#1197196 - 06/08/09 01:23 PM Information Security
biz Offline
Diamond Poster
Joined: Nov 2005
Posts: 1,032
Midwest
I know there have been many posts on "clean desk" policy. And I already know the answer to this question. However, to make a long story short, I audited customer information, after hours. Found many open drawers with receipt books containing names and account numbers of customers. Found drawers open that contain the customer names, delinquent loan reports. What would your response to this comment by management be? "It is off putting to the staff to know that someone has gone through their personal things looking for mistakes."

Thank you. I will be using your comments in my defense - I know - I shouldn't have to have a "defense." Thanks

#1197323 - 06/08/09 04:19 PM Re: Information Security biz
califgirl Offline
Diamond Poster
Joined: Mar 2002
Posts: 2,355
The O.C., California
1. Desk drawers and file cabinets are bank property, not personal property.

2. The auditor is not "looking for mistakes." The auditor is fulfilling his/her duty to protect bank customer information, to verify staff compliance with info security policy, as well as to protect the bank's image and reputation from any breach of customer data.
_________________________
I can explain it to you. I can't understand it for you.

#1197366 - 06/08/09 05:20 PM Re: Information Security califgirl
Ms Auditor Offline
100 Club
Joined: Oct 2001
Posts: 148
Upstate NY
I agree with califgirl. As an Internal Auditor I am never looking for mistakes. I am verifying that the bank adheres to its own policies and procedures. This is what I'm paid to do.

#1208947 - 06/26/09 08:31 PM Re: Information Security Ms Auditor
Gandalf Offline
New Poster
Joined: Jan 2006
Posts: 7
I would respond that I did not go through personal belongings in their desk drawers. I simply opened the unlocked drawer and saw customer information at the top. For myself, I perform this test but do NOT open any desk drawers because of this possible situation. I scan for customer information lying on someone's desk, copier, printer, etc.

#1209121 - 06/27/09 04:19 PM Re: Information Security biz
RBanker Offline
Power Poster
Joined: Jul 2003
Posts: 2,675
Austin Texas
You stated that you 'audited' customer information - if you are the auditor, or a compliance officer, and you were performing your duties to ensure that the bank is in compliance with its Information Security Policy, its Privacy Act Policy, etc. - then you are doing your job - it would be offputting to me, as it likely is to you, that management is not supporting an endeavor to educate staff and protect both the bank and its customers from identity theft.

Sounds like training is necessary all the way to the top levels.

Understanding your job responsibilities would help in commenting - feel free to add to the post here, or PM me for information about working with the Audit Committee, etc.
_________________________
My comments are absolutely no reflection of, nor influenced by, my employer - take them at your own risk.
