#77333 - 05/01/03 05:11 PM
Re: Information Security Audit
Anonymous
Unregistered
GLBA wants you to establish an Information Security Program (ISP). Part of the ISP should be a classification of information - where you evaluate the exposure risk of the information and assign handling standards for the different levels of information.
A credit file and most information processed in the back room would contain non-public customer information and should therefore require the most protective handling standards. This means physically securing the information, when not in use, by lock and key.
I have seen the OCC and OTS review this topic in 2003 Safety and Soundness exams.
#77335 - 05/01/03 07:00 PM
Re: Information Security Audit
Anonymous
Unregistered
We had an OCC examination and were cited for certain deficiencies despite our best efforts to comply with GLBA.
The OCC wants a formal risk assessment of your privacy program, written documentation of your internal control procedures, an annual audit of Privacy, and an annual report to the Board of Directors. We are in the process of engaging a consultant to help us in those areas. Despite our best efforts to mail annual notices and keep the Board informed they were very critical. So good luck and heed the advice of your security person who seems to be on the same path as the examiners we had. Also, area banks have had similar exam comments so we are not alone. GOOD LUCK!!!
#77336 - 05/01/03 07:15 PM
Re: Information Security Audit
Anonymous
Unregistered
Oftentimes it is useful to bring someone in from outside your bank (consultant, peer, etc. - although remember confidentiality/NDA) to review your security and privacy measures. It is a lot easier for others not familiar with your environment and processes to find weaknesses. Addressing these weaknesses before the examiners arrive or there is a breach would be the end goal.
Bonnie, depending on the size and weight of your “rolling” carts, you may want to re-evaluate the type of information you allowed to be stored in them.
#77338 - 05/02/03 02:28 PM
Re: Information Security Audit
Anonymous
Unregistered
MackenzieS, I think STU might have some insight on the FDIC, see STU's post above. You may want to contact STU directly for details.
#77339 - 05/02/03 05:05 PM
Re: Information Security Audit
Diamond Poster
Joined: Sep 2002
Posts: 1,117
On the road...
FYI... the OCC has a telephone/web seminar on Tuesday, May 6th and Wednesday, May 7th regarding Information Security Management for Community Banks.
_________________________
Michelle CRCM
"What would you attempt to do if you knew you could not fail?" ~ unknown
#77341 - 05/02/03 06:35 PM
Re: Information Security Audit
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
Do you have problems with employees leaving their desks with information lying on them and without initiating a password protected screen saver?
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.
#77343 - 05/02/03 07:54 PM
Re: Information Security Audit
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
I have had issues with tech support not wanting me to password protect my screen saver as it causes difficulty for them if they need to run upgrades etc. I do it anyway. (My thought was I wouldn't be using the upgraded programs before I got back into my office anyway.) I don't think they'll put up much fight. They generally don't wish ill will from internal audit and compliance people.
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.
#77344 - 05/02/03 08:04 PM
Re: Information Security Audit
Diamond Poster
Joined: Sep 2002
Posts: 1,117
On the road...
Are password protected screen savers necessary if we require our folks to log off their terminals when away from their desk or window?
_________________________
Michelle CRCM
"What would you attempt to do if you knew you could not fail?" ~ unknown
#77345 - 05/02/03 08:12 PM
Re: Information Security Audit
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
IMHO, not as long as you cannot access information without logging on.
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.
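An added check for the screen-saver question discussed in the posts above (example script written for this thread, not posted by any participant): a PowerShell audit of whether the current Windows session actually enforces a password-protected screen saver, and whether that setting is locked by Group Policy or merely a user preference the employee could switch off. The registry paths and value names are the standard Windows ones; the 15-minute maximum idle time is an assumed local standard.

```powershell
# Audit the effective screen-saver lock for the logged-on user.
# The Group Policy key overrides the per-user key when it is present.
# All three values are REG_SZ strings: "1" = enabled, timeout in seconds.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$maxIdleSeconds = 900   # assumed local standard: lock within 15 minutes of inactivity

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the value, or $null if the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveSetting([string]$Name) {
    # Policy wins; otherwise fall back to the user's own preference.
    $v = Get-RegValue $policyKey $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'Policy' } }
    return @{ Value = (Get-RegValue $userKey $Name); Source = 'User' }
}

$active  = Get-EffectiveSetting 'ScreenSaveActive'
$secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'
$timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'

$findings = @()
if ($active.Value -ne '1') { $findings += 'screen saver is not enabled' }
if ($secure.Value -ne '1') { $findings += 'screen saver does not require a password on resume' }

$idle = 0
if (-not [int]::TryParse([string]$timeout.Value, [ref]$idle) -or
    $idle -le 0 -or $idle -gt $maxIdleSeconds) {
    $findings += "idle timeout is '$($timeout.Value)' seconds (expected 1..$maxIdleSeconds)"
}
if ($active.Source -eq 'User' -or $secure.Source -eq 'User') {
    $findings += 'lock is a user preference, not Group Policy, so the user can turn it off'
}

# One row per workstation; collect these centrally to evidence the control for examiners.
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    User      = $env:USERNAME
    Compliant = ($findings.Count -eq 0)
    Findings  = ($findings -join '; ')
}
```

Run it under each user's own session (for example as a logon script), since the HKCU hive is per user; a "Compliant = False" row with "lock is a user preference" answers the question of whether a logoff policy alone is sufficient: without the policy-enforced lock, the control depends entirely on the employee remembering to log off.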
#77346 - 05/05/03 01:40 PM
Re: Information Security Audit
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Here is some other "food for thought."
Previously when I reviewed our program, I found the biggest deficiencies to be management's knowledge level of how information is stored "off-site." I am sure other institutions are like us and utilize a vendor to maintain information for retention. How much do you really know about how they maintain the info? Has anyone ever viewed the site? Is the contract sufficient?
Another area of concern is vendor contracts. Are they really "solid" enough? Although we utilize service providers, we are still responsible for their actions. I think this one is a difficult one for management to get used to.
Hope this helps. Good luck!
#77347 - 05/06/03 05:33 PM
Re: Information Security Audit
Anonymous
Unregistered
Something else to consider – Prior to an exam, your regulator asks that you forward to them certain material that pertains to the subject of the examination. This could be policies, procedures, network maps, h/w s/w configurations, user lists, etc. Many times, the Examiner-in-charge asks that the information be e-mailed directly to them or an assistant.
As this specifically relates to information security, most bank information that an examiner would request should not be sent over e-mail, unless encrypted. While your Information Security Program should dictate what risk-classified data can be sent and how, be mindful to question your examiner and insist on proper handling.
#77348 - 05/09/03 06:15 PM
Re: Information Security Audit
Anonymous
Unregistered
You indicated an Information Security examination under safety and soundness but not an IT audit. The FDIC has separated the IT portion of safety and soundness for examination purposes but not for rating purposes. It is in fact an IT review through the perspective of Information Security. I would suggest beginning to familiarize yourself with the new FFIEC IT manual, which covers the key IT Information Security elements.