Skip to content

Developing an Information Security Program

Answered by: 

Question: 
I would appreciate any advice on where to start when developing our information security program.
Answer: 

This short excerpt from the American Bank Systems 12 Step Privacy Compliance Program should help provide a beginning point.

You'll need to start by identifying risks to data security, confidentiality, or integrity. The first step is to assess risk. This is perhaps also the most challenging task. You are required to identify reasonably foreseeable threats - both internal and external - that could result in

  • unauthorized disclosure,
  • misuse,
  • alteration, or
  • destruction

of either customer information or customer information systems.

It may be helpful for you to take one category of threat at a time and identify the risks within that category.

For example, on the risk of unauthorized disclosure, your privacy team could brainstorm about all the threats you can think of. Here's one way to identify and document the threats:
Unauthorized Disclosure Type of Threat Internal External Loose lips X X (service providers) Files left on desks X Computer monitors viewable by outsiders X Emails containing customer information or references sent to wrong recipients X X Disclosures to government authorities without following the Right to Financial Privacy Act X Sending mail containing customer information to the wrong address (Example: bank receives fraudulent request for change of address and, believing it to be legitimate, changes the address for the account.) X Inadvertent disclosure to a pretext caller X X (can occur externally when, for example, someone employed by the service provider releases customer data to someone whom they believe to be acting on behalf of the financial institution) Hacker gains access to your network X Firewall proves inadequate X X Necessary security patches not installed X X Former users not removed from system X X Password system faulty X X Records misfiled X Service provider has inadequate information security X Institution's trash falls out of truck on way to shredder X X Unshredded trash is left where janitorial staff can access it. X X

First published on BankersOnline.com 5/7/01

First published on 05/07/2001

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics