Alert 2011-4| April 18, 2011
Incident Prevention and Detection: Incident Prevention and Detection-Protecting Information Security of National Banks
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
As of January 6, 2012, this guidance applies to federal savings associations in addition to national banks.*
This alert highlights the need for national banks and their technology service providers (TSP) to take steps to ensure their enterprise risk management is sufficiently robust to protect and secure the bank’s own and their customers’ information.
Several recent security breaches have highlighted the need for national banks and their TSPs to perform periodic risk assessments of their information security programs with respect to the prevention and detection of security incidents. Most security-related incidents occur because of the lack or failures of basic controls that allow attackers to gain entry into a target environment through phishing, spear-phishing, drive-by malware injection, and other techniques. Once attackers have entered an environment, they typically use sophisticated tools and techniques to gain access to sensitive data or systems. Successful attacks often compromise sensitive customer information or create fraud. The increasing sophistication of the tools and techniques attackers use often includes stealth or other means that make their detection more difficult.
The Office of the Comptroller of the Currency (OCC) expects national banks and their TSPs to review carefully the National Security Agency’s Information Assurance Advisory (March 28, 2011) and the United States Computer Emergency Readiness Team’s (US-CERT) Early Warning and Indicator Notice (EWIN) 11-077-01A Update, both associated with one of the recent events. The NSA advisory provides detailed recommendations consistent with previously issued OCC and Federal Financial Institution Examination Council guidance. Access to sensitive information, systems, and control components should be highly restricted and carefully monitored. National banks should ensure that their information security program or that of their TSPs includes the evaluation and appropriate disposition of the above-mentioned recommendations based upon their environment and risk profile. The US-CERT EWIN contains a list of domains associated with malicious activity. National banks and their TSPs should prohibit network traffic, inbound and outbound, within those domains.
You may direct questions regarding this alert to the Bank Information Technology Division at (202) 874-4740.
Timothy W. Long
Senior Deputy Comptroller for Bank Supervision Policy
and Chief National Bank Examiner
*References in this guidance to national banks or banks generally should be read to include federal savings associations (FSA). If statutes, regulations, or other OCC guidance is referenced herein, please consult those sources to determine applicability to FSAs. If you have questions about how to apply this guidance, please contact your OCC supervisory office.