Protecting the information collected, stored, and used by your financial institution has increased in importance with the passing of the Gramm-Leach-Bliley Act. Knowing how to safeguard your information and prevent its misuse is vital to the financial institution's financial and regulatory health.
In addressing this subject, BANKERS' HOTLINE advisor Mary Beth Guard has put together some questions that may help you get a handle on what you should be doing to protect your information and prevent its compromise.
- Who can get to the computers/files and how and when can they get to them?
- What about your servers?
- Do you physically limit access?
- Do you limit permissions?
- Do you have a prohibition against password sharing? Do you enforce it? What are the consequences for violation of this prohibition?
- Do you have a system that requires passwords to be changed on a scheduled basis?
- Do you have appropriate guidelines for password selection?
- Do you have safeguards against circumvention of your procedures?
- Do you punish those who engage in circumvention?
- Do you eliminate users from the system when they leave your company or cease to do business with you as a contractor?
- Do you modify permissions when someone's job responsibilities change?
- Do you require users to log out of the system when they are away from their desks?
- Do you prohibit unescorted access by non-employees?
- Do you require all users to log out at the end of the day?
- How do you guard against access by maintenance and/or janitorial personnel who work in the office outside normal business hours?
- Is there a penalty if an employee's password information is discovered in an insecure place (such as written on the desk pad)?
- Do you have virus detection software properly implemented? Is it updated regularly? Do you have systems in place to prevent (or at least deter) employees from circumventing this protection?
- Do you allow employees to access your network from remote locations? Have you taken adequate precautions for this activity, such as considering whether the employee is using his own private computer or one in the household shared by other family members or roommates who could introduce viruses or become privy to confidential data? Build in provisions for employee accountability, data encryption, and virus protection.
- Do you have a system in place for monitoring developments in viruses, worms, Trojan horses, newly-identified security flaws and breaches in software you use? Do you make a priority of finding security patches and quickly implementing them?
- Are you utilizing appropriate software and hardware solutions for security?
- Do you have a firewall? Do you know the right questions to ask when you choose one?
- Do you do penetration testing? How? Who does it? Do you try to penetrate your network, as well as your firewall? Do you use methods other than purely technological ones?
- Does your computer security system support report generation, control and alarms?
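Several of the questions above (removing departed users, adjusting permissions when roles change, and scheduled password changes) can be turned into a routine reconciliation of the access system against the HR roster. The following is an added example, not part of the original article; the roster, role-to-permission mapping, account export and 90-day rotation period are all constructed for illustration, and the institution's own data sources would replace them.

```python
from datetime import date

# Constructed sample data: an HR roster with current status and role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "teller"},
    "bob":   {"status": "terminated", "role": "loan_officer"},
    "carol": {"status": "active", "role": "teller"},  # moved here from "ops"
}

# Hypothetical mapping of job role to the permissions that role needs.
ROLE_PERMS = {
    "teller": {"teller_app"},
    "loan_officer": {"loan_app", "credit_reports"},
    "ops": {"server_admin", "backup"},
}

# Constructed export from the access system: one record per login account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "perms": {"teller_app"},
     "pw_changed": date(2002, 8, 15)},
    {"user": "bob", "enabled": True, "perms": {"loan_app", "credit_reports"},
     "pw_changed": date(2002, 6, 1)},
    {"user": "carol", "enabled": True, "perms": {"teller_app", "server_admin"},
     "pw_changed": date(2002, 4, 2)},
    {"user": "dave", "enabled": True, "perms": {"backup"},
     "pw_changed": date(2002, 7, 1)},  # contractor, no longer on the roster
]

def audit_accounts(accounts, roster, role_perms, today, max_pw_age_days=90):
    """Return (user, finding) pairs for accounts that violate the checklist."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        # Leaver check: anyone not active on the roster must be disabled.
        if person is None or person["status"] != "active":
            if acct["enabled"]:
                findings.append((user, "leaver_still_enabled"))
            continue
        # Mover check: permissions beyond the current role are stale grants.
        extra = acct["perms"] - role_perms[person["role"]]
        if extra:
            findings.append((user, "excess_permissions:" + ",".join(sorted(extra))))
        # Rotation check: password older than the scheduled change period.
        if (today - acct["pw_changed"]).days > max_pw_age_days:
            findings.append((user, "password_overdue"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_PERMS, date(2002, 9, 1)):
        print(f"{user}: {finding}")
```

Run against a real export, the findings list becomes the work queue for disabling leavers, trimming permissions, and forcing password changes, and it doubles as evidence that the review actually happens.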
Copyright © 2002 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 7, 9/02
First published on 09/01/2002