We're an OCC regulated bank and we're having a pre-exam exam from a consulting firm we hired. They want to see a "comprehensive" list covering the all-encompassing GLBA, from record retention to privacy polices and everything in between. The say that it is beneficial to have one document that annually summarizes/certifies GLBA compliance for the Board. Two questions: 1) Is this a requirement? 2) Has anyone done something similar they would be willing to share? Thank you.

Unfortunately I can't help you here. We are an FDIC regulated bank and are at the tail end of a safety and soundness audit. We got reamed b/c we didn't have this in place. They wanted to see EVERY piece of paper surrounding GLBA. We gave them our Privacy Policy, Info Security Policy and privacy notices and they said that they wanted a "binder" of all the documentation that went into creating those documents. What a mess. If someone is willing to share their information that would be extremely helpful.

Our OCC examiners made lots of noise about having one comprehensive document. They backed off when we asked to see the requirement, though. Everything was covered, just required looking through lots of paper to find it. We did summarize the info going forward - just to make things easier on the examiners (always better to keep them happy!).

I went through a GLBA exam this summer. I attempted to prepare one all inclusive binder, which turned into 4 binders, trying to cover everything from notice to opt out procedures, info sharing, info proteciton, etc.

At exit interview, comment was the extensive documentation did not tie back to the regulation and they wanted to see how each point of the reg was covered in the binders.

They were very insistent on this. I think because this is new to them as well, they are groping to develop good examination procedures.

Here's a list of some elements you may want to put in your binder, largely based on what's in the Customer Information Security Guidelines

1. Executive Summary
2. Risk Management Methodology
(what operating management is responsible for, what compliance is responsible for, your process--implementing risk controls, assessing their sufficiency, testing key controls, reporting violations)
3. Corporate level risk controls
(privacy awareness training, privacy notices, Security Dept's role, Code of Conduct, Data Security practices, change management, segregation of duties, response to violations, contingency planning, physical security, due diligence regarding service providers)
4. Operating Management's risk controls
(What they do to protect data on hard copy (locking things up, shredding), what they do to protect electronic data, privacy awareness, (e.g., knowing to report suspected violations appropriately), due diligence in selecting/monitoring service providers)
Appendices
A. Privacy notice
B. Privacy training
C. Schedule of events
D. Risk assessment questionnaire
E. Due diligence for service providers
F. Testing results
G. Management responses to security breaches

Of course, you have to have a lot of stuff in place before you can say it is part of your program.

What a helpful post! When I get to work tomorrow I am going to print this off. Welcome to BOL!

MackenzieS (from home)

What FDIC region are you in?

We're regulated by FDIC, and are currently going throug a S/S exam. We gave them a Binder I put together about a year and a half ago. Seems as though in some areas it was Y2K all over again, which was helpful in regards to assessing risk with our vendors. What helped me review the standards was a "CBA Summary of Interagency Data Protection Guidelines" by Leland Chan. It really helped with the clarification under Information Security Program, meaning that there is no requirement that the comprehensive plan be contained in a single overall document. If the elements of the program are maintained in separate documents, you should have the ability to retrieve them.
I did learn recently that one of our competitors, who is regulated by OCC is required to document all vendors/software etc. and assign a risk rating for each one, they're required to monitor, and have a review by audit and report I think annually to their board.
I've heard that OCC is tougher than FDIC.