
Surprises in the Final Information Security Guidelines

Answered by: 

Question: 
The federal banking regulators have agreed on final Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Guidelines"). You previously wrote two articles for us on the proposed guidelines. (See <a href="gurus_technology1211.html">Part 1</a> and <a href="gurus_technology1218.html">Part 2</a>.) Were there any surprises for you in the final version of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information? And could you give us a quick heads-up on what the final guidelines provide?
Answer: 

Actually, yes, there were a few surprises for me, but most of them were pleasant ones. First, I was surprised by the sheer number of alterations to the proposed Guidelines. However, while there were many changes, the vast majority resulted in additional clarity and a significant amount of streamlining. I believe the final Guidelines are a significant improvement over the proposal because the streamlining makes them easier to follow and understand. In terms of substantive changes from the proposal, there are very few.

A second surprise for me was the additional flexibility provided for banks in the finalized Guidelines. In the proposed Guidelines, the Board of Directors and Management of institutions were each provided specific duties. For example, in the proposed Guidelines, the board of directors of each bank was given oversight responsibilities for the creation, implementation and maintenance of the bank's information security program. Specifically, the Guidelines required the board of directors of each bank to:

1. Approve the bank's written information security policy and program that complies with these Guidelines; and
2. Oversee efforts to develop, implement, and maintain an effective information security program.

In the final version of the Guidelines, it is no longer required that the entire board perform any duty. Instead, all bank boards of directors have been given the additional flexibility of appointing a committee of the board to perform the duties previously assigned to the board as a whole. The Guidelines now provide that the board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank's written information security program; and
2. Oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

Additional flexibility was also provided regarding the responsibilities previously assigned to management. In the proposed Guidelines, a bank's management was specifically required to develop, implement, and maintain an effective information security program. Additionally, in conjunction with its responsibility to implement the bank's information security program, management was required to do three things on a regular basis:

1. Evaluate the impact on the bank's security program of changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems;
2. Document its compliance with these Guidelines; and
3. Report to the board on the overall status of the information security program.

In the final Guidelines, while the bank is still required to perform these duties and others, these responsibilities are no longer specifically assigned to management. Instead, a bank may now determine who will be responsible for these duties. For example, the board could appoint a committee of directors, management or employees to perform some of the duties, and the remainder could be outsourced. However, for cost reasons most banks may want to perform as many of their responsibilities as possible in-house. The bottom line is that the Guidelines' requirements for an information security program have not been significantly changed, but under the final Guidelines there is more flexibility regarding who is responsible for the various requirements.

Under the final Guidelines, the bank as a whole is assigned responsibilities in six areas: assessing risk, managing and controlling risk, overseeing service provider arrangements, adjusting the program, reporting to the board, and implementing the bank's program by July 1, 2001.

Which leads to the last real surprise for me in the finalized Guidelines. . . . I thoroughly expected the deadline for implementation to be postponed six months. Some of the comments received by the agencies on the proposed Guidelines recommended an additional 18 months(!) be added to the implementation date in order to allow banks adequate time to achieve compliance. There is a great deal for banks to do in the way of education and training, as well as the creation and implementation of the information security program. July 1 doesn't provide much time, considering the amount of work that needs to be done. The Agencies explained, however, that they believed that the deadline for compliance with the Guidelines needed to be the same as for the final Privacy Rule, which had already been established as July 1, 2001. The Agencies reasoned that the disclosure which banks must make under the privacy rule (which may be satisfied by advising customers that the bank maintains physical, electronic, and procedural safeguards that comply with federal standards to guard customers' nonpublic personal information) can only be meaningful if the bank's information security program is already implemented prior to the notice. Otherwise, there would be a need for an initial disclosure and then a subsequent disclosure after the program is implemented.

First published on BankersOnline.com 1/15/01
Copyright, 2001. Secure MIS, Inc. All rights reserved.