Strengthening Your Customer Information Policy & Procedures

Question: 
We have a policy and procedures on Safeguarding Customer Information. My problem is, the FDIC EDP examiner wants more meat on it, such as addressing logical and physical access controls to the CIF. No incident response policies? I can't find the information in the Federal Register. Vendor oversight requirements have not been formalized. Can you direct me to any site that will have examples or answers to these questions?
Answer: 

Take a look at the 8 different security measures your institution is required to evaluate and, if you determine them appropriate, adopt, under the Information Security Guidelines.

"Logical access controls" is the way they refer to the first category of security measures. It includes things ranging from call verification procedures to passwords. Physical access controls include things like key controls and inventories, and restricting access to areas and files within your institution (such as the server room) and at outside storage facilities.

In Banker Tools, you will find a matrix I created to help determine how much oversight you need to give to a particular vendor's information security program, based upon the sensitivity of the customer information to which they are privy and whether they are already directly subject to the guidelines.

There are a number of articles on the site relating to these requirements. There is also an on-demand seminar, "Can your information security program pass the test?", available for purchase in the BOL Banker Store.

First published on BankersOnline.com 1/20/03