Application Security Draws Extra Attention from Feds

OCC Bulletin Focuses on Risk, Vendor Management TaKe this Survey Now Banking institutions must conduct appropriate security risk assessment and mitigation on all software applications, regardless of whether developed internally, by a vendor or by outside developers.

This is the key point of a recent bulletin from the Office of the Comptroller of the Currency (OCC Bulletin Released on Application Security for OCC-Regulated Banks), which regulates and supervises all national banks.

"This letter is just an outgrowth of the natural processes and efforts of the OCC," says Mark O'Dell, Deputy Comptroller of the OCC. "It reminds institutions that when developing applications, security needs to be baked in to that development process."

Noting that this letter could broadly apply to many other industries outside banking, O'Dell points to instances in the past couple of years where application security has been an issue (think of recent data breaches) where new threats, especially to Internet and web applications have occurred. "We just want to make sure we remind our institutions that these risks are real to them and that their application development process appropriately addresses security."

The OCC's focus on application security isn't something that should surprise financial institutions, says Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association. "Application security is on the minds of many institutions, given the fact that no application really stands alone in our networked environment," he says. "While the new guidance applies only to national banks (those that fall under OCC review), it would not hurt any bank to review it."

Focus on Vendor Management
In terms of the OCC's guidance, and how this letter fits in with the bigger picture of compliance, O'Dell says "A great deal of our guidance deals with third-party service and vendor management issues and outsourcing activities and what our expectations are in terms of risk management."

While a bank may outsource processing or other activities, O'Dell says, "in terms of the risk management responsibilities that are associated with those activities, all those stay at the bank level."

O'Dell says in terms of this particular guidance, while banks may outsource a great deal of Internet application development or may purchase software from third party companies or technology service providers "We would still expect banks to understand the processes that those third parties or service providers have used to ensure that application security was again 'baked into' the application development processes of the applications that the bank is buying."

As to whether banks will be examined for compliance on these points, the answer is yes, he says, "We will as a matter of due course be looking for the processes that a bank has in place for ensuring application security -- that will be a part of the ongoing natural processes that we use when setting supervisory strategies."

O'Dell says the OCC expects most of its regulated banks already have these processes in place, "Security is already a part of the examination process in many different ways and many different perspectives."

Key Risk Factors
The bulletin, O'Dell says lists key factors bank management should consider in risk management of its applications, and notes national banks should include application security in their risk assessments, including those required by FFIEC guidelines establishing standards to protect customer information. Key factors listed include:

Accessibility of the application via the Internet;
Whether the application provides the ability to process or provide access to sensitive data;
Source of application's development such as in-house, purchased or contracted;
Extent that secure practices are used in the application's development process;
Existence of an effective, recurring process to monitor, identify remediate or correct vulnerabilities;
Existence of a periodic assurance process to validate independently the security of the application.

For banks that develop their own software applications in-house, O'Dell says they should consider following an enterprise-wide security effort that is coordinated across business lines to protect the bank from attack.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.