and data streams
  • Preventing the loss of sensitive information in a security breach
  • Different phases of change management and assessment of key controls

Security Information and Event Management ("SIEM") (1.25 class hours)
  • Using all IT information sources to facilitate successful security monitoring
  • Link between log/information monitoring and incident response planning

Cloud Computing and Vendor Management (1.25 class hours)
  • Technical controls for managing cloud computing risks
  • Assessing the vendor risk matrix and a cloud vendor's security and compliance capabilities

Business Continuity Planning and Disaster Recovery (1.50 class hours)
  • Best practices for disaster recovery planning, testing, and implementation

Mobile Topics Overview, Mobile Banking/Payments, Authentication (2.75 class hours)
  • Mobile payment risks and mechanisms for limiting those risks

Social Media and Risks (1.25 class hours)
  • Exposures and risks involved with social media applications and strategies for mitigating those risks

TOTAL: 24.75 class hours

Last update: March 18, 2013