#52061 - 01/03/03 05:58 PM
GLB Exam
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Has anyone had a recent exam where a full-fledged Privacy Exam was done by your regulator? We're expecting our regulators the first part of next week, and it appears one item that has popped up a lot yesterday is under Appendix B of Part 364.
What the focus is on is the appointment by the board of a responsible party for Privacy. We've formed the committee (which I chair), I've gone before the board on many occasions, we've got the policy approved by the board, identified the risk areas, done the education, self assessments, notices - I'm confident we're covered but... no formal appointment from the board is documented, only discussion of the formation of the committee and who chairs the committee. We're well documented in every area, including the IS Dept. Should we have a special telephone meeting of the committee of the board to appoint a responsible party?
Any thoughts or suggestions will be greatly appreciated, our President is expecting a follow-up from me asap.
Thanks, Cheryle
#52062 - 01/03/03 06:13 PM
Re: GLB Exam
Anonymous
Unregistered
We had our Privacy Exam a little over a month ago. I was surprised at how low key it was. I can't speak for your regulator, but our exam was done very quickly and with little or no questions after we submitted the information which had been requested. The examiner also said that he had not written recommendations as a result of any Privacy exam he had done so far. That said, however, I would probably go ahead if you can, and make it official, naming you as the Privacy Officer. There is no sense in asking for trouble.
#52066 - 01/03/03 09:48 PM
Re: GLB Exam
Anonymous
Unregistered
We've long had a Chief Privacy Officer, so I can't speak to that specific point. This summer, however, when the OTS did our IT exam, they were not satisfied with the approval of the Customer Info Security Program by a committee of the Board of D's. Although the Guidelines provide for approval by a Board committee, the OTS required us to have the full Board approve the CIS Program.
The OTS also spoke to the importance of having consistent, enterprise-wide management of the vendor oversight process. Each department managing its own vendor oversight was not considered satisfactory.
Good luck!
#52067 - 01/06/03 09:43 PM
Re: GLB Exam
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Anonymous - Regarding: "Although the Guidelines provide for approval by a Board committee, the OTS required us to have the full Board approve the CIS Program." So can this be interpreted that the board should appoint a responsible party to oversee the GLBA as a whole?
Also, regarding your comment "The OTS also spoke to the importance of having consistent, enterprise-wide management of the vendor oversight process. Each department managing its own vendor oversight was not considered satisfactory." were any recommendations given as to how to manage vendor oversight?
#52068 - 01/07/03 02:49 PM
Re: GLB Exam
Anonymous
Unregistered
1. Re: can this be interpreted that the board should appoint a responsible party to oversee the GLBA as a whole? The narrow answer is--I don't think so. I don't see anything in the Privacy Reg or the Info Sec Guidelines that requires appointment of an overall responsible person or that the Board approve such appointment.
The broader answer is, your Customer Info Sec Pgm should describe how the bank is handling info security. If a person or committee has overall responsibility for the program (such as the person who is responsible for annual reports to the board), that management structure should probably be described in your Program. And the Program should be approved by the Board. So if your Program describes who has responsibility for GLBA, and the Board approves the Program, in effect, the Board is approving the appointment.
That is not to say that your regulator won't want to see formal appointment of a Privacy Officer. As I said, we had done that several years ago, so the issue did not come up for us.
2. Re: any recommendations given as to how to manage vendor oversight? I took what OTS said to mean that someone, e.g., the compliance officer, should keep track of the reviews the lines of business were doing. At a minimum, verifying the reviews were done w/the proper frequency. Preferably, the review should include (1) looking at whether the appropriate type of review was done, based on the nature of the risks, and (2) looking at the results of the review to ensure the risks are appropriately addressed.
If you want more info, please post your phone number and I'll give you a call.