Federal regulatory agencies have issued new guidelines for banks on information security policies. The guidelines, issued in the form of a booklet by the Federal Financial Institutions Examination Council (FFIEC), call on banks and other financial institutions to identify information security risks and to evaluate the adequacy of controls and risk management practices.
The booklet describes how institutions should protect and secure the systems and facilities that process and maintain information. It calls for financial institutions and technology service providers to maintain effective security programs, tailored to the complexity of their operations.
To be effective, an information security program must include the processes, policies, and controls needed to achieve five objectives: availability, integrity of data and systems, confidentiality, accountability, and assurance.
Availability requires that authorized users have prompt access to information and systems; controls must protect against intentional or accidental attempts to deny legitimate users that access.
Integrity of data or systems requires that information is not altered in an unauthorized manner, and that systems are free from unauthorized manipulation that would compromise their accuracy, completeness, and reliability.
Confidentiality requires that information be protected against unauthorized access or use.
Accountability requires that actions be traceable to their source. Accountability directly supports nonrepudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.
Assurance requires that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability.
The booklet on information security is the first in a series which together will update the 1996 FFIEC Information Systems (IS) Examination Handbook. The updates will ultimately replace all chapters of the 1996 Handbook.
Future booklets will address business continuity planning, supervision of technology service providers, electronic banking, IT audit, payment systems, outsourcing, IT management, computer operations, and systems development and acquisition.
The electronic version of the Information Security booklet is available at www.ffiec.gov/guides.htm.
The FFIEC updates clearly establish information security as mission-critical for financial institutions, according to GartnerGroup analyst Richard De Lotto. "These updates were developed before the latest series of malicious code attacks, such as the Sapphire worm outbreak, which recently caused serious service interruptions for a number of financial services providers. FSPs should therefore consider these guidelines only the starting point for an intensified examination of their security practices."
De Lotto recommends that banks closely monitor processes for identifying and evaluating security risks. Outside parties with malicious intent or electronic vandals seeking targets of opportunity could target all of a bank's data, not just nonpublic personal information.
Banks should take threats to information security as seriously as threats to physical assets, including threats to data processed by outside parties.
Equally important, notes De Lotto, is the need to obtain buy-in for strong security practices from senior management. "Executives may fear the potential impact of threat reduction measures on the bottom line. Obtain their buy-in by establishing scenarios showing the bottom-line impact of best-case, worst-case and most likely attacks."
Security administrators must apply random, unannounced testing procedures that replicate real-world attack conditions. Tests should include physical threats to information security as well as electronic threats.
Banks also need to establish formal information security processes, according to De Lotto. "FSPs must treat information security as a formal, ongoing process, with appropriate budgets, to ensure that they can adapt rapidly to an evolving risk environment."