eBanking Information Security Guidelines. ABA's Technology Risk Management – A Strategic Approach, Telephone/Webcast Briefing, June 17, 2002.

Presentation transcript:

Slide 1: eBanking Information Security Guidelines
ABA's Technology Risk Management – A Strategic Approach
Telephone/Webcast Briefing, June 17, 2002

Slide 2: Background - 501(b) Guidelines
- Required by GLBA
- Purpose: to ensure security & confidentiality of customer information
- Effective July 1, 2001
- Effective July 1, 2003, for contracts entered into on or before March 5, 2001
- Guidelines: FIL (3/14/01)
- Exam Procedures: FIL (8/24/01)

Slide 3: What Do the Guidelines Require?
- Identify & assess risks to customer information
- Design & implement a program to control those risks
- Board review & approval
- Test key controls (at least annually)
- Train personnel
- Adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security

Slide 4: Types of Information to be Protected
- Customer's nonpublic personal information (uses the Privacy regulation definition)
- Does not apply to business customers
- Does not apply to consumers with no ongoing relationship (e.g., purchase a cashier's check, use your ATM network)

Slide 5: Key #1 - Risk Assessment
Each bank shall:
- Identify reasonably foreseeable internal & external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information;
- Assess the likelihood & potential damage of these threats, taking the sensitivity of the information into consideration; and
- Assess the sufficiency of procedures in place to control these risks.

Slide 6: Key #2 - Security Program
Each bank shall:
- Design an information security program to control identified risks, commensurate with the sensitivity of the information as well as the complexity & scope of the bank's activities
- Consider the eight security measures listed in §III.C.1, and adopt them if appropriate

Slide 7: The "Laundry List"
- Logical access controls
- Physical access controls
- Encryption
- System modification procedures
- Dual controls, segregation of duties, background checks
- IDS
- Incident response program
- Emergency plan

Slide 8: Key #3 - Oversee Service Providers
Each bank shall:
- Exercise appropriate due diligence in selecting service providers;
- Require service providers by contract to implement appropriate measures designed to meet the guidelines' objectives; and
- Monitor (where indicated by the bank's risk assessment) its service providers to confirm they have satisfied their obligations.

Slide 9: FDIC Examiner Survey
- DOS follow-up usually done within 1 year of a new requirement
- Survey sent to every field office in all 8 regional offices
- 5 questions
- Informal survey, not intended to be "scientific"

Slide 10: FDIC Examiner Survey
Survey questions:
– 3 most common deficiencies
– Most common question asked by bankers
– Is there confusion between the privacy regulation and the security guidelines?
– How much time have banks spent complying?
– How long does it take examiners to complete this part of the exam?

Slide 11: Three Most Common Deficiencies
1. Inadequate risk assessment - slightly more than half of responses noted banks with no assessment
2. Inadequate security policy/program - about one-third of responses noted banks with no written security policy
3. Inadequate: Board involvement, testing, training

Slide 12: Most Common Banker Questions
1. How should a bank perform & document a risk assessment?
2. Does FDIC have any further guidance on what an acceptable risk assessment & security policy should look like?
– What guidelines?
– Am I in compliance?
– What are other banks doing?

Slide 13: Confusion With the Privacy Regulation?
YES
- Overall, a very large percentage of survey forms said that bankers confuse the privacy regulation & the security guidelines
- Some bankers think they are the same thing
- Some bankers think compliance with the privacy regulation means compliance with the security guidelines

Slide 14: Time Spent Complying
- No significant expenditure of time so far (see previous slides)
- Banks anticipate significant time going forward
- Large v. small banks
- Some $ spent, mostly time
- Some are comparing the burden to Y2K

Slide 15: Time Spent by Examiners
- Nationwide overall average: about 1-1/2 days
- Significantly less for banks with no security program and very small banks
- More time for banks with a security program and large banks

Slide 16: Recommendations
- Become familiar with what the guidelines require
- Conduct & document a formal, comprehensive risk assessment
- Develop a written security policy/program
- Brief the Board of Directors and get their approval

Jeffrey M. Kopchik, Senior Policy Analyst