When it comes to bank network security, financial institutions need to follow multiple standards: the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act of 1999 (GLBA), the Sarbanes-Oxley Act of 2002, and, for credit unions, the NCUA's Information Technology Plan.
FFIEC specifies principles, standards, and report forms for federal examination of financial institutions and sets uniform guidelines for the supervision of these businesses or organizations. The FFIEC Information Technology Handbook lists expectations and standards for all financial institutions regarding auditing, information security, business continuity planning, and e-banking, in addition to other network security information.
FFIEC requires that a financial institution have an audit program in place to evaluate risk management practices and internal control systems and to comply with corporate policies. An audit program needs to identify risk exposure for the institution; confidentiality, integrity, and availability of information systems; the effectiveness of management planning; evaluation of operating processes; adequacy of compliance efforts for information technology; and appropriate corrective action and follow-up.
Business continuity planning (BCP) is another aspect of the FFIEC guidelines and, although broad, encompasses information technology. A financial institution is required to develop a comprehensive BCP, which needs to be consistent with business strategy, minimize financial losses, serve customers with few disruptions, and reduce any negative effects. Taking threat scenarios into consideration in risk assessment is part of BCP, and physical and technical threats both need to be addressed.
E-banking, because it exposes financial institutions to more risks, also has a set of standards specified by FFIEC. With e-banking in place, a financial institution needs to support it with security controls for protecting customer information and an authentication process for customers and is liable for unauthorized transactions, losses from fraud, and violations of laws or regulations concerning customer privacy.
The FFIEC standards for information security cover protection for systems, media, and facilities and include the GLBA. A financial institution, in accordance with FFIEC standards, must consider how its system reacts to changing threats, technology, and business conditions; must reduce risks in accordance with risk assessment and acceptable tolerance levels; and needs a strategy in place to identify risks, manage risks, implement strategy, test implementation, and monitor the environment.
GLBA 501(b), the Interagency Guidelines Establishing Information Security Standards, is referenced by the FFIEC information security section. To be in accordance with GLBA 501(b), a financial institution must protect the security and confidentiality of all non-public personal information; institute administrative, technical, and physical safeguards; protect against anticipated threats; guard against unauthorized access to or use of information; and implement a risk-based security program with board oversight, assessment of threats and vulnerabilities, risk management and controls, training and testing, auditing, adjusting, and reporting.
In terms of meeting network security standards, a financial institution, according to FFIEC, should reference the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) standards for information technology, and ISACA-CobiT.
The Sarbanes-Oxley Act of 2002 pertains to the auditing process, and Section 404 (SOX 404) has guidelines for information technology and network security. Also known as the Public Company Accounting Reform and Protection Act of 2002, the Sarbanes-Oxley Act requires corporations to produce documents that show their financial and other information is reliable, verifiable, and secure.
SOX 404 sets standards for ensuring adequate controls are in place to prevent fraud, misuse, and loss of financial data and transactions. In order to meet these standards, a bank's network security needs to enable quick and effective detection of threats and must be able to identify exceptions caught by system controls and take appropriate, corresponding action. A SOX 404 audit is part of a larger financial institution assessment.
For credit unions, the NCUA's Information Technology Plan lists the means by which the NCUA uses information technology to meet and to support its goals and is updated annually. Required by the President's Management Agenda and the Office of Personnel Management, the NCUA's Information Technology Plan has the following goals: to maintain a reliable, scalable, and secure infrastructure and architecture; to develop cost-effective and efficient information technology systems for achieving program support and business objectives; and to provide technologies that enhance current and future business operations. Strategies for achieving these goals include targeting personnel skills and skills training; obtaining and maintaining software, hardware, and applications; and maintaining an effective, efficient, and secure intranet and internet.