#118636 - 09/29/03 09:49 PM Laptop Security Policy
Red Offline
Gold Star
Red
Joined: Dec 2002
Posts: 345
New England
Our auditors cited us for not having a laptop security policy. We are trying to draft one but we are having difficulty since we don't want to go "too far" with it. We want it to encompass the use of handhelds/PDAs, etc. Does anyone have a sample they'd be willing to share with me? Do you require personal firewalls be installed? Does your bank pay for handhelds for on-the-road personnel? Do you have safeguards over what information is contained on those laptops and handhelds? Any input would be helpful.
_________________________
It's risky business, but someone has to do it.

#118637 - 09/30/03 10:37 PM Re: Laptop Security Policy
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,485
On the Net
I've never written a policy on this, but you'll have to decide if it applies to personal laptops, PDAs and home PCs the staff use. Technically, if you allow them to put bank info on them, they should be subjected to the bank rules. There should be encryption requirements, firewalls, virus protection and periodic inspections.

Regrettably, all of this ties the employees' hands, much like restricting them from taking work home. You decide.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#118638 - 09/30/03 11:55 PM Re: Laptop Security Policy
SJB Offline
Diamond Poster
SJB
Joined: Jun 2002
Posts: 1,210
California
Something else to consider is customer information security. Are employees keeping loan applications, spreadsheets and other customer info (or bank info) on the laptop's hard drive? Hope not, I had a laptop stolen from checked baggage a few months ago.
_________________________
My opinions are not legal advice and are worth what you paid for them.

#118639 - 10/07/03 02:25 PM Re: It's part of the Information Security Policy
Anonymous
Unregistered

It would appear that any criticism that cites the need for a device-specific policy is unreasonable. One assumes that your organization has an information security policy that covers physical controls over all hardware, computing devices and storage media. A small section could be targeted to the mitigation of those risk issues which are primarily associated with laptop thefts, losses, etc. The new FFIEC Information Security booklet, in Appendix A, directs examiners to "...determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices." This can be addressed in your overall information protection policy. Too many separate IT-related policies soon create an unmanageable and unwieldy policy framework; employees become confused and the policies become "bookshelf". The next thing you know you'll be creating separate policies for wireless networking, server time-outs, how patches are handled, media handling, and on and on. A single, well-written and comprehensive information security policy will accomplish your objective.

#118640 - 10/07/03 09:50 PM Re: It's part of the Information Security Policy
SJB Offline
Diamond Poster
SJB
Joined: Jun 2002
Posts: 1,210
California
A-Non -

Well stated!

Thank you.
_________________________
My opinions are not legal advice and are worth what you paid for them.

#118641 - 10/10/03 12:52 PM Re: It's part of the Information Security Policy
K8T Offline
100 Club
K8T
Joined: Sep 2003
Posts: 196
I have fallen down the rabbit ...
We have been told by our internal auditors to update our information technology policies as well. They state what is missing, but certainly don't include all that must be present for a good policy. Where can I direct the IT staff to in order to create a good policy? I have printed the FFIEC Information Technology Examination Handbook, but this is so massive that no one has time to filter through it. What other references can I give them? We are not against paying for templates or guidance at this point. Technology is not my strongest point!
_________________________
Some days, it is all a mystery to me.

#118642 - 10/10/03 06:14 PM Re: It's part of the Information Security Policy
Red Offline
Gold Star
Red
Joined: Dec 2002
Posts: 345
New England
I would point you to Alex Information books. I have a Risk Management Policies book (which does not contain anything about a LAPTOP security policy, which is why I originally posted this post) from them on my desk which is very helpful. I think they publish a book just for Technology policies, etc. They'll cost you about $475, but you will get a risk-free 30-day review, so you can send it back if it's not helpful. I find that these books usually contain most everything you need to keep in the regulators' good graces. But make sure you customize it. You can get a CD with the book, too, so you don't have to retype everything. Beware, once they get your name and phone number they call frequently to try to sell the newest publication.

And to those of you who have responded, thanks for the input. I went back to our outsourced internal auditor and asked if they could provide us with a sample (from their many clients) and they could not. Can you believe it? "You should have it, but, by the way, none of our other clients have it either, and we can't help you write it."
_________________________
It's risky business, but someone has to do it.

#118643 - 10/10/03 07:34 PM Re: Go to this website location
Anonymous
Unregistered

Red, go to www.netIQ.com/products/pub/author.asp and you'll see a consultant/author named Charles Cresson Wood, CISA, CISSP. Click the "policies" box to the right. Wood is an IT security consultant who appears at many banking-related IT security workshops. His focus is on policy development, and he basically sells a policy-type manual (I don't know if it's an online thing, a CD, or an actual physical manual). Good luck.

#118644 - 10/14/03 02:31 PM Re: Go to this website location
Red Offline
Gold Star
Red
Joined: Dec 2002
Posts: 345
New England
Thanks for the hint!
_________________________
It's risky business, but someone has to do it.


Moderator:  Andy_Z