FFIEC Information Security IT Examination Handbook

Action summaries, by procedure:

Security Process

Financial institutions should implement an ongoing security process, and assign clear and appropriate roles and responsibilities to the board of directors, management, and employees.
Information Security Risk Assessment

Financial institutions must maintain an ongoing information security risk assessment program that effectively:

  • Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  • Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and
  • Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
Information Security Strategy

Financial institutions should develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:

  • Cost comparisons of different strategic approaches appropriate to the institution's environment and complexity,
  • Layered controls that establish multiple control points between threats and organization assets, and
  • Policies that guide officers and employees in implementing the security program.
Access Rights Administration

Financial institutions should have an effective process to administer access rights. The process should include the following controls:

  • Assign users and system resources only the access required to perform their required functions,
  • Update access rights based on personnel or system changes,
  • Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and
  • Design appropriate acceptable-use policies and require users to sign them.
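The three administrative controls above (grant only the access a function requires, update rights when personnel change, and review rights periodically at a frequency set by the system's risk) can be mechanized as a reconciliation of the current entitlement export against the HR roster and each role's approved access baseline. The Python below is an added example written for this page; it is not code from the FFIEC handbook or from Techrizon. The roster, role baselines, risk-tier review intervals and entitlement list are constructed sample data, and the function names are the example's own.

```python
"""Periodic access-rights review: reconcile an entitlement export against
the HR roster and each role's approved access, and flag entitlements whose
last review is older than the system's risk tier allows.

Added example for illustration. All data below is constructed sample data,
not drawn from any institution."""

from datetime import date, timedelta

# Constructed HR roster: user -> (employment status, assigned role)
ROSTER = {
    "asmith": ("active", "teller"),
    "bjones": ("active", "loan_officer"),
    "cwu":    ("terminated", "teller"),   # left the institution; account still exists
    "dlee":   ("active", "sysadmin"),
}

# Constructed least-privilege baseline: role -> set of (system, privilege)
ROLE_ACCESS = {
    "teller":       {("core_banking", "read"), ("core_banking", "post_txn")},
    "loan_officer": {("core_banking", "read"), ("loan_system", "approve")},
    "sysadmin":     {("core_banking", "admin"), ("loan_system", "admin")},
}

# Constructed risk tiers: higher-risk systems get a shorter review interval (days).
REVIEW_INTERVAL_DAYS = {"core_banking": 90, "loan_system": 180}
DEFAULT_INTERVAL_DAYS = 90

# Constructed entitlement export: (user, system, privilege, last_reviewed)
ENTITLEMENTS = [
    ("asmith",     "core_banking", "read",     date(2024, 3, 1)),
    ("asmith",     "core_banking", "post_txn", date(2024, 3, 1)),
    ("asmith",     "loan_system",  "approve",  date(2024, 3, 1)),  # beyond a teller's baseline
    ("bjones",     "loan_system",  "approve",  date(2023, 6, 1)),  # review interval elapsed
    ("cwu",        "core_banking", "read",     date(2024, 3, 1)),  # user is terminated
    ("dlee",       "core_banking", "admin",    date(2024, 3, 1)),
    ("svc_backup", "core_banking", "admin",    date(2024, 3, 1)),  # no roster entry at all
]


def review_access(roster, role_access, entitlements, intervals, today):
    """Return findings as (finding_type, user, system, privilege) tuples.

    orphaned_account    - user missing from the roster or not active
    excessive_privilege - (system, privilege) not in the role's baseline
    review_overdue      - last review older than the system's interval
    """
    findings = []
    for user, system, priv, last_reviewed in entitlements:
        entry = roster.get(user)
        if entry is None or entry[0] != "active":
            # Rights were not removed on a personnel change, or the account
            # was never tied to a person; either way it needs an owner or removal.
            findings.append(("orphaned_account", user, system, priv))
            continue
        role = entry[1]
        if (system, priv) not in role_access.get(role, set()):
            findings.append(("excessive_privilege", user, system, priv))
        interval = timedelta(days=intervals.get(system, DEFAULT_INTERVAL_DAYS))
        if today - last_reviewed > interval:
            findings.append(("review_overdue", user, system, priv))
    return findings


def summarize(findings):
    """Count findings by type, for the review sign-off record."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def run_review(today=date(2024, 4, 15)):
    """Run the review over the constructed sample data as of a fixed date."""
    return review_access(ROSTER, ROLE_ACCESS, ENTITLEMENTS, REVIEW_INTERVAL_DAYS, today)


if __name__ == "__main__":
    results = run_review()
    for finding in results:
        print(*finding)
    print(summarize(results))
```

Each finding type corresponds to one of the controls: an orphaned account means rights were not updated on a personnel change (or never belonged to a person), an excessive privilege is access beyond the role's approved minimum, and an overdue review means the entitlement has outlived the interval set for that system's risk tier. In practice the roster comes from the HR system and the entitlement export from each application's access list; the documented disposition of every finding is the record of the review.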
Authentication

Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include:

  • Selecting authentication mechanisms based on the risk associated with the particular application or services;
  • Considering whether multi-factor authentication is appropriate for each application, recognizing that it is increasingly necessary for many forms of electronic banking and electronic payment activities; and
  • Encrypting the transmission and storage of authenticators (e.g., passwords, PINs, digital certificates, and biometric templates).
Network Access

Financial institutions should secure access to their computer networks through multiple layers of access controls to protect against unauthorized access. Institutions should:

  • Group network servers, applications, data, and users into security domains (e.g., untrusted external networks, external service providers, or various internal user systems);
  • Establish appropriate access requirements within and between each security domain; and
  • Implement appropriate technological controls to meet those access requirements consistently.
Operating System Access

Financial institutions should secure access to the operating systems of all system components by:

  • Securing access to system utilities,
  • Restricting and monitoring privileged access,
  • Logging and monitoring user or program access to sensitive resources and alerting on security events,
  • Updating the operating systems with security patches, and
  • Securing the devices that can access the operating system through physical and logical means.
Application Access

Financial institutions should control access to applications by:

  • Using authentication and authorization controls appropriately robust for the risk of the application,
  • Monitoring access rights to ensure they are the minimum required for the user's current business needs,
  • Using time of day limitations on access as appropriate,
  • Logging access and security events, and
  • Using software that enables rapid analysis of user activities.
Remote Access

Financial institutions should secure remote access to and from their systems by:

  • Disabling remote communications at the operating system level if no business need exists,
  • Tightly controlling access through management approvals and subsequent audits,
  • Implementing robust controls over configuration to disallow potential malicious use,
  • Logging and monitoring remote access,
  • Securing remote access devices, and
  • Using strong authentication and encryption to secure communications.
Physical Security

Financial institutions should define physical security zones and implement appropriate preventative and detective controls in each zone to protect against the risks of:

  • Physical penetration by malicious or unauthorized people,
  • Damage from environmental contaminants, and
  • Electronic penetration through active or passive electronic emissions.

Encryption

Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:

  • Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk,
  • Effective key management practices,
  • Robust reliability, and
  • Appropriate protection of the encrypted communication's endpoints.
Malicious Code

Financial institutions should protect against the risk of malicious code by:

  • Using anti-virus products on clients and servers;
  • Using an appropriate blocking strategy on the network perimeter;
  • Filtering input to applications; and
  • Creating, implementing, and training staff in appropriate computing policies and practices.
Systems Development, Acquisition, and Maintenance

Financial institutions should ensure that systems are developed, acquired, and maintained with appropriate security controls. The steps include:

  • Defining security requirements before developing or acquiring new systems;
  • Incorporating widely recognized standards in developing security requirements;
  • Incorporating appropriate security controls, audit trails, and logs for data entry and data processing;
  • Implementing an effective change control process;
  • Hardening systems before deployment;
  • Establishing an effective patch process for new security vulnerabilities; and
  • Overseeing vendors to protect the integrity and confidentiality of application source code.
Personnel Security

Financial institutions should mitigate the risks posed by internal users by:

  • Performing appropriate background checks and screening of new employees;
  • Obtaining agreements covering confidentiality, nondisclosure, and authorized use;
  • Using job descriptions, employment agreements and training to increase accountability for security; and
  • Providing training to support awareness and policy compliance.
Electronic And Paper-Based Media Handling

Financial institutions should control and protect access to paper, film and computer-based media to avoid loss or damage. Institutions should:

  • Establish and ensure compliance with policies for handling and storing information,
  • Ensure safe and secure disposal of sensitive media, and
  • Secure media in transit or transmission to third parties.
Logging and Data Collection

Financial institutions should:

  • Identify the system components that warrant logging,
  • Determine the level of data logged for each component, and
  • Establish policies for securely handling and analyzing log files.
Service Provider Oversight

Financial institutions should exercise their security responsibilities for outsourced operations through:

  • Appropriate due diligence in service provider research and selection;
  • Contractual assurances regarding security responsibilities, controls, and reporting;
  • Nondisclosure agreements regarding the institution's systems and data;
  • Third-party review of the service provider's security through appropriate audits and tests; and
  • Coordination of incident response policies and contractual notification requirements.
Intrusion Detection and Response

Financial institutions should have the capability to detect and respond to an information system intrusion commensurate with risk. Risk mitigation practices include:

  • Preparation, including analysis of data flows, decisions on the nature and scope of monitoring, consideration of legal factors, appropriate policies governing detection and response, and the formation and equipping of response teams;
  • Detection implementation, including the proper use of technology; and
  • Response to an intrusion, including the containment and restoration of systems and appropriate reporting.
Business Continuity Considerations

Financial institutions should consider:

  • Identification of personnel with key security roles during a continuity plan implementation, and training personnel in those roles; and
  • Security needs for back-up sites and alternate communication networks.
Insurance

Financial institutions should carefully evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.
Security Testing

Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by:

  • Basing their testing plan, test selection, and test frequency on the risk posed by potentially non-functioning controls;
  • Establishing controls to mitigate the risks posed to systems from testing; and
  • Using test results to evaluate whether security objectives are met.
Monitoring and Updating

Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.

© Copyright 2006 Techrizon, LLC. All rights reserved.