Information Security Exam Guidelines Released
by Mary Beth Guard
The Federal Reserve Board became the first banking regulator to issue examination guidelines for compliance with the Interagency Guidelines for Safeguarding Customer Information.
Here's what the examiners will be looking for:
- First, do you have a written information security program or policy? If so (and you'd better!):
- It needs to have been approved by the board of directors or an appropriate committee of the board;
- It needs to be appropriate for your size and for the complexity of your institution and your operations.
- It needs to spell out its objectives, assign responsibility for implementation, and provide methods for compliance and enforcement.
- Next, they'll look to see whether you are updating the program periodically to reflect changes in your operations and systems and to respond to changes in the threats or risks to your customers' information. (Unless your initial exam under these Guidelines is many months away, this won't be as big a focus initially, unless changes in your operations and systems are significant or a major new threat or risk to customer information security arises.)
- They'll look at how you have approached the task of assessing risk to customer information. Keep in mind that it's not just digital information that is protected, although electronic information may be most vulnerable. Be sure you have analyzed the risk to data stored in paper form as well.
- They'll want to see that you have gone through and actually identified where and how customer information is located and the systems and methods you use to store, process, transmit and dispose of that customer information.
- Your identification of internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information and customer information systems will be scrutinized and you will be expected to have assessed the likelihood and potential damage posed by the threats you have identified.
- Your risk management processes for implementing effective measures to protect customer information will be dissected. The examiners will be looking for evidence/documentation that you have carefully considered the appropriateness of all of the eight information security measures outlined in the Guidelines, and they'll be looking at whether you properly determined which ones are appropriate for your institution. In any instance where your deliberation concluded a security measure should be implemented, the regulators will look to see that it has been implemented properly.
- Your employees are required to be trained on implementing your information security program. Be ready to brief the examiners on when training was conducted, what it consisted of, and who was in attendance.
- Post-adoption issues will also be evaluated. Do you regularly test the effectiveness of the key controls, systems, and procedures of your program? Depending on the size of your institution and the complexity of your systems, this might include penetration testing, system security audits, and tests of operational contingency plans. Examiners will look at who conducts the tests. Are they performed by independent staff, or are the test results reviewed by independent staff? Do the staff members performing the tests (or reviewing the results) have sufficient expertise in the subject matter?
- For service providers who will receive customer information, or who will have access to customer information through services provided directly to the bank, the examiners will want to find out whether you have conducted appropriate due diligence into the providers' information security practices. They will also want evidence that service provider contracts entered into after March 5, 2001 require the service provider to maintain information security procedures designed to meet the objectives of the Guidelines. In addition, you will need to demonstrate that you monitor your service providers' information security safeguards at a level appropriate to the risk involved. (How do you monitor? You may conduct, or review the results of, audits, security reviews or tests, or other evaluations.)
- Reports to the board are the final item the examiners will be looking for. They will want to make sure the bank is reporting on the overall status of the information security program, including the bank's compliance with the Guidelines, to the Board, or an appropriate committee thereof, at least once a year.
Examiners will assess compliance with the Guidelines during each safety and soundness examination, or other examination, conducted after the July 1, 2001 effective date of the Guidelines, and will monitor ongoing compliance as needed during the risk-focused examination process.
Documentation is the key!
Keep records of your research into the different security measures and the discussions regarding which ones would be appropriate for your bank. Supplement the initial research with new fact-finding and discussion as circumstances change.
Track employee training - and make sure everyone is trained.
Make sure your board minutes properly reflect the adoption of the security program and the assignment of responsibility for implementation.
Identify the program's objectives.
Calendar your next annual report, so that it won't be forgotten.
Make a list of service provider contracts that will need to have the additional contract language added. Divide it into those executed after March 5, 2001 and those executed prior to that date. Take steps to ensure those executed after March 5, 2001 are compliant now.
Create a risk matrix for your service providers. Rank them in order of risk and decide what you will do to monitor their efforts to safeguard your customers' information. Establish a file for each service provider to keep track of contract copies, tests, evaluations, audits, and other security reviews.
Decide how frequently you will test the effectiveness of your security measures. Calendar the testing and document it when it's done.
Construct a workable method for performing due diligence on prospective new service providers. Consider developing a checklist of questions to ask and facts to check. Three new documents are available from the FDIC under FIL-50-2001 to help you manage technology outsourcing risks:
- Effective Practices for Selecting a Service Provider;
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements; and
- Techniques for Managing Multiple Service Providers.
Circulate a memo around the bank reminding management and employees that whenever they implement new products or services, enter into new service provider contracts, change hardware or software, or engage in any other activity that could alter or increase the risks to customer information security, they must coordinate with the head of your bank's information security program so that the security implications are thoroughly evaluated, understood, and prepared for.
Plug in to an informational source that will keep you apprised of new information security risks and threats.
Originally appeared in the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 11/19/01