BOL Conferences
#41457 - 11/07/02 05:57 PM Privacy Examination-------
La. Lady Offline
Diamond Poster
La. Lady
Joined: May 2001
Posts: 1,873
Has anyone gone through a Privacy Examination lately? We had one last year...of course when things for Privacy were heating up. The examiner told me that we did great, but it was a "baby" examination. Next time they were coming in with a fine-toothed comb. I'm just wondering if any one of you has experienced such a search....

Thanks for the input
_________________________
Riding the waves of change.....2014

General Discussion
#41458 - 11/07/02 06:10 PM Re: Privacy Examination-------
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
Our compliance exam was just after GLBA went into effect - that one was just a general review of how we assessed our risk, etc., and the notice we sent out.

Our safety and soundness this year included an extensive IT audit - and they went over the privacy reg quite thoroughly. You'll find lots of threads about what the different agencies and examiners are asking for - but ours wanted it all in one document.

Look out for password security, penetration testing, system access security, and physical items - like data on computer screens, docs on desks, etc.
_________________________
Opinions my own.

#41459 - 11/07/02 06:26 PM Re: Privacy Examination-------
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
We are an FDIC regulated bank. Privacy is examined during a Compliance Exam. Information Security (safeguards) is examined during the Safety & Soundness exam. We have not had either exam yet, but will have soon. I, too, would like to hear about exam experiences.

#41460 - 11/07/02 06:36 PM Re: Privacy Examination-------
La. Lady Offline
Diamond Poster
La. Lady
Joined: May 2001
Posts: 1,873
Thanks for the help. I did go to the threads and the information there was great.

Response to STU:

Our Compliance and CRA exam did touch on Privacy. They looked at our notice, policy, and testing. However, it was not to the extent that Safety and Soundness did when the IT audit was performed. During that exam, they looked at everything. In fact..I was surprised that they called it "baby-step" testing. If that was the baby then: That was one big baby.......!!!!!!!!
_________________________
Riding the waves of change.....2014

#41461 - 11/07/02 07:57 PM Re: Privacy Examination-------
BANNED BY BOL MANAGEMENT Offline
Platinum Poster
BANNED BY BOL MANAGEMENT
Joined: Oct 2002
Posts: 524
We went through an FDIC exam 4 months ago - the issues/questions relating to privacy (all listed under the Gramm-Leach-Bliley Act) follow:


Section I – Management
1.1 Provide a written Corporate Information Security Policy (our Information Technology Policy)
1.2 Provide a list of reports management and the Board use to monitor the bank's GLBA program.
1.3 Provide the name of the individual responsible for coordinating GLBA for the bank.
1.4 Indicate if the Board or a designated committee is responsible for GLBA activities.

Section II – Risk Assessment
2.1 Provide information on how the institution assesses risk to its customers' information systems and non-public customer information.
2.2 Provide a listing of monitoring tools used to assess/test risk.

Section III – Manage/Control Risk
3.1 Provide the methodologies used to protect customer data.
3.2 If encryption is used, provide details of its use and encryption method used (indicate if used for storage, transmission, or both).
3.3 Describe monitoring systems and procedures used to detect actual and attempted attacks and/or intrusions into customer information systems.
3.4 Provide methods used to train staff to protect customer data. Indicate the date(s) training was given to the institution’s staff.
3.5 Indicate how the process is reviewed to ensure compliance with GLBA requirements.

Section IV – Service Providers
4.1 Describe the process management uses to select service providers.
4.2 Describe the information and format used when supplying customers' information to service providers.
4.3 Provide a copy of the contracts with service providers.
4.4 Describe the method(s) used to monitor the service providers' financial condition.

Section V – Program Adjustment
5.1 Describe how management makes adjustments to the GLBA program.
5.2 Provide procedures used when the institution makes technological changes to systems to ensure it is in compliance with GLBA requirements.

You had better be in the providing and describing mode when they arrive next time. I was left with the impression that they are allowing one exam as a "let's discuss - take a look," with the next one real hard-nosed. By the way, this issue was covered within Safety and Soundness, not Compliance.

#41462 - 11/07/02 09:51 PM Re: Privacy Examination-------
Rangers Fan Offline
Gold Star
Rangers Fan
Joined: Dec 2001
Posts: 345
We had both S&S and Compliance exams this summer with similar results as Grist. In the compliance exam, they were more interested in our policy/procedures/notice, but in the S&S exam it was the yucky stuff (risk assessments, testing, addressing administrative, technical and physical safeguards of customer information). Yeah, this was our first one on the GLBA too, and I think you get round one as a heads-up on what to have in place in more detail next time.

#41463 - 11/07/02 10:21 PM Re: Privacy Examination-------
cbinder63 Offline

Platinum Poster
cbinder63
Joined: Dec 2001
Posts: 674
Colorado
Risk Assessment for Customer Data seems to be the big one. Have an assessment of the ways that information can be accessed without authorization and the risk level assigned to each. Use FDIC FIL 68-99.
_________________________
Opinions expressed are my own.

#41464 - 11/08/02 02:15 PM Re: Privacy Examination-------
PABanker Offline
Gold Star
PABanker
Joined: Dec 2000
Posts: 491
Blue Ball, PA 17506
We had an OCC exam and the vendor risk was a major recommendation. Look at having procedures in place for the GLBA part due by July 2003. We are in the process of revamping our vendor procedures.

#41465 - 11/08/02 03:09 PM Re: Privacy Examination-------
MackenzieS Offline
Diamond Poster
MackenzieS
Joined: Jul 2002
Posts: 1,722
Oklahoma
Can you elaborate on "vendor procedures"?
