GLB: Exam Procedures for Information Security

In the final step of implementing the Gramm-Leach-Bliley customer information security requirements, the agencies have released examination procedures. As with other exam procedures, these contain almost as much information about compliance as the rules and guidelines themselves. The exam procedures clarify the detail level that will be required, the scope of information protection and the level of management and board involvement.

Purpose
The purpose of information security takes on additional meaning after September 11. Not only should the institution take steps to ensure the confidentiality of customer information, the institution should also protect against any anticipated threats or hazards to the security or integrity of the information and protect against unauthorized access or use of the information. Financial institutions need to consider the possibility that the information they possess and use to provide products and services may be a target for misuse by those who wish to harm our economy. One way to do that is to undermine confidence in the banking system.

Financial institutions should therefore do more than adopt a written program - which the guidelines require - and place it on the shelf. The program needs to function on a daily basis to protect both the institution and its customers from theft or misuse of customer information.

The Management Process
Step one is the process of establishing and managing an information security program. This includes review and approval by the board or a designated committee. Expect examiners to look for and evaluate the level of board involvement and actual knowledge about customer information security.

Examiners will also look to see whether the board has assigned an individual to be responsible for information security and whether that individual has the necessary skills to manage the program.

Separate areas of the institution may have independent programs. If this is the case, an important part of program management is to coordinate the information security programs across the institution so that there are no gaps or slippage. Much like the Y2K process, this includes making sure that different information systems work compatibly and that controls are in place to protect the information no matter how it is accessed.

As part of the procedures, examiners are asked to comment on the degree of the board's involvement as well as that of senior management. This step reflects the high level of management involvement that is expected in the current examination climate.

Reports
No management system is complete without reports and information security is no exception. Examiners will evaluate the usefulness of the reports from management to the board - and from throughout the organization to management. Examiners will consider who looks at reports to ensure that they are accurate. They will also need to consider the content of the reports and whether the reports describe the overall status of the program, including risks, decision-making, testing, and responses.

As for frequency, examiners will expect the board or its designated committee to review the reports at least annually. More often could gain positive points as long as both the reports and the board's review of them are sound.

Evaluating Risk
This is all about risk. Evaluating risk involves some core steps that should be a part of the institution's self-assessment. For example, examiners will look at what the institution did "to identify reasonably foreseeable threats and the potential damage those threats could cause" in the context of the institution and how it conducts business.

This is more than computers and automated systems. Your information security program should account for non-automated systems, such as loan files, signature cards and similar information databases. Any method of compiling, using, and storing information is covered - right down to what sits on someone's desk when they go on a break.

Risk assessment should be a part of a formal process with timelines and milestones that management can use to evaluate the status of the program. The assessment should also identify the relative sensitivity of information and compare this to the risk that the information could be misused.

This process should include responses to something actually occurring. How quickly and effectively an institution is able to respond is an important measurement of the information security program.

Risk assessment also involves making clear decisions about how much risk to accept. A program that blindly ignores the possibility that things can go wrong has a fundamental weakness. The institution should know how it plans to respond to problems.

Controlling Risk
It isn't enough to have a great plan. The program should include specific controls to prevent problems. Examiners will ask to see your controls and evaluate them.

Training is another topic that will be reviewed in the examination. The primary question will be whether appropriate staff know about the procedures and controls that apply to them - including what they should not be doing (like requesting a credit report to learn more about the new person in their neighborhood).

Risk concerns include:

  • access controls to information, including methods to prevent hacking and identity theft;
  • access restrictions at locations where information is stored;
  • data encryption methods;
  • procedures to ensure information security during system modifications or changes;
  • dual controls for information;
  • monitoring and "white knight" hacking tests;
  • response programs including identification of the problem, leadership of and participation in the response, and reporting of the problem and the steps taken to prevent or cure the problem; and
  • steps to protect information from damage or harm, including fire, flood, electrical, and system problems.

Service Providers
No information security program should overlook service providers. Your program is no better than theirs. Any information security program should consider the vendor's information security and the security of information while being transmitted.

As with Y2K, this includes tracking information sent, information returned, and how information is used by the service provider. The provider should have procedures, training, and controls to protect information.

The contract with the vendor should provide for information security and for reports to you that enable you to evaluate that information security.

ACTION STEPS

  • Schedule an annual report to the board or its designated committee. This should be an automatically recurring event. If you are having problems getting the program running, schedule reports more frequently.
  • Audit yourself using the exam procedures to find out what your program is missing.
  • Put on your creative hat and think about how information can be misused. Then think about how to prevent that from happening.
  • Compare your privacy and information security training to the examiner's check list.
  • Review the status of information security with service providers. Check the contract provisions and also run a test.
  • Review the reports that you should be getting from the service provider and consider whether they contain what you need to know. Also consider how you can use them.
  • Are you ready to respond to a sudden problem that changes everything?

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 12, 10/01

First published on 10/01/2001