BOL Conferences
#9070 - 01/17/02 08:58 PM Information Security/Privacy Exam
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Would it be appropriate to combine the two programs for examiner review since there is some duplication? I have read the threads discussing exam experience, anything else lately?
#9071 - 01/19/02 01:30 AM Re: Information Security/Privacy Exam
Bear Collector, CRCM Offline
Diamond Poster
Bear Collector, CRCM
Joined: Nov 2000
Posts: 1,830
District of Columbia
SusyG,
I don't know what kind of financial institution you are, but we are examined by the Federal Reserve. We are currently undergoing our first exam since Privacy was rolled out last year. The Fed examined our IS Policy as part of their IT exam, and will look at Privacy under Safety and Soundness. They did want to see our Privacy Policy during the IT exam, but not our Privacy Notice or our Identity Theft/Pretext Calling Policies. Therefore, combining the two would not have worked for us. Was that your question? I'm not sure I understood it completely.
Leslie
_________________________
Being kind is more important than being important.
#9072 - 01/22/02 03:31 PM Re: Information Security/Privacy Exam
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
That's exactly what I needed to know. Thanks for the info!!!! Hope your exam went well.

[This message has been edited by SusyG (edited 01-22-2002).]
#9073 - 01/22/02 04:46 PM Re: Information Security/Privacy Exam
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Leslie: I'm not surprised that the examiners didn't look at the Privacy Notice, but are you sure that they didn't deal with the issue of preventing pretext calling? Section III(C)(1)(a) of the Information Security Guidelines lists "...controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means" as one of the issues that should be addressed in an IS program. I realize that you aren't responsible for what the Fed examiners did or didn't do, but I can't imagine how the above quoted language doesn't require consideration of pretext calling.

------------------
This is a personal observation that should not be taken as legal advice nor relied upon for any purpose.