Specialty Certification

Objectives of the CISE Certification Program:
1.    To recognize advanced knowledge and skills required for examining information technology (IT) and cybersecurity operations in financial institutions and service providers of varying sizes and complexities.
2.    To promote ongoing education in IT and cybersecurity supervision, ensuring examiners remain informed about evolving technologies, threats, and regulatory standards.
3.    To emphasize professionalism and continuous improvement in IT and cybersecurity examination practices to strengthen oversight in a rapidly evolving digital landscape.
4.    To enhance and maintain the quality of job performance and technical expertise among IT/cybersecurity examiners.

Candidates for the CISE designation must provide evidence of all of the following:

• Must have met the requirements for the ACISE.
• Completion of a minimum of 15 IS/IT/cybersecurity examinations of B-rated or higher financial institutions or third-party service providers as defined by the FDIC InTREx Program’s Information Technology Profile (ITP) or Enhanced Nonbank examinations as defined by the CSBS Enhanced Nonbank Exam Program over 5 years. Size of the state and available examinations may also be factored into the number of required examinations.
• Equivalent experience may be substituted on a case-by-case basis.
• Completion of at least ninety-six (96) hours of intermediate and/or advanced IT and cybersecurity relevant education courses over the three years immediately preceding application for certification.

Applicants must ensure that they meet all certification requirements and will then complete an attestation of successful job performance and mastery of job-related skills, providing a thorough written response for each competency category. Their supervisor will then review and affirm the attestation to ensure accuracy and completeness. The core competencies are an integral part of the certification, and a high degree of reliance is placed on the attestation for determining compliance with these skill areas. The supervisor reviewing the application form should be familiar with the applicant’s experience, performance, and skills/abilities and be confident that the applicant meets all the requirements outlined in the form.

TECHNICAL - Provides effective leadership and organization to the examination process. Has advanced knowledge of IT and cybersecurity examination policies and procedures.

• Effectively adheres to examination procedures, practices and expectations established by the state.
• Develops appropriate and accurate conclusions from collected data.
• Supervises, organizes, and effectively documents workpapers according to prescribed procedures.
• Ensures all components are adequately reviewed when delegating portions of the examination.
• Understands and correctly utilizes the following examination approaches as appropriate to applicant’s role:
  • Information Technology Risk Examination (InTREx)
  • FFIEC Uniform Rating System for Information Technology (URSIT)
  • FFIEC IT Examination Handbook
  • CSBS Baseline Nonbank Cybersecurity Exam Program
• Examiners should have substantial experience leading the IT portion of an examination
   

CONCEPTUAL - Provides effective and accurate evaluation of the overall activities of the IS/IT/cybersecurity function of a financial institution and/or third-party service provider. Has in-depth knowledge of information technology (IT) and cybersecurity topics including:

• Advanced Cybersecurity Frameworks:
  • In-depth training on frameworks like NIST Cybersecurity Framework, ISO/IEC 27001, and CRI Profile and CIS Critical Security Controls.
• Incident Response and Digital Forensics:
  • Handling cyber incidents, evidence preservation, and forensic investigations.
  • Analysis of malware, intrusion attempts, and ransomware.
• Penetration Testing and Ethical Hacking:
  • Identifying vulnerabilities in systems and networks through simulated attacks.
  • Differentiate types and uses of various tests (i.e. internal, external, red team, black box, etc.).
• Cloud Security:
  • Evaluating risks in cloud-based solutions.
  • Familiarity with cloud platforms like AWS, Azure, and Google Cloud.
  • Understanding shared responsibility models for cloud environments.
• Emerging Technology Risks:
  • Blockchain and cryptocurrency examination (e.g., understanding decentralized finance risks).
  • Artificial intelligence and machine learning security concerns.
  • Internet of Things (IoT) risks in financial institutions.
• Advanced Data Security and Encryption:
  • Encryption standards and cryptographic key management.
  • Secure handling of "data at rest" and "data in transit."
• Third-Party Vendor Management:
  • Assessing cybersecurity risks in outsourcing and third-party IT relationships.
  • FFIEC Guidance on Outsourcing Technology Services.
• IT Governance, Risk, and Compliance (GRC):
  • Assess institution's mitigating controls and implementation plan.
  • Assess institution's risk monitoring and reporting processes.
  • Understanding and assessing enterprise risk management frameworks.
  • Evaluating IT governance structures in institutions of varying sizes.
  • Make appropriate control recommendations to reduce institutional risk.
• Business Continuity and Disaster Recovery Planning:
  • Assessing institution readiness for IT and operational disruptions.
  • Testing and auditing business continuity and disaster recovery plans.
  • Assess institution's corrective action processes.

LEGAL/COMPLIANCE - Demonstrated knowledge of applicable laws/regulations and ability to apply knowledge to the examination process.

