
Associate Certified Information Systems Examiner (ACISE)  

Objectives of the ACISE Certification Program:
1. To recognize foundational knowledge and skills required for examining information technology (IT) and cybersecurity operations in financial institutions and service providers.
2. To promote ongoing education in IT and cybersecurity supervision, ensuring examiners remain informed about evolving technologies, threats, and regulatory standards.
3. To emphasize professionalism and continuous improvement in IT and cybersecurity examination practices to strengthen oversight in a rapidly evolving digital landscape.
4. To enhance and maintain the quality of job performance and technical expertise among IT/cybersecurity examiners.

Candidates for the ACISE designation must provide evidence of all of the following:

  • Completion of a minimum of 9 IS/IT/cybersecurity examinations over three years of C-rated or higher financial institutions or third-party service providers as defined by the FDIC InTREx Program’s Information Technology Profile (ITP) and/or covering at a minimum the Baseline Nonbank Exam Program for IT and Cybersecurity. Size of the state and available examinations may also be factored into the number of required examinations. Equivalent experience may be substituted on a case-by-case basis.
  • Satisfactory completion of the following course offerings or their equivalent (courses submitted for equivalency will be considered on a case-by-case basis):
    • CSBS IT Examiner School or
    • FDIC Information Technology Examination Course

Applicants must ensure that they meet all certification requirements and will then complete an attestation of successful job performance and mastery of job-related skills, providing a thorough written response for each competency category. Their supervisor will then review and affirm the attestation to ensure accuracy and completeness. The core competencies are an integral part of the certification, and a high degree of reliance is placed on the attestation for determining compliance with these skill areas. The supervisor reviewing the application form should be familiar with the applicant’s experience, performance, and skills/abilities and be confident that the applicant meets all the requirements outlined in the form.

TECHNICAL - Provides effective organization to the examination process. Has a foundational knowledge of IT examination policies and procedures:

  • Effectively adheres to examination procedures, practices and expectations established by the state. 
  • Develops appropriate and accurate conclusions from collected data.
  • Effectively evaluates and adjusts scope of examination as each situation requires.
  • Supervises, organizes, and effectively documents workpapers according to prescribed procedures.
  • Ensures all components are adequately reviewed when delegating portions of the examination. 
  • Understands and correctly utilizes the following examination approaches as appropriate to applicant’s role:
    • Information Technology Risk Examination (InTREx)
    • FFIEC Uniform Rating System for Information Technology (URSIT)
    • FFIEC IT Examination Handbook
    • CSBS Baseline Nonbank Cybersecurity Exam Program
  • Should have experience leading the IT portion of an examination.

CONCEPTUAL - Provides effective and accurate evaluation of the information technology (IT) activities of financial institutions and/or third-party service providers. Has a foundational knowledge of IT and cybersecurity:

  • Demonstrates understanding and comfort with information technology-related concepts and terminology.
  • Demonstrates knowledge of fundamental security principles, including:
    • Confidentiality, integrity, availability (CIA triad)
    • Risk management (risk identification, assessment, and mitigation)
    • Authentication and authorization
    • Baseline understanding of encryption techniques
    • End-of-life management
    • Architecture, infrastructure, and network topology
  • Effectively assesses the security governance of institutions of varying sizes, complexities, and risk profiles, including:
    • Information security policies
    • Business continuity, disaster recovery, and incident response plans
  • Demonstrates understanding of IT-related audit processes, including:
    • Audit risk assessments, scope and frequency
    • Types, differences, and uses of IT-related audits and assessments
      • Audits
      • Penetration Tests
      • Vulnerability Scans
      • SOC reports
    • Findings reporting, tracking and remediation
  • Third-party risk management principles:
    • Vendor selection processes
    • Contracting
    • Ongoing due diligence and service level agreement (SLA) monitoring
  • Demonstrates working knowledge of both current and emerging cyber threats.
  • Understands the principles of governance, risk & compliance (GRC).
  • Demonstrates knowledge of common threats and vulnerabilities.
  • Demonstrates familiarity with identifying protected assets and asset sensitivity classification principles.
  • Fundamental knowledge of cybersecurity frameworks.

