Tool 3: Managing and Controlling Risk
Safeguarding Customer Information
Setting Employee Responsibility
Policy Statement
[Your Institution] has implemented basic security policies and controls that govern end
user computing operations, and management has the authority to evaluate the risks
associated with end user computing. The purpose of this policy is to establish general
guidelines for maintaining an end user computing environment within the bank that is
controlled, consistent, and secure and that will enhance the productivity of end users. The
board intends that the institution adhere to the guidelines set forth in the Joint Interagency
Policy Statement on End User Computing Risks issued January 25, 1988. The board of
directors adopts the following policies, standards, and controls as the bank’s end user
computing policy.
End User Computing Policy And Procedure Responsibility
The board of directors delegates the day-to-day management of the use of
microcomputers to the functional managers. They are responsible for ensuring that their
employees adhere to the bank’s policies and procedures.
End User Computing Committee
The board appoints the following staff members to the end user computing committee.
The purpose of this group is to assist bank management in developing and implementing
policies and procedures for the end user computing environment and for reviewing these
policies and procedures for feasibility, enforceability, and usability.
Information Systems Department
The information systems department is responsible for supporting and coordinating the
day-to-day operation of the end user computing environment in a manner that is
consistent and in compliance with the approved policies and procedures. Additionally,
the information systems department should monitor and review the activities of end users
to ensure that they are adhering to the institution’s microcomputing policies and
procedures.
AMERICAN BANKERS ASSOCIATION
Internal Audit Department
The internal audit department is responsible for conducting periodic reviews of the end
user computing environment to ensure that policies and procedures are adequate to
properly control the environment and that all end users consistently follow these policies
and procedures.
The internal audit department also has the responsibility to evaluate the level of
compliance with the institution’s end user computing standards, policies, and procedures
and to report any discrepancies to the appropriate department manager for correction and
enforcement and to the board of directors through the audit committee in their regularly
scheduled reports.
The internal audit department will be available to management, users, and the end user
computing committee to provide input and recommendations in certain circumstances,
including, but not limited to, the following:
• Purchase of new software
• Automation of procedures
• Access control issues
• Termination of employees
• Development and testing of systems/procedures
• Suspicion of fraud or misuse of software and/or hardware
• Implementation of new controls and/or testing
Acquisition of Hardware and Software
The acquisition of all hardware, software, and peripherals must be properly justified and
must comply with the Institution’s capital expenditure policies.
• All acquisitions, installations, and implementations require review and
coordination by the information systems department and approval by the
appropriate department executive(s).
• Acquisitions of local area networks (LANs) or more complex systems may
require a feasibility study or evaluation prior to the approval of the acquisition.
The end user computing committee will determine any additional requirements
needed for the acquisition of more complex systems.
• The purchasing department will acquire all approved microcomputer (PC)
hardware and software.
• The information systems department will maintain a complete inventory of
hardware, software, and peripherals.
• All department systems will be equipped with standardized hardware and
software. The end user computing committee will be responsible for reviewing
and determining appropriate standardized hardware and software to be used by
bank personnel.
Licensed Use of Packaged Software
Employees are required to read and comply with commercial software license
agreements. Managers must be certain that employees understand that modifying, selling,
or duplicating commercial software packages is illegal and expressly against the Bank’s
policy. The bank may be held liable for anyone illegally obtaining or copying commercial
software. Civil damages for the unauthorized copying or use of software can be $50,000
or more, and criminal penalties can include fines and imprisonment. Duplicating software
includes but may not be limited to the following:
• Making a copy of a software program from the employee’s hard drive or from a
diskette.
• Using the master diskette on an employee’s home computer when the software is
already installed on one of the bank’s computers.
• Installing software that currently resides on an employee’s home computer on a
bank computer.
• Receiving an upgrade for a software package and installing the version on a
different computer.
• The information systems department must review and audit any public domain
software (e.g., Internet software) prior to installation on any bank-owned
microcomputer.
Physical Protection and Security of Hardware/Software
Managers in each user area are responsible for proper and adequate physical security and
protection of the hardware and software assigned to their departments. Department
managers are responsible for developing and implementing appropriate physical security
controls and protection of hardware and software and for ensuring compliance with
established physical security policies. In addition, department managers are responsible
for the following:
• Ensuring sensitive reports and information are properly safeguarded and disposed
of in a proper manner.
