Alerts & Counterfeits
The BankersOnline team has gone through all of the FDIC alerts for the past two years dealing with counterfeit, fictitious, and stolen cashier's checks, certified checks, official checks, money orders, and similar items, and we have compiled an easy-to-print, easy-to-use chart which features the items in alphabetical order. We believe it will be an indispensable tool (which we will update every few weeks, as new alerts warrant) for your frontline personnel to use to help them spot fraudulent items.
Annual Security Program Report - How to Prepare
BOL Guru Dana Turner has graciously consented to allow us to post an excerpt from his Security Program Manual. This Tool is from the Workbook section of Dana's book, and it provides guidance on how to prepare your annual security program report.
FFIEC FAQ on their Guidance on Authentication in an Internet Banking Environment
On August 15, 2006, the Agencies published an FAQ document to respond to questions concerning their October 12, 2005, Guidance, which is often referred to as their "Multifactor Authentication" guidance. The FAQ clarifies several issues, including controversy over whether the Guidance applies to telephonic voice response units (VRUs), and which sorts of risks the agencies are concerned about. It also makes clear the agencies' expectations on what needs to be completed by the December 31, 2006, target date in the Guidance document.
Review this FAQ to resolve questions you might have about whether systems your bank has deployed or may consider deploying need to be reviewed for risks of data compromise, what steps you need to take to conform to the Guidance, and your deadline for completing them.
Assessment of Unauthorized Access To Sensitive Customer Information Worksheet
Cindy Williams of Community State Bank, N.A., Ankeny, Iowa, created this form in response to the "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice."
You may use this to guide the process for the required assessment when a suspected compromise may have occurred to "sensitive customer information". It would also serve as documentation of the steps that were taken. Information here can support your position to file or not file a SAR as well.
This tool could be used by a management team responsible for responding to a possible information compromise. Information from this group would be used to complete the form.
- Assessment of Unauthorized Access To Sensitive Customer Information Worksheet - PDF version
- Assessment of Unauthorized Access To Sensitive Customer Information Worksheet - Word .doc format (Right click on the link to save the file)
Branch Security Review Checklist
From Bankers' Threads user PBM (Harry Shayhorn) come two versions of a checklist to help you perform a branch security review.
Check Guide, UCC 3 & 4 Training
Gene R. Elerding of Manatt, Phelps & Phillips, LLP in Los Angeles has provided us with a 127-page review of UCC 3 and 4, entitled "The Check Guide." This detailed review will assist anyone needing a better understanding of the rules involved with checks. There is a table of contents so you can find information on any of the 13 major sections.
Checklist for Information Security Steps
The GAO report on information security at the FDIC contains a number of "best practices" for information security that are just as pertinent to financial institutions as they are to the federal regulator. We've studied the report and extracted from it information security steps in the categories of Access Controls and User Permissions, Network Security, and Computer Security Program and used the GAO's comments to construct a checklist that can be customized for your institution's needs to guide you in ensuring you have the bases covered.
Counterfeit Check Scams 101 - Training to Avoid Losses
Thomas Ammerman AKA thomasj has been a real asset in the threads sharing information so others can improve their security programs and reduce their losses. One request he has had was for training information he authored to train new hires and to remind the experienced staff about losses and scams. Recognizing these scams and bogus items early in the transaction process can save your bank money, and your customers too.
"Counterfeit Check Scams 101" is a six-page training document used to train all staff to recognize many of the common scams that threaten your bottom line. There is background information and then a review of eight scams and seven counterfeit check scenarios. These are followed by eight common faults to watch for in identifying bogus items and contact information used to verify items.
A more complete description is here.
(see the Operational Accessories section) for Disaster Recovery tools
Guru Dana Turner provided us with this Disaster Recovery Guidelines and Test.
Employee Guide to Information Security
Jesse Torres, CIA, CISA, CISSP, of The California National Bank in Los Angeles has written an excellent guide to help address security issues in your institution, from safeguarding the information assets of the bank down to the confidential information of customers. Jesse reviews the Gramm-Leach-Bliley Act and its practical implications as well as identity theft, use of passwords and email, and other issues that will immediately impact everyone's business operations.
Employee Information Form
Sharon Lewis from COCHA supplied this form to be kept on file by bank security and H.R. personnel to be used in the event of an incident involving an employee -- whether it's suffering a heart attack at work, or being the possible target of a kidnapping. We've provided it in two formats to customize as you see fit.
Employee Personal Profile Form
Dana Turner has supplied this Employee Personal Profile Form.
Guide for Brainstorming for Risk Analysis
Ray Muth is a CPA, CISA, CISSP and CITP with BankLogic.Net. When he goes into a bank to help it develop its own risk analysis, he takes this template to use. It's basically a guide for brainstorming for risk analysis. It works best when facilitated, but whether it is facilitated or not, members from all bank departments should be included and the risk analysis should be broken out by lines of business.
Hold Harmless Letter
Guru Barb Hurst has provided this hold harmless (indemnification) letter:
Information Security Program Checklist
BOL Guru Karen Garrett of Bryan Cave devised this useful checklist for your information security program.
InfoSec Contract Provisions Monitoring Chart
You must have a written contractual agreement with all your service providers who have access to nonpublic personal information on customers as a result of rendering a service to you. The contract provision must require the service provider to implement and maintain an information security program designed to achieve the objectives of the Information Security Guidelines. This chart, prepared by BOL Guru Mary Beth Guard, aids you in documenting that you have obtained those contractual agreements. (See related article.)
InfoSec Service Provider Risk Assessment Matrix
The extent to which you must monitor the information security practices of a service provider will depend upon the type of entity it is and the sensitivity of the information to which it has access. Mary Beth Guard created this matrix to aid in the analysis of what level of scrutiny is necessary. (See related article.)
Information Security Best Practices Guide
This report explores the nature of the threats facing executives tasked with CMA (Computer-Managed Assets) protection, and discusses ways that the risks associated with those threats can be managed and mitigated.
Night Inspection Evaluation Form
Barry Thompson provides this useful form for documenting night inspections.
Release of Claim Forms
Greg Goss of Valley Ridge Bank has provided a sample of release forms you may find helpful. When a customer has filed a forgery or ATM/debit card claim, but later wants to withdraw that claim, how do you document it and reduce your liability? Greg has provided one form for each type of claim so you can CYA.
Robbery Deterrent Signs
Remind would-be criminals coming in to your institution that they're likely to have their image captured on your surveillance cameras -- and that crimes against your institution are investigable by the FBI. These "print-it-yourself" signs from BOL provide another tool for deterring robbers.
Robbery, Before and After
Quick lists that make great hand-outs for your robbery training.
Sample Information Security Contract Language
BOL Guru Karen Garrett of Bryan Cave has provided a sample of what an information security contract provision might look like.
Sample Investigative Report
Dana Turner offers this tool to illustrate how to document your investigation.
Suspicious Activity Investigative Report Forms
Offered in two varieties, one by Alan Virr and the other by Michelle Nuckols, these Suspicious Activity Investigative Report forms should prove helpful in determining if there is sufficient cause to file a SAR, and to act as supporting evidence of your decision.