INFORMATION SECURITY PROGRAM DIRECTIVE
INFORMATION SECURITY PROGRAM
Bank management shall, through an effective Information Security Program (the Program):
- assure the security and confidentiality of customer records and information as well as the proprietary records and information of the bank;
- protect against any anticipated threats or hazards to the security or integrity of such records and information; and
- protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer or the bank.
The Program shall use appropriate administrative, technical, and physical safeguards to protect customer records and information as well as the bank's own proprietary information.
Additionally, the Program shall meet standards mandated by The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) issued pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.
RESPONSIBILITY AND REPORTING
The bank?s Chief Information Officer (CIO) is assigned primary responsibility for the development, implementation, and maintenance of the Program. To assist, the CIO may convene a committee of other bank managers from various divisions or departments of the bank, including Operations, Lending, Retail, and Compliance. At least annually, the CIO will report to the Board of Directors the overall status of the Program. The report shall discuss material matters related to the Program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the Program.
Management shall identify the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Further, management shall develop and implement procedures and other controls that take into account the likelihood and potential damage of these threats.
MANAGING AND CONTROLLING IDENTIFIED RISKS
Management shall develop, implement, and maintain the Program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities.
Management has, as of today, identified the following security measures appropriate for the bank and either has or will shortly adopt those measures that management concludes are appropriate. Testing methods are also listed.
Bank Policy or Procedure Cross-Reference
Access controls on customer information systems
Includes controls to:
Authenticate and permit access only to authorized individuals and
Controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
The following Bank policies and procedures address controls on access:
- PC/LAN Security Policy
- Internet/Email Policy
- Firewall Policy
- Network Security Administrator?s Procedures
- Ethics and Employee Conduct for Personal Use of DP Resources
- CBS Administrator Procedures
Review by Outside Audit Firm of Firewall and On-Line Banking ? last conducted ______.
Outside Audit Firm annual review of Internal Security and Controls.
Annual penetration testing by third party, (name them).
Encryption of electronic customer information
Includes information while in transit or in storage on networks or systems to which unauthorized individuals may have access.
The following provide methods of encryption of electronic customer information:
- SSL technology for on-line banking
- PGP password procedures for internal communications
- The use of Cisco routers on data
During the annual Outside Audit Firm Controls Review audit, the SSL connections will be tested along with a review of emails for PGP usage.
Customer information system modifications
Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program.
Change control procedure for LANs, etc. to be added to PC/LAN Security Policy and Firewall Policy
Outside Audit Firm will review during the annual Controls Review Audit.
Monitoring systems and procedures
to detect actual and attempted attacks on or intrusions into customer information systems
Monthly Log Reviews by Network Security Administrator
The annual Outside Audit Firm audit of I.S. Controls will review the log sheet of the Network Security Administrator showing what servers were reviewed and when the reviews occurred.
that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies;
Added to Firewall Policy (date)
The Network Security Administrator will update the response procedures.
Contingency and Disaster Recovery
Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures
Disaster Recovery Plan
Business Continuity Plan (Systems) with mirrored system capability by (date)
Testing of the disaster recovery plan and the business continuity plan will be performed and documented by I.S. Department on an annual basis.
SERVICE PROVIDER OVERSIGHT
Management shall exercise appropriate due diligence in selecting service providers. When applicable, contracts with service providers shall specifically require them to protect the security, confidentiality, and integrity of all customer information that is under their control. Contractual performance shall be monitored.
Appropriate initial and periodic ongoing training shall be provided to all associates who carry out policies and procedures adopted within the Program. The Training Department shall maintain records of all such training.
First published on BankersOnline.com 7/23/01
First published on 07/23/2001