#299239 - 01/06/05 04:17 PM Help- Privacy Issues!
J2C Offline
Diamond Poster
Joined: May 2004
Posts: 1,475
Big Brother knows and that's a...
So, I just finished the privacy audit and had some issues...surprise. Anyway, the Privacy Officer does not believe that the Data Classification issues belong in his audit report. They have been in there before; it is just that there are some repeat issues, which make his audit rating worse. Now, in order for me to revise the report so that he can't argue with me, I need some further information.

Is information security training REQUIRED? I know privacy training is suggested to be ongoing...but we have not had info security/data classification training in quite some time. Regular Reg. P training has occurred.

I am starting to get really frustrated with this audit. I am tired of management constantly dancing around repeat issues and then saying that it shouldn't be a MAJOR FINDING. Our grading policy states that a major finding is anything that is repeat, includes violations of bank policy, improper accounting procedures, violations of internal control and security problems, violations of regulations, potential loss of income, extreme deviations from the expected error rate on sample testing, and wasteful use of assets. The PO is arguing that this is NOT a violation of law and therefore should not be repeat!

Sorry for the rant... but thanks for listening.
_________________________
My opinion is mine only- not my employer's!


#299240 - 01/10/05 06:09 PM Re: Help- Privacy Issues!
EdOils Offline
Platinum Poster
Joined: Jan 2004
Posts: 553
Louisiana
I don't know if this is "required". I skimmed the FFIEC's IT booklets and didn't see it anywhere. You may want to go and read them further.

However, this may fall under how the bank "manages" the IT function. Examiners love to see training in all areas. I also have the philosophy that "if you don't know, you can't do." I would think that this would be "highly recommended."

Another issue is the repeat suggestion. IMO, if mgmt agreed to your recommendations last year that training should be conducted annually, then this year would be a repeat suggestion, if nothing was done. Repeat write-ups are a problem, no matter how minor. They told you they would do something and didn't. Not a good thing.
_________________________
You gain education by reading the fine print. You gain experience by not.

#299241 - 01/11/05 09:40 PM Re: Help- Privacy Issues!
Roun Offline
Member
Joined: Apr 2003
Posts: 79
southeast
Customer Information Security Training is required under Appendix B of Part 364 of the FDIC's Rules and Regs or Section 501(b) of the Gramm-Leach-Bliley Act. Part 364 states, "Train staff to implement the bank's information security program". Hope this helps!!!
