BOL Conferences
#35408 - 10/01/02 08:52 PM GLBA Section 501
Anonymous
Unregistered

Does anyone have a policy for Standards of Safeguarding Customer Information (GLBA Section 501)? We are a small 66m bank and the FDIC examiners are requesting this policy. Would like to find a policy to help get me started. My email is frststbk@rea-alp.com. Thanks

Security - PUBLIC
#35409 - 10/02/02 02:00 PM Re: GLBA Section 501
NancyF Offline
100 Club
Joined: Dec 2001
Posts: 173
PA

Wayne Barnett posted a policy in the Bankers Tools section, under policies. I used this as my starting point and made revisions to reflect what our bank is actually doing.

#35410 - 10/03/02 06:21 PM Re: GLBA Section 501
Tina A Sweet Offline
Diamond Poster
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
I have sent this request to our IT department. She should be contacting you via the email you have left.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

#35411 - 10/10/02 06:19 PM Re: GLBA Section 501
Anonymous
Unregistered

Just as an added note, Customer Information Security is not an IT issue only. We were criticized at our recent FDIC exam in that we had treated this as an IT issue, when in reality the entire bank needed to be involved. Remember that Customer Information Security not only involves IT security, but also deals with everything that includes customer information, from signature cards, new account applications, loan documents, internal reports, etc. Physical and electronic security need to be addressed in your Policy and programs.

#35412 - 10/10/02 08:24 PM Re: GLBA Section 501
LinMarie Offline
100 Club
Joined: Nov 2001
Posts: 243
Is anyone willing to share their audit report of this area?


#35413 - 10/11/02 12:28 AM Re: GLBA Section 501
Anonymous
Unregistered

With respect to the IT portion of it, the FDIC put out excellent information this week regarding how it will be approaching IT examinations. You can link to it from the BOL Launch Pad under the Technology Regulatory Guidance section.

While it is geared toward IT risk assessment, it actually overlaps substantially with information security concerns.

This link will take you there:
Tech links on the Launch Pad

#35414 - 10/11/02 03:15 PM Re: GLBA Section 501
BANNED BY BOL MANAGEMENT Offline
Platinum Poster
Joined: Oct 2002
Posts: 524
Tina:

You probably already know that IT is one part with non-computerized privacy issues the other part, e.g. stuff on desks, whether or not a screen saver is being used, whether or not the screen savers have access codes, is customer information available on the monitor prior to a screen saver coming on, access to documents to be shredded, etc.

#35415 - 10/11/02 04:30 PM Re: GLBA Section 501
Tina A Sweet Offline
Diamond Poster
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
Yes, but thank you for following up, just in case I didn't. We actually had all parts of 501 in place, except we did not have them in one package. We had to complete all of this from our exam within 60 days. It was easy since we had completed the work already.
_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

#35416 - 10/11/02 06:03 PM Re: GLBA Section 501
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
I've heard several people comment that the regulators 'found' the same thing at their bank and we received similar comments. I guess it's great that the banks all implemented all the aspects of GLBA - but if so many missed the part about putting it together in one program, maybe the instructions weren't so clear!
_________________________
Opinions my own.

#35417 - 10/12/02 08:22 PM Re: GLBA Section 501
Princess Romeo Offline

Power Poster
Joined: Jun 2001
Posts: 8,272
Where the heart is
Semantics!!! If you have a very thorough IT Security Policy, why oh why do you have to then either duplicate it or mash it into your overall GLBA policy?

Okay - what we did - our GLBA program is very broad. In that program, we refer to specific department policies and procedures to cover all the different aspects of Information Security. And finally, at the end of our Information Security Program and Policy, we have an Appendix. In the Appendix, we have a Reference Table. The Reference Table lists policies and procedures and shows what area of Information Security is addressed in that policy or procedure, what department is responsible for that policy or procedure, and the last time it was updated.

One of my LEAST FAVORITE activities is re-inventing the wheel. Other one is - duplicating efforts.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'


Moderator:  Andy_Z