Tool 3: Managing and Controlling Risk
Safeguarding Customer Information
Information Security Policy Sample 3
[Designed For An Institution With Internet Banking]

Directive

Management shall, through an effective Information Security Program (the Program):

- Assure the security and confidentiality of customer records and information as well as the proprietary records and information of the bank;
- Protect against any anticipated threats or hazards to the security or integrity of such records and information; and
- Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer or the bank.

The Program shall use appropriate administrative, technical, and physical safeguards to protect customer records and information as well as the institution's own proprietary information. Additionally, the Program shall meet standards mandated by The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) issued pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.

Responsibility and Reporting

The Chief Information Officer (CIO) is assigned primary responsibility for the development, implementation, and maintenance of the Program. To assist, the CIO may convene a committee of other managers from various divisions or departments of the bank, including Operations, Lending, Retail, and Compliance. At least annually, the CIO will report to the Board of Directors the overall status of the Program.
The report shall discuss material matters related to the Program, addressing issues such as:

- risk assessment;
- risk management and control decisions;
- service provider arrangements;
- results of testing;
- security breaches or violations and management's responses; and
- recommendations for changes in the Program.

AMERICAN BANKERS ASSOCIATION

Identifying Risks

Management shall identify the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Further, management shall develop and implement procedures and other controls that take into account the likelihood and potential damage of these threats.

Managing and Controlling Identified Risks

Management shall develop, implement, and maintain the Program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Management has, as of today, identified the following security measures appropriate for the bank and either has or will shortly adopt those measures that management concludes are appropriate. Testing methods are also listed.

Security Measures

Control: Access controls on customer information systems
Purpose/Description: Includes controls to:
- Authenticate and permit access only to authorized individuals; and
- Prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
Bank Policy or Procedure Cross-Reference: The following Bank policies and procedures address controls on access:
- PC/LAN Security Policy
- Internet/Email Policy
- Firewall Policy
- Network Security Administrator's Procedures
- Ethics and Employee Conduct for Personal Use of DP Resources
- CBS Administrator Procedures
Testing:
- Review by Outside Audit Firm of Firewall and On-Line Banking – last conducted ______.
- Outside Audit Firm annual review of Internal Security and Controls.
- Annual penetration testing by third party (name them).

Control: Encryption of electronic customer information
Purpose/Description: Includes information while in transit or in storage on networks or systems to which unauthorized individuals may have access.
Bank Policy or Procedure Cross-Reference: The following provide methods of encryption of electronic customer information:
- SSL technology for online banking
- PGP password procedures for internal communications
- The use of Cisco routers on data
Testing: During the annual Outside Audit Firm Controls Review audit, the SSL connections will be tested along with a review of emails for PGP usage.

Control: Customer information system modifications
Purpose/Description: Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program.
Bank Policy or Procedure Cross-Reference: Change control procedure for LANs, etc., to be added to PC/LAN Security Policy and Firewall Policy.

Control: Monitoring systems and procedures
Purpose/Description: To detect actual and attempted attacks on or intrusions into customer information systems.
Bank Policy or Procedure Cross-Reference:
- Net Prowler
- Monthly Log Reviews by Network Security Administrator
Testing: The annual Outside Audit Firm audit of I.S. Controls will review the log sheet of the Network Security Administrator showing what servers were reviewed and when the reviews occurred.

Control: Response programs
Purpose/Description: That specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
Bank Policy or Procedure Cross-Reference: Added to Firewall Policy (date).
Testing: The Network Security Administrator will update the response procedures.

Control: Contingency and Disaster Recovery
Purpose/Description: Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
Bank Policy or Procedure Cross-Reference:
- Disaster Recovery Plan
- Business Continuity Plan (Systems) with mirrored system capability by (date)
Testing: Testing of the disaster recovery plan and the business continuity plan will be performed and documented by I.S. Department on an annual basis. Outside Audit Firm will review during the annual Controls Review Audit.

Service Provider Oversight

Management shall exercise appropriate due diligence in selecting service providers. When applicable, contracts with service providers shall specifically require them to protect the security, confidentiality, and integrity of all customer information that is under their control. Contractual performance shall be monitored.

Training

Appropriate initial and periodic ongoing training shall be provided to all associates who carry out policies and procedures adopted within the Program. The Training Department shall maintain records of all such training.

The Institution will approve the Customer Information Security Policy initially and annually. The board of directors approved and adopted this policy on ____________________.