Help- Privacy Issues!

Posted By: J2C

Help- Privacy Issues! - 01/06/05 04:17 PM

So, I just finished the privacy audit and had some issues...surprise. Anyway, the Privacy Officer does not believe that the Data Classification issues belong in his audit report. They have been in there before; it is just that there are some repeat issues, which makes his audit rating worse. Now, in order for me to revise the report so that he can't argue with me, I need some further information.

Is information security training REQUIRED? I know privacy training is suggested to be ongoing...but we have not had info security/data classification training in quite some time. Regular Reg. P training has occurred.

I am starting to get really frustrated with this audit. I am tired of management constantly dancing around repeat issues and then saying that it shouldn't be a MAJOR FINDING. Our grading policy states that a major finding is anything that is a repeat, includes violations of bank policy, improper accounting procedures, violations of internal control and security problems, violations of regulations, potential loss of income, extreme deviations from the expected error rate on sample testing, and wasteful use of assets. The PO is arguing that this is NOT a violation of law and therefore should not be a repeat!

Sorry for the rant...but thanks for listening.

Posted By: EdOils

Re: Help- Privacy Issues! - 01/10/05 06:09 PM

I don't know if this is "required". I skimmed the FFIEC's IT booklets and didn't see it anywhere. You may want to go and read them further.

However, this may fall under how the bank "manages" the IT function. Examiners love to see training in all areas. I also have the philosophy that "if you don't know, you can't do." I would think that this would be "highly recommended."

Another issue is the repeat suggestion. IMO, if management agreed to your recommendation last year that training should be conducted annually, then this year would be a repeat suggestion if nothing was done. Repeat write-ups are a problem, no matter how minor. They told you they would do something and didn't. Not a good thing.

Posted By: Roun

Re: Help- Privacy Issues! - 01/11/05 09:40 PM

Customer Information Security Training is required under Appendix B of Part 364 of the FDIC's Rules and Regs or Section 501(b) of the Gramm-Leach-Bliley Act. Part 364 states, "Train staff to implement the bank's information security program". Hope this helps!!!