BOL Conferences
#615033 - 09/19/06 04:30 PM Board Approval
BankMan88 Offline
New Poster
Joined: Nov 2003
Posts: 19
Is the Board of Directors required to sign off on IT-related policies such as End User, Information Security, Internet and e-mail, Remote Access, etc.? These policies make up part of our overall 'Information Security Program' for GLB. Does the Board need to 'approve' a bank's information security program? We do give them status reports of Information Security related measures and incidents. Any guidance is appreciated. Thanks!

eBanking / Technology
#615034 - 09/19/06 05:13 PM Re: Board Approval
Ms Auditor Offline
100 Club
Joined: Oct 2001
Posts: 148
Upstate NY
IMO - The board needs to approve all of the policies but does not need to approve the procedures contained in the IS Program.

#615035 - 09/19/06 06:37 PM Re: Board Approval
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
I agree with Ms Auditor. The board should approve higher-level policies (such as the information security program) ... but the other policies you listed appear to be management-level policies that are more procedural in nature (and they may not need to be approved by the board).

Board-level IT policies should outline the overall objectives and goals to establish and maintain effective security and controls over the entire IT function and services (e.g., data processing, networked systems and platforms, end-user computing, etc.). The management-level policies/procedures should then be developed to support and carry out the board-level objectives and goals (and mgmt.-level policies would not have to be submitted to the board for approval).

#615036 - 09/24/06 07:26 PM Re: Board Approval
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,748
On the Net
If the board doesn't approve them and some management level does, be sure you're covered under Reg. O as to who is and is not an insider.

Personally, if it warrants a policy and is guidance on how you'll operate, I think the board should be involved.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell


Moderator:  Andy_Z