Information Technology Risk Management Program (IT-RMP)
BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  


Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers - Report No. 07-005

In the first 10 months of 2006, over half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). In accordance with federal laws and regulations, financial institutions must safeguard sensitive customer information against unauthorized disclosure when outsourcing various information technology (IT) operations to TSPs.

Interagency guidelines contained in Part 364 of the FDIC Rules and Regulations establish key controls over TSPs, noting that each bank shall (1) exercise due diligence in selecting TSPs, (2) have contractual arrangements with their TSPs that require appropriate measures to safeguard customer information, and (3) provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations.




FDIC's Supervisory Insights Reports How Banks Can Effectively Handle Security Breaches Through Incident Response Programs

How a financial institution can create an effective incident response program to mitigate a data security breach is reported in the FDIC's winter 2006 edition of Supervisory Insights, released today. Other topics covered in today's edition are: an update on CRE lending nationwide, with a look at best practices in CRE concentrations, particularly for identifying, monitoring and controlling risk in this lending area; the increasing number of unfair or deceptive acts or practices, and how examiners identify and address those violations; and highlights of recent USA PATRIOT Act changes and the types of Bank Secrecy Act (BSA)-related violations that examiners are citing.




OTS Appoints William Henley as Director of IT Risk Management

The Office of Thrift Supervision (OTS) announced the recent appointment of William H. Henley, Jr. as its Director of IT Risk Management.

In this position, Henley supports the examination and supervision of savings associations for Information Technology (IT) issues. In particular, he is the principal advisor for the development, implementation and maintenance of policies, procedures and guidelines in the IT area, including Technology Risk Management. Henley also serves as the OTS representative to the FFIEC IT Subcommittee.




Risk Management Guide for Information Technology Systems - NIST SP 800-30

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.




Agencies Release Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual

The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.




Federal Financial Regulators Release Updated Information Security Booklet

The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes.

The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.




Information Technology Examination Handbook - Updated Information Security Booklet

The Office of Thrift Supervision (OTS), along with the other federal banking agencies, has released the revised Information Security Booklet and an Executive Summary of the Federal Financial Institutions Examination Council's (FFIEC) Information Technology Examination Handbook.

The revised Information Security Booklet, which replaces the 2003 version of the booklet, provides updated guidance for examiners, savings associations, and technology service providers to use in identifying information security risks and evaluating the adequacy of controls and risk management practices. The revised guidance addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance.




FDIC Proposes New Risk-Based Insurance Assessment System

The FDIC's Board of Directors today approved for public comment two proposed rules governing deposit insurance assessments under the Federal Deposit Insurance Reform Act of 2005. One proposal would create a new system that would more closely tie what banks pay for deposit insurance to the risks they pose. It also would adopt a new base schedule of rates that the FDIC Board could adjust up or down, depending upon the revenue needs of the insurance fund. The second proposal issued today would continue to set the designated reserve ratio (DRR) for the fund at 1.25 percent of estimated insured deposits.

"The proposed new system of risk-based assessments would allow the FDIC to adhere more closely to sound insurance principles because the safer an institution is, the less it will pay for deposit insurance," said FDIC Chairman Sheila Bair. "We hope that most FDIC-insured institutions will find our proposals reasonable and fair, and we look forward to receiving comments."




Information Technology Risks and Controls - Examination Handbook

Summary: This Regulatory Bulletin transmits Examination Handbook Section 341, Information Technology Risks and Controls. The Office of Thrift Supervision substantially revised and reorganized this section of the Examination Handbook. This handbook section replaces existing guidance found in Thrift Activities Handbook Section 341, Technology Risk Controls. This bulletin rescinds RB 32-21 dated January 7, 2002.

The rapid growth and extensive deployment of information technology (IT) requires a thorough assessment of the risks inherent in such activities. The Examination Handbook section issued today outlines OTS expectations that savings associations fully address the risks and challenges posed by using technology, and establish effective risk management practices commensurate with the association's size and complexity. Use this Handbook section and its examination procedures in conjunction with other Handbook sections that provide guidance for reviewing an association's internal control environment.




Information Security Risk Assessment

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.






Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide

I. INTRODUCTION

Purpose and Scope of the Guide

This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.





Information Technology Risk Management Program (IT-RMP)

Summary: The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions.

Highlights:

* The FDIC's new risk-focused IT examination procedures focus on the financial institution's information security program and risk-management practices for securing information assets.

* The IT Examination Officer's Questionnaire must be completed and signed by an officer of the financial institution and returned to the FDIC examiner-in-charge prior to the on-site portion of the examination.




Guidance on Implementing a Fraud Hotline

Summary: The FDIC is providing guidance to financial institutions on implementing a fraud hotline to minimize potential and actual fraud risks as part of a bank's governance and enterprise risk management program.

Highlights:

The FDIC encourages financial institutions to consider the benefits of implementing a fraud hotline as a confidential communication channel to identify fraud and reduce fraud-related losses.

The Association of Certified Fraud Examiners – in its “2004 Report to the Nation” – stated that organizations without mechanisms to report fraud suffered financial losses that were more than twice as high as organizations with anonymous fraud-reporting mechanisms.




FDIC: Relationship Manager Program, Enhancements to the Supervision Program

Summary: On September 30, 2005, the FDIC implemented the Relationship Manager Program (RMP) for all FDIC-supervised financial institutions. The RMP is designed to strengthen lines of communication between bankers and the FDIC, as well as improve the coordination, continuity and effectiveness of FDIC supervision.

Highlights:
All FDIC-supervised institutions will be assigned a relationship manager who will serve as a local point-of-contact.








Copyright © 2007 BankInfoSecurity.com