Information Security Program
E-banking introduces information security risk management challenges. Financial institution directors and senior management should ensure the information security program addresses these challenges and takes the appropriate actions.
- Ensure compliance with the "Guidelines Establishing Standards for Safeguarding Customer Information" (as issued pursuant to section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA).
- Ensure the institution has the appropriate security expertise for its e-banking platform.
- Implement security controls sufficient to manage the unique security risks confronting the institution. Control considerations include:
- Ongoing awareness of attack sources, scenarios, and techniques;
- Up-to-date equipment inventories and network maps;
- Rapid identification and mitigation of vulnerabilities;
- Network access controls over external connections;
- Hardened systems with unnecessary or vulnerable services or files disabled or removed;
- Use of intrusion detection tools and intrusion response procedures;
- Physical security of all e-banking computer equipment and media; and
- Baseline security settings and usage policies for employees accessing the e-banking system or communicating with customers.
- Use verification procedures sufficient to adequately identify the individual asking to conduct business with the institution.
- Use authentication methods sufficient to verify individuals are authorized to use the institution's systems based on the sensitivity of the data or connected systems.
- Develop policies for notifying customers in the event of a security breach effecting their confidential information.
- Monitor and independently test the effectiveness of the institution's security program.
Information security is essential to a financial institution's ability to deliver e-banking services, protect the confidentiality and integrity of customer information, and ensure that accountability exists for changes to the information and the processing and communications systems. Depending on the extent of in-house technology, a financial institution's e-banking systems can make information security complex with numerous networking and control issues. The IT Handbook's "Information Security Booklet" addresses security in much greater detail. Refer to that booklet for additional information on security and to supplement the examination coverage in this booklet.
Oversight and Monitoring of Third Parties