FFIEC Information Technology Examination Handbook


FFIEC Information Technology Examination Handbook
Information Security
SEPTEMBER 2016

FFIEC IT Examination Handbook
Information Security

Contents

INTRODUCTION ..... 1
I GOVERNANCE OF THE INFORMATION SECURITY PROGRAM ..... 3
I.A Security Culture ..... 3
I.B Responsibility and Accountability ..... 3
I.C Resources ..... 5
II INFORMATION SECURITY PROGRAM MANAGEMENT ..... 6
II.A Risk Identification ..... 7
II.A.1 Threats ..... 8
II.A.2 Vulnerabilities ..... 8
II.A.3 Supervision of Cybersecurity Risk and Resources for Cybersecurity Preparedness ..... 9
II.B Risk Measurement ..... 10
II.C Risk Mitigation ..... 11
II.C.1 Policies, Standards, and Procedures ..... 11
II.C.2 Technology Design ..... 12
II.C.3 Control Types ..... 12
II.C.4 Control Implementation ..... 13
II.C.5 Inventory and Classification of Assets ..... 14
II.C.6 Mitigating Interconnectivity Risk ..... 14
II.C.7 User Security Controls ..... 15
II.C.8 Physical Security ..... 18
II.C.9 Network Controls ..... 19
II.C.10 Change Management Within the IT Environment ..... 21
II.C.11 End-of-Life Management ..... 25
II.C.12 Malware Mitigation ..... 25
II.C.13 Control of Information ..... 26
II.C.14 Supply Chain ..... 29
II.C.15 Logical Security ..... 30
II.C.16 Customer Remote Access to Financial Services ..... 35
II.C.17 Application Security ..... 38
II.C.18 Database Security ..... 40
II.C.19 Encryption ..... 40
II.C.20 Oversight of Third-Party Service Providers ..... 42

II.C.21 Business Continuity Considerations ..... 43
II.C.22 Log Management ..... 44
II.D Risk Monitoring and Reporting ..... 45
II.D.1 Metrics ..... 45
III SECURITY OPERATIONS ..... 46
III.A Threat Identification and Assessment ..... 47
III.B Threat Monitoring ..... 48
III.C Incident Identification and Assessment ..... 49
III.D Incident Response ..... 50
IV INFORMATION SECURITY PROGRAM EFFECTIVENESS ..... 52
IV.A Assurance and Testing ..... 53
IV.A.1 Key Testing Factors ..... 53
IV.A.2 Types of Tests and Evaluations ..... 54
IV.A.3 Independence of Tests and Audits ..... 56
IV.A.4 Assurance Reporting ..... 56
APPENDIX A: EXAMINATION PROCEDURES ..... 57
APPENDIX B: GLOSSARY ..... 75
APPENDIX C: LAWS, REGULATIONS, AND GUIDANCE ..... 89

Introduction

This “Information Security” booklet is an integral part of the Federal Financial Institutions Examination Council (FFIEC)[1] Information Technology Examination Handbook (IT Handbook) and should be read in conjunction with the other booklets in the IT Handbook. This booklet provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s[2] information systems.[3] It also helps examiners evaluate the adequacy of the information security program’s integration into overall risk management.[4]

Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value. The potential adverse effects can arise from the following:

• Disclosure of information to unauthorized individuals.
• Unavailability or degradation of services.
• Misappropriation or theft of information or services.
• Modification or destruction of systems or information.
• Records that are not timely, accurate, complete, or consistent.

[1] The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Public Law 95-630. The FFIEC is composed of the principals of the following: the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).
[2] The term “financial institution” includes national banks, federal savings associations, state savings associations, state member banks, state nonmember banks, and credit unions. The term is used interchangeably with “institution” in this booklet.
[3] Examiners should also use this booklet to evaluate the performance by third-party service providers, including technology service providers, of services on behalf of financial institutions.
[4] This booklet addresses regulatory expectations regarding the security of all information systems and information maintained by or on behalf of a financial institution, including a financial institution’s own information and that of all of its customers. An institution’s overall information security program must also address the specific information security requirements applicable to “customer information” set forth in the “Interagency Guidelines Establishing Information Security Standards” implementing section 501(b) of the Gramm–Leach–Bliley Act and section 216 of the Fair and Accurate Credit Transactions Act of 2003. See 12 CFR 30, appendix B (OCC); 12 CFR 208, appendix D-2 and 225, appendix F (FRB); 12 CFR 364, appendix B (FDIC); and 12 CFR 748, appendix A (NCUA) (collectively referenced in this booklet as the “Information Security Standards”).

Institutions should maintain effective information security programs commensurate with their operational complexities.[5] Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities. In addition, because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.

Institutions should also assess and refine their controls on an ongoing basis. The condition of a financial institution’s controls, however, is just one indicator of its overall security posture. Other indicators include the ability of the institution’s board and management to continually review the institution’s security posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. Information security is far more effective when management does the following:

• Integrates processes, people, and technology to maintain a risk profile that is in accordance with the board’s risk appetite.[6]
• Aligns the information security program with the enterprise risk management program and identifies, measures, mitigates, and monitors risk.

