directors college 2007 protecting your customers privacy a directors guide to glba l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA PowerPoint Presentation
Download Presentation
Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA

Loading in 2 Seconds...

play fullscreen
1 / 24

Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA - PowerPoint PPT Presentation


  • 205 Views
  • Uploaded on

Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA. By David Abbott, FDIC IT Examiner. The Regulations. Gramm-Leach-Bliley Act -Section 501(b). FINANCIAL INSTITUTIONS’ SAFEGUARDS .

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Directors’ College 2007 Protecting Your Customers’ Privacy A Directors’ Guide to GLBA' - dunne


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
directors college 2007 protecting your customers privacy a directors guide to glba

Directors’ College 2007Protecting Your Customers’ PrivacyA Directors’ Guide to GLBA

By David Abbott, FDIC IT Examiner

the regulations
The Regulations
  • Gramm-Leach-Bliley Act -Section 501(b)

FINANCIAL INSTITUTIONS’ SAFEGUARDS.

In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or

integrity of such records; and

(3) to protect against unauthorized access to or use of such records or

information which could result in substantial harm or inconvenience to any

customer.

the response
The Response
  • Interagency Guidelines Establishing Standards for Safeguarding Customer Information
    • FDIC - 12 CFR Parts 308 and 364
    • OCC - 12 CFR Part 30
    • FRB - 12 CFR Parts 208, 211, 225, and 263
    • OTS - 12 CFR Parts 568 and 570
appendix b to part 364 interagency guidelines establishing information security standards
Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards

Table of ContentsI.  Introduction   A.  Scope   B.  Preservation of Existing Authority   C.  Definitions II.  Standards for Safeguarding Customer Information   A.  Information Security Program   B.  Objectives III.  Development and Implementation of Customer Information Security Program   A.  Involve the Board of Directors   B.  Assess Risk   C.  Manage and Control Risk   D.  