Booklet: Information Security
Section: Introduction

Overview

Information is one of a financial institution’s most important assets.  Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution.  Timely and reliable information is necessary to process transactions and support financial institution and customer decisions.  A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations.  On a broad scale, the financial institution industry has a primary role in protecting the nation’s financial services infrastructure.  The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer financial information. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities.  This booklet provides guidance to examiners and organizations on assessing the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.

Organizations often inaccurately perceive information security as the state or condition of controls at a point in time.  Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture.  Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions.  A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels.  Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.

Financial institutions may outsource some or all of their information processing.  Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

COORDINATION WITH GLBA SECTION 501(B)

Member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA) by defining a process-based approach to security in the “Interagency Guidelines Establishing Information Security Standards” (501(b) guidelines).  The 501(b) guidelines afford the FFIEC agencies (agencies) enforcement options if financial institutions do not establish and maintain adequate information security programs.  This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations and all related data, and serves as a supplement to the agencies’ GLBA 501(b) expectations.

SECURITY OBJECTIVES

Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers.  Organizations meet this goal by striving to accomplish the following objectives:

  • Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information.  This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
  • Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
  • Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
  • Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source.  Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
  • Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended.  Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Integrity and accountability combine to produce what is known as non-repudiation.  Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counterparty, and no changes occurred in transit or storage.  Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions.  While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.

Regulatory Guidance, Resources, and Standards

Financial institutions developing or reviewing their information security controls, policies, procedures, or processes have a variety of sources upon which to draw.  First, federal laws and regulations address security, and regulators have issued numerous security-related guidance documents.  Institutions also have a number of third-party or security industry resources to draw upon for guidance, including outside auditors, consulting firms, insurance companies, and information security professional organizations.  In addition, many national and international standard-setting organizations are working to define information security standards and best practices for electronic commerce.  While no formal industry-accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices.  Some standard-setting groups include the following organizations:

  • The National Institute of Standards and Technology (NIST) at www.nist.gov;
  • The International Organization for Standardization (ISO) at www.iso.ch, with specific information technology standards such as
    • The code of practice for information security management (ISO/IEC 17799) and
    • Information technology—Security techniques—Evaluation criteria for IT security (ISO/IEC 15408); and
  • The Information Systems Audit and Control Association (ISACA)—Control Objectives for Information Technology (CobiT), at www.isaca.org/cobit.htm.