BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
SR 97-32 (SUP)
December 4, 1997
TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE
SUPERVISION AND EXAMINATION PERSONNEL AT EACH FEDERAL
RESERVE BANK AND TO DOMESTIC AND FOREIGN BANKING
ORGANIZATIONS SUPERVISED BY THE FEDERAL RESERVE
SUBJECT: Sound Practices Guidance for Information Security for Networks
Growth in the use of computer networks has heightened the interest of supervisors and managers of banking organizations in the quality and integrity of information security systems. The Federal Reserve System recognizes that effective and reliable information security policies and procedures are essential to maintaining public trust and confidence in our banking and financial system. Thus, it has a vital interest in encouraging banking organizations to take appropriate precautions as they increasingly provide services and information in electronic form and especially in the open environment of the Internet. Adverse financial, operational, reputational, and legal consequences can result from ineffectively managing the security of these networks and computers. Active board and management oversight is needed to ensure that risks are adequately assessed, that spending on information security is appropriate to reduce the risks, and that a comprehensive information security program is in place to provide protection.
In 1996, the Federal Reserve Bank of New York formed a team to benchmark sound information security policies and practices. The team interviewed a cross-section of Second District financial services institutions as well as security firms, service providers, common carriers, CPA firms, and other industry-related organizations. In addition, thirteen selected institutions were interviewed by teams from the Federal Reserve Banks of Chicago and San Francisco to validate the team's initial findings. The results are contained in the attached paper entitled "Sound Practices Guidance for Information Security for Networks." This SR letter and the sound practices paper should be distributed to appropriate examination personnel, and to the chief executive officer of each domestic and foreign banking organization supervised by the Federal Reserve.
The guidance presented in the paper does not constitute a regulation and should not be interpreted as such. Rather, the paper outlines the types of prudent and effective measures that financial services institutions have implemented, are in the process of implementing, or plan to implement to protect information and ensure its integrity, availability, and confidentiality. The key points made in the paper are:
- A strong information security program is essential. A strong comprehensive information security program establishes the necessary structure and accountability to manage risks, and fosters awareness throughout the organization that information security is an important cultural value. A strong information security program includes active board and management oversight, policies and procedures, measurement and monitoring systems and ongoing internal controls. Boards of directors and senior management are responsible for ensuring that spending on information security is appropriate to the magnitude and nature of the risks.
- Internal network security issues need special attention. The vulnerabilities of internal networks may be less obvious to banking organizations than networks connected to the Internet, yet these internal systems are vulnerable to a wide variety of intrusion tactics. Internal attacks are potentially the most damaging because an institution's personnel, which can include consultants as well as employees, may have authorized access to critical computing resources.
- Confidential information needs to be encrypted. The confidentiality of data transmitted over public networks is vulnerable to risks in addition to those identified for internal networks. "Dedicated" or "leased" lines may provide an inappropriate sense of security. These lines use the infrastructure of public networks and therefore are vulnerable to the same attacks as the public networks themselves.
- Internet connections need to be carefully constructed. An institution's Internet site is exposed to worldwide attack. As more products and services are offered via the Internet, the opportunities for attack increase. The greatest risk is associated with sites that have a path to the institution's internal network, thereby providing unauthorized individuals with a link, however convoluted, to attack internal networks and gain access to an institution's information assets.
- The backgrounds of employees in especially sensitive positions need to be checked. Information technology personnel such as systems administrators, telecommunications support staff, systems programmers and others may have access to sensitive information, detailed knowledge about security methods and procedures, or both. Therefore, it is important to subject them to rigorous background checks.
- Management must decide on benefits and costs. Protecting networks to minimize financial, operational, reputational, and legal risks can require the dedication of significant resources. Senior management is responsible for evaluating the costs and benefits of alternative security measures and deciding the best allocation of the institution's resources.
Although there are risks associated with private local and wide area networks and the Internet, they can be managed by a comprehensive information security program. Institutions should view sound practices in the context of their own needs and budgets and implement those that are appropriate.
Questions on the Federal Reserve Board's supervisory approach to information security matters may be addressed to Mr. Michael G. Martinson, Deputy Associate Director, Federal Reserve Board (202-452-3640). Questions on the contents of the paper may be addressed to Mr. George R. Juncker, Vice President (212-720-6491), or its principal authors, Mr. Robert W. Dabbs, Assistant Vice President (212-720-5937), and Mr. Joseph L. Galati, II, Examining Officer (212-720-7946), at the Federal Reserve Bank of New York.
Richard Spillenkothen
Director
ATTACHMENT TRANSMITTED ELECTRONICALLY BELOW
Suggested Transmittal Letter
to the Chief Executive Officer or General Manager of
Each Bank Holding Company, State Member Bank,
U.S. Branch and Agency of a Foreign Bank, and Edge Corporation
Subject: Sound Practices for Information Security for Networks
Dear ____________________:
The enclosed letter from the Federal Reserve Board's Division of Banking Supervision and Regulation and the accompanying paper, prepared by supervision staff of the Federal Reserve Bank of New York, contain important information on sound information security practices to address risks associated with computer networks. A version of this paper was distributed at a security conference sponsored by the Federal Reserve Bank of New York on September 24, 1997. Presentation materials from the conference are available at the Bank's web site at www.newyorkfed.org/pihome/news/speeches.
The guidance presented in the paper does not constitute a regulation and should not be interpreted as such. However, the paper outlines the types of prudent and effective measures that financial services institutions have implemented, are in the process of implementing, or plan to implement to protect information and ensure its integrity, availability, and confidentiality. In this connection, the paper may provide insights and assistance in designing an effective information security program and secure automation systems.
It is suggested that the letter and the paper be distributed within your organization to senior management and others with responsibility for network security.
Should you or your staff have any questions regarding this topic, please contact ______________ at this Reserve Bank, or the contacts identified in the Board's letter.
Enclosures
Sound Practices Guidance for Information Security for Networks (146 KB PDF)