How will examiners review the information security programs of financial institutions?

Revised guidance from the Federal Financial Institutions Examination Council (FFIEC) provides help to banks by articulating the expectations of federal regulators in an update to the "Information Security" booklet originally released by the interagency body in 2006.

What happened

Information security "is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information," the FFIEC explained, and is "essential" to the overall safety and soundness of an institution.

To help guide banks through the process of examinations focused on information security, the updated guidance begins with some general rules. Information security policies and processes should be "commensurate with [a bank's] operational complexities," with strong board and senior management support, clear accountability for carrying out security responsibilities, and review on an ongoing basis to "assess and refine" program controls.

The guidance set forth four overarching areas of an institution's information security program that examiners will be taking a closer look at, beginning with effective corporate governance. Banks should establish a "culture" of information security, with clearly defined information security responsibilities and adequate resources to support the information security program, the FFIEC said.

"Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program," the guidance stated, independent of the IT operations staff and reporting directly to the board or senior management.

With regard to information security management policies and procedures, banks should identify threats, measure risk, define information security requirements, and implement controls, the booklet advised. Consistent with the FFIEC Cybersecurity Assessment Tool, the guidance reminded financial institutions to address each phase of the information life cycle, from risk identification to risk measurement to risk mitigation and risk monitoring and reporting.

In addition, the policies should integrate with other parts of the bank like support functions and lines of business, making sure to consider third-party service provider activities. "Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulator expectations for an effective information security program," the guidance noted.

Examiners will also review the security operations of a financial institution's information security program. Strong operations should be broad enough to encompass all security-related functions with appropriate staffing levels as well as the technology necessary for continual incident detection and response activities.

Policies should address the "timing and extent" of security operations activities, reporting, escalation triggers, and response actions, the FFIEC said, adding that many institutions use an issue tracking system to record and manage requests and events.

Finally, the guidance discussed the need for testing. Self-assessments, tests, and audits of the overall program are essential, and should have appropriate coverage, depth, and independence, the FFIEC explained. As part of the testing regime, a reporting process—including the creation and distribution of "timely, complete, transparent, and relevant to management decision" reports—should be followed.

To read the FFIEC's booklet, click here.

Why it matters

The FFIEC guidance offers a road map to information security program compliance and is required reading for financial institutions.