by Heath Stanley / Security Consultant
If you aren’t getting better then you are falling behind, and we feel that this applies to the current FFIEC guidelines we use to conduct our controls reviews and risk assessments. So instead of waiting on the FFIEC to release updated guidelines (which probably wouldn’t be as extensive as the scope we use), we are going to improve them ourselves. In the past, we have always audited beyond the scope of the FFIEC guidelines, but now we will document it in an improved fashion. To do this we have created a Framework Committee, for the following reasons:
1. The FFIEC guidelines aren’t good enough. There are sections of these guidelines that have not been updated for several years, and the guidelines don’t cover increasingly popular technologies such as VoIP or merchant capture. We will incorporate best practices for these technologies, as well as any new technologies, in our new framework.
2. Improved transparency. With our new framework, our controls review will be laid out in plain English, where our clients will be able to see the control that should be in place versus the control that is actually in place. This way our clients will see exactly what we were trying to accomplish by looking at specific controls, and our consultants gain added flexibility to decide which controls apply to which networks.
3. Added efficiencies. At every kickoff meeting we tell our clients that they may be asked the same question by several consultants. Well, we are trying to avoid this by removing redundancies within our current framework. This will reduce time on-site, reduce report sizes, increase transparency in our reporting and, most importantly, take up less of our clients’ valuable time.
4. Ongoing enhancements. As mentioned before, we will now be able to incorporate new technologies into our framework as we see fit, improve our document request list, make E-Reviews possible and basically just improve the overall controls review process. This will be an ongoing process that doesn’t end with a new framework.
Don’t worry, we will still incorporate every line item of the FFIEC guidelines as well as some COBIT objectives and other (FedAdvantage, GLBA) auditing guidelines from the regulators. But now it will just be in an improved format that your auditors, executives and especially your examiners will like more.
Any suggestions for our reporting and new framework? Post up a comment and we’ll bring it up in our next meeting.