Information Security for Networks
December 16, 1997
Circular No. 11008

To the Chief Executive Officers of All Bank Holding Companies, State Member Banks, U.S. Branches and Agencies of Foreign Banks, and Edge Corporations, in the Second Federal Reserve District:

The letter from the Federal Reserve Board's Division of Banking Supervision and Regulation, and the accompanying paper prepared by supervision staff of the Federal Reserve Bank of New York, contain guidance on sound information security practices to address risks associated with computer networks. A version of this paper was distributed at a security conference sponsored by the Federal Reserve Bank of New York on September 24, 1997. Presentation materials from the conference are available at this Bank's web site.

The guidance presented in the paper does not constitute a regulation and should not be interpreted as such. However, the paper outlines the types of prudent and effective measures that financial services institutions have implemented, are in the process of implementing, or plan to implement to protect information and ensure its integrity, availability, and confidentiality. In this connection, the paper may provide insights and assistance in designing an effective information security program and secure automation systems.

It is suggested that the letter and the paper be distributed within your organization to senior management and others with responsibility for network security.

Should you or your staff have any questions regarding this topic, please contact, at this Bank, George R. Juncker, Vice President, or the paper's principal authors, Robert W. Dabbs, Assistant Vice President, and Joseph J. Galati II, Examining Officer.