FFIEC Security

The Federal Financial Institutions Examination Council (FFIEC) specifies the principles, standards, and report forms for federal examinations of financial institutions. These standards provide uniformity in the supervision of financial institutions, and for bank systems, the FFIEC Information Technology Handbook details standards for audits, e-banking, and information security.

FFIEC specifies that a financial institution's audit program be used for evaluating risk management practices and for internal control systems compliance with corporate policies. An audit program needs to identify risk exposure for the institution; confidentiality, integrity, and availability of information systems; the effectiveness of management planning; operating processes evaluation; sufficiency of compliance efforts for information technology; and appropriate corrective action and follow up.

Information technology falls inside the scope of business continuity planning (BCP) specified by FFIEC. This standard requires that a financial institution develop a thorough BCP that is consistent with the business strategy, minimizes financial losses, serves customers with minimal disruption, and reduces any negative effects. The BCP's risk assessment and management must take into account threat scenarios of all types, both physical and technical.

E-banking is another aspect detailed by the FFIEC Information Technology Handbook. Because e-banking exposes financial institutions to greater security risks, they must have controls in place for protecting customer information and an authentication process for customers, and they are liable for unauthorized transactions, losses from fraud, and violations of laws or regulations pertaining to customer data and privacy.

Information security is specified by the FFIEC's Information Technology Handbook. Information security needs to protect systems, media, facilities, and the overall national financial services infrastructure. The Information Security section specifies how a financial institution's network should adapt to changing threats, technologies, and business conditions; requires the institution to reduce risk in accordance with its risk assessment and acceptable tolerance levels; and requires the institution to develop a strategy to identify risks, manage risks, implement the strategy, test the implementation, and monitor the environment.

The Gramm-Leach-Bliley Act of 1999 (GLBA) applies to a financial institution's information security, and section 501(b) is referenced as a standard in this section of the FFIEC Information Technology Handbook. GLBA 501(b) lists the requirements a system needs for Interagency Guidelines Establishing Information Security Standards. GLBA 501(b) specifies that financial institutions protect the security and confidentiality of non-public personal information; institute administrative, technical, and physical safeguards; protect against anticipated security threats; guard against unauthorized access or use of information; and establish a risk-based security program with board oversight, assessment of threats and vulnerabilities, risk management and controls, training and testing, vendor oversight, monitoring, auditing, adjusting, and reporting.

In terms of referencing specific IT standards, the FFIEC Information Technology Handbook lists the following for financial institutions: the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) standards for information technology, and ISACA's COBIT.