OCC to Banks: Don't Forget Application Security
Agency Issues Guidance re: Risk Assessment and Vendors
A new OCC bulletin underscores the need for banks to conduct appropriate security risk assessment and mitigation on all applications, regardless of whether they were developed internally, by a vendor or by outside developers. The OCC's bulletin points to the need for focus on banks using these applications for automation of data processing and on the increased use of web-based applications in online banking, cash management and brokerage accounts. The OCC points out that all of these face increased attacks from external and inside sources aimed at committing identity theft and other fraud.
The agency says the FFIEC's information technology examination handbooks on information security and on development and acquisition give banks basic guidance about application security. The bulletin expands on that existing guidance and points to the need for banks to have comprehensive application development and assurance processes that integrate security for all applications.
Key Considerations
The bulletin lists key factors bank management should consider in risk management of its applications, and notes national banks should include application security in their risk assessments, including those required by FFIEC guidelines establishing standards to protect customer information. Key factors listed in the bulletin that bank management should consider in their risk assessment of an application include:
For banks that develop their own software applications in-house, the OCC says they should consider following an enterprise-wide security effort that is coordinated across business lines to protect the bank from attack; set appropriate controls on the application, vetting the use of open source applications; provide appropriate training of bank staff on the security of these applications; and set periodic application testing and validation parameters.
The bulletin also lists, in two appendices, the 10 most common vulnerabilities in web-based applications and considerations for requests for information (RFIs) and requests for proposal (RFPs) when banks purchase application software or services.
The increased scrutiny of application security by agencies such as the OCC should come as no surprise to financial institutions, as the requirements of the Payment Card Industry Data Security Standard (PCI DSS) have likewise increased the focus on the security of web-based applications.
To read the full OCC Bulletin: OCC Bulletin Released on Application Security for OCC-Regulated Banks