CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer)
Guidance on Developing an Effective Computer Virus Protection Program
The FDIC is issuing guidance to financial institutions about the importance of maintaining an effective computer virus protection program. The guidance provides information on the risks associated with computer viruses and how these risks can be mitigated.
The Federal Deposit Insurance Corporation (FDIC) has prepared the attached guidance to assist financial institutions in developing an effective computer virus protection program in order to mitigate the risks associated with computer viruses and other types of malicious software codes. Financial institutions rely on the Internet to conduct business transactions and to communicate with customers, vendors and other business partners. Commonly used electronic mail applications are susceptible to computer viruses that may be embedded in e-mails and e-mail file attachments. Therefore, it is important that management understand the risks of computer viruses and take appropriate action to protect computer systems.
Customer information security guidelines require periodic risk assessments and status reports be provided to the Board of Directors. The effectiveness of the institution’s computer virus protection program should be addressed in these periodic assessments and reports. Any control weaknesses should be identified and addressed during the normal course of business.
This guidance is designed to complement the FFIEC Information Security IT Examination Handbook, issued December 2002, and to supplement Financial Institution Letter 68-99, “Risk Assessment Tools and Practices for Information System Security.”
For more information about computer virus protection programs, please contact your FDIC Division of Supervision and Consumer Protection Regional Office or Kathryn M. Weatherby, Examination Specialist, at (202) 898-6793.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC’s Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).