In the Winter 2006 edition of Supervisory Insights, released on January 3, 2007, the Federal Deposit Insurance Corporation set forth information on the incident response programs that banks should use when a security breach or data compromise occurs.
As stated in the materials, “banks are increasingly becoming prime targets for attack because they hold valuable data that, when compromised, may lead to identity theft and financial loss.” Moreover, the guidance notes that, “despite the industry’s efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.”
The guidance notes that the federal regulators addressed incident response programs in April 2005 with interpretive guidance. That guidance involved two areas: reaction and notification. As described by the regulators, the reaction procedures are those that are the “initial actions taken once a compromise has been identified.” The notification procedures are those processes involved in “communicating the details or events of the incident to interested parties and may sometimes involve reporting requirements.”
Aside from developing policies and procedures with respect to those requirements, this guidance suggests the following best practices:
(i) preparation, which includes establishing an incident response team and defining what constitutes an “incident”;
(ii) detection, which includes identifying indicators of unauthorized system access and involving legal counsel;
(iii) containment, which involves establishing notification escalation procedures and organizing a public relations program;
(iv) recovery, which includes determining whether configurations or processes should be changed and testing affected systems or procedures prior to implementation; and
(v) follow-up, which includes conducting a “lessons learned” meeting at the conclusion of the incident.