I would welcome any suggestions regarding how to conduct an information technology risk assessment.
I currently report to the Senior Manager in charge of Technology and Operations. There is discussion about me reporting to the Senior Retail Banking Manager. I am looking for some resources that provide a discussion about the area of the bank the security officer position should fall within.
Does the Bank have a responsibility to file a SAR on those individuals who attempt to "hack" into our computer system? If so, what if we do not have much information on them to complete the SAR with?
With the changing world of banking due to the infusion of information technology, what do you see as the role of the bank's security officer and the challenges ahead?
We have a message posted on our Web site that tells customers not to submit emails that contain sensitive or confidential information and that tells them not to use email for specific transaction-related requests. Our system gives us the capability of doing auto-responders to any email submitted. We have drafted an auto-responder that thanks the sender for their message, acknowledges that it was received, but basically reiterates our policy about how they shouldn't be sending confidential or sensitive information or anything about a specific transaction or account. It has been suggested that we might want to add something to it to say something like "We will not act upon email requests for funds transfers, stop payments, account closings, or fraud notifications. These must be done either in person, or by calling such and such number." I'd like to know whether you think this is a good approach or whether there's a better way to handle this. We almost considered not even posting an email address on our site at all to just stop the email.
How do banks intend to monitor their service providers to confirm that they are maintaining appropriate security measures to safeguard the bank's customer information? We are looking for a practical, reasonable way to do this.
The federal banking regulators have agreed on final Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Guidelines"). You previously wrote two articles for us on the proposed guidelines. (See <a href="gurus_technology1211.html">Part 1</a> and <a href="gurus_technology1218.html">Part 2</a>.) Were there any surprises for you in the final version of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information? And could you give us a quick heads-up on what the final guidelines provide?