Answer by Mary Beth Guard:
The Interagency Guidelines for Safeguarding Customer Information ("the InfoSec Guidelines") require each financial institution to put into place a program of appropriate administrative, technical and physical safeguards to protect customer information. Those safeguards may, depending upon the size of the institution, the nature of its information storage and usage, and other factors, include such things as intrusion detection systems, logical access controls and more. It is not enough to put those safeguards into place, however. The InfoSec Guidelines also require you to test the efficacy of the safeguards. Specifically, the Guidelines state that you should:
Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
This would include penetration testing of your network, trying to get around firewalls (software and hardware), and identifying weaknesses in passwords or other access codes.
Answer by Clayton Hoskinson:
To my knowledge there is no "authorization" from any federal or state regulatory agency for the pen-testing firms. Self-testing is possible, as long as the institution can convince their regulators that the testing that was done was independent of the operations unit who administers that part of the operation. As to your question on testing of wired or wireless networks, there is certainly no exemption from the testing requirement for either wired or wireless networks.
First published on BankersOnline.com 1/6/03