Would we meet the multifactor authentication requirements by adding a second password requirement to the logon page of internet banking?
We feel that our network is very secure against attacks that originate on the Internet. Are there other areas about which we should be concerned?
In the past, we sent mortgage loan closing documents to the title company via the internet. We stopped this practice because we feel that without having a secured e-mail line, and without encrypting the data, we would be in violation of GLB. Same with sending our Good Faith Estimates, or other disclosures. We stopped sending via e-mail to customers because of GLB issues. Are we correct in that it would be a violation of GLB to send non-public financial information electronically over a non-secure line?
Just completed listening to a CD that we purchased from you titled Multi-Factor Authentication. Unfortunately, I don't get a chance to ask questions, so I'm sending this one off to you in hopes that either Mary Beth Guard or someone familiar with the topic can answer. It was never mentioned whether adding another ID/password challenge is an acceptable form of additional authentication and, where appropriate, would satisfy the FFIEC directive for the end of this year?
Several employees are carrying "take home" bank keys on their personal key rings - along with house and car keys. I would like to stop this practice to keep the keys separate and not in use when out of the bank. I cannot find any reference material on this. What do you think of stopping this practice?
I would like to develop an Information Security Compliance Assurance Framework and program for my organization. Could you please suggest some reference sources for the same?
We are in the process of developing a more comprehensive IT/Information Security policy for our growing institution. What recommendations can you make regarding content that will ensure compliance with regulations? Are you aware of any sample policies that meet regulatory criteria that we can refer to for guidance? We are most interested in successful ways of incorporating GLBA requirements.
What must be done if a tape containing loan customer information is lost in transit to the credit bureau? The tape is encrypted and contains minimal sensitive information.
We are considering making loans via the internet. I know CIP and internet security need to be arduous. What other considerations and compliance issues are there?
We use outside vendors to do our IT penetration testing. Is it written anywhere how often this should be done? Can we use the same vendor each time?