
Strengthening Your Customer Information Policy & Procedures
by Mary Beth Guard, BOL Guru

Question: We have a policy and procedures on Safeguarding Customer Information. My problem is, the FDIC EDP examiner wants more meat on it, such as: address logical and physical access controls to CIF. No incident response policies? I can't find the information in the Federal Register. Vendor oversight requirements have not been formalized. Can you direct me to any site that will have examples or answers to these questions?

Answer: Take a look at the 8 different security measures your institution is required to evaluate and, if you determine them appropriate, adopt, under the Information Security Guidelines.

"Logical access controls" is how they are referring to the first category of security measures. It includes things ranging from call verification procedures to passwords. Physical access controls include things like key controls and inventories, and restricting access to areas and files within your institution (such as the server room) and outside storage facilities.

In Banker Tools, you will find a matrix I created to help determine how much oversight you need to give to a particular vendor's information security program, based upon the sensitivity of the customer information to which they are privy and whether they are already directly subject to the guidelines.

There are a number of articles on the site relating to these requirements. There is also an on-demand seminar "Can your information security program pass the test?" available for purchase in the BOL Banker Store.

First published on BankersOnline.com 1/20/03






