I. INTRODUCTION
The FDIC, in June of 2004, issued guidance to financial institutions on Developing an Effective Computer Virus Protection Program (FIL-62-2004), designed to assist financial institutions in developing a program to mitigate risks associated with computer viruses and other types of malicious software code. While financial institutions increasingly rely on the Internet to conduct business transactions and to communicate with customers, vendors and other business partners, e-mail applications remain susceptible to computer viruses that may be embedded in e-mails received or in their file attachments. The FDIC advises that financial institution management understand the risks of computer viruses, such as the costs of lost business or opportunities, the threat to confidentiality of data and the adverse effect on an institution’s reputation. Therefore, management must take appropriate action to protect computer systems. This FDIC guidance is designed to complement the FFIEC Information Security IT Examination Handbook (December 2002) and to supplement FIL 68-99, Risk Assessment Tools and Practices for Information System Security.
The FDIC also prepared guidance, issued July 21, 2004, on Instant Messaging (FIL-84-2004) to assist financial institutions in protecting against the vulnerabilities of instant messaging (IM) and in establishing policies and procedures concerning IM usage. The FDIC noted that IM technology is being used at work by financial institution employees both officially (as approved by senior management) and unofficially (where users access IM directly from the Internet) and warned that IM access may expose financial institutions to security, privacy and legal liability risks.
II. VIRUS PROTECTION PART OF INFORMATION SECURITY PROGRAM
A computer virus protection program should be an integral part of an institution’s overall information security program. While oversight and accountability should be assigned to an appropriate party, the virus protection program should involve management, information security and systems operations personnel.
Customer information security guidelines require that periodic risk assessments be provided to the Board of Directors. In such assessments, management details measures taken to mitigate risks. The effectiveness of a financial institution’s virus protection program should be addressed in the periodic risk assessments and status reports. Any control weaknesses should be identified and addressed during the normal course of business. An inadequate virus protection program may adversely affect certain components of a financial institution’s IT examination ratings.
III. DEVELOPING AN EFFECTIVE VIRUS PROTECTION PROGRAM
An effective computer virus protection program must include installation and maintenance of virus protection software on all hosts and clients, including desktop and laptop computers, servers and gateways, and must provide for automatic updates and version tracking.
A qualified individual, with sufficient knowledge and training to manage virus software and patches and able to assist users when possible infections occur, should be responsible for a financial institution’s computer virus protection program. In many circumstances, institutions may rely upon an outside entity for assistance with anti-virus software and related services.
The FDIC recommends that policies and procedures be established to inform and train employees on protecting a financial institution’s systems from becoming infected by viruses, including caution when opening e-mail attachments from both known and unknown sources.
Management should perform and document an assessment to determine what type of anti-virus software solution to use. Virus detection practices should include protection for servers and workstations.
IV. IMPLEMENTING AN EFFECTIVE VIRUS PROTECTION PROGRAM
Since viruses and worms exploit commercial, off-the-shelf (COTS) software and operating system weaknesses, the FDIC guidance lists basic steps that may be taken to protect systems:
Individuals responsible for anti-virus programs should check with their anti-virus vendors or vendor websites at least daily to determine if any recent viruses require immediate updating of virus protection software. Most vendors have a system to alert subscribers or users to perform a software update. When an alert is received, financial institutions should update virus protection software immediately.
Alert services are available that warn users of new viruses and worms before anti-virus programs have been updated to block them. Awareness and education about the characteristics of such threats can be critical in protecting a computer before updated anti-virus signatures are made available.
There are various steps that a financial institution may take when a system becomes infected. Employees should know whom to contact if they suspect a virus infection has occurred. Employees should also be advised to inform the institution’s virus protection support group or security department of the events that occurred prior to the possible infection.
Policies should be established to determine what virus detection software to use and to ensure that the software distribution process provides for virus prevention. Management should maintain sufficient controls to prevent the corruption of data or software and to correct problems caused by computer viruses or operating system vulnerabilities.
V. INSTANT MESSAGING RISK ASSESSMENT AND POLICY
Instant messaging may be used from a computer connected to the Internet either through a web browser or by downloading IM software. IM has become a popular alternative for “real time” communication between connected computer users. The latest IM versions allow users to share files in addition to messaging. Since IM access may expose financial institutions to security, privacy and legal liability risks, the FDIC advises that financial institution management assess the risks and business necessity for IM and establish policies to allow, restrict or deny IM usage based upon such risk assessments and business needs.
Once again, the FDIC notes that customer information security guidelines require that periodic risk assessments and status reports be submitted to the board of directors and advises that these periodic assessments and reports should include the financial institution’s position on IM. Any control weaknesses should be identified and addressed during the normal course of business.