
eBanking Information Security Guidelines
ABA's Technology Risk Management – A Strategic Approach
Telephone/Webcast Briefing, June 17, 2002

Presentation transcript:


Slide 2: Background - 501(b) Guidelines
- Required by GLBA
- Purpose: to ensure the security & confidentiality of customer information
- Effective July 1, 2001
- Effective July 1, 2003, for contracts entered into on or before March 5, 2001
- Guidelines: FIL 22-2001 (3/14/01)
- Exam Procedures: FIL 68-2001 (8/24/01)

Slide 3: What Do the Guidelines Require?
- Identify & assess risks to customer information
- Design & implement a program to control those risks
- Board review & approval
- Test key controls (at least annually)
- Train personnel
- Adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security

Slide 4: Types of Information to be Protected
- Customer's nonpublic personal information (uses the Privacy regulation's definition)
- Does not apply to business customers
- Does not apply to consumers with no ongoing relationship (e.g., someone who purchases a cashier's check or uses your ATM network)

Slide 5: Key #1 - Risk Assessment
Each bank shall:
- Identify reasonably foreseeable internal & external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information;
- Assess the likelihood & potential damage of these threats, taking the sensitivity of the information into consideration; and
- Assess the sufficiency of procedures in place to control these risks.

Slide 6: Key #2 - Security Program
Each bank shall:
- Design an information security program to control identified risks, commensurate with the sensitivity of the information as well as the complexity & scope of the bank's activities
- Consider the eight security measures listed in §III.C.1, and adopt them if appropriate

Slide 7: The "Laundry List" (the eight measures in §III.C.1)
- Logical access controls
- Physical access controls
- Encryption
- System modification procedures
- Dual controls, segregation of duties, background checks
- IDS
- Incident response program
- Emergency plan

Slide 8: Key #3 - Oversee Service Providers
Each bank shall:
- Exercise appropriate due diligence in selecting service providers;
- Require service providers by contract to implement appropriate measures designed to meet the guidelines' objectives; and
- Monitor (where indicated by the bank's risk assessment) its service providers to confirm they have satisfied their obligations.

Slide 9: FDIC Examiner Survey
- DOS follow-up is usually done within 1 year of a new requirement
- Survey sent to every field office in all 8 regional offices
- 5 questions
- Informal survey, not intended to be "scientific"

Slide 10: FDIC Examiner Survey
Survey questions:
- 3 most common deficiencies
- Most common question asked by bankers
- Is there confusion between the privacy regulation and the security guidelines?
- How much time have banks spent complying?
- How long does it take examiners to complete this part of the exam?

Slide 11: Three Most Common Deficiencies
1. Inadequate risk assessment
   - Slightly more than half of responses noted banks with no assessment
2. Inadequate security policy/program
   - About one-third of responses noted banks with no written security policy
3. Inadequate Board involvement, testing, and training

Slide 12: Most Common Banker Questions
1. How should a bank perform & document a risk assessment?
2. Does FDIC have any further guidance on what an acceptable risk assessment & security policy should look like?
- What guidelines?
- Am I in compliance?
- What are other banks doing?

Slide 13: Confusion With Privacy Regulation
YES
- Overall, a very large percentage of survey forms said that bankers confuse the privacy regulation & the security guidelines
- Some bankers think they are the same thing
- Some bankers think compliance with the privacy regulation means compliance with the security guidelines

Slide 14: Time Spent Complying
- No significant expenditure of time so far (see previous slides)
- Banks anticipate significant time going forward
- Large v. small banks
- Some $ spent, mostly time
- Some are comparing the burden to Y2K

Slide 15: Time Spent by Examiners
- Nationwide overall average: about 1-1/2 days
- Significantly less for banks with no security program and for very small banks
- More time for banks with a security program and for large banks

Slide 16: Recommendations
- Become familiar with what the guidelines require
- Conduct & document a formal, comprehensive risk assessment
- Develop a written security policy/program
- Brief the Board of Directors and get their approval

Slide 17: Contact
Jeffrey M. Kopchik
Senior Policy Analyst
jkopchik@fdic.gov

