Director’s College 2007 Protecting Your Customers’ Privacy

Directors’ College 2007
Protecting Your Customers’ Privacy
A Directors’ Guide to GLBA
By David Abbott, FDIC IT Examiner
The Regulations
• Gramm-Leach-Bliley Act - Section 501(b)
FINANCIAL INSTITUTIONS’ SAFEGUARDS.
In furtherance of the policy in subsection (a), each agency or authority
described in section 505(a) shall establish appropriate standards for the
financial institutions subject to their jurisdiction relating to administrative,
technical, and physical safeguards
(1) to insure the security and confidentiality of customer records and
information;
(2) to protect against any anticipated threats or hazards to the security or
integrity of such records; and
(3) to protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to any
customer.
The Response
• Interagency Guidelines Establishing Standards for Safeguarding Customer Information
– FDIC - 12 CFR Parts 308 and 364
– OCC - 12 CFR Part 30
– FRB - 12 CFR Parts 208, 211, 225, and 263
– OTS - 12 CFR Parts 568 and 570
Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
Breaches, Breaches and more Breaches*
* Source - www.privacyrights.org
Public Bank Breaches*
• Bank of America
• Wachovia
• PNC
• Westborough Bank, MA
• Citi Financial
• J.P. Morgan Chase & Co.
• North Fork Bank, NY
• Firstrust Bank
• La Salle Bank
• People's Bank
• Vystar Credit Union, FL
• Nat'l Institutes of Health Federal Credit Union
• U.S. Bank
• Sovereign Bank
• FirstBank
• West Shore Bank, MI
• Premier Bank, MO
• Chase Bank
* Source - www.privacyrights.org
Common GLBA Examination Findings
Findings
• Partial inventories
• Incomplete risk assessments
• Weak Board reporting
• Limited ongoing training
• Lack of monitoring of suspicious activity for all customer information systems
• Incomplete incident response plans
• Weak oversight on service providers / vendors
• Limited validation
Inventory
• Identifying the data
– Where is the data?
• Network, Servicer, Back-up, Physical
– Who can access the data?
• Employees, Vendors, Consultants, Programmers
– How can the data be accessed?
• Intranet, Internet, Database, Application
Risk Assessment
• How is the data threatened?
– Internal and External; New and Old Threats
• How is the data protected?
– Encryption, Access Control, Security Configurations
• How is the data monitored?
– When, How Often, Independently
• How is the data disposed of?
– Shredded, Electronically Destroyed
– FACTA (FIL-130-2004)
Risk Assessment Conclusions
• Are you mitigating all threats?
• Would breaches be caught?
• Are changes detectable?
• Are you doing enough?
Board Reporting
Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.
Training
• Determine the frequency
– Most companies perform annually
– All new employees
• “One Size Doesn’t Fit All”
• Combine with other training
Monitoring
• Need to determine what needs monitoring
• Alert triggers should be established
• Should be done by independent person
• Should be automated
Incident Responses
• Need a definitive program
• Should address responses for any/all anticipated incidents
• Should consider walk-throughs and/or preparatory activities
FIL-27-2005
Service Providers and Vendors
• It is your responsibility to ensure that your Service Providers and Vendors adhere to GLBA
• All GLBA procedures should be conducted for all Service Providers and Vendors that have access or can gain access to Non-Public Customer Data
• Just having a Contract Clause is NOT enough
FIL-81-2000
Validation
• Vital part
• Needs to be done independently of the controls
• Frequency and Scope should be determined by your Risk Assessment
References
• Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards
– http://www.fdic.gov/regulations/laws/rules/2000-8660.html
• FFIEC GLBA Online Resources
– http://www.ffiec.gov/exam/InfoBase/start.htm
• Privacy Rights Clearinghouse
– http://www.privacyrights.org/
• FFIEC Handbooks
– http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
Contacts

Robert Sargent - FDIC
IT Specialist
15 Braintree Hill Office Park
Braintree, Massachusetts 02184
(781) 794-5535
[email protected]
Paul Nadeau – BOS FED
Supervisory Examiner
Federal Reserve Bank of Boston
600 Atlantic Avenue - PO Box 2076
Boston, Massachusetts 02106
(617) 973-5976
Peter Carter - OCC
Lead Technology Expert
Office of the Comptroller of the Currency
10 Exchange Place - 18th Floor
Jersey City, New Jersey 07302
(201) 413-7510
[email protected]
Thomas J. Donahue - OTS
IT Exam Manager
112 Madison Avenue - Suite 400
New York, NY 10016
(212) 779-4537
[email protected]