
Information Security Booklet July 2006

TABLE OF CONTENTS

INTRODUCTION ..... 1
  Overview ..... 1
  Coordination with GLBA Section 501(b) ..... 2
  Security Objectives ..... 2
  Regulatory Guidance, Resources, and Standards ..... 3

SECURITY PROCESS ..... 4
  Overview ..... 4
  Governance ..... 5
    Management Structure ..... 5
    Responsibility and Accountability ..... 5

INFORMATION SECURITY RISK ASSESSMENT ..... 9
  Overview ..... 9
  Key Steps ..... 10
    Gather Necessary Information ..... 10
    Identification of Information and Information Systems ..... 11
    Analyze the Information ..... 11
    Assign Risk Ratings ..... 14
  Key Risk Assessment Practices ..... 15

INFORMATION SECURITY STRATEGY ..... 17
  Key Concepts ..... 18
  Architecture Considerations ..... 19
    Policies and Procedures ..... 19
    Technology Design ..... 20
    Outsourced Security Services ..... 21

SECURITY CONTROLS IMPLEMENTATION ..... 22
  Access Control ..... 22
    Access Rights Administration ..... 22
    Authentication ..... 25
    Network Access ..... 37
    Operating System Access ..... 46
    Application Access ..... 48
    Remote Access ..... 50
  Physical and Environmental Protection ..... 52
    Data Center Security ..... 53
    Cabinet and Vault Security ..... 54
    Physical Security in Distributed IT Environments ..... 54
  Encryption ..... 56
    How Encryption Works ..... 57
    Encryption Key Management ..... 57
    Encryption Types ..... 58
    Examples of Encryption Uses ..... 59
  Malicious Code Prevention ..... 60
    Controls to Protect Against Malicious Code ..... 61
  Systems Development, Acquisition, and Maintenance ..... 63
    Software Development and Acquisition ..... 63
    Systems Maintenance ..... 67
  Personnel Security ..... 70
    Background Checks and Screening ..... 71
    Agreements: Confidentiality, Non-Disclosure, and Authorized Use ..... 71
    Job Descriptions ..... 72
    Training ..... 72
  Data Security ..... 72
    Theory and Tools ..... 73
    Practical Application ..... 73
  Service Provider Oversight ..... 76
    Trust Services ..... 77
    SAS 70 Reports ..... 77
  Business Continuity Considerations ..... 78
  Insurance ..... 79

SECURITY MONITORING ..... 81
  Architecture Issues ..... 82
  Activity Monitoring ..... 82
    Network Intrusion Detection Systems ..... 83
    Honeypots ..... 85
    Host Intrusion Detection Systems ..... 86
    Log Transmission, Normalization, Storage, and Protection ..... 87
  Condition Monitoring ..... 87
    Self Assessments ..... 87
    Metrics ..... 88
    Independent Tests ..... 88
  Analysis and Response ..... 90
    Security Incidents ..... 91
    Intrusion Response ..... 92
  Outsourced Systems ..... 93

SECURITY PROCESS MONITORING AND UPDATING ..... 95
  Monitoring ..... 95
  Updating ..... 96

APPENDIX A: EXAMINATION PROCEDURES ..... A-1

APPENDIX B: GLOSSARY ..... B-1

APPENDIX C: LAWS, REGULATIONS, AND GUIDANCE ..... C-1


INTRODUCTION

OVERVIEW

Information is one of a financial institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the financial institution industry has a primary role in protecting the nation's financial services infrastructure. The security of the industry's systems and information is essential to its safety and soundness and to the privacy of customer financial information. Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization's business processes, and clear accountability for