Security Testing

The is_testing entry in the FFIEC IT Examination Handbook outlines the examiner's expectations for an institution's security testing program. It requires documented processes for planning, conducting, and reviewing vulnerability assessments, penetration tests, and other security evaluations to verify that technical controls function as intended and that identified weaknesses are promptly mitigated. Non-compliance can signal gaps in the overall cybersecurity risk management framework.