LEGAL/COMPLIANCE - Effectively demonstrates knowledge of policies, procedures, laws, rules and regulations as applicable to entities regulated:

  • Has knowledge of the Interagency Guidelines Establishing Information Security Standards (i.e., Appendix B to Part 364 of the FDIC Rules and Regulations).
  • Understands the Gramm-Leach-Bliley Act (GLBA) Section 501(b) and its implications.
  • Has knowledge of the FTC's Safeguards Rule for nonbanks.
  • Has knowledge of applicable state information technology and cybersecurity laws.
  • Has knowledge of Fair and Accurate Credit Transactions Act ID Theft Red Flags Rule.

COMMUNICATIONS - Provides effective oral and written communications:

  • Effectively communicates assignments and expectations with assisting examination personnel and those leading examinations. 
  • Effectively collaborates with other assisting examination personnel and those leading examinations to organize and analyze examination information and materials in a timely and professional manner.
  • Effectively and clearly communicates with financial institution personnel to obtain information.
  • Effectively and clearly escalates examination findings or concerns to agency supervisory personnel and/or EIC, as needed.
  • Effectively and clearly communicates examination findings to financial institutions or third-party service providers, and to supervisory personnel.
  • Presents logical supporting documentation in response to any management concerns and moderates conclusions if presented with sufficiently supported data by management.
  • Effectively prepares appropriate, accurate, and well-supported written work product in a timely manner, including examination findings, recommendations, comments, and supporting workpapers.
  • Conducts all meetings in an organized and professional manner.
  • Effectively conducts meetings with management and the boards of directors/trustees of financial institutions and third-party service providers. 
  • Effectively participates in exit meetings where appropriate.
  • Effectively coordinates examination planning and execution with other state and federal supervisory authorities, as needed.
  • Effectively reviews reports for accuracy, content, conclusions, and proper grammar.

RECERTIFICATION

Every three years, participants will be required to provide evidence of the successful completion of a minimum of 63 continuing education hours (CEH). If an examiner exceeds this requirement, up to 14 CEHs may be carried over into the new three-year term. Continuing education should be selected with the goal of maintaining, improving, or expanding the examiner’s knowledge, skills, and abilities. Participants are also required to review and remain in compliance with updates to certifications. Should a material change related to the certification occur, additional training may be required to maintain certification. Examiners must also participate in at least two IT examinations per year and/or oversee the examination process for IT examinations.

Examples of qualifying programs and activities are listed below. Other programs and activities submitted will be considered on a case-by-case basis.

Training Programs/Conferences

  • CSBS Fundamentals of Cryptocurrency
  • CSBS Cyber & IT Supervisory Forum
  • FDIC Deploying Internet and Intranet Firewalls
  • FDIC Virtual Private Networks and Remote Access Systems
  • FDIC Storage Area Networks
  • FDIC Cloud Computing I
  • FDIC Virtualization
  • FDIC Auditing Applications Systems Development
  • FDIC Mobile Financial Services Security
  • FDIC Risk Management of Payment Systems
  • ABA Cybersecurity Management
  • FFIEC Information Technology Conference
  • FFIEC Information Technology Symposium

Commercial Training Providers
Training programs and conferences such as those provided by the MIS Training Institute, ISACA, SANS, ISC2, or other nationally recognized training providers qualify for continuing education credits depending upon the nature and content of the course.
The following is a list of classes from the MIS Training Institute that would provide continuing education. The list is not all-inclusive, and other commercial sources may be utilized as long as they are nationally recognized training centers for IS education and documentation of applicability is provided when applying for credit for the course.

  • Advanced Business Applications Auditing and Testing
  • Advanced IT Audit and Security
  • Audit and Security of Electronic Commerce
  • How to Audit Automated Business Applications
  • How to Audit the Application Development Process
  • How to Perform a General Controls Review
  • Intermediate IT Audit and Security
  • Introduction to Auditing Networked Computers
  • IT Auditing and Controls
  • Making the Transition from IT to IT Audit

College and University Courses
Courses and seminars such as those provided by colleges and universities qualify for continuing education credits depending upon the nature and content of the course. Evidence of the applicability of the course content to IS/IT examinations and of the length of the seminar must be provided to obtain credit when applying for recertification.

Other Technology-Related Courses

  • Web Training Courses
  • Languages - Perl, Java, etc.
  • E-Business
  • Operating Systems
  • Networking Classes
  • Other Advanced IS/IT relevant classes may be approved on a case-by-case basis