Risk Assessment Tools And Practices For Information System Security
July 7, 1999
CHIEF EXECUTIVE OFFICER
FDIC Issues Paper on Information System Security Issues
The Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions the attached paper on information system security issues entitled
"Risk Assessment Tools and Practices for Information System Security." Bank
management is responsible for ensuring that systems and data are protected against risks
associated with emerging technology and computer networks.
An ever-increasing number of financial institutions are using the Internet or other
computer networks as an information resource or delivery channel. In 1997, the FDIC
instituted safety and soundness electronic banking examination procedures, and provided
guidance on security risks associated with the Internet. Information security issues
continue to arise, and information gathered through the FDIC's electronic banking
examination process indicates the need for additional guidance on information system
The attached paper emphasizes three primary components of a sound information security
program: prevention, detection, and response. The extent of an institution's information
security program will depend on the nature of its activities and should be based on a
comprehensive risk assessment. A variety of tools are described in the paper that can
facilitate the risk assessment process. The guidance does not specifically recommend which
tools and practices an institution should use. These will depend on each institution's
risk assessment, including the identification of potential threats to and vulnerabilities
of its information systems. The guidance is intended to provide useful information to
financial institutions, not to create new examination standards, impose new regulatory
requirements, or recommend a specific course of action.
The issues discussed in the paper are also relevant to institutions that contract with
third-party providers for information system services. Institutions that contract for such
services should have a sound vendor management program that generally incorporates the
items discussed in the guidance.
This guidance is designed to supplement Financial Institution Letter 131-97,
"Security Risks Associated With the Internet," issued December 18, 1997, and to
complement the FDIC's safety and soundness electronic banking examination procedures.
Related guidance can be found in the FFIEC Information Systems Examination Handbook.
For more information, please contact your Division of Supervision Regional
Office or Examination Specialist Cynthia A. Bonnette at (202) 898-6583.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the
FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC
20434 (800-276-6003 or (703) 562-2200).