III.C.3     Information Security

Financial institutions are critically dependent on their information and technology assets: hardware, software, and data. Management should protect information and technology assets to ensure operational continuity, financial viability, and the trust of customers. The unauthorized loss, destruction, or disclosure of confidential information can adversely affect a financial institution's reputation, earnings, and capital.

The board of directors is responsible for overseeing the development, implementation, management, and maintenance of the institution's information security program. This oversight includes assigning specific responsibility and accountability for the program's implementation and reviewing reports from management. The board should provide management with guidance, review the effectiveness of management's actions, and annually approve written information security policies and a written information security program. Key elements that should be addressed in the information security program include the following:

  • Central oversight and coordination.
  • Areas of responsibility.
  • Risk measurement.
  • Implementation of controls.
  • Monitoring and testing of effectiveness of controls.
  • Reporting.
  • Acceptable residual risk.

The information security program should be coordinated across the institution. To ensure the effectiveness of the information security program throughout the institution, management should have a process to hold staff accountable for complying with the information security program. Institution management should perform the following:

  • Develop and implement processes to identify and protect against security events and incidents.
  • Develop, implement, and periodically test incident response procedures, which should address escalation, remediation, and reporting of events and incidents.
  • Develop and implement a threat intelligence and collaboration process to identify and respond to information on threats and vulnerabilities.
  • Consider information security risks when developing, implementing, or updating products.
  • Ensure that products are developed or updated in accordance with established information security policies and procedures.
  • Perform penetration tests before launching or making significant changes to critical systems, including Internet- and client-facing applications. Management should review all findings and develop processes to ensure the timely remediation of issues identified by the tests.
  • Conduct initial due diligence and ongoing monitoring to fully understand the types of connections and mitigating controls in place between the financial institution and its third-party providers. In conjunction with this, management should require by contract that the third-party providers notify the institution of the use of any subcontractors or changes to subcontractor relationships. Refer to the FFIEC IT Handbook's "Outsourcing Technology Services" booklet.
  • Implement a governance process to establish, monitor, maintain, and test controls to mitigate interconnectivity risk.
  • Develop a policy for escalating and reporting security incidents to the board, government agencies, law enforcement, and the institution's primary federal and state regulator based on thresholds defined by the financial institution and applicable legal requirements. Relevant thresholds could include significant financial impact, significant operational downtime, operational or system breach, or loss of critical infrastructure.

Refer to the IT Handbook's "Information Security" booklet for more information.

III.C.3(a)              Protecting Sensitive Customer Information

The Information Security Standards require management to develop, and the board to approve, an information security program to protect the security and confidentiality of customer information. This program may be a component of the institution's overall information security program.

The institution should protect customer information from threats to security or integrity. The institution should also protect customer information from unauthorized access or use that would result in substantial harm or inconvenience to any customer. The board should also annually review a written report, prepared by management, regarding the financial institution's actions toward GLBA compliance.

III.C.3(b)              Cybersecurity

Institutions should take a comprehensive approach to maintain the security and resilience of their IT infrastructure, including the establishment of cybersecurity controls. Although an institution is not required to have a separate cybersecurity policy or program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity. To address cybersecurity risk, the information security program should consider the following:

  • Cyber risk management and oversight.
  • Threat intelligence and collaboration.
  • Cybersecurity controls.
  • External dependency management.
  • Cyber incident management and resilience.

Additional information on these topics is available in the FFIEC Cybersecurity Assessment Tool (June 2015). Use of the Cybersecurity Assessment Tool by institutions is optional.
