Information Security Guidelines


Presentation Transcript


  1. Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002

  2. Background- 501(b) Guidelines • Required by GLBA • Purpose: to ensure security & confidentiality of customer information • Effective July 1, 2001 • Effective July 1, 2003, for contracts entered into on or before March 5, 2001 • Guidelines, FIL 22-2001 (3/14/01) • Exam Procedures, FIL 68-2001 (8/24/01)

  3. What Do Guidelines Require • Identify & assess risks to customer information • Design & implement program to control risks • Board review & approval • Test key controls (at least annually) • Train personnel • Adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security.

  4. Types of Information to be Protected • Customer’s nonpublic personal information (uses Privacy regulation definition) • Does not apply to business customers • Does not apply to consumers with no ongoing relationship (e.g., purchase a cashier’s check, use your ATM network)

  5. Key #1- Risk Assessment Each bank shall: • Identify reasonably foreseeable internal & external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information; • Assess the likelihood & potential damage of these threats taking sensitivity of information into consideration; and • Assess sufficiency of procedures in place to control these risks.

  6. Key #2- Security Program Each bank shall: • Design an information security program to control identified risks, commensurate with the sensitivity of the information as well as the complexity & scope of the bank’s activities • Consider the eight security measures listed in §III.C.1, and adopt if appropriate

  7. The “Laundry List” • Logical access controls • Physical access controls • Encryption • System modification procedures • Dual controls, segregation of duties, background checks • IDS • Incident response program • Emergency plan

  8. Key #3- Oversee Service Providers Each bank shall: • Exercise appropriate due diligence in selecting service providers; • Require service providers by contract to implement appropriate measures designed to meet the guideline’s objectives; and • Monitor (where indicated by bank’s risk assessment) its service providers to confirm they have satisfied their obligations.

  9. FDIC Examiner Survey • DOS follow-up usually done within 1 year of new requirement • Survey sent to every field office in all 8 regional offices • 5 questions • Informal survey, not intended to be “scientific”

  10. FDIC Examiner Survey • Survey Questions: • 3 most common deficiencies • Most common question asked by bankers • Is there confusion between privacy regulation and security guidelines? • How much time have banks spent complying? • How long for examiners to complete this part of exam?

  11. Three Most Common Deficiencies 1. Inadequate risk assessment - Slightly more than half of responses noted banks with no assessment 2. Inadequate security policy/program - About one-third of responses noted banks with no written security policy 3. Inadequate Board involvement, testing, and training

  12. Most Common Banker Question 1. How should a bank perform & document a risk assessment? 2. Does FDIC have any further guidance on what an acceptable risk assessment & security policy should look like? • What guidelines? • Am I in compliance? • What are other banks doing?

  13. Confusion With Privacy Regulation • YES • Overall, very large percentage of survey forms said that bankers confuse privacy regulation & security guidelines • Some bankers think they are same thing • Some bankers think compliance with privacy regulation means compliance with security guidelines

  14. Time Spent Complying • No significant expenditure of time so far (see previous slides) • Banks anticipate significant time going forward • Large v. small banks • Some $ spent, mostly time • Some are comparing burden to Y2K

  15. Time Spent by Examiners • Nationwide overall average: about 1-1/2 days • Significantly less for banks with no security program and very small banks • More time for banks with a security program and large banks

  16. Recommendations • Become familiar with what the guidelines require • Conduct & document a formal, comprehensive risk assessment • Develop a written security policy/program • Brief the Board of Directors and get their approval

  17. Jeffrey M. Kopchik, Senior Policy Analyst, jkopchik@fdic.gov
