
Information Security: Here's How

The bank regulatory agencies have produced the final rule on information security. These guidelines took effect on July 1, 2001, the same date as the privacy regulations. There is a two-year lag time for adjusting service provider contracts. This is as much guidance as we're going to get. There is plenty of built-in leeway for institutions. This is the result of a conscious choice by the agencies to allow each institution to develop security standards and procedures that are appropriate for its situation and its customers. So don't ask for clearer guidance. That will only result in detailed regulation that may work for some but would pose problems - if not nightmares - for others. The agencies are trying hard to avoid this kind of regulatory burden.

The guidelines should look familiar if you were around for Y2K. The issues of data safety and integrity are fundamentally similar. And so are the management processes.

On the basic level, your information security program must enable you to provide customers with the assurance that their information is safe with the bank. This means that the information security program must do more than simply comply with the privacy rules. It must also anticipate a variety of events and disasters that could have an effect on customer information. These hazards include security breaches and natural disasters.

Although the standards are published specifically to provide guidance on compliance with customer privacy rules, the agencies encourage institutions to develop broad information security systems to protect all bank and customer records.

Process over detail
The guidance stresses the process of developing and maintaining an information security system. As with Y2K, the agencies expect banks to develop a system for managing information security. The guidelines specifically advise institutions that they need to maintain ongoing management of information security in addition to implementing a program. Unlike the New Year's celebration last year, information security issues do not have an end-point.

In fact, the guidelines emphasize that the management process should give attention to change over time. In this respect, project management and board oversight involve different thinking and a different ongoing level of attention than Y2K required. Privacy and information security will never fall into a "been there, done that" category.

Responsibilities
The guidelines spell out specific responsibilities, beginning with the board of directors. According to the guidelines, the board of directors is responsible for approving the bank's written information security program. It doesn't stop here.

The board is also responsible for "overseeing the program's development, implementation, and maintenance, including assigning responsibility for its implementation." This means that the policy approved by the board should specify who is responsible for what. The policy can use either names or job titles, but it must be specific.

The guidelines identify specific board responsibilities including approving the written information security policy and program, overseeing the bank's efforts to develop, implement, and maintain the program, and receiving and reviewing regular (at least once a year) reports from management. The agencies have specified the board's responsibilities because failures in the information security program can threaten the institution's safety and soundness.

Managing the risk
The guidelines ask banks to start by assessing risks that information systems may be breached. This process is much like the Y2K process of identifying vulnerabilities. It involves a review and assessment of every information system in the bank - from file drawers to the most sophisticated computer systems.

This is the point at which the guidelines allow some variation in how banks design their programs. The guidelines direct banks to consider "reasonably foreseeable" threats, both internal and external. They advise banks to consider the likelihood and potential damage of these threats.

While this is clearly a more relaxed standard than the absolute certainty required of Y2K, it should not be read as an invitation to treat this issue casually. It is intended to provide banks with the ability to develop programs that are suitable and effective in their working environment. Information security programs should also take into account the need to protect the bank from private lawsuits. This may actually require a higher standard than the standard set by the regulatory agencies. This becomes a risk-based decision for bank management and the board of directors.

Testing
An essential component of managing the risk is periodic testing and auditing of the information security procedures. These should be conducted by independent third parties. An independent party is anyone - either inside of or outside of the bank - who is not involved in the design or management of information security. The importance of independence in the testing function is that a truly independent third party is most likely to identify weaknesses in the system simply because they have no vested interest in the success of the system.

It doesn't end in-house. You should be overseeing the security measures taken by your vendors. The requirements in the information security guidelines are strikingly similar to those in the privacy regulations. Any third-party service provider should be required through the contract to protect the privacy of all bank customer information. Similarly, the contract should enable the bank to take appropriate steps to ensure that the vendor complies.

Service providers include any person or entity - including attorneys and appraisers - who may handle or have access to customer information. The agencies note that disclosing information to such parties, as when closing a mortgage loan, creates additional risk to the security of information. It is up to the bank to ensure that the information remains secure.

The criteria for reviewing servicers are not necessarily the same as for reviewing in-house security measures. The bank may take into account the nature of the service provider's business and the privacy standards of that business. For example, a law firm or an accounting firm should have high standards for protecting any information concerning their clients. The same standard of care, however, might not be followed in a less privacy-sensitive business.

Some specifics
The guidelines incorporate many of the concepts and definitions contained in the privacy regulations. For example, the definition of "customer" is the same. Similarly, the guidelines apply to the non-public customer information identified in the privacy regulations.

Although the privacy regulations specifically protect any non-public personal information, the information security guidelines are broader. Information security must protect any file which contains non-public personal information. This may mean a data file, and it may mean a paper file containing a signature card or loan application. The guidelines' term for this, "customer information," and the related term "customer information system" are both construed broadly to ensure that the bank provides adequate information security for customer information wherever it is kept.

Note also that an information system includes the process of disposing of information. Shredding and other disposal methods are part of the information system that should be covered by these procedures.

The guidelines incorporate some familiar techniques, such as dual controls. Implementation of information security measures is the perfect time to insert the compliance department as a dual control. This could give compliance the specific responsibility to review web-site changes and other procedural changes that have compliance implications.

Training should also be a part of the program. All new employee training should now incorporate privacy training and procedures involving information security. Everyone in the bank needs to know about this.

ACTION STEPS

  • Dust off your Y2K materials and scan them for anything that can be re-used in the information security context. At a minimum, your lists of systems and participants should be similar.
  • If you haven't already started, get going on information security. Use the Y2K information and also the third party contracts you are reviewing for purposes of privacy compliance.
  • Prepare an information security policy that ties to your privacy program. The two should work together. You might even want to combine them.
  • Review your institution's use of dual controls with special attention to the Internet site and any e-banking. Now is the time to put dual controls into place.
  • Have a copy of these guidelines handy to show management the next time you are asked whether the board really has to review and adopt policies annually.

Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 5, 5/01

First published on 05/01/2001
