Supervision of Information Security and Technology Risk

Barbara Yelcich, Federal Reserve Bank of New York

Presentation to the World Bank

September 10, 2003

Agenda

  • Overview of Technology Supervision
  • Top Security Concerns
  • Recent Regulatory Efforts to Improve Guidance
  • Other Initiatives
  • Next Steps
Overview of Technology Supervision
  • Financial Institutions supervised through the FFIEC
    • Member Agencies: OCC, FRB, FDIC, OTS & NCUA
  • Interagency IT Sub-Committee responsible for:
    • Issuing information technology guidance
    • Supervising service providers & software vendors
    • Working w/government, industry & other bank supervisors (e.g., FBIC, BITS & BIS)
  • Consistent Interagency Rating System used by all agencies
  • Reference: http://www.federalreserve.gov/boarddocs/srletters/
Top Security Concerns
  • Identity Theft
    • Top concern among financial institutions
    • Additional customer protection requirements likely
  • Quality of Software Issues
    • Virus abuse, offshore concerns, development in general
  • DoS attacks
  • Internal threats
    • Insider abuse of network access still a key concern
  • Note: FIs beginning to be targeted; incident reporting still low
Recent Efforts to Improve Guidance: FFIEC Handbooks
  • Recently revised FFIEC handbook into a set of “Booklets”
    • Issued Booklets on information security, business continuity & technology service providers
    • Others under development (IT outsourcing, development and acquisition, electronic banking, payments, etc.)
  • Reference: http://www.ffiec.gov/ffiecinfobase/index.html
FFIEC Information Security Handbook: Info Security Risk Assessment & Control Process

[Diagram: process cycle around Risk Assessment, with Governance, Strategy, Policies and Threat & Vulnerability feeding in, and three control phases. Labels recovered from the slide:]
  • Prevention: Software Patching, Testing, Firewalls/PKI, Encryption, Code Reviews/Testing, Personnel Screening, Virus Scan/Content Filtering, Service Provider Oversight
  • Detection: Logging, Monitoring & Updating, Intrusion Detection
  • Recovery: Reinstate Service, Evidence Handling, Forensic Analysis, Incident Management, CIRT, Investigation, Policy Amendment

Recent Efforts... GLBA
  • First step toward extending banks’ info security programs to specifically safeguard customer information
  • Banks’ security programs must comply w/6 requirements:
    • Board of Directors and management oversight
    • Risk assessment
    • Managing & controlling risk
    • Service provider oversight
    • Adjusting the security program
    • Reporting to the Board
  • Banks generally in compliance
  • Improvement needed in performing risk assessments and reporting to the Board
Recent Efforts... Incident Response
  • Interagency “Incident Response” Letter distributed for public comment in August
  • Proposed guidance:
    • Requires banks to develop a response program to protect against threats to customer information maintained by the bank or its service provider
    • Further describes the components of a response program, which includes procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer
  • Reference: http://a257.g.akamaitech.net/7/257/2422/12aug20030800/edocket.access.gpo.gov/2003/pdf/03-20440.pdf
Other Internal Regulatory Initiatives
  • Established Cyber-Security Working Group within FRS to:
    • Identify emerging cyber security risk issues & business practices
    • Identify gaps in existing guidance
    • Improve communication throughout the System
  • Working w/other Reserve Banks & agencies to strengthen guidance
  • Working w/other regulators to improve awareness through outreach
Other Internal Regulatory Initiatives (continued)
  • Cyber-Security Awareness sessions w/industry experts
  • Improve cyber awareness via the FRB Intranet
  • Increase awareness of existing guidance (internal & external)
  • Developed Cyber “Health Check” & strengthened reporting
  • Collaborate on issues w/internal technology specialists
  • Developing detailed examiner guidance in emerging areas
Next Steps
  • Develop guidance to support emerging business practices
  • Some areas that may warrant additional guidance include:
    • Vulnerability assessment
    • Penetration testing
    • IDS
    • Forensics