BOL Conferences
#52061 - 01/03/03 05:58 PM GLB Exam
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Has anyone had a recent exam where a full-fledged Privacy Exam was done by your regulator? We're expecting our regulators the first part of next week, and it appears one item that has popped up a lot yesterday is under Appendix B of Part 364.

What the focus is on is the appointment by the board of a responsible party for Privacy. We've formed the committee (which I chair), I've gone before the board on many occasions, we've got the policy approved by the board, identified the risk areas, done the education, self-assessments, notices - I'm confident we're covered but... no formal appointment from the board is documented, only discussion of the formation of the committee and who chairs the committee. We're well documented in every area, including the IS Dept. Should we have a special telephone meeting of the committee of the board to appoint a responsible party?

Any thoughts or suggestions will be greatly appreciated, our President is expecting a follow-up from me asap.

Thanks,
Cheryle

#52062 - 01/03/03 06:13 PM Re: GLB Exam
Anonymous
Unregistered

We had our Privacy Exam a little over a month ago. I was surprised at how low key it was. I can't speak for your regulator, but our exam was done very quickly and with little or no questions after we submitted the information which had been requested. The examiner also said that he had not written recommendations as a result of any Privacy exam he had done so far.

That said however, I would probably go ahead if you can, and make it official naming you as the Privacy Officer. There is no sense in asking for trouble.

#52063 - 01/03/03 06:14 PM Re: GLB Exam
straw Offline
Power Poster
straw
Joined: Nov 2002
Posts: 9,121
I went through a Privacy exam this summer; had an appointed person at the holding company level, but not at the bank level. Had to have bank board appoint a privacy officer at the bank level.

Did this to comply with an internal audit recommendation that the examiners concurred with.

I would suggest having a person appointed by the board, i.e. BSA officer, with clearly defined duties and responsibilities.

This will probably help the examiners maintain focus and scope of exam.

#52064 - 01/03/03 06:15 PM Re: GLB Exam
PABanker Offline
Gold Star
PABanker
Joined: Dec 2000
Posts: 491
Blue Ball, PA 17506
We had our exam for Privacy from the OCC. Our bank has several areas where a person is designated for different functions of Privacy. I am the Privacy Officer for the compliance area. We have IS personnel defined as Information Security Officer. We have policies for different functions and employee training, especially covering information security as the latest thrust in the training.

One area we are really looking into is the GLBA requirements for vendor review and what is being required by July 2003. We found out that our efforts must be better coordinated and a central location for the files is a must.

#52065 - 01/03/03 07:41 PM Re: GLB Exam
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Cheryle: The regulators asked for comment on whether a specific designation of an "Information Security Officer" should be required. The section-by-section analysis preceding the Information Security Guidelines indicates that a new position with a specific title was not necessary, according to the regulators, as long as there were adequate staff and the lines of authority and responsibility for the InfoSec program are well defined and clearly articulated. Check to make sure that your board-approved policy sets out lines of authority and responsibility that are "well defined and clearly articulated".

#52066 - 01/03/03 09:48 PM Re: GLB Exam
Anonymous
Unregistered

We've long had a Chief Privacy Officer, so I can't speak to that specific point. This summer, however, when the OTS did our IT exam, they were not satisfied with the approval of the Customer Info Security Program by a committee of the Board of D's. Although the Guidelines provide for approval by a Board committee, the OTS required us to have the full Board approve the CIS Program.

The OTS also spoke to the importance of having consistent, enterprise-wide management of the vendor oversight process. Each department managing its own vendor oversight was not considered satisfactory.

Good luck!

#52067 - 01/06/03 09:43 PM Re: GLB Exam
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Anonymous -
Regarding: "Although the Guidelines provide for approval by a Board committee, the OTS required us to have the full Board approve the CIS Program." So can this be interpreted that the board should appoint a responsible party to oversee the GLBA as a whole?

Also, regarding your comment "The OTS also spoke to the importance of having consistent, enterprise-wide management of the vendor oversight process. Each department managing its own vendor oversight was not considered satisfactory." were any recommendations given as to how to manage vendor oversight?

#52068 - 01/07/03 02:49 PM Re: GLB Exam
Anonymous
Unregistered

1. Re: can this be interpreted that the board should appoint a responsible party to oversee the GLBA as a whole? The narrow answer is -- I don't think so. I don't see anything in the Privacy Reg or the Info Sec Guidelines that requires appointment of an overall responsible person or that the Board approve such appointment.

The broader answer is, your Customer Info Sec Pgm should describe how the bank is handling info security. If a person or committee has overall responsibility for the program (such as the person who is responsible for annual reports to the board), that management structure should probably be described in your Program. And the Program should be approved by the Board. So if your Program describes who has responsibility for GLBA, and the Board approves the Program, in effect, the Board is approving the appointment.

That is not to say that your regulator won't want to see formal appointment of a Privacy Officer. As I said, we had done that several years ago, so the issue did not come up for us.

2. Re: any recommendations given as to how to manage vendor oversight? I took what OTS said to mean that someone, e.g., the compliance officer, should keep track of the reviews the lines of business were doing. At a minimum, verifying the reviews were done w/the proper frequency. Preferably, the review should include (1) looking at whether the appropriate type of review was done, based on the nature of the risks, and (2) looking at the results of the review to ensure the risks are appropriately addressed.

If you want more info, please post your phone number and I'll give you a call.
