We are a small community bank, I have written our Information Safeguarding Policy.

It is fairly brief-with few employees and a small building we pretty well know when someone is out of their area.

Are others having a dilemma about having a short policy? I really don't want to fill it full of useless and potentially critical information.

------------------
Jeff

Substance is all that matters.

I wouldn't worry that it is brief, does it cover what it needs to? Does it tie with any other policies to fill gaps? Have all the issues been addressed?

There may be some issues that simply do not apply to your small bank. Just ensure you reviewed the regulatory guidance, addressed the necessary issues and implemented what was said would be done.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

Have tried to "marry" this policy with other related policies in existence. But my only worry is just how specific the examiners will be.

If Jane from new accounts is digging in a credit file Martha will ask her what she is doing there!

Well, the specificity of the examiners is an unknown. My advice is do the best you can now and adjust as you get feedback. There is nothing wrong with talking to your examiners now and asking what they anticpate the standards to be.

Reviews will vary in technical expectations from intrusion potential and testing on your systems, to LAN security, to time elapsed before a PC screensaver is kicked in and is a password required to get out of it to shred policies.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.