
Information Security - Risk Assessment

by Mary Beth Guard, Esq.

Each regulatory agency is required by Section 501(b) of the Gramm Leach Bliley Act to establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards. The goals of those safeguards are:

1) to insure the security and confidentiality of customer records and information;
2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Identify Types of Information
The first step in formulating an information security program and coming into compliance with the information security guidelines is to identify all of the different types of customer information you collect and store.

Customer information means any record containing nonpublic personal information about a customer whether in paper, electronic, or any other form that is maintained by or on behalf of the financial institution.

You'll have to look at what you collect, how you store it, how you use it, how you transmit it, how you protect it and how you dispose of it.

Take into consideration that some types of information may exist in multiple forms at your institution. For example, you may take a written loan application from a customer, then create an imaged copy for your electronic files. You would then have both the paper and the electronic copy of that customer information.

For each type of information - and each type of customer information system (which means any methods used to access, collect, store, use, transmit, protect or dispose of customer information) - you will need to have safeguards in place.

Develop the Program
Once you have made an assessment of the types of customer information you collect and maintain and you have identified all your customer information systems, then you can begin the development of your information security program.

Assessing risk is perhaps the most challenging task you have to do. You are required to identify reasonably foreseeable threats, both internal and external, that would result in unauthorized disclosure, misuse, alteration, or destruction of either customer information or customer information systems.

Unauthorized Disclosure
Types of threats to guard against can include: careless talk by employees; files left on desks; computer monitors viewable by outsiders; emails containing customer information or references sent to the wrong recipients; disclosures to government authorities without following the Right to Financial Privacy Act; sending mail containing customer information to the wrong address (example - accepting fraudulent change of address); inadvertent disclosure to a pretext caller. Other threats: hacker gains access to your network; firewall proves inadequate; necessary security patches not installed; former users not removed from system; password system faulty; records misfiled; service provider has inadequate information security; institution's trash falls out of truck on way to shredder; unshredded trash is left where janitorial staff can access it.

Misuse of Customer Information
Consider if there is a risk of: a director who serves on loan committee using information in a business competitor's loan application to gain a business advantage; your customer database being used by a dual employee of your institution and an affiliate to gain information that goes beyond transactions and experiences data to use for the benefit of the affiliate and you have not given an opt out right; data other than customer information is loaded onto your institution's computers, causing possible risk of virus infection.

Alteration
What is the danger of: a loan file altered to make it appear borrower is current, rather than delinquent; a dormant account being tampered with; a deposit record changed to reflect a smaller deposit than what was actually made; fractional interest accruals on deposits shaved off to divert small amounts to a dummy account; deposit ownership records modified to show someone as a joint owner who is not; safe deposit records altered to show an additional renter; an electronic bill payment fraudulently set up on customer's account?

Risk of Destruction
What is your exposure if a disgruntled employee plants a time bomb in the computer system? (A small computer program is designed to check the electronic employee roster file each day. If, at any time, the employee's name no longer appears on the roster, the time bomb is set to activate a destructive worm which will destroy all data on the network.) What if: a tornado destroys the institution's office; an electrical fire damages all computers on the network; backup tapes are stored next to a strong magnetic field; a computer virus infects the network; an inadequately trained employee or contractor inadvertently deletes customer files; records are erroneously marked for destruction; customer information accidentally falls into the trash at the teller station?

After you have performed a thorough assessment of the risks, adding to this list as you identify further threats, you must turn to the task of assessing the likelihood and potential damage of the threats you have identified. Then turn to your code of conduct or employee handbook provisions relating to information disclosure, and, if necessary, call upon the advice of an expert who is familiar with such things as computer network intrusions, firewall penetrability, etc. Determine how you might need to amend your current policies and procedures to construct a workable and compliant information security system.
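One way to keep the assessment above from becoming an unmanageable wall of text is a simple risk register: each threat is recorded against the customer information systems it touches, scored for likelihood and potential damage, and tagged with whatever safeguard already covers it. The following is an added example (not part of the original article or of any regulator's guidance); the threat entries are taken from the article's four categories, but the 1-to-5 scores, the system names and the safeguards are constructed placeholders that an institution would replace with its own findings.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# The four threat categories the article walks through.
CATEGORIES = ("disclosure", "misuse", "alteration", "destruction")
SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both likelihood and impact


@dataclass
class Threat:
    description: str
    category: str
    systems: tuple            # customer information systems exposed
    likelihood: int           # how often the threat is expected to occur
    impact: int               # potential damage to customers/institution
    safeguards: list = field(default_factory=list)

    def __post_init__(self):
        # Reject entries that fall outside the categories or the scoring scale.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank(register):
    """Highest risk first; ties broken by impact so severe outcomes surface."""
    return sorted(register, key=lambda t: (t.score, t.impact), reverse=True)


def needs_action(register, threshold=10):
    """Threats at or above the threshold with no safeguard recorded yet."""
    return [t for t in register if t.score >= threshold and not t.safeguards]


def missing_categories(register):
    """Categories the assessment has not considered at all."""
    return [c for c in CATEGORIES if not any(t.category == c for t in register)]


def exposure_by_system(register):
    """Sum of scores per system, showing where safeguards are needed most."""
    totals = defaultdict(int)
    for t in register:
        for s in t.systems:
            totals[s] += t.score
    return dict(totals)


# Constructed sample register drawn from the article's threat lists.
REGISTER = [
    Threat("Pretext caller obtains account details from staff", "disclosure",
           ("telephone", "core system"), 4, 3, ["caller verification script"]),
    Threat("Security patches not installed on network", "disclosure",
           ("network",), 3, 5),
    Threat("Former users not removed from system", "disclosure",
           ("core system", "network"), 4, 4),
    Threat("Dual employee uses customer database for affiliate", "misuse",
           ("core system",), 2, 3, ["access logging", "opt-out notice"]),
    Threat("Loan file altered to hide delinquency", "alteration",
           ("loan files",), 2, 4, ["dual control on file changes"]),
    Threat("Backup tapes stored next to magnetic field", "destruction",
           ("backup tapes",), 2, 5),
    Threat("Tornado destroys the office", "destruction",
           ("paper files", "core system"), 1, 5, ["offsite backups"]),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.score:2d}  {t.category:12s} {t.description}")
    print("needs action:", [t.description for t in needs_action(REGISTER)])
    print("missing categories:", missing_categories(REGISTER))
    print("exposure by system:", exposure_by_system(REGISTER))
```

The two checks worth running before the register is presented to the board are needs_action (high-scoring threats nobody has yet addressed) and missing_categories (a sign that one of the four kinds of harm was skipped entirely); exposure_by_system then points to the system, paper or electronic, where the next safeguard buys the most.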

Mary Beth Guard, Esq., is Executive Editor of www.BankersOnline.com. She has spent close to 20 years teaching bankers and writing about banking laws and regulations. She is an Advisor and a regular columnist for the Bankers' Hotline.

Copyright © 2002 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 8, 10/02

First published on 10/01/2002
