BOL Conferences
#18479 - 05/23/02 04:55 AM Customer Information Security
Anonymous
Unregistered

I felt really good about being prepared for the GLBA: we did our privacy policy, sent out our notices, did a risk assessment on our IS systems and created a new policy regarding our Information Security policies and procedures. Now I find out that in addition to the above, we are required to have a separate Customer Information Security Program with its own risk assessment. Our examiners say it needs to be separate from our Privacy and Information Security policies and should stand alone. What are other financial institutions doing, and how did I miss this?

#18480 - 05/23/02 12:59 PM Re: Customer Information Security
Anonymous
Unregistered

In my opinion the Information Security Program is made up of several things: all your policies, procedures, etc. How can it "stand alone" when the program encompasses so many factors of privacy? I did an "outline" of the Information Security Program that named all the different policies, procedures, etc., but have not been audited.

#18481 - 05/23/02 01:40 PM Re: Customer Information Security
homestar
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
Your examiner is correct. For more information you need to take a look at the guidelines that were published last year. Unfortunately, this is an issue that slipped under many bank radar screens.

You can get the guidelines from the FDIC here: FDIC FIL 22-2001

Good Luck!
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#18482 - 05/23/02 01:48 PM Re: Customer Information Security
Anonymous
Unregistered

I just had an exam (OCC) and I had a separate Customer Information Policy - part of my Safety and Soundness and Procedures Policy - and a separate Privacy policy. They were ok with that - I use Banker's Systems Pringle program.

#18483 - 05/23/02 02:44 PM Re: Customer Information Security
Lestie G
Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
We also just completed an OCC IT exam. They asked for the separate program, and we committed to preparing it. They backed off of any criticism, however, when we pointed out that all aspects were covered in other policies, etc.
_________________________
Opinions my own.

#18484 - 05/23/02 03:58 PM Re: Customer Information Security
Anonymous
Unregistered

In answer to "how you missed it," the timing of this Guideline was very difficult. After banks spent months focusing on GLB Privacy requirements, trying to get ready by the July 1, 2001 deadline, the Guidelines were published in February 2001. Because they too were under the heading of "GLB," and we were all so focused on ensuring compliance with the GLB/Privacy requirement, it was easy to gloss over the fact that references to GLB/Information Security were for a substantially different set of requirements. And because the effective date was also July 1, 2001, the amount of time to develop the program was quite short.

It took me a while to realize how substantial the requirements for this Program were. Hopefully, you will be able to leverage the work you've done for Privacy and Information Security in putting together your Customer Information Security Program.

#18485 - 05/23/02 04:31 PM Re: Customer Information Security
SusyG
100 Club
Joined: Oct 2001
Posts: 120
Are you guys saying that in addition to our privacy policy and program and our separate information security policy and program, we need a third policy and program for customer information security?

#18486 - 05/23/02 04:35 PM Re: Customer Information Security
Princess Romeo
Power Poster
Joined: Jun 2001
Posts: 8,272
Where the heart is
We have what we call an Information Security Program, but it follows the guidelines set out by the FDIC. It also encompasses our Privacy Policy and incorporates, by reference, all of our existing policies and procedures in our Operations area, Loan area, IT area, etc.

Since most of what the guidelines required already existed in our Bank (it's been a part of banking since the beginning of time!), I wasn't about to reinvent the wheel. The Information Security Policy is more of an umbrella and discusses risks at that level. Detailed risks and procedures are addressed in the different procedure manuals for each area of the Bank.

_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#18487 - 05/23/02 06:53 PM Re: Customer Information Security
Ted Dreyer
Diamond Poster
Joined: Apr 2001
Posts: 2,245
Every financial institution is supposed to have an Information Security Program for customer information that meets the following guidelines from its regulator:
For OCC it's Appendix B to 12 CFR part 30.
For the Federal Reserve it's Appendix D-2 to 12 CFR part 208 for state member banks and Appendix F to 12 CFR part 225 for bank holding companies.
For FDIC it's Appendix B to 12 CFR part 364.
For OTS it's Appendix B to 12 CFR part 570.
For NCUA it's Appendix A to 12 CFR part 748.

#18488 - 05/23/02 07:28 PM Re: Customer Information Security
Anonymous
Unregistered

Ted, plus FTC now (16 CFR 314)

#18489 - 05/23/02 10:06 PM Re: Customer Information Security
Happy
Gold Star
Joined: Jan 2002
Posts: 282
Also, don't forget about the ongoing employee training program and audit functions to test programs.

#18490 - 05/24/02 01:54 AM Re: Customer Information Security
Anonymous
Unregistered

There's a sample policy in the Tools Section that was contributed by Wayne Barnett. I've copied three of his policies from the tools section, and FDIC gave us good comments on all of them.

#18491 - 05/28/02 03:55 PM Re: Customer Information Security
Julie Bailey
New Poster
Joined: May 2002
Posts: 1
Anchorage, AK
The FDIC conducted our Customer Information Security exam earlier this month. In spite of the significant amount of work we did to prepare for the exam, the examiner spent about 2.5 hours with me explaining the additional work I still needed to do. The main areas we are required to focus additional time on are the vendor/service provider oversight program (that is a BIG one), and the risk analysis part. We now have to go back and rate each risk we'd already identified, regardless of the fact that we already had (or had created) procedures to reduce the risks to an acceptable level. The exam covered our bank-wide program, not just Information Systems.
_________________________
Julie Bailey VP, Community Development & Compliance Northrim Bank Anchorage, AK

#18492 - 05/28/02 09:08 PM Re: Customer Information Security
Anonymous
Unregistered

If auditing the compliance of the Privacy "program", is the risk assessment done for compliance with Privacy or the Information Security Program? Should evidence of the risk assessment be included in the Privacy "file"?

#18493 - 05/29/02 10:00 PM Re: Customer Information Security
Anonymous
Unregistered

The Privacy component is being treated separately. We are regulated by the FDIC, and they tell us that Privacy will be included in the Compliance exam, while Customer Information Security is being covered by the IT people. The things the examiners are looking for are: a risk assessment of where any non-public customer information can be found throughout the bank along with a hi-med-low rating, controls, and the resulting rating after mitigating the existing risks. They are also looking for bank-wide training, monitoring and testing. We were also told that we need to perform a separate risk assessment of our vendors (even if exempt under the Privacy regulations) and perform "due diligence" as to how securely they keep our customers' data, and were even told we should get copies of their audits/examinations or send our internal auditors out to our service providers to perform our own audits! Where will it end?!
