BOL Conferences
#870330 - 12/11/07 03:22 PM Gramm, Leach, Bliley
msboo Offline
Gold Star
Joined: May 2006
Posts: 260
Does Gramm, Leach, Bliley state a bank's Information Security Policy & Program should be reviewed annually by the Board of Directors? If so, where?

Audit
#870776 - 12/11/07 08:44 PM Re: Gramm, Leach, Bliley msboo
Reads Regs Offline
Diamond Poster
Joined: Nov 2004
Posts: 2,310
Appendix B to part 570 of the OTS regulations contains the "Interagency Guidelines Establishing Information Security Standards." The following text came from this document.

"F. REPORT TO THE BOARD. You shall report to your board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and your compliance with these Guidelines. The reports should discuss material matters related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program."
_________________________
Opinions expressed are my own and not necessarily those of my employer. They are not legal advice.


Moderator:  Andy_Z