

Developing an Information Security Program
Answer by Sam Ott

QUESTION: I would appreciate any advice on where to start when developing our information security program.

ANSWER: This short excerpt from the American Bank Systems 12 Step Privacy Compliance Program should help provide a beginning point.

You'll need to start by identifying risks to data security, confidentiality, or integrity. The first step is to assess risk. This is perhaps also the most challenging task. You are required to identify reasonably foreseeable threats - both internal and external - that could result in
  • unauthorized disclosure,
  • misuse,
  • alteration, or
  • destruction
of either customer information or customer information systems.

It may be helpful for you to take one category of threat at a time and identify the risks within that category.

For example, on the risk of unauthorized disclosure, your privacy team could brainstorm about all the threats you can think of. Here's one way to identify and document the threats:
Unauthorized Disclosure

Type of Threat | Internal | External
---------------------------------------------------------------------------- | -------- | --------
Loose lips | X | X (service providers)
Files left on desks | X |
Computer monitors viewable by outsiders | X |
Emails containing customer information or references sent to wrong recipients | X | X
Disclosures to government authorities without following the Right to Financial Privacy Act | X |
Sending mail containing customer information to the wrong address (Example: bank receives fraudulent request for change of address and, believing it to be legitimate, changes the address for the account.) | X |
Inadvertent disclosure to a pretext caller | X | X (can occur externally when, for example, someone employed by the service provider releases customer data to someone whom they believe to be acting on behalf of the financial institution)
Hacker gains access to your network | | X
Firewall proves inadequate | X | X
Necessary security patches not installed | X | X
Former users not removed from system | X | X
Password system faulty | X | X
Records misfiled | X |
Service provider has inadequate information security | | X
Institution's trash falls out of truck on way to shredder | X | X
Unshredded trash is left where janitorial staff can access it. | X | X


First published on BankersOnline.com 5/7/01