Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10, 2003

Agenda Overview of Technology Supervision Top Security Concerns Recent Regulatory Efforts to Improve Guidance Other Initiatives Next Steps

Overview of Technology Supervision Financial Institutions supervised through the FFIEC –Member Agencies: OCC, FRB, FDIC, OTS & NCUA Interagency IT Sub-Committee responsible for: –Issuing information technology guidance –Supervising service providers & software vendors –Working w/government, industry & other bank supervisors (e.g., FBIC, BITS & BIS) Consistent lnteragency Rating System used by all agencies Reference:

Top Security Concerns Identity Theft –Top concern among financial institutions –Additional customer protection requirements likely Quality of Software Issues –Virus abuse, offshore concerns, development in general DOS attacks Internal threats –Insider abuse of network access still a key concern Note: FIs beginning to be targeted/Incident reporting still low

Recent Efforts to Improve Guidance FFIEC Handbooks Recently revised FFIEC handbook into a set of “Booklets” –Issued Booklets on information security, business continuity & technology service providers –Others under development (IT outsourcing, development and acquisition, electronic banking, payments, etc.) Reference:

FFIEC Information Security Handbook Info Security Risk Assessment & Control Process Prevention Detection Recovery Investigation Code Reviews/Testing Firewalls/PKI Governance Policies ForensicAnalysis Monitoring & Updating EvidenceHandling IncidentManagement SoftwarePatching PolicyAmendment ReinstateService Virus Scan/Content Filtering Encryption Intrusion Detection CIRT Strategy Service Provider Oversight Threat & Vulnerability Risk Assessment Logging Testing Personnel Screening

Recent Efforts…. GLBA First step toward extending banks’ info security programs to specifically safeguard of customer information Banks security programs must comply w/6 requirements: –Board of Directors and management oversight –Risk assessment –Managing & controlling risk –Service provider oversight –Adjusting the security program –Reporting to the Board Banks generally in compliance Improvement needed in performing risk assessments and reporting to the Board

Recent Efforts...Incident Response Interagency “Incident Response” Letter distributed for public comment in August Proposed guidance: –Requires banks to develop a response program to protect against threats to customer information maintained the by the bank or its service provider –Further describes the components of a response program, which includes procedures for notifying customers about incidents of unauthorized customer information that could result in substantial harm or inconvenience to the customer Reference: g /edocket.access.gpo.gov/2003/pdf/ pdf

Other Internal Regulatory Initiatives Established Cyber-Security Working group within FRS to: –Identify emerging cyber security risk issues & business practices –Identify gaps in existing guidance –Improve communication throughout the System Working w/other Reserve banks & agencies to strengthen guidance Working w/other regulators to improve awareness through outreach

Other Internal Regulatory Initiatives Cyber-Security Awareness sessions w/industry experts Improve cyber awareness through via FRB Intranet Increase awareness of existing guidance (internal & external) Developed Cyber “Health Check & Strengthened reporting Collaborate on issues w/internal technology specialists Developing detailed examiner guidance in emerging areas

Next Steps….. Develop guidance to support emerging business practices Some areas that may warrant additional guidance include: –Vulnerability assessment –Penetration testing –IDS –Forensics