Information Security Guidance
To assist institutions in their efforts to design and manage effective information security programs, the agencies have issued guidance especially designed for small entities, which appears to be anything other than a truly huge institution. The guidance expands upon the Interagency Guidelines Establishing Information Guidelines and is intended to help financial institutions understand and comply with the Guidelines. It is not a substitute for the Security Guidelines themselves, so don't make the mistake of thinking that this new document is all that a smaller institution needs to look at.
The guidance outlines how an institution should develop and maintain an information security program. The guidance is not detailed or absolute because each program must be tailored to the institution. The guidance also specifies that you must have contract agreements with all service providers to maintain an acceptable level of information security.
Ground Rules and Scope
The guidance contains several warnings about an institution's approach to information security. Perhaps the most important is to avoid thinking only about computers when designing an information security program. Information obtained and stored in other forms, such as the old familiar paper, is also covered by the Security Guidelines and must be included in your program.
Another warning is that the guidance applies to several federal laws, most notably the GLBA and the FACT Act. However, institutions should always consider whether there are other laws or regulations that should be included. In particular, you should watch for any state laws that regulate information security.
Next, don't look only within your institution. Your program should also include your service providers. You are responsible for your customer information when it sits on a vendor's server. And while looking outside, remember that your information security program must protect consumers as well as customers. For example, information in an application that was denied must be included in the security program.
The guidance deals not only with protecting existing customer information but also with the disposal of information. Your program should include policies and procedures for information disposal in a way that continues to protect your customers.
Finally, the goal of a security program is not measured by the institution, but by your customers. The purpose of a security program is not simply to have and maintain policies and procedures. Those policies and procedures should be specifically designed to protect your customers and information about them. So when evaluating the needs for and effectiveness of security programs, look at it from the customers' perspective.
Security programs should encompass administrative, technical and physical safeguards for customer information. The goal is to ensure the security, confidentiality, integrity and the proper disposal of information. These four goals are the standards by which you should measure the effectiveness of your program.
Development or review of the program should include several steps. First, identify and evaluate risks to your customer information. Think broadly. If you look only at your systems but ignore that box of adverse action files sitting in a back room, your program is incomplete. Second, develop and implement a plan to mitigate the risks. The plan should respond to the specific risks that you have identified.
Finally, test and update your plan as necessary. These guidelines stress that the risk to an information program is constantly changing and your program must move with these changes. As you work on your program, work with the differences between the safeguarding of customer information and the Privacy Rule's limitations on disclosure of nonpublic personal information to third parties. You need to keep several laws, rules, and guidelines on the table when you work with information security.
You may also have different programs for specific business units. For example, a trust department may identify different information security issues based on the information it collects and the systems it uses. Firewalls may affect the risk presented to customer information. The guidance permits different programs for business units, but warns that you should monitor these carefully.
There are four key steps to take. First, you must identify "reasonably foreseeable internal and external threats". This assessment should be performed for your internal systems and for your service providers.
When dealing with service providers, you cannot take their word for it - much as they might like you to. You must establish their responsibility and liability through contracts. If you are having trouble with the vendor, which is not uncommon because they write the contracts, contact other customers of that vendor. Ask for a user group list. If the vendor won't provide it, you can find other customers by posting a thread on www.bankersonline.com.
Consider the possibilities of unauthorized disclosure, misuse of customer information, or alteration or destruction of information.
Second, assess the likelihood of each threat and the damage that could result. The guidance provides the example of a hacker who may not only access customer information but also alter or damage your records. As you assess damage, always consider the harm to your customers as well as to your systems.
Third, assess the adequacy of what you have in place or will put in place to control the risks. Of all the steps, this may be the most important. Your plan must be able to rise to the occasion. To consider whether your program is sufficient, use your imagination about what could happen if information is affected by a hacker, an Internet virus, a hurricane, a fire or something equally threatening. Consider several very different events or disasters when assessing your program. The guidance lists key controls to include systems to detect and respond to intrusions, physical security, and employee training. In short, think broadly.
Finally, run disposal of customer information through the same three tests.
- Review your information policies and procedures to be sure they are consistent with this guidance.
- Review - very carefully - all contracts with service providers to be sure the contract holds them to the same standard of care that you must maintain.
- Request a regular report on system protection. Also ask for reports on physical security issues.
- Make sure that information security, along with other privacy issues, are adequately covered in staff training.
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 15, 12/05
First published on 12/01/2005