• Effectively demonstrates knowledge of policies, procedures, laws, rules, and regulations including but not limited to:
  • Gramm-Leach-Bliley Act (GLBA) – 15 U.S.C. §6801
  • Bank Service Company Act (BSCA)
  • Fair Credit Reporting Act (FCRA) – 15 U.S.C. §1681
  • Cybersecurity Information Sharing Act (CISA) – 2015
• Knowledge of the Interagency Guidelines establishing Information Security Standards (Part 364B).
• FTCs Safeguards Rule for nonbanks.
• Has knowledge of Fair and Accurate Credit Transactions Act ID Theft Red Flags Rule.
• Familiarity with General Data Protection Regulation (GDPR) and international data privacy regulations.
• Familiarity with Payment Card Industry Data Security Standard (PCI DSS) and understanding where applicable.
• Relevant BSA/AML/CFT laws including cybersecurity measures for suspicious activity reporting (SAR).
• IT examiner-specific legal implications of data breaches and regulatory fines.
• Applicable state information technology and cybersecurity laws.

COMMUNICATIONS - Provides effective oral and written communications and leadership where applicable:

• Effectively communicates assignments and expectations with assisting examination personnel and those leading examinations.
• Effectively supervises personnel to ensure adherence to examination procedures and policies.
• Effectively collaborates with other assisting examination personnel and those leading examinations to organize and analyze examination information and materials in a timely and professional manner.
• Effectively and clearly communicates with financial institution personnel to obtain information.
• Effectively and clearly escalates examination findings or concerns to agency supervisory personnel and/or EIC, as needed.
• Presents logical supporting documentation in response to any management concerns and moderates conclusions if presented with sufficiently supported data by management.
• Effectively prepares appropriate, accurate, and well-supported written work product in a timely manner, including examination findings, recommendations, comments, and supporting workpapers.
• Conducts all meetings in an organized and professional manner.
• Effectively prepares written comments which are accurate, grammatically correct, logically arranged, and factually support any conclusions drawn.
• Demonstrates ability to translate technical findings into actionable recommendations.
• Effectively conducts meetings with management and the boards of directors of financial institutions and third-party service providers.
• Effectively participates in exit meetings as appropriate.
• Effectively coordinates examination planning and execution with other state and federal supervisory authorities, as needed.
• Provides effective training to less experienced personnel.
• Effectively reviews reports for accuracy, content, conclusions, and proper grammar.

Recertification

Every three years, participants will be required to provide evidence of the successful completion of a minimum of 63 continuing education hours (CEH). If an examiner exceeds this requirement, up to 14 CEHs may be carried over into the new three-year term. Continuing education should be selected with the goal of maintaining, improving, or expanding the examiner’s knowledge, skills, and abilities. Participants are also required to review and remain in compliance with updates to certifications. Should a material change related to the certification occur, additional training may be required to maintain certification. Examiners must also participate in at least two IT examinations per year and/or oversee the examination process for IT examinations.

Examples of qualifying programs and activities are listed below. Other programs and activities submitted will be considered on a case-by-case basis.

Training Programs/Conferences

• CSBS Cyber & IT Supervisory Forum
• FDIC Incident Response
• FDIC Mainframe Security for Examiners
• FDIC Securing and Auditing Database Servers
• FDIC Cloud Computing II
• FDIC Network Architecture and Security
• FDIC Advanced Network Vulnerabilities Assessment
• FDIC Cyber Forensics
• FFIEC Information Technology Conference
• FFIEC Information Technology Symposium

Commercial Training Providers

Training programs and conferences such as those provided by the MIS Training Institute, ISACA, Sans, ISC2 or other nationally recognized training qualify for continuing education credits depending upon the nature and content of the course. Evidence regarding applicability of course content to IS examinations and length of the seminar must be provided to obtain credit when applying for recertification.

The following is a list of classes, which would provide continuing education from MIS Training Institute. The list is not all inclusive and other commercial sources may be utilized as long as they are nationally recognized training centers for IS education and documentation of applicability is provided when applying for credit for the course.

• Advanced Business Applications Auditing and Testing
• Advanced IT Audit and Security
• Audit and Security of Electronic Commerce
• How to Audit Automated Business Applications
• How to Audit the Application Development Process
• How to Perform a General Controls Review
• Intermediate IT Audit and Security
• Introduction to Auditing Networked Computers
• IT Auditing and Controls
• Making the Transition from IT to IT Audit

Colleges and University Courses

Courses and seminars such as those provided by colleges and universities qualify for continuing education credits depending upon the nature and content of the course. Evidence regarding applicability of course content to IS/IT examinations and length of the seminar must be provided to obtain credit when applying for recertification.

Other Technology Related Courses

• Web Training Courses
• Languages - Perl, Java, etc.
• E-Business
• Operating Systems
• Networking Classes

Other Advanced IS/IT relevant classes may be approved on a case-by-case basis