Managing Risk: Information Security

Risk is that four-letter word that is most on our minds right now. In the context of information security, managing risk is a front-burner issue. But what, exactly, is it? One of the problems in dealing with risk management is that it is such a slippery concept with very few clear, hard lines. In the area of information security, risk management challenges are compounded by the almost daily developments in software.

In the good old days, not very long ago, the concept of risk management boiled down to buying insurance. The agencies have made clear that insurance coverage is not risk management. "Insurance coverage is not a substitute for an information security program."

This instruction is consistent with another directive from the agencies: the information security program should be designed and maintained to protect customer information. The program is not simply designed to protect the institution, but to protect the information about customers that the institution holds as a custodian. With this focus, we need to look at the information security program from the perspective of the institution and the customer.

The guidance contains two key concepts: prevention through controls, and response preparedness. Prevention - the protection of information - must be the heart of the program. Security measures should be developed and maintained with the full realization that when it comes to information security, there is absolutely no passing the buck.

In designing a program, look constantly for loopholes. There are always people on the outside as well as employees who think freely and creatively and would like to play with your customer data. Be ready for them.

Information risk management is ongoing. Any information security program must be updated at least as often as Microsoft issues updates. Also remember that the program should include more than software and system concerns. Those paper records must also be protected.

With these principles in mind, you should be able to answer all of the following questions. While we have added a few, most come directly from the agencies' guidance. Consider these issues as an agenda for your information security meetings.

Prevention and Controls
  • Where are all your information systems, including service providers?
  • Who has access to information systems?
  • What limits are there on access?
  • What firewalls are in place?
  • What authentication steps are in place?
  • Is there a system for tracking access and determining that it was authorized?
  • Is access limited to specific locations?
  • What controls are at these locations?
  • Are encryption techniques for access, storage or transmission state of the art?
  • Can anyone modify information systems without proper authorization?
  • Are dual controls and segregation of duties in place?
  • Are background checks performed and regularly updated on employees who have access?
  • What monitoring systems are in place to identify possible hacking or system attacks?
  • What action will be taken against a person who accesses or attempts to access information without authorization? Is this action sufficient?
  • Are there adequate information protection and back-up systems so that information can be restored following a crisis or disaster?
  • If the system can be accessed through the Internet, what protections and firewalls are in place?
Responses
  • What tools and techniques are ready to identify problems and assess the extent of harm?
  • Are procedures in place to give prompt notification to your federal regulator?
  • Are procedures in place to give appropriate notification to law enforcement and, if appropriate, file the SAR?
  • What measures are in place to limit harm and reestablish information security?
  • What is in place to give prompt notification to customers?

Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 15, 12/05