Home > News & Events > Financial Institution Letters
Financial Institution Letters
Guidance on Developing an Information System
As financial institutions become increasingly dependent on commercial software to support critical business processes, they also increase their exposure to software vulnerabilities. Most financial institutions use multiple commercial software packages. Therefore, it can be challenging to identify, test, and install all of the applicable patches that are necessary to maintain each software package.
A patch management program should be part of an institution's overall computer security program. Oversight and accountability should be assigned to an appropriate party; however, the patch management program should include management, information security, and systems operations personnel. Consumer privacy regulations require that periodic risk assessments be provided to the Board of Directors.1 In these assessments, management details measures taken to mitigate risks. The effectiveness of the institution's patch management program should be discussed in these periodic reports. An inadequate patch management program may adversely affect certain components of an institution's overall Information Technology (IT) examination rating.
Risks of Inadequate Patch Management
Inadequate patching of software vulnerabilities exposes a financial institution to significant risk. Software vulnerabilities can cause system unavailability, create security weaknesses, or corrupt critical system components or data. Software vulnerabilities that result in security weaknesses can leave computer systems unprotected and open to access and criminal misuse of bank information by unauthorized parties, such as computer hackers.
Many computer viruses and worms are designed to exploit known system vulnerabilities. For example, viruses such as "Nimda," "Code Red," "I Love You," "Melissa," and the "Slammer Worm" all take advantage of system and security vulnerabilities to disrupt computer systems. In each of these cases, software patches are available from the vendor to eliminate the vulnerability, thereby neutralizing the virus. In the case of "Nimda," "Code Red," and the "Slammer Worm," software patches were available for a significant period of time prior to the widespread release of the virus.
Developing an Effective Patch Management Program
An effective patch management program begins with appropriate organizational procedures, such as:
Additional procedures may also be warranted depending on the unique needs of the organization.
In developing an effective patch management program, it is important to have a comprehensive understanding of the institution's IT environment. An up-to-date inventory of hardware and software should be maintained, including the specific applications and their location. At a minimum, it is suggested that the inventory include a description of the system's hardware, main frame and mid-range computers, operating systems (versions and all patches installed), application software (versions and all patches installed), and storage devices. This inventory should reflect production servers, firewalls, network appliances, routers, and other network infrastructure.
Monitoring Software Vulnerabilities and Identifying Patch Information
Generally, effective patch management programs include specific information on monitoring software vulnerabilities and identifying patches. Depending on the complexity of the financial institution's IT environment, installed components, and current issues in the technology environment, patches can appear as frequently as several times a day or as seldom as once a year. The quality of vendor code may also influence patch frequency. Relevant patch information can be identified by subscribing to or reviewing the following sources of patch information:
Evaluating the Impact of Patches
After a patch has been identified, an impact assessment of the application of the patch should be performed on the institution's information system and business environment, including a technical evaluation, a business impact assessment, and a security evaluation.
Institutions that maintain their own internal computer networks, but utilize vendor supplied banking applications, may be reluctant to install patches to their operating system until the banking application vendor has assured them that the operating system patch will not interfere with the banking application software. Institutions should work closely with their vendors to ensure that new patches are evaluated as soon as possible.
Testing and Installing Software Patches
Each patch should be tested prior to installation to ensure that it will function as expected and be compatible with other systems. Patches should be tested at a system level as well as in a quality assurance environment prior to their installation in the production environment. This will ensure their compatibility with the system and with other components in the environment. Evaluation and testing should also ensure that the installation of a patch or software update does not open vulnerabilities previously corrected or produce new vulnerabilities. Application of patches in the production environment is subject to normal change management procedures to minimize the risk of disruption due to installation of the patch. Testing should also occur in the production environment after installation.
In some cases, systems may need to be shut down to test and install a patch, which makes the system unavailable for a period of time. In the case where multiple patches may need to be installed, care should be taken to ensure that they are installed in the proper order. Otherwise, the patches may not be effective or cause additional problems.
If an institution reinstalls software, previously installed patches may need to be reinstalled (in the original order) in order to be effective. The original install media for the reinstalled software (e.g., CD-ROM, tape, floppy disk) should be maintained as well as all subsequent patches that were installed in the production environment. To simplify the reinstallation process, the institution can maintain current and previous system version backups of all software. Those versions can then be used in lieu of installing the software from the original installation media. An accurate inventory of systems and patch levels is essential in ensuring the recovery process is comprehensive.
Financial institutions may find out about computer software vulnerabilities from several sources. These include the software vendor, security vendors, subscription alert services, other users, and hackers attempting to gain unauthorized access to a system. Effective patch management will assist financial institution management in mitigating the risks associated with software vulnerabilities and in ensuring that the security and availability of computer systems are not compromised.
1 The institution's patch management program should be discussed in its annual report to the Board of Directors pursuant to the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 CFR 364, Appendix B, Section III(F).
|Last Updated firstname.lastname@example.org|