Risk Assessment Tools And Practices For Information System Security
TO: Chief Executive Officer
SUBJECT: FDIC Issues Paper on Information System Security Issues
The Federal Deposit Insurance Corporation (FDIC) is providing financial institutions the attached paper on information system security issues entitled "Risk Assessment Tools and Practices for Information System Security." Bank management is responsible for ensuring that systems and data are protected against risks associated with emerging technology and computer networks.
An ever-increasing number of financial institutions are using the Internet or other computer networks as an information resource or delivery channel. In 1997, the FDIC instituted safety and soundness electronic banking examination procedures, and provided guidance on security risks associated with the Internet. Information security issues continue to arise, and information gathered through the FDIC's electronic banking examination process indicates the need for additional guidance on information system security issues.
The attached paper emphasizes three primary components of a sound information security program: prevention, detection, and response. The extent of an institution's information security program will depend on the nature of its activities and should be based on a comprehensive risk assessment. The paper describes a variety of tools that can facilitate the risk assessment process. The guidance does not specifically recommend which tools and practices an institution should use; these will depend on each institution's risk assessment, including the identification of potential threats to and vulnerabilities of its information systems. The guidance is intended to provide useful information to financial institutions, not to create new examination standards, impose new regulatory requirements, or recommend a specific course of action.
The issues discussed in the paper are also relevant to institutions that contract with third-party providers for information system services. Institutions that contract for such services should have a sound vendor management program that generally incorporates the items discussed in the guidance.
This guidance is designed to supplement Financial Institution Letter 131-97, "Security Risks Associated With the Internet," issued December 18, 1997, and to complement the FDIC's safety and soundness electronic banking examination procedures. Related guidance can be found in the FFIEC Information Systems Examination Handbook.
For more information, please contact your Division of Supervision Regional Office or Examination Specialist Cynthia A. Bonnette at (202) 898-6583.
James L. Sexton
Director
Distribution
FDIC-Supervised Banks (Commercial and Savings)
Note
Paper copies of FDIC financial institutions letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).