OCC to Banks: Don't Forget Application Security

Agency Issues Guidance re: Risk Assessment and Vendors
As financial institutions continue to migrate their services and operations online, the Office of the Comptroller of the Currency reminds national banks and their technology service providers about the importance of application security as a component of an information security program.

A new OCC bulletin underscores the need for banks to conduct appropriate security risk assessment and mitigation on all applications, regardless of whether they were developed internally, by a vendor or by outside developers. The bulletin points to banks' growing use of these applications to automate data processing and to the increased use of web-based applications in online banking, cash management and brokerage accounts. The OCC notes that all of these face increased attacks from external and internal sources aimed at identity theft and other fraud.

The agency says the FFIEC's information technology examination handbooks on information security, development and acquisition give banks basic guidance about application security. The bulletin expands on existing guidance and points to the need for banks to have comprehensive application development and assurance processes integrating security for all applications.

Key Considerations

The bulletin lists key factors bank management should consider in risk management of its applications, and notes national banks should include application security in their risk assessments, including those required by FFIEC guidelines establishing standards to protect customer information. Key factors listed in the bulletin that bank management should consider in their risk assessment of an application include:

Accessibility of the application via the Internet;
Whether the application provides the ability to process or provide access to sensitive data;
Source of application's development such as in-house, purchased or contracted;
Extent that secure practices are used in the application's development process;
Existence of an effective, recurring process to monitor, identify, remediate or correct vulnerabilities;
Existence of a periodic assurance process to validate independently the security of the application.

For banks that develop their own software applications in-house, the OCC says they should consider an enterprise-wide security effort, coordinated across business lines, to protect the bank from attack; set appropriate controls on the application, including vetting the use of open source components; provide appropriate training for bank staff on the security of these applications; and set parameters for periodic application testing and validation.

The bulletin also lists, in two appendices, the 10 most common vulnerabilities in web-based applications and considerations for requests for information (RFIs) and requests for proposal (RFPs) when banks purchase application software or services.

The increased scrutiny of application security by agencies such as the OCC should come as no surprise to financial institutions, as the Payment Card Industry Data Security Standard (PCI DSS) requirements have also increased the focus on the security of web-based applications.

To read the full OCC Bulletin: OCC Bulletin Released on Application Security for OCC-Regulated Banks

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.