BOL Conferences
#77331 - 05/01/03 03:52 PM Information Security Audit
jbest Offline
100 Club
jbest
Joined: Jan 2001
Posts: 134
Has anyone had an audit on Information Security (not an IT Audit) of customer information? We have enacted audit procedures performed by our Security Officer and his findings have not been pleasing, to say the least. His area of concern is in the back office areas, where there is no customer contact, with information (reports) and credit files that are not totally secure (under lock & key). This is mostly due to storage room. The only unauthorized access, if you will, is the cleaning personnel who have signed a confidentiality agreement. Does anyone know how the examiners will view these areas?

#77332 - 05/01/03 05:11 PM Re: Information Security Audit
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
They (at least FRB and FDIC) review and expect good security controls over these types of areas.

#77333 - 05/01/03 05:11 PM Re: Information Security Audit
Anonymous
Unregistered

GLBA wants you to establish an Information Security Program (ISP). Part of the ISP should be a classification of information - where you evaluate the exposure risk of the information and assign handling standards for the different levels of information.

A credit file and most information processed in the back room would contain non-public customer information and should therefore require the most protective handling standards. This means physically securing the information, when not in use, by lock and key.

I have seen the OCC and OTS review this topic in 2003 Safety and Soundness exams.

#77334 - 05/01/03 06:57 PM Re: Information Security Audit
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
It caused quite a bit of grumbling (and some folks still grumble), but we have required all backroom processing areas to store confidential information under lock and key at night. In some areas, we had to get smaller locking carts that roll under a desk at night.

Putting in some sort of locked drawer is better than leaving it out and accessible. While a locked drawer may not prevent the most determined of thieves, it is a commercially reasonable procedure.

The whole idea is that, if someone were to break into a cabinet or cart to copy/steal information, you would at least be aware of it. If information is just left out, it could be copied or compromised, and you would have no idea.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

#77335 - 05/01/03 07:00 PM Re: Information Security Audit
Anonymous
Unregistered

We had an OCC examination and were cited for certain deficiencies despite our best efforts to comply with GLBA.

The OCC wants a formal risk assessment of your privacy program, written documentation of your internal control procedures, an annual audit of Privacy, and an annual report to the Board of Directors. We are in the process of engaging a consultant to help us in those areas. Despite our best efforts to mail annual notices and keep the Board informed they were very critical. So good luck and heed the advice of your security person who seems to be on the same path as the examiners we had. Also, area banks have had similar exam comments so we are not alone. GOOD LUCK!!!

#77336 - 05/01/03 07:15 PM Re: Information Security Audit
Anonymous
Unregistered

Oftentimes it is useful to bring someone in from outside your bank (consultant, peer, etc. - although remember confidentiality/NDA) to review your security and privacy measures. It is a lot easier for others not familiar with your environment and processes to find weaknesses. Addressing these weaknesses before the examiners arrive or there is a breach would be the end goal.

Bonnie, depending on the size and weight of your "rolling" carts, you may want to re-evaluate the type of information you allow to be stored in them.

#77337 - 05/02/03 02:03 PM Re: Information Security Audit
MackenzieS Offline
Diamond Poster
MackenzieS
Joined: Jul 2002
Posts: 1,722
Oklahoma
Is all of this scrutiny performed under the Information Security portion of the Safety and Soundness exam? Anyone been examined by the FDIC recently? We are expecting them in a couple of months.

#77338 - 05/02/03 02:28 PM Re: Information Security Audit
Anonymous
Unregistered

MackenzieS,
I think STU might have some insight on the FDIC, see STU's post above. You may want to contact STU directly for details.

#77339 - 05/02/03 05:05 PM Re: Information Security Audit
Patsy Cline Offline
Diamond Poster
Patsy Cline
Joined: Sep 2002
Posts: 1,117
On the road...
FYI... the OCC has a telephone/web seminar on Tuesday, May 6th and Wednesday, May 7th regarding Information Security Management for Community Banks.
_________________________
Michelle CRCM

"What would you attempt to do if you knew you could not fail?" ~ unknown
#77340 - 05/02/03 06:28 PM Re: Information Security Audit
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
Near the end of last year we had a third party come in and perform an "Internal Penetration Test". The information resulting from this was very interesting. We have a policy in which all bank information must be locked at night. There were numerous complaints at first, but they are used to it now. It's working quite well and I would highly recommend it.

#77341 - 05/02/03 06:35 PM Re: Information Security Audit
Kansayaku Offline
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
Do you have problems with employees leaving their desks with information lying on them and without initiating a password protected screen saver?
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.

#77342 - 05/02/03 07:45 PM Re: Information Security Audit
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
We haven't run into that problem yet. The only people we require to do this are in customer areas. As the Auditor, I always lock my computer screen or my door every time I leave my office. A few others do the same.

#77343 - 05/02/03 07:54 PM Re: Information Security Audit
Kansayaku Offline
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
I have had issues with tech support not wanting me to password protect my screen saver as it causes difficulty for them if they need to run upgrades etc.

I do it anyway. (My thought was I wouldn't be using the upgraded programs before I got back into my office anyway.)

I don't think they'll put up much fight. They generally don't wish ill will from internal audit and compliance people.
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.

#77344 - 05/02/03 08:04 PM Re: Information Security Audit
Patsy Cline Offline
Diamond Poster
Patsy Cline
Joined: Sep 2002
Posts: 1,117
On the road...
Are password protected screen savers necessary if we require our folks to logoff their terminals when away from desk or window?
_________________________
Michelle CRCM

"What would you attempt to do if you knew you could not fail?" ~ unknown
#77345 - 05/02/03 08:12 PM Re: Information Security Audit
Kansayaku Offline
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
IMHO, not as long as you cannot access information without logging on.
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.

#77346 - 05/05/03 01:40 PM Re: Information Security Audit
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Here is some other "food for thought."

Previously when I reviewed our program, I found the biggest deficiencies to be management's knowledge level of how information is stored "off-site." I am sure other institutions are like us and utilize a vendor to maintain information for retention. How much do you really know about how they maintain the info? Has anyone ever viewed the site? Is the contract sufficient?

Another area of concern is vendor contracts. Are they really "solid" enough? Although we utilize service providers, we are still responsible for their actions. I think this one is a difficult one for management to get used to.

Hope this helps. Good luck!

#77347 - 05/06/03 05:33 PM Re: Information Security Audit
Anonymous
Unregistered

Something else to consider – Prior to an exam, your regulator asks that you forward to them certain material that pertains to the subject of the examination. This could be policies, procedures, network maps, h/w s/w configurations, user lists, etc. Many times, the Examiner-in-charge asks that the information be e-mailed directly to them or an assistant.

As this specifically relates to information security, most bank information that an examiner would request should not be sent over e-mail, unless encrypted. While your Information Security Program should dictate what risk-classified data can be sent and how, be mindful to question your examiner and insist on proper handling.

#77348 - 05/09/03 06:15 PM Re: Information Security Audit
Anonymous
Unregistered

You indicated an Information Security examination under safety and soundness but not an IT audit. The FDIC has separated the IT portion of safety and soundness for examination purposes but not for rating purposes. It is in fact an IT review through the perspective of Information Security. I would suggest you begin familiarizing yourself with the new FFIEC IT manual, which covers the key IT Information Security elements.
