Information Technology Supervisory Resources


Supervisory Guidance

Federal Reserve SR 00-03
In order to facilitate the integration of information technology supervision within the overall risk-focused supervisory process, the separate frequency guidelines for information technology examinations were eliminated. Instead, all safety and soundness examinations (or examination cycles) of banking organizations conducted by the Federal Reserve now include an assessment and evaluation of information technology risks and risk management.

Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbooks
FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.

Uniform Rating System for Information Technology (URSIT) SR 99-08 (PDF)
The URSIT is an internal rating system used by federal and state regulators to uniformly assess the risks that IT introduces to financial institutions and service providers. It also allows regulators to identify those insured institutions and service providers whose information technology risk exposure or performance requires special supervisory attention. (URSIT Implementation Guide) (PDF)

IT Audit and Control

Control Objectives for Information and Related Technology (COBIT)
COBIT has been developed as a generally applicable and accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

Information Systems Audit and Control Association, Inc. (ISACA)
ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide.

National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)
NIST's ITL works with industry, research, and government organizations to make this technology more usable, more secure, more scalable, and more interoperable than it is today.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

The Institute of Internal Auditors (IIA)
The IIA provides internal audit practitioners, executive management, boards of directors, and audit committees with standards, guidance, and information on best practices in internal auditing.

Information Technology Management

NIST - Risk Management Guide for Information Technology Systems (PDF)
The National Institute of Standards and Technology (NIST) provides both definitional and practical guidance regarding the concept and practice of managing IT-related risks. The approach presented will help in identifying risks based on potential threats and the consequences of those threats, as well as the associated risk mitigation techniques. In addition, the document provides information on the selection of security controls based on cost and the degree of risk reduction.

CIO - Six Sigma Comes on Information Technology
A big part of what we use Six Sigma for is business-focused. Typically, IT staff are part of a team trying to improve a business process.

NIST - Security Consideration in the Information System Development Life Cycle (PDF)
This document helps organizations include security requirements in their planning for every phase of the system life cycle, and to select, acquire, and use appropriate and cost-effective security controls.

Contingency Planning

Department of Homeland Security (DHS)
DHS has three primary missions: Prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage from potential attacks and natural disasters.

Disaster Recovery Institute International (DRII)
DRII was founded in 1988 to provide a base of common knowledge in contingency planning, a rapidly growing industry. A group of professionals from the industry and from Washington University in St. Louis forecast the need for comprehensive education in business continuity. Alliances with academia helped shape early research and curriculum development.

Network Security Management

FDIC - Security Monitoring of Computer Networks
FDIC suggests some practices for maintaining secure network operating systems and certain application programs run by such operating systems.

GAO - Effective Patch Management is Critical to Mitigating Software Vulnerabilities (PDF)
Patch management is one means of dealing with the growing number of software vulnerabilities that threaten cyber security. Critical elements of the patch management process include management support, standardized policies, dedicated resources, risk assessment, and testing.

NIST - Guidelines on Firewalls and Firewall Policies (PDF)
This document contains numerous recommendations for choosing, configuring, and maintaining firewalls.

NIST - Guidance on Network Security Testing (PDF)
This document provides guidance on network security testing, identifies network testing requirements, and describes how to prioritize testing activities with limited resources.

NIST - Information Technology Security Awareness, Training, Education, and Certification (PDF)
Topics documented within the awareness and training program policy should include roles and responsibilities, development of program strategy and a program plan, implementation of the program plan, and maintenance of the awareness and training program.

NIST - Information Technology Security Metrics (PDF)
IT security metrics provide a practical approach to measuring information security. Evaluating security at the system level, IT security metrics are tools that facilitate decision making and accountability through collection, analysis, and reporting of relevant performance data.

NIST - Secure Interconnections for Information Technology Systems (PDF)
Interconnected IT systems can expose the participating organizations to risks. In planning for interconnected systems, organizations should apply risk management procedures.

NIST - Security Patches and the CVE Vulnerability Naming Scheme (PDF)
This document describes and recommends the use of a systematic, accountable, and documented process for handling security patches and vulnerabilities. In addition, the document provides specific advice for obtaining, testing, distributing, and installing security patches.

OCC - Network Security Vulnerabilities
OCC Alert 2001-4, Network Security Vulnerabilities, is intended to raise awareness of potential threats to electronic banking systems and to remind banks and service providers to identify and correct network security vulnerabilities.

Security Alert US-CERT
The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to US-CERT.

The Global Council of CSOs (Chief Security Officers)
The Global Council of CSOs was recently formed to raise awareness of online security issues. The council brings together expertise from academic, corporate, and government backgrounds to address the broader issues of national security, business continuity, and technology development, emphasizing the need for partnership in the area of cyber security.

The System Administration, Networking and Security Institute (SANS)
SANS is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for the challenges they face.

Wireless Network Risk Management

FDIC - Wireless Networks & Customer Access
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, FDIC is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks.

ISACA - Wireless LAN Risks and Vulnerabilities
This document provides an overview of how wireless LANs work, along with a review of the risks, vulnerabilities, and threats that affect wireless networks differently than their wired brethren.

NIST - Security for Wireless Networks and Devices (PDF)
While wireless networks are exposed to many of the same risks as wired networks, they are vulnerable to additional risks as well. Wireless networks transmit data through radio frequencies, and are open to intruders unless protected.

OCC - Risk Management of Wireless Networks
This advisory letter highlights risks associated with wireless networks and provides guidance for managing those risks.

Incident Response Procedures

Computer Security Incident Response Team (CSIRT)
CSIRT is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity.

Federal Reserve - Suspicious Activity Report (SAR) Form (PDF)
State member banks and bank holding companies and their nonbank subsidiaries and the U.S. offices of foreign banking organizations supervised by the Federal Reserve must file SARs to report known or suspected violations of law and activities relating to suspected money laundering or violations of the Bank Secrecy Act (BSA).

NIST - Computer Security Incidents: Assessing, Managing, and Controlling the Risks (PDF)
This document helps organizations detect incidents rapidly, minimize losses and destruction, identify weaknesses, and restore information technology operations speedily.

NIST - Special Publication on Intrusion Detection Systems (PDF)
This document contains numerous recommendations for choosing, configuring, and maintaining intrusion detection systems.

NIST - Testing Intrusion Detection Systems (IDSs) (PDF)
Despite the expansion of IDS technology in recent years, the accuracy, performance, and effectiveness of these systems are largely untested, due to the lack of a comprehensive and scientifically rigorous testing methodology.

OCC - How to Prevent, Detect, and Respond to Intrusions
Infrastructure Threats - Intrusion Risks (OCC Bulletin 2000-14) provides guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. Intrusions can originate either inside or outside the bank and can result in a range of damaging outcomes, including the theft of confidential information, unauthorized transfer of funds, and damage to an institution's reputation.

TruSecure
TruSecure conducts research, testing and certification programs for computer systems, and provides information on current industry events, security vulnerabilities, and technical papers.

National Infrastructure Protection Center (NIPC)
NIPC serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity.

Payment Systems

Evolving Operational Risk Management for Retail Payments - Federal Reserve Bank of Chicago (PDF)
Payment systems are an integral component of banking that is undergoing material change. Industry trends and discussions with key banking personnel highlighted four issues that are top concerns for banks engaged in emerging payments: changing delivery channels and safeguards, fraud, vendor oversight, and operational risk measurement and reporting.

Network Vulnerabilities and Risks in the Retail Payment System - Federal Reserve Bank of Chicago (PDF)
This document provides a more in-depth discussion of the ramifications these changes have for bank supervision and policy makers. In addition to the operational risk concerns identified by previous researchers, this paper identifies network vulnerabilities as a potential resiliency concern.

OCC - Bulletin: Risks associated with automated clearing house (ACH) transactions (PDF)
The guidance applies to banks acting as the originating or receiving depository institution for ACH payments and to third-party service providers acting on behalf of the originating or receiving depository institution.

Payment Systems - Federal Reserve Bank of New York
Payment systems can present a variety of risks to the Federal Reserve Banks, the banking system and other sectors of the economy. Risks can arise from transactions that are processed in Federal Reserve payment systems and in private sector payment systems.

Retail Payments Innovations and the Banking Industry - Federal Reserve Bank of Chicago (PDF)
This document examines the impact of new payments technologies on the value of the banking industry.

