See "Information Security Guidelines Surprises" for a quick summary of the oversight responsibilities of the board of directors, or a committee of the board, since those would be key points regarding the implementation of the program.
Other than those responsibilities, the major points of the information security program are as follows:
The first key element is that a bank must assess the risks its customer information and customer information systems are exposed to. This involves identifying all reasonably foreseeable threats to the information and the information systems. Then, both the likelihood of the threats and potential damage that could result from them must be assessed. Finally, the bank will need to assess the sufficiency of its current policies, procedures, customer information systems, and other arrangements in place to adequately control the risks it has identified.
The second key element is that a bank's program must be designed to manage and control the identified risks. The Guidelines provide eight specific security measures which banks must consider and include in their program if the bank determines them to be appropriate. It should be noted that no bank is required to incorporate any of the measures; all that is required is that banks take them into consideration when developing their program. However, a bank's information security programs must include training and testing components. Regardless of what else may be included in the program, staff will have to be trained to implement all aspects of the program. Furthermore, the program will need to require regular testing of the key controls, systems and procedures of the information security program, and there is a further requirement that the test results receive independent third party review. The periodic testing is to insure both the adequacy of the policies and to determine if staff follows the policy and procedures properly.
The third key element of an information security program involves overseeing service provider arrangements. Banks are required by the Guidelines to exercise appropriate due diligence in selecting their service providers. Due diligence should include a review of the measures taken by a service provider to protect customer information, and a review of the controls the service provider has to ensure that any subservicer will be able to meet the objectives of the Guidelines as well.
The final Guidelines also require that a financial institution have a contract with each of its service providers that requires each provider to 1) implement appropriate measures designed to meet the objectives of these Guidelines and 2) when warranted, to receive copies of the service provider's audits and test result information sufficient to assure the bank that the service provider implements information security measures that are consistent with its contract provisions regarding the security of customer information. This means that while the service providers do not necessarily have to follow the Guidelines, they will have to have comprehensive means to protect the bank's customer's information. (Note: The regulators declined to provide model language for this, believing that the formulation of contract terminology is best left to the parties involved.)
The final key element of an information security program is periodic review and adjusting of the program. The program should require that the institution's policies and procedures be reviewed, evaluated and adjusted on a regular basis for any needed updating due to changes in internal or external threats, relevant changes in technology, the sensitivity of its customer information, and the bank's changing business arrangements.
First published on BankersOnline.com 1/15/01
Copyright, 2001. Secure MIS, Inc. All rights reserved.
Key Elements of an Information Security Program
Answered by:
Question:
What are the key elements of an information security program under the Guidelines?
Answer: