Toolbox User Guide - American Bankers Association

Tool 3: Managing and Controlling Risk
Safeguarding Customer Information
Information Security Policy Sample 3
[Designed For An Institution With Internet Banking]
Directive
Management shall, through an effective Information Security Program (the Program):
- Assure the security and confidentiality of customer records and information as
well as the proprietary records and information of the bank;
- Protect against any anticipated threats or hazards to the security or integrity of
such records and information; and
- Protect against unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer or the bank.
The Program shall use appropriate administrative, technical, and physical safeguards to
protect customer records and information as well as the institution's own proprietary
information.
Additionally, the Program shall meet standards mandated by The Interagency Guidelines
Establishing Standards for Safeguarding Customer Information (Guidelines) issued
pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12
U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b),
of the Gramm-Leach-Bliley Act.
Responsibility and Reporting
The Chief Information Officer (CIO) is assigned primary responsibility for the
development, implementation, and maintenance of the Program. To assist, the CIO may
convene a committee of other managers from various divisions or departments of the
bank, including Operations, Lending, Retail, and Compliance. At least annually, the CIO
will report to the Board of Directors the overall status of the Program. The report shall
discuss material matters related to the Program, addressing issues such as: risk
assessment; risk management and control decisions; service provider arrangements;
results of testing; security breaches or violations and management's responses; and
recommendations for changes in the Program.
Identifying Risks
Management shall identify the reasonably foreseeable internal and external threats that
could result in unauthorized disclosure, misuse, alteration, or destruction of information
or information systems. Further, management shall develop and implement procedures
and other controls that take into account the likelihood and potential damage of these
threats.
Managing and Controlling Identified Risks
Management shall develop, implement, and maintain the Program to control the
identified risks, commensurate with the sensitivity of the information as well as the
complexity and scope of the bank's activities.
Management has, as of today, identified the following security measures appropriate for
the bank and either has or will shortly adopt those measures that management concludes
are appropriate. Testing methods are also listed.
Security Measures

Control: Access controls on customer information systems
Purpose/Description: Includes controls to:
- Authenticate and permit access only to authorized individuals; and
- Controls to prevent employees from providing customer information to unauthorized
individuals who may seek to obtain this information through fraudulent means.
Bank Policy or Procedure Cross-Reference: The following Bank policies and procedures
address controls on access:
- PC/LAN Security Policy
- Internet/Email Policy
- Firewall Policy
- Network Security Administrator's Procedures
- Ethics and Employee Conduct for Personal Use of DP Resources
- CBS Administrator Procedures
Testing:
- Review by Outside Audit Firm of Firewall and On-Line Banking – last conducted ______.
- Outside Audit Firm annual review of Internal Security and Controls.
- Annual penetration testing by third party, (name them).

Control: Encryption of electronic customer information
Purpose/Description: Includes information while in transit or in storage on networks or
systems to which unauthorized individuals may have access.
Bank Policy or Procedure Cross-Reference: The following provide methods of encryption
of electronic customer information:
- SSL technology for online banking
- PGP password procedures for internal communications
- The use of Cisco routers on data
Testing: During the annual Outside Audit Firm Controls Review audit, the SSL
connections will be tested along with a review of emails for PGP usage.

Control: Customer information system modifications
Purpose/Description: Procedures designed to ensure that customer information system
modifications are consistent with the bank's information security program.
Bank Policy or Procedure Cross-Reference: Change control procedure for LANs, etc., to
be added to PC/LAN Security Policy and Firewall Policy.
Testing: (none listed)

Control: Monitoring systems and procedures
Purpose/Description: To detect actual and attempted attacks on or intrusions into
customer information systems.
Bank Policy or Procedure Cross-Reference:
- Net Prowler
- Monthly Log Reviews by Network Security Administrator
Testing: The annual Outside Audit Firm audit of I.S. Controls will review the log sheet
of the Network Security Administrator showing what servers were reviewed and when the
reviews occurred.

Control: Response programs
Purpose/Description: That specify actions to be taken when the bank suspects or detects
that unauthorized individuals have gained access to customer information systems,
including appropriate reports to regulatory and law enforcement agencies.
Bank Policy or Procedure Cross-Reference: Added to Firewall Policy (date).
Testing: The Network Security Administrator will update the response procedures.

Control: Contingency and Disaster Recovery
Purpose/Description: Measures to protect against destruction, loss, or damage of
customer information due to potential environmental hazards, such as fire and water
damage or technological failures.
Bank Policy or Procedure Cross-Reference:
- Disaster Recovery Plan
- Business Continuity Plan (Systems) with mirrored system capability by (date)
Testing: Testing of the disaster recovery plan and the business continuity plan will be
performed and documented by I.S. Department on an annual basis. Outside Audit Firm will
review during the annual Controls Review Audit.
Service Provider Oversight
Management shall exercise appropriate due diligence in selecting service providers.
When applicable, contracts with service providers shall specifically require them to
protect the security, confidentiality, and integrity of all customer information that is under
their control. Contractual performance shall be monitored.
Training
Appropriate initial and periodic ongoing training shall be provided to all associates who
carry out policies and procedures adopted within the Program. The Training Department
shall maintain records of all such training.
The Institution will approve the Customer Information Security Policy initially and
annually.
The board of directors approved and adopted this policy on ____________________.