Candidates for the CCSE designation must provide evidence of all of the following:
- Full-time Cyber Examiners: Completion of a minimum of three (3) years IS/IT/cyber security examination experience. Equivalent industry experience may be substituted on a case-by-case basis.
- Bank Safety & Soundness Examiners: Completion of a minimum of five (5) years examination experience, which may include a combination of IS/IT/cyber security examination and bank safety and soundness examination experience. Equivalent industry experience may be substituted on a case-by-case basis.
- Participation in a minimum of ten (10) IS/IT/cyber security examinations over the applicable period of A- or B-rated financial institutions or third-party service providers as defined by the FDIC's InTREx Program.
- Completion of at least ninety-six (96) hours of advanced relevant education courses over the three years immediately preceding application for certification, as follows:
- At least fifty percent (50%) of the completed education courses must reflect training on technical security risks. Technical risk mastery classes include topics such as ethical hacking, digital forensics, incident response, penetration testing, physical security, information security controls, electronic banking, and computer/network/security audit.
- At least five (5) hours of the completed education courses must be focused on effective risk management awareness. Managerial competency classes include effective presentations, legal awareness of digital issues, writing, readable technical reports, working as a team leader, and clearly presenting examination-based results.
- Note: The completed education requirements, and the education requirements outlined below, ensure that IT examiners seeking certification are and remain current in their training in the constantly changing cyber security landscape. If an examiner is unable, based upon geographic, budgetary, scheduling, or other issues, to complete the required training but is otherwise qualified, he/she is encouraged to request a waiver of the education requirements. The applicant will be required to set forth in detail his/her reasons for seeking certification, and how he/she fulfills the required competency in the five areas listed below.
Supervisor Ratings & Narrative Assessment
A minimum rating of "meets expectations" and a detailed narrative assessment justifying the rating, indicating successful job performance and mastery of appropriate job-related skills, is required. When adjudicating a certification application, a high degree of reliance is placed on the narrative assessment for each competency. For that reason, the individual signing the form should be familiar with the applicant's experience, performance, and skills/abilities, and should be confident that the applicant meets all requirements.
The attestation form addresses the following categories:
TECHNICAL - Determine the effectiveness of an institution's cyber security risk identification and management process:
- Understand the terms "data at rest" and "data in transit/motion" and the technology used to secure both
- Assess institution's mitigating controls and implementation plan
- Assess institution's risk monitoring and reporting processes
- Assess institution's corrective action processes
- Make appropriate control recommendations to reduce institutional risk
CONCEPTUAL - Provides effective and accurate evaluation of the overall activities of the institution's IT/IS/cyber security function:
- Effectively applies knowledge of policies, procedures, laws, rules and regulations
- Effectively follows established examination procedures to collect and analyze data
- Effectively evaluates the adequacy of security policies and standards relative to the risk profile of an institution
- Develops correct conclusions from collected data
- Effectively reviews reports for accuracy, content, conclusions, and proper grammar
- Effectively evaluates and adjusts scope of examination as each situation requires
- Effectively demonstrates understanding of recommendations and is able to provide source documentation to address issue or practice
- Working knowledge of cyber security frameworks
ORGANIZATIONAL - Provides effective organization to the examination process:
- Effectively adheres to agency and federal examination procedures and policies
- Effectively recommends and organizes examination tasks
- Ensures pre-examination planning and requests are successfully completed in a timely manner
- Organizes and effectively documents work papers according to prescribed procedures
LEGAL/COMPLIANCE - Demonstrated knowledge of application laws/regulations and ability to apply knowledge to the examination process:
- Knowledge of the Interagency Guidelines establishing Information Security Standards (Part 364B).
HUMAN RELATIONS - Provides effective oral and written communications:
CYBER SECURITY RECERTIFICATION
In order to be recertified, participants will be required to provide evidence of the successful completion of:
- a minimum of sixty-three (63) continuing education hours (CEHs) over the three year certification term and
- at least five (5) CEHs each year focused solely on ethical hacking, digital forensics, incident response, penetration testing, physical security, computer/network/security audit, and forensic training.
Examples of qualifying programs and activities are listed below. Other programs and activities submitted will be considered on a case-by-case basis.
CSBS and Federally Sponsored Courses and Seminars
- CSBS Cyber & Technology Risk Management Forum
- FFIEC IT Conference and IT Symposium
- FDIC Information Technology Examination Course and other IT-related training
Commercial Training Providers
Courses and seminars such as those provided by the MIS Training Institute (MISTI), ISACA, CERT/Carnegie Mellon, National Initiative for Cybersecurity Careers and Studies (NICCS), SANS, and SecureNinja, or other nationally recognized training qualify for continuing education credits depending upon the nature and content of the course. Evidence regarding applicability of course content to IS/IT/cyber security examinations and length of the training must be provided to obtain credit when applying for recertification.
Colleges and University Courses
Courses and seminars provided by accredited colleges and universities qualify for continuing education credits depending upon the nature and content of the course. Evidence regarding applicability of course content to IS/IT/cyber security examinations and length of the training must be provided to obtain credit when applying for recertification.
Other Certification Designations
Sixty-three (63) CEHs will be awarded for each approved technology-related certification received or renewed during the three-year certification period. A copy of the certificate or renewal confirmation, and a detailed record of the continuing education completed in support of the certification, must be provided.
Accepted certifications include the following:
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)
- Certified Cloud Security Professional (CCSP)
- Certified Cyber Forensics Professional (CCFP)
- CSX Practitioner or CSX Specialist (CSXP,CSXS)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Information Assurance (CIA)
- Sensitive Security Information, Certified (SSI)
- Certified in Cyber Warfare (CCW)
- Certified Ethical Hacker (CEH)
If your certification is not listed here, please request approval by email to [email protected].
Time spent speaking, authoring, and teaching will be accepted towards continuing education requirements. A maximum of twenty (20) CEHs may be awarded in a three-year term for this type of nontraditional credit.
ACCEPTANCE OF EQUIVALENT CERTIFICATION
Examiners who have attained certification from other agencies (federal or state) and/or associations in related skills may apply for consideration of equivalent certification in the Program. See "Other Certification Designations" for a list of acceptable equivalent certifications. An abbreviated application form is available for those applicants requesting consideration under equivalent certification criteria.