Presentation is loading. Please wait.

Presentation is loading. Please wait.

Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA By David Abbott, FDIC IT Examiner.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA By David Abbott, FDIC IT Examiner."— Presentation transcript:

1 Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA By David Abbott, FDIC IT Examiner

2 The Regulations Gramm-Leach-Bliley Act -Section 501(b) FINANCIAL INSTITUTIONS’ SAFEGUARDS. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

3 The Response Interagency Guidelines Establishing Standards for Safeguarding Customer Information –FDIC - 12 CFR Parts 308 and 364 –OCC - 12 CFR Part 30 –FRB - 12 CFR Parts 208, 211, 225, and 263 –OTS - 12 CFR Parts 568 and 570

4 Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards Table of Contents I. Introduction A. Scope B. Preservation of Existing Authority C. Definitions II. Standards for Safeguarding Customer Information A. Information Security Program B. Objectives III. Development and Implementation of Customer Information Security Program A. Involve the Board of Directors B. Assess Risk C. Manage and Control Risk D. Oversee Service Provider Arrangements E. Adjust the Program F. Report to the Board G. Implement the Standards

5

6 Breaches, Breaches and more Breaches* * Source - www.privacyrights.orgwww.privacyrights.org

7 Public Bank Breaches* Bank of America Wachovia PNC Westborough Bank, MA Citi Financial J.P. Morgan Chase & Co. North Fork Bank, NY Firstrust Bank La Salle Bank People's Bank Vystar Credit Union, FL Nat'l Institutes of Health Federal Credit Union U.S. Bank Sovereign Bank FirstBank West Shore Bank, MI Premier Bank, MO Chase Bank * Source - www.privacyrights.orgwww.privacyrights.org

8

9 Common GLBA Examination Findings Findings Partial inventories Incomplete risk assessments Weak Board reporting Limited ongoing training Lack of monitoring of suspicious activity for all customer information systems Incomplete incident response plans Weak oversight on service providers / vendors Limited validation

10 Inventory Identifying the data –Where is the data? Network, Servicer, Back-up, Physical –Who can access the data? Employees, Vendors, Consultants, Programmers –How can the data be accessed? Intranet, Internet, Database, Application

11 Risk Assessment How is the data threatened? –Internal and External; New and Old Threats How is the data protected? –Encryption, Access Control, Security Configurations How is the data monitored? –When, How Often, Independently How is the data disposed of? –Shredded, Electronically Destroyed --- –FACTA (FIL-130-2004)

12 Risk Assessment Conclusions Are you mitigating all threats? Would breaches be caught? Are changes detectable? Are you doing enough?

13 Board Reporting Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

14 Training Determine the frequency –Most companies perform annually –All new employees “One Size Doesn’t Fit All” Combine with other training

15 Monitoring Need to determine what needs monitoring Alert triggers should be established Should be done by independent person Should be automated

16 Incident Reponses Need a definitive program Should address responses for any/all anticipated incidents Should consider walk-throughs and/or preparatory activities FIL-27-2005

17 Service Providers and Vendors It is your responsibility to ensure that your Service Providers and Vendors adhere to GLBA All GLBA procedures should be conducted for all Service Providers and Vendors that have access or can gain access to Non-Public Customer Data Just having a Contract Clause is NOT enough FIL 81-2000

18 Validation Vital part Needs to be done independently of the controls Frequency and Scope should be determined by your Risk Assessment

19 References Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards –http://www.fdic.gov/regulations/laws/rules/2000-8660.htmlhttp://www.fdic.gov/regulations/laws/rules/2000-8660.html FFIEC GLBA Online Resources –http://www.ffiec.gov/exam/InfoBase/start.htmhttp://www.ffiec.gov/exam/InfoBase/start.htm Privacy Rights Clearinghouse –http://www.privacyrights.org/http://www.privacyrights.org/ FFIEC Handbooks –http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.htmlhttp://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

20 Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards http://www.fdic.gov/regulations/laws/rules/2000-8660.html http://www.fdic.gov/regulations/laws/rules/2000-8660.html

21 FFIEC GLBA Online Training http://www.ffiec.gov/exam/InfoBase/start.htm http://www.ffiec.gov/exam/InfoBase/start.htm

22 Privacy Rights Clearinghouse http://www.privacyrights.org/ http://www.privacyrights.org/

23 FFIEC Handbooks http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

24 lRobert Sargent - FDIC IT Specialist 15 Braintree Hill Office Park Braintree, Massachusetts 02184 (781) 794-5535 rsargent@fdic.gov lThomas J. Donahue - OTS IT Exam Manager 10 Exchange Place - 18th Floor Jersey City, New Jersey 07302 (201) 413-7510 thomas.donahue@ots.treas.gov lPaul Nadeau – BOS FED Supervisory Examiner Federal Reserve Bank of Boston 600 Atlantic Avenue - PO Box 2076 Boston, Massachusetts 02106 (617) 973-5976 lPeter Carter - OCC Lead Technology Expert Office of the Comptroller of the Currency 112 Madison Avenue - Suite 400 New York, NY 10016 (212) 779-4537 peter.carter@occ.treas.gov Contacts

Download ppt "Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA By David Abbott, FDIC IT Examiner."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
University of Minnesota

University of Minnesota
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.

Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.
1 SAFEGUARDING REGULATIONS AND HOW THEY EFFECT US MICHIGAN ASSOCIATION FOR STUDENT FINANACIAL SERVICE ADMINISTRATORS BY: KAREN REDDICK NATIONAL CREDIT.

1 SAFEGUARDING REGULATIONS AND HOW THEY EFFECT US MICHIGAN ASSOCIATION FOR STUDENT FINANACIAL SERVICE ADMINISTRATORS BY: KAREN REDDICK NATIONAL CREDIT.
Chapter 12: Regulatory Compliance for Financial Institutions.

Chapter 12: Regulatory Compliance for Financial Institutions.
Auditing Corporate Information Security John R. Robles Tuesday, November 1, 2005 Tel: 787-647-396.

Auditing Corporate Information Security John R. Robles Tuesday, November 1, Tel:
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.

Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.

E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.

The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.
Step 1: A.User enters id/pw for FI: encrypted in Quicken PIN vault B.Id/pw transmitted to Intuit CustomerCentral Servers at NCR using 128 bit SSL Step.

Step 1: A.User enters id/pw for FI: encrypted in Quicken PIN vault B.Id/pw transmitted to Intuit CustomerCentral Servers at NCR using 128 bit SSL Step.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Similar presentations

Ads by Google