#18479 - 05/23/02 04:55 AM
Customer Information Security
Anonymous
Unregistered
I felt really good about being prepared for the GLBA: we did our privacy policy, sent out our notices, we did a risk assessment on our IS systems and created a new policy regarding our Information Security Policies and procedures. Now I find out that in addition to the above, we are required to have a separate Customer Information Security Program with its own risk assessment. Our examiners say it needs to be separate from our Privacy and Information Security policies and should stand alone. What are other financial institutions doing, and how did I miss this?
#18480 - 05/23/02 12:59 PM
Re: Customer Information Security
Anonymous
Unregistered
In my opinion the Information Security Program is made up of several things: all your policies, procedures, etc. How can it "stand alone" when the program encompasses so many factors of privacy? I did an "outline" of the Information Security Program that named all the different policies, procedures, etc., but have not been audited.
#18481 - 05/23/02 01:40 PM
Re: Customer Information Security
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
Your examiner is correct. For more information you need to take a look at the guidelines that were published last year. Unfortunately, this is an issue that slipped under many banks' radar screens.
You can get the guidelines from the FDIC here: FDIC FIL 22-2001
Good Luck!
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde
#18482 - 05/23/02 01:48 PM
Re: Customer Information Security
Anonymous
Unregistered
I just had an exam (OCC) and I had a separate Customer Information Policy - part of my Safety and Soundness and Procedures Policy - and a separate Privacy policy. They were ok with that - I use Banker's Systems Pringle program.
#18483 - 05/23/02 02:44 PM
Re: Customer Information Security
Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
We also just completed an OCC IT exam. They asked for the separate program, and we committed to preparing it. They backed off of any criticism, however, when we pointed out that all aspects were covered in other policies, etc.
_________________________
Opinions my own.
#18484 - 05/23/02 03:58 PM
Re: Customer Information Security
Anonymous
Unregistered
In answer to "how you missed it," the timing of this Guideline was very difficult. After banks spent months focusing on GLB Privacy requirements, trying to get ready by the July 1, 2001 deadline, the Guidelines were published in February 2001. Because they too were under the heading of "GLB," and we were all so focused on ensuring compliance with the GLB/Privacy requirement, it was easy to gloss over the fact that references to GLB/Information Security were for a substantially different set of requirements. And because the effective date was also July 1, 2001, the amount of time to develop the program was quite short.
It took me a while to realize how substantial the requirements for this Program were. Hopefully, you will be able to leverage the work you've done for Privacy and Information Security in putting together your Customer Information Security Program.
#18485 - 05/23/02 04:31 PM
Re: Customer Information Security
100 Club
Joined: Oct 2001
Posts: 120
Are you guys saying that in addition to our privacy policy and program and our separate information security policy and program that we need a third policy and program for customer information security???????????????????
#18488 - 05/23/02 07:28 PM
Re: Customer Information Security
Anonymous
Unregistered
Ted, plus FTC now (16 CFR 314)
#18490 - 05/24/02 01:54 AM
Re: Customer Information Security
Anonymous
Unregistered
There's a sample policy in the Tools Section that was contributed by Wayne Barnett. I've copied three of his policies from the tools section, and FDIC gave us good comments on all of them.
#18491 - 05/28/02 03:55 PM
Re: Customer Information Security
New Poster
Joined: May 2002
Posts: 1
Anchorage, AK
The FDIC conducted our Customer Information Security exam earlier this month. In spite of the significant amount of work we did to prepare for the exam, the examiner spent about 2.5 hours with me explaining the additional work I still needed to do. The main areas we are required to focus additional time on are the vendor/service provider oversight program (that is a BIG one), and the risk analysis part. We now have to go back and rate each risk we'd already identified, regardless of the fact that we already had (or had created) procedures to reduce the risks to an acceptable level. The exam covered our bank-wide program, not just Information Systems.
_________________________
Julie Bailey
VP, Community Development & Compliance
Northrim Bank
Anchorage, AK
#18492 - 05/28/02 09:08 PM
Re: Customer Information Security
Anonymous
Unregistered
If auditing the compliance of the Privacy "program", is the risk assessment done for compliance with Privacy or the Information Security Program? Should evidence of the risk assessment be included in the Privacy "file"?
#18493 - 05/29/02 10:00 PM
Re: Customer Information Security
Anonymous
Unregistered
The Privacy component is being treated separately; we are regulated by the FDIC and they tell us that Privacy will be included in the Compliance exam, while Customer Information Security is being covered by the IT people. The things the examiners are looking for are: a risk assessment of where any non-public customer information can be found throughout the bank along with a hi-med-low rating, controls, and the resulting rating after mitigating the existing risks. They are also looking for bank-wide training, monitoring and testing. We were also told that we need to perform a separate risk assessment of our vendors (even if exempt under the Privacy regulations) and perform "due diligence" as to how secure they keep our customers' data, and were even told we should get copies of their audits/examinations or send our internal auditors out to our service providers to perform our own audits! Where will it end?!