Board Approval

Posted By: BankMan88

Board Approval - 09/19/06 04:30 PM

Is the Board of Directors required to sign off on IT-related policies such as End User, Information Security, Internet and e-mail, Remote Access, etc.? These policies make up part of our overall 'Information Security Program' for GLB. Does the Board need to 'approve' a bank's information security program? We do give them status reports of Information Security related measures and incidents. Any guidance is appreciated. Thanks!

Posted By: Ms Auditor

Re: Board Approval - 09/19/06 05:13 PM

IMO - The board needs to approve all of the policies but does not need to approve the procedures contained in the IS Program.

Posted By: Dazed and Confused

Re: Board Approval - 09/19/06 06:37 PM

I agree with Ms Auditor. The board should approve higher-level policies (such as the information security program) ... but the other policies you listed appear to be management-level policies that are more procedural in nature (and they may not need to be approved by the board).

Board-level IT policies should outline the overall objectives and goals to establish and maintain effective security and controls over the entire IT function and services (e.g., data processing, networked systems and platforms, end-user computing, etc.). The management-level policies/procedures should then be developed to support and carry out the board-level objectives and goals (and mgmt.-level policies would not have to be submitted to the board for approval).

Posted By: Andy_Z

Re: Board Approval - 09/24/06 07:26 PM

If the board doesn't approve them and some management level does, be sure you're covered under Reg. O as to who is and is not an insider.

Personally, if it warrants a policy and is guidance on how you'll operate, I think the board should be involved.