Encrypting Customer Data

Answered by:

Question:

In reviewing the Interagency Examiner Guidance on Information Security, Section 5d concerning Risk Management and the encryption of electronic information in STORAGE on network or system in case of unauthorized access...does this mean we are expected to keep stored customer data encrypted that we access day to day?

Answer:

I think the guidance indicates that this may be warranted depending on your risk assessment. If, in the process ofdoing your risk assessment, you find that the data is deemed to be extrememly sensitive and the system is deemed to be vulnerable to unauthorized access, then encryption of the data while stored on the internal system may be called for.

First published on BankersOnline.com 7/2/01