Let's start with your first question: "What are the information security needs of a bank?" The answer depends on your perspective. If you're looking at the issue strictly from a regulatory compliance standpoint, the answer is outlined in the guidelines for safeguarding customer information and other regulatory issuances. As a security professional, however, I consider the information security needs of a bank to be significantly broader than what is actually required by the current regulatory issuances because the guidelines only specifically address the protection of information relating to consumer customers. I think financial institutions should give serious consideration to implementing the information security protections for all nonpublic customer information (whether the customer is an individual or a business entity) and as to all the institution's ownproprietary information. An outline of the actual requirements is provided.
I. Interagency Guidelines Establishing Standards for Safeguarding Customer Information
- Were mandated by Title V of the Gramm-Leach-Bliley Act;
- Final rules were published in the Federal Register on February 1, 2001, more than eight months after the consumer privacy rules.
- Required each bank to implement, by July 1, 2001, a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities.
- Affect all "customer" information, regardless of whether it is stored in electronic or paper form.
II. Goals/Objectives of the required information security program:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
III. Four things you need to understand up front about the information security guidelines:
- The guidelines are extremely task-oriented. There are specific assignments you were required to accomplish by the 7/1/2001 deadline, from identifying threats to customer information security to training your personnel, and specific tasks you must continue to perform on an ongoing basis;
- Although you may delegate the performance of certain tasks, you cannot delegate ultimate responsibility and potential liability in this area. Senior management and the board have specific responsibilities under these guidelines;
- This is not a one-time entry on a bank's to-do list. The obligation to protect the accuracy, integrity and confidentiality of customer information is a continuing one and you will have ongoing responsibilities for monitoring and evaluation.
IV. Five main tasks were required to be completed by July 1, 2001:
- Identify and assess risks to customer information security. Assess the likelihood of each of the threats/risks. [Examples: unauthorized disclosures; misuse of customer information; misuse of customer information systems; risk of alteration; risk of destruction.]
- Evaluate each of the eight specific security measures suggested in the Guidelines in order to determine if they are appropriate for your institution. (This is required, not just suggested.) Those eight security measures are:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
- Implement the security measures that are appropriate.
- in order to evaluate and implement these, you must understand them.
- you'll need to understand your current information collection, storage and retrieval procedures.
- you may need to call in outside experts to help in the evaluation.
- Draft an information security program that is thorough, prudent, and consistent with the guidelines. Avoid language that could be used against you later in the event of litigation.
- Get the board involved. The board (or an appropriate committee of the board) must oversee the development, implementation, and maintenance of the program and must review reports from management. (The reports are required to be made no less than annually.)
V. You must also address service provider issues
The regulators are particularly concerned about the information security risks that exist when customer information is accessed by, or disseminated to, third party service providers.
There are three service provider issues you'll need to grapple with:
- you must perform due diligence on all your service providers who will have access to customer information;
- you will need to build in a contract provision (except for grandfathered contracts) that requires your service providers to have information security programs designed to achieve the objectives of the guidelines;
- in some cases, you will be required to monitor the information security practices of service providers. This would entail reviewing audits, summaries of test results or other evaluations. You'll need to develop (or hire) the necessary expertise to conduct such monitoring.
VI. Ongoing responsibilities
- The Guidelines require you to regularly test controls and monitor your procedures/program on an ongoing basis. There are several triggers for when additional work is required -- such as when you acquire another institution, change or implement a new system, etc.
You must provide information security training for your employees on an ongoing basis.
Which laws/guidelines deal with information security needs of the bank?
The Interagency Guidelines Establishing Standards for Safeguarding CustomerInformation are the controlling authority.
Note: the Interagency Guidelines Establishing Standards for Safeguarding Customer Information only mandate information security measures relating to nonpublic customer information. Customer is defined therein to mean individuals, as opposed to corporations and business. This means that while a bank has information security needs for its own information, and would be well advised to also provide information security protections for its corporate customers' information, there is no requirement in the regulation to protect these types of information.
What are the steps involved in designing a security policy for a bank?
In addition to the above information, the single best document I have found on point is: NIST Special Publication 800-18; Guide for Developing Security Plans for Information Technology Systems. This document can be obtained from the following link: http://csrc.nist.gov/publications/nistpubs/index.html
First published on BankersOnline.com 2/4/02