OCC Bulletin 2006-31 | July 27, 2006
FFIEC Information Security Booklet: Information Security Guidance
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet (booklet), which replaces the booklet issued in December 2002. The Information Security Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. The FFIEC also released an Executive Summary that contains a high-level synopsis of each of the 12 booklets and describes the handbook development and maintenance processes.
The updated booklet addresses changes in technology, risk assessments, mitigation strategies, and regulatory guidance. The discussion of risk assessment has been expanded to reflect the maturation of that process. New or revised material is included regarding authentication, monitoring programs, and software trustworthiness. Many additional topics, including malicious code prevention, wireless, remote access, and trust services, have also been revised.
The booklet continues to provide a comprehensive security framework for national banks and their technology service providers. The framework focuses on implementing a security risk management process that identifies risks, develops and implements a security strategy, and verifies the continued adequacy of risk mitigation through monitoring and testing. This framework also stresses the important roles that senior management and boards of directors play in this process by emphasizing their responsibility to recognize security risks in their banks and to assign appropriate roles and responsibilities to their managers and employees.
The attached FFIEC press release describes the handbook update process. An electronic version of the Information Security Booklet and Executive Summary is available. To accommodate banks with limited access to the Internet, the Office of the Comptroller of the Currency (OCC) will also include the booklet in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklet may order a printed copy. Please send your request to the Office of the Comptroller of the Currency, 400 7th Street, SW, Washington, DC 20219.
For further information, contact Bank Information Technology Operations at (202) 649-6340.
Mark L. O'Dell
Deputy Comptroller for Operational Risk