
1 Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10, 2003

2 Agenda
Overview of Technology Supervision
Top Security Concerns
Recent Regulatory Efforts to Improve Guidance
Other Initiatives
Next Steps

3 Overview of Technology Supervision
Financial institutions are supervised through the FFIEC
–Member agencies: OCC, FRB, FDIC, OTS & NCUA
Interagency IT Sub-Committee responsible for:
–Issuing information technology guidance
–Supervising service providers & software vendors
–Working w/government, industry & other bank supervisors (e.g., FBIC, BITS & BIS)
Consistent Interagency Rating System used by all agencies
Reference: http://www.federalreserve.gov/boarddocs/srletters/

4 Top Security Concerns
Identity Theft
–Top concern among financial institutions
–Additional customer protection requirements likely
Quality of Software Issues
–Virus abuse, offshore concerns, development in general
DOS attacks
Internal threats
–Insider abuse of network access still a key concern
Note: FIs beginning to be targeted / incident reporting still low

5 Recent Efforts to Improve Guidance: FFIEC Handbooks
Recently revised FFIEC handbook into a set of “Booklets”
–Issued Booklets on information security, business continuity & technology service providers
–Others under development (IT outsourcing, development and acquisition, electronic banking, payments, etc.)
Reference: http://www.ffiec.gov/ffiecinfobase/index.html

6 FFIEC Information Security Handbook: Info Security Risk Assessment & Control Process
Process phases: Prevention, Detection, Recovery, Investigation
Controls shown across the phases:
–Governance, Policies, Strategy, Service Provider Oversight, Personnel Screening
–Threat & Vulnerability Risk Assessment, Code Reviews/Testing, Testing
–Firewalls/PKI, Encryption, Virus Scan/Content Filtering, Software Patching
–Intrusion Detection, Logging, Monitoring & Updating
–Incident Management, CIRT, Reinstate Service, Policy Amendment
–Forensic Analysis, Evidence Handling

7 Recent Efforts: GLBA
First step toward extending banks’ information security programs to specifically safeguard customer information
Banks’ security programs must comply w/6 requirements:
–Board of Directors and management oversight
–Risk assessment
–Managing & controlling risk
–Service provider oversight
–Adjusting the security program
–Reporting to the Board
Banks generally in compliance
Improvement needed in performing risk assessments and reporting to the Board

8 Recent Efforts: Incident Response
Interagency “Incident Response” letter distributed for public comment in August
Proposed guidance:
–Requires banks to develop a response program to protect against threats to customer information maintained by the bank or its service provider
–Further describes the components of a response program, which include procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer
Reference: http://a257.g.akamaitech.net/7/257/2422/12aug20030800/edocket.access.gpo.gov/2003/pdf/03-20440.pdf

9 Other Internal Regulatory Initiatives
Established Cyber-Security Working Group within FRS to:
–Identify emerging cyber security risk issues & business practices
–Identify gaps in existing guidance
–Improve communication throughout the System
Working w/other Reserve Banks & agencies to strengthen guidance
Working w/other regulators to improve awareness through outreach

10 Other Internal Regulatory Initiatives
Cyber-Security Awareness sessions w/industry experts
Improve cyber awareness via the FRB Intranet
Increase awareness of existing guidance (internal & external)
Developed Cyber “Health Check” & strengthened reporting
Collaborate on issues w/internal technology specialists
Developing detailed examiner guidance in emerging areas

11 Next Steps
Develop guidance to support emerging business practices
Some areas that may warrant additional guidance include:
–Vulnerability assessment
–Penetration testing
–IDS
–Forensics
