Home > News & Events > Financial Institution Letters




Financial Institution Letters


COMPUTER SOFTWARE PATCH MANAGEMENT

FIL-43-2003
May 29, 2003

TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
SUBJECT: Guidance on Developing an Effective Software Patch Management Program
Summary: The FDIC is providing guidance to financial institutions about the importance of maintaining an effective computer software patch management program. This guidance provides institutions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program.

The Federal Deposit Insurance Corporation (FDIC) has prepared the attached guidance to assist financial institutions in developing an effective computer software patch management program in order to mitigate risks associated with commercial software vulnerabilities.

Many financial institutions rely on commercially developed software to support business processes and to provide an information technology (IT) infrastructure. Common types of software include operating systems, core processing systems, business applications (e.g., word processing programs), and system services (e.g., anti-virus programs). Commercially developed software may contain flaws that create security and performance vulnerabilities. Although software vendors often develop an update - or a "patch" - to correct identified weaknesses, it is the software user's responsibility to update systems or install patches in a timely manner.

Software vulnerabilities can cause system unavailability, create security weaknesses, or corrupt critical system components or data. During the past year, many companies, including some financial institutions, have experienced security breaches that could have been prevented through the timely identification and patching of software vulnerabilities.

For more information about computer software patch management, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/news/financial/2003/index.html.


Michael J. Zamorski
Director

Attachment: Guidance on Developing an Information System Patch Management Program to Address Software Vulnerabilities

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).

Last Updated 05/29/2003 communications@fdic.gov