Application Security Draws Extra Attention from Feds

OCC Bulletin Focuses on Risk, Vendor Management

Banking institutions must conduct appropriate security risk assessment and mitigation on all software applications, regardless of whether developed internally, by a vendor or by outside developers.
This is the key point of a recent bulletin from the Office of the Comptroller of the Currency (OCC Bulletin Released on Application Security for OCC-Regulated Banks), which regulates and supervises all national banks.
"This letter is just an outgrowth of the natural processes and efforts of the OCC," says Mark O'Dell, Deputy Comptroller of the OCC. "It reminds institutions that when developing applications, security needs to be baked in to that development process."
Noting that this letter could broadly apply to many other industries outside banking, O'Dell points to instances in the past couple of years where application security has been an issue (think of recent data breaches) and where new threats, especially to Internet and web applications, have emerged. "We just want to make sure we remind our institutions that these risks are real to them and that their application development process appropriately addresses security."
The OCC's focus on application security isn't something that should surprise financial institutions, says Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association. "Application security is on the minds of many institutions, given the fact that no application really stands alone in our networked environment," he says. "While the new guidance applies only to national banks (those that fall under OCC review), it would not hurt any bank to review it."
Focus on Vendor Management
In terms of the OCC's guidance, and how this letter fits in with the bigger picture of compliance, O'Dell says, "A great deal of our guidance deals with third-party service and vendor management issues and outsourcing activities and what our expectations are in terms of risk management."
While a bank may outsource processing or other activities, O'Dell says, "in terms of the risk management responsibilities that are associated with those activities, all those stay at the bank level."
O'Dell says that, in terms of this particular guidance, while banks may outsource a great deal of Internet application development or may purchase software from third-party companies or technology service providers, "We would still expect banks to understand the processes that those third parties or service providers have used to ensure that application security was again 'baked into' the application development processes of the applications that the bank is buying."
As to whether banks will be examined for compliance on these points, the answer is yes, he says: "We will as a matter of due course be looking for the processes that a bank has in place for ensuring application security -- that will be a part of the ongoing natural processes that we use when setting supervisory strategies."
O'Dell says the OCC expects most of its regulated banks already have these processes in place: "Security is already a part of the examination process in many different ways and many different perspectives."
Key Risk Factors
The bulletin, O'Dell says, lists key factors bank management should consider in the risk management of its applications, and notes that national banks should include application security in their risk assessments, including those required by FFIEC guidelines establishing standards to protect customer information. Key factors listed include:
For banks that develop their own software applications in-house, O'Dell says they should consider following an enterprise-wide security effort that is coordinated across business lines to protect the bank from attack.