Electronic Banking, Web Site, and E-mail Protection

Basel - Risk Management Principles for Electronic Banking (PDF)
This document contains fourteen Risk Management Principles for Electronic Banking identified by the Basel Committee on Banking Supervision to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities.

FDIC - Electronic Signature
The Electronic Signatures in Global and National Commerce Act (E-Sign Act), signed into law on June 30, 2000, provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce.

FDIC - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity.

FDIC - Protecting Internet Domain Names
The Bank Technology Bulletin - Protecting Internet Domain Names alerts senior bank management to potential domain name-related problems, and highlights actions that may help to avoid or resolve such problems.

Federal Deposit Insurance Corporation (FDIC) - "Tips for Safe Banking Over the Internet"
A brochure designed to assist consumers when banking online, with tips on how to confirm that an online bank is legitimate, verify its deposit insurance status, and determine the amount insured. In addition, consumers can learn about protecting personal private information and ways to maintain secure transactions online. Information on how and where to file a complaint about suspicious or fraudulent banks, where to find information on consumer protection laws and regulations, and where to seek assistance from banking regulators is also provided.

NIST - Guidelines on Securing Public Web Servers (PDF)
This document has been developed to assist Federal departments and agencies, state agencies and commercial organizations in installing, configuring, and maintaining a secure public Web server.

NIST - Guidelines on Electronic Mail Security
The document is intended primarily for a technical audience. It provides detailed guidance on setting up and maintaining a secure e-mail system, and includes pointers to related material.

OCC - Protecting Internet Addresses of National Banks
Highlights the need for banks to carefully select and protect their Internet addresses. Several banks have discovered Web sites with Internet addresses similar to those of their national bank Web sites.

Outsourcing Risk Management

FDIC
The Bank Technology Bulletin on Technology Outsourcing (June 4, 2001) focuses on four key areas: risk assessment, service provider selection, contract terms, and oversight of outsourcing arrangements. Because community banks may face particular challenges in engaging and supervising their technology providers, the FDIC has talked with bankers and other experts to identify areas where assistance might be useful.

Federal Reserve - SR 00-4
Outsourcing of Information and Transaction Processing (SR 00-4) reiterates and clarifies the Federal Reserve's expectations regarding the management of risks that may arise from the outsourcing of critical information and transaction processing activities by banking organizations.

FFIEC
The Risk Management of Outsourced Technology Services guidance is intended to assist financial institutions in effectively managing the risks of outsourcing arrangements.

OCC
This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. It supplements, but does not replace, previous guidance on third-party risk.

Outsourcing IT and Business Processes: A Supervisory Primer
Banking organizations' use of third-party service providers is not new. However, recent trends, such as an increase in the scope of IT outsourcing arrangements, the growth of business process outsourcing, and the rise in cross-border arrangements, have generated increased focus on outsourcing.

Compliance

AICPA - Sarbanes-Oxley Act
Sarbanes-Oxley makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting.

Federal Reserve - The Standards for Safeguarding Customer Information (SR 01-15)
The Standards for Safeguarding Customer Information (SR 01-15) guidance was developed to assist examiners in documenting a financial institution's compliance with the Safeguarding Customer Information Guidelines (Gramm-Leach-Bliley Act of 1999).

Federal Reserve - Interim Final Rules
The Fed published interim final rules establishing uniform standards for the electronic delivery of federally mandated disclosures under five consumer protection regulations: B (Equal Credit Opportunity), E (Electronic Fund Transfers), M (Consumer Leasing), Z (Truth in Lending), and DD (Truth in Savings).

Federal Reserve - Press Release of August 3, 2001
The Board announced the lifting of the October 1, 2001 mandatory compliance date for interim rules governing the electronic delivery of certain consumer disclosures.

Federal Reserve - Identity Theft and Pretext Calling (SR 01-11)
Consistent with section 525 of the Gramm-Leach-Bliley Act (15 U.S.C. 6825), Identity Theft and Pretext Calling (SR 01-11) addresses how state member banks and other banking organizations supervised by the Federal Reserve that provide products or services to the public or that maintain customer account information should protect customer information against identity theft.

IT Governance Institute (ITGI) IT Control Objectives for Sarbanes-Oxley Act
This new research document from the ITGI reflects the latest thinking on this increasingly global topic that has the greatest impact on an organization in the short to medium term.

Contact: Paul Neff, (312) 322-5007