Our auditors cited us for not having a laptop security policy. We are trying to draft one but we are having difficulty since we don't want to go "too far" with it. We want it to encompass the use of handhelds/PDAs, etc. Does anyone have a sample they'd be willing to share with me? Do you require personal firewalls be installed? Does your bank pay for handhelds for on-the-road personnel? Do you have safeguards over what information is contained on those laptops and handhelds? Any input would be helpful.

I've never written a policy on this, but you'll have decide if it applies to personal laptops, PDAs and home PCs the staff use. Technically, if you allow them to put bank info on them, they should be subjected to the bank rules. There should be encryption requirements, firewalls, virus protection and periodic inspections.

Regrettably all of this ties the employees hands much like restricting them from taking work home. You decide.

Something else to consider is customer information security. Are employees keeping loan applications, spreadsheets and other customer info (or bank info) on the laptop's hard drive? Hope not, I had a laptop stolen from checked baggage a few months ago.

It would appear that any criticism that cites the need for a device-specific policy is unreasonable. One assumes that your organization has an information security policy that covers physical controls over all hardware, computing devices and storage media. A small section could be targeted to the mitigation of those risk issues which are primarily associated with laptop thefts, losses, etc. The new FFIEC Information Security booklet, in Appendix A, directs examiners to "...determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices." This can be addressed in your overall information protection policy. Too many separate IT-related policies soon creates an unmanageable and unwieldy policy framework; employees become confused and the policies become "bookshelf". The next thing you know you'll be creating separate policies for wireless networking, server time-outs, how patches are handled, media handling, and on and on. A single, well-written and comprehensive information security policy will accomplish your objective.

A-Non -

Well stated!

Thank you.

We have been told by our internal auditors to update our Information technology policies as well. They state what is missing, but certainly don't include all that must be present for a good policy. Where can I direct the IT staff to in order to create a good policy? I have printed the FFIEC Information Technology Examination Handbook but this is so massive that no one has time to filter through it, what other references can i give them? We are not against paying for templates or guidance at this point. Technology is not my strongest point!

I would point you to Alex Information books. I have a Risk Management Policies book (which does not contain anything about a LAPTOP security policy, which is why I originally posted this post) from them on my desk which is very helpful. I think they publish a book just for Technology policies, etc. They'll cost you about $475, but you will get a risk free 30 day review, so you can send it back if its not helpful. I find that these books usually contain most everything you need to keep in the regulators' good graces. But, make sure you customize it. You can get a CD with the book, too, so you don't have to retype everything. Beware, once they get your name and phone number they call frequently to try to sell the newest publication.

And to those of you who have responded, thanks for the input. I went back to our outsourced internal auditor and asked if they could provide us with a sample (from their many clients) and they could not. Can you believe it? "You should have it, but, by the way, none of our other clients have it either, and we can't help you write it."

Red, go to www.netIQ.com/products/pub/author.asp and you'll see a consultant/author named Charles Cresson Wood, CISA, CISSP. Click the "policies" box to the right. Wood is an IT security consultant who appears at many banking-related IT security workshops. His focus is on policy development, and he basically sells a policy-type manual (I don't know if it's an online thing, a CD, or an actual physical manual). Good luck.

Thanks for the hint!