Because risk mitigation frequently depends on institution-specific factors, this booklet describes processes and controls that an institution can use to protect information and supporting systems from various threats. Management should be able to identify and characterize the threats, assess the risks, make decisions regarding the implementation of appropriate controls, and provide appropriate monitoring and reporting.

Financial institutions may outsource some or all of their IT-related functions. Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulatory expectations for an effective information security program. Examiners should use this booklet when evaluating a financial institution’s risk management process, including the duties, obligations, and responsibilities of the third-party service provider regarding information security and the oversight exercised by the financial institution.

[5] See also Information Security Standards, section II.A, requiring each financial institution to have a comprehensive written information security program, appropriate to its size and complexity, designed to (1) ensure the security and confidentiality of “customer information”; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of both “customer information” and any “consumer information.”
[6] Risk appetite can be defined as the amount of risk a financial institution is prepared to accept when trying to achieve its objectives.

I Governance of the Information Security Program

Action Summary

Management should promote effective IT governance by doing the following:

• Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
• Clearly defining and communicating information security responsibilities and accountability throughout the institution.
• Providing adequate resources to effectively support the information security program.

While IT governance is generally addressed in the IT Handbook’s “Management” booklet, this booklet addresses specific governance topics related to information security, including the following:

• Implementation and promotion of security culture.
• Assignment of responsibilities and accountability.
• Effective funding and use of resources.

I.A Security Culture

An institution’s security culture contributes to the effectiveness of the information security program. The information security program is more effective when security processes are deeply embedded in the institution’s culture.

The board and management should understand and support information security and provide appropriate resources for developing, implementing, and maintaining the information security program. The result of this understanding and support is a program in which management and employees are committed to integrating the program into the institution’s lines of business, support functions, and third-party management program.

The introduction of new business initiatives (such as new service offerings or applications) can reveal the maturity of and degree to which information security is part of the institution’s culture. An institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications. Another indicator of an effective culture is whether management and employees are held accountable for complying with the institution’s information security program.

I.B Responsibility and Accountability

The board, or designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution’s information security program and holding senior management accountable for its actions. The board should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program’s effectiveness; and, when appropriate, discuss management’s recommendations for corrective action. The board should provide management with its expectations and requirements and hold management accountable for central oversight and coordination, assignment of responsibility, and effectiveness of the information security program.

The board, or designated board committee, should approve the institution’s written information security program; affirm responsibilities for the development, implementation, and maintenance of the program; and review a report on the overall status of the program at least annually.[7]

Management should provide a report to the board at least annually[8] that describes the overall status of the program and material matters related to the program, including the following:

• Risk assessment process, including threat identification and assessment.
• Risk management and control decisions, including risk acceptance and avoidance.
• Third-party service provider arrangements.
• Results of testing.
• Security breaches or violations of law or regulation and management’s responses to such incidents.
• Recommendations for updates to the information security program.

When providing reports on information security, management should include the results of management assessments and reviews; internal and external audit activity related to information security; third-party reviews of the information security program and information security measures; and other internal or external reviews designed to assess the adequacy of the information security program, processes, policies, and controls.

Management also should do the following:

• Implement the board-approved information security program.
• Establish appropriate policies, standards, and procedures to support the information security program.
• Participate in assessing the effect of security threats or incidents on the institution and its lines of business and processes.
• Delineate clear lines of responsibility and communicate accountability for information security.
• Adhere to board-approved risk thresholds relating to information security threats or incidents, including those relating to cybersecurity.
• Oversee risk mitigation activities that support the information security program.
• Implement a risk acceptance process that identifies the risk and when, how, to what extent, and who in management has accepted the risk associated with identified vulnerabilities.
• Establish segregation of duties.
• Coordinate information and physical security.
• Integrate security controls throughout the institution.
• Require that data with similar criticality and sensitivity be protected consistently throughout the institution.
• Establish and monitor the information security responsibilities of third parties, as further described in the “Oversight of Third-Party Service Providers” section of this booklet.
• Maintain job descriptions or employment contracts that include specific information security responsibilities.
• Provide information security and awareness training and ongoing security-related communications to employees, and ensure employees complete such training annually.

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. Information security management responsibilities may be distributed across various lines of business depending on where the risk decisions are made and the institution’s size, complexity, culture, nature of operations, or other factors.

Information security officers should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management. Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

Internal auditors should implement a risk-based audit program to ensure management maintains and the bo

[7] See also Information Security Standards, section III.A, requiring the board of directors or an appropriate committee of the board of each financial institution to approve the institution’s written information security program, and oversee the development, implementation, and maintenance of the program, including assigning specific responsibility for its implementation and reviewing management reports.
[8] See also Information Security Standards, section III.F, requiring each financial institution to report to its board or an appropriate committee of the board at least annually. The report should include a description of the institution’s compliance with the Information Security Standards and discuss material matters related to its information security program.
