
Supervision of Information Security and Technology Risk

Supervision of Information Security and Technology Risk. Barbara Yelcich, Federal Reserve Bank of New York. Presentation to the World Bank, September 10, 2003. Agenda: Overview of Technology Supervision; Top Security Concerns; Recent Regulatory Efforts to Improve Guidance.


Presentation Transcript


  1. Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10, 2003

  2. Agenda
  • Overview of Technology Supervision
  • Top Security Concerns
  • Recent Regulatory Efforts to Improve Guidance
  • Other Initiatives
  • Next Steps

  3. Overview of Technology Supervision
  • Financial Institutions supervised through the FFIEC
  • Member Agencies: OCC, FRB, FDIC, OTS & NCUA
  • Interagency IT Sub-Committee responsible for:
    • Issuing information technology guidance
    • Supervising service providers & software vendors
    • Working w/government, industry & other bank supervisors (e.g., FBIC, BITS & BIS)
  • Consistent Interagency Rating System used by all agencies
  Reference: http://www.federalreserve.gov/boarddocs/srletters/

  4. Top Security Concerns
  • Identity Theft
    • Top concern among financial institutions
    • Additional customer protection requirements likely
  • Quality of Software Issues
    • Virus abuse, offshore concerns, development in general
  • DOS attacks
  • Internal threats
    • Insider abuse of network access still a key concern
  • Note: FIs beginning to be targeted; incident reporting still low

  5. Recent Efforts to Improve Guidance: FFIEC Handbooks
  • Recently revised FFIEC handbook into a set of “Booklets”
  • Issued Booklets on information security, business continuity & technology service providers
  • Others under development (IT outsourcing, development and acquisition, electronic banking, payments, etc.)
  • Reference: http://www.ffiec.gov/ffiecinfobase/index.html

  6. FFIEC Information Security Handbook: Info Security Risk Assessment & Control Process
  [Slide is a process diagram; only its labels survive.]
  Process phases shown: Governance, Strategy, Policies; Threat & Vulnerability Risk Assessment; Prevention; Detection; Recovery; Policy Amendment.
  Controls shown: Software Patching; Testing; Firewalls/PKI; Logging; Encryption; Monitoring & Updating; Code Reviews/Testing; Personnel Screening; Virus Scan/Content Filtering; Service Provider Oversight; Intrusion Detection; Reinstate Service; Evidence Handling; Forensic Analysis; Incident Management; CIRT; Investigation.

  7. Recent Efforts….GLBA
  • First step toward extending banks’ info security programs to specifically safeguard customer information
  • Banks’ security programs must comply w/6 requirements:
    • Board of Directors and management oversight
    • Risk assessment
    • Managing & controlling risk
    • Service provider oversight
    • Adjusting the security program
    • Reporting to the Board
  • Banks generally in compliance
  • Improvement needed in performing risk assessments and reporting to the Board

  8. Recent Efforts...Incident Response
  • Interagency “Incident Response” Letter distributed for public comment in August
  • Proposed guidance:
    • Requires banks to develop a response program to protect against threats to customer information maintained by the bank or its service provider
    • Further describes the components of a response program, which includes procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer
  • Reference: http://a257.g.akamaitech.net/7/257/2422/12aug20030800/edocket.access.gpo.gov/2003/pdf/03-20440.pdf

  9. Other Internal Regulatory Initiatives
  Established Cyber-Security Working group within FRS to:
  • Identify emerging cyber security risk issues & business practices
  • Identify gaps in existing guidance
  • Improve communication throughout the System
  • Working w/other Reserve banks & agencies to strengthen guidance
  • Working w/other regulators to improve awareness through outreach

  10. Other Internal Regulatory Initiatives
  • Cyber-Security Awareness sessions w/industry experts
  • Improve cyber awareness via FRB Intranet
  • Increase awareness of existing guidance (internal & external)
  • Developed Cyber “Health Check” & strengthened reporting
  • Collaborate on issues w/internal technology specialists
  • Developing detailed examiner guidance in emerging areas

  11. Next Steps…..
  • Develop guidance to support emerging business practices
  • Some areas that may warrant additional guidance include:
    • Vulnerability assessment
    • Penetration testing
    • IDS
    • Forensics