• Assessing their department’s physical control needs and implementing controls
necessary to ensure proper security and protection.
• Monitoring and maintaining control over the use of laptop microcomputers.
• Maintaining inventories of hardware and software and periodically auditing these
inventories.
• Securing the work areas housing microcomputers.
• Assessing the need for locks and keys.
• Establishing proper housekeeping rules.
• Maintaining adequate environmental controls.
• Training users on proper use and care of microcomputers.
Although ultimate responsibility for the physical protection and security of
hardware and software rests with the department manager, each user is
responsible for the physical security and protection of his or her own
microcomputer. In addition, end users are responsible for the following:
o Abiding by all housekeeping policies established by management;
o Keeping a maintenance list identifying all maintenance done to their
equipment;
o Securing any laptop microcomputer while in their possession;
o Being aware of and reporting any suspicious individuals or activity to
management; and
o Ensuring that all software is backed up and maintained in a secure area.
Restricted Access to Data and Software
It is the policy of the Institution to protect the processing, storage, and use of data on
microcomputers, LANs, or wide area network (WAN) systems based on the level of the
data’s sensitivity and value to the bank. Each department manager will establish and
implement proper and adequate access controls to restrict access to data and software.
These controls are intended to prevent unauthorized access that could result in confidential
data being accessed, improper loading of software (posing the risk of viruses and use of
unauthorized software), and improper downloading of programs and files that could result
in unauthorized copying.
Misuse of corporate data will be reported to management and the board of directors
through appropriate channels.
Each department is responsible for identifying and establishing the proper procedures to
ensure that hardware, software, and documentation are adequately backed up so that
timely recovery is possible in the event of a disaster. The department manager will perform
a risk assessment of each department to determine the impact that loss of data would have
on the institution for the following reasons:
• Incorrect management decision
• Improper disclosure of information
• Fraud
• Financial loss
• Competitive disadvantage
Based on the results of the risk assessment, each department manager will be responsible
for ensuring that appropriate microcomputer backup procedures are included in each
department’s respective section of the disaster recovery plan for [Your Institution].
Data Integrity
Each department manager is responsible for implementing security measures and controls
to ensure that all data are adequately evaluated, tested, and validated prior to transfer or
release. This includes, but is not limited to, data that:
• Reside on microcomputers, LANs, and WANs and are downloaded or uploaded to
the mainframe or to another system.
• Reside on a microcomputer from which critical business decisions are made
and/or on which financial reporting for the bank is based.
Each department is responsible for developing and maintaining a list of all sensitive data
and of programs used to process the data. The manager or supervisor of the department is
responsible for updating the information and communicating the information to
employees.
Virus detection software will be installed on each microcomputer in the bank to help
ensure that no viruses are introduced into the bank’s systems.
Program Development, Documentation, and Testing
All developed software, applications, and programs must be fully tested and adequately
documented before becoming part of a system that processes the institution’s data.
Prior to the development of any new software application or program, the end user
computing committee will review the request for the new application or program and
perform a cost/benefit analysis.
Managers are responsible for overseeing new projects and ensuring management control
of the development process. Management control will encompass all phases including the
initial development phase, development of appropriate data editing controls, proper
input/output controls, report design, adequate testing, and documentation.
Training And Support
The board of directors understands that the increase in microcomputer use requires that
employees are properly trained and informed on the policies and procedures endorsed by
the institution with regard to end user computing. The ability of employees to enter, move
around, and leave the institution with ease increases the risk to the bank. Therefore,
management and the board plan to address these issues through policies, education, and
training of users on security and use of microcomputers.
The institution will provide end user computer training to all employees. All users will be
trained before they use institution-owned hardware and software. The training department
of the institution is responsible for developing end user training materials and providing
information and classes for all employees. Training will cover the bank’s policies and
procedures relating to end-user computing. The programs developed will increase
employees’ awareness about microcomputer security risks and vulnerabilities and the
appropriate preventive controls. The training department will maintain documentation
concerning training of all employees for review by department managers, internal audit,
the board of directors, and regulators.
The board of directors approved and adopted this policy on (date).