Financial Institution Letter

Risk Assessment Tools And Practices For Information System Security

SUBJECT: FDIC Issues Paper on Information System Security Issues 

The Federal Deposit Insurance Corporation (FDIC) is providing financial institutions the attached paper on information system security issues entitled "Risk Assessment Tools and Practices for Information System Security." Bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technology and computer networks.

An ever-increasing number of financial institutions are using the Internet or other computer networks as an information resource or delivery channel. In 1997, the FDIC instituted safety and soundness electronic banking examination procedures, and provided guidance on security risks associated with the Internet. Information security issues continue to arise, and information gathered through the FDIC's electronic banking examination process indicates the need for additional guidance on information system security issues.

The attached paper emphasizes three primary components of a sound information security program: prevention, detection, and response. The extent of an institution's information security program will depend on the nature of its activities and should be based on a comprehensive risk assessment. A variety of tools are described in the paper that can facilitate the risk assessment process. The guidance does not specifically recommend which tools and practices an institution should use. These will depend on each institution's risk assessment, including the identification of potential threats to and vulnerabilities of its information systems. The guidance is intended to provide useful information to financial institutions, not to create new examination standards, impose new regulatory requirements, or recommend a specific course of action.

The issues discussed in the paper are also relevant to institutions that contract with third-party providers for information system services. Institutions that contract for such services should have a sound vendor management program that generally incorporates the items discussed in the guidance.

This guidance is designed to supplement Financial Institution Letter 131-97, "Security Risks Associated With the Internet," issued December 18, 1997, and to complement the FDIC's safety and soundness electronic banking examination procedures. Related guidance can be found in the FFIEC Information Systems Examination Handbook.

For more information, please contact your Division of Supervision Regional Office or Examination Specialist Cynthia A. Bonnette at (202) 898-6583.

James L. Sexton

FDIC-Supervised Banks (Commercial and Savings)


Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 ((800) 276-6003 or (703) 562-2200).

Last Updated: July 7, 1999