This "Information Security" booklet is an integral part of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) and should be read in conjunction with the other booklets in the IT Handbook. [Note: The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Public Law 95-630. The FFIEC is composed of the principals of the following: the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).] This booklet provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution's information systems. [Note: The term "financial institution" includes national banks, federal savings associations, state savings associations, state member banks, state nonmember banks, and credit unions. The term is used interchangeably with "institution" in this booklet.] [Note: Examiners should also use this booklet to evaluate the performance by third-party service providers, including technology service providers, of services on behalf of financial institutions.] It also helps examiners evaluate the adequacy of the information security program's integration into overall risk management. [Note: This booklet addresses regulatory expectations regarding the security of all information systems and information maintained by or on behalf of a financial institution, including a financial institution's own information and that of all of its customers. An institution's overall information security program must also address the specific information security requirements applicable to "customer information" set forth in the "Interagency Guidelines Establishing Information Security Standards" implementing section 501(b) of the Gramm-Leach-Bliley Act and section 216 of the Fair and Accurate Credit Transactions Act of 2003. See 12 CFR 30, appendix B (OCC); 12 CFR 208, appendix D-2 and 225, appendix F (FRB); 12 CFR 364, appendix B (FDIC); and 12 CFR 748, appendix A (NCUA) (collectively referenced in this booklet as the "Information Security Standards").]

Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value. The potential adverse effects can arise from the following:

  • Disclosure of information to unauthorized individuals.
  • Unavailability or degradation of services.
  • Misappropriation or theft of information or services.
  • Modification or destruction of systems or information.
  • Records that are not timely, accurate, complete, or consistent.

Institutions should maintain effective information security programs commensurate with their operational complexities. [Note: See also Information Security Standards, section II.A, requiring each financial institution to have a comprehensive written information security program, appropriate to its size and complexity, designed to (1) ensure the security and confidentiality of "customer information"; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in a substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of both "customer information" and any "consumer information."] Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution's business processes, and establish clear accountability for carrying out security responsibilities. In addition, because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.

Institutions should also assess and refine their controls on an ongoing basis. The condition of a financial institution's controls, however, is just one indicator of its overall security posture. Other indicators include the ability of the institution's board and management to continually review the institution's security posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. Information security is far more effective when management does the following:

  • Integrates processes, people, and technology to maintain a risk profile that is in accordance with the board's risk appetite. [Note: Risk appetite can be defined as the amount of risk a financial institution is prepared to accept when trying to achieve its objectives.]
  • Aligns the information security program with the enterprise risk management program and identifies, measures, mitigates, and monitors risk.

Because risk mitigation frequently depends on institution-specific factors, this booklet describes processes and controls that an institution can use to protect information and supporting systems from various threats. Management should be able to identify and characterize the threats, assess the risks, make decisions regarding the implementation of appropriate controls, and provide appropriate monitoring and reporting.

Financial institutions may outsource some or all of their IT-related functions. Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulatory expectations for an effective information security program. Examiners should use this booklet when evaluating a financial institution's risk management process, including the duties, obligations, and responsibilities of the third-party service provider regarding information security and the oversight exercised by the financial institution.

