This short excerpt from the American Bank Systems 12 Step Privacy Compliance Program should help provide a beginning point.
You'll need to start by identifying risks to data security, confidentiality, or integrity. The first step is to assess risk. This is perhaps also the most challenging task. You are required to identify reasonably foreseeable threats - both internal and external - that could result in
- unauthorized disclosure,
- misuse,
- alteration, or
- destruction
of either customer information or customer information systems.
It may be helpful for you to take one category of threat at a time and identify the risks within that category.
For example, on the risk of unauthorized disclosure, your privacy team could brainstorm about all the threats you can think of. Here's one way to identify and document the threats:
Unauthorized Disclosure Type of Threat Internal External Loose lips X X (service providers) Files left on desks X Computer monitors viewable by outsiders X Emails containing customer information or references sent to wrong recipients X X Disclosures to government authorities without following the Right to Financial Privacy Act X Sending mail containing customer information to the wrong address (Example: bank receives fraudulent request for change of address and, believing it to be legitimate, changes the address for the account.) X Inadvertent disclosure to a pretext caller X X (can occur externally when, for example, someone employed by the service provider releases customer data to someone whom they believe to be acting on behalf of the financial institution) Hacker gains access to your network X Firewall proves inadequate X X Necessary security patches not installed X X Former users not removed from system X X Password system faulty X X Records misfiled X Service provider has inadequate information security X Institution's trash falls out of truck on way to shredder X X Unshredded trash is left where janitorial staff can access it. X X
First published on BankersOnline.com 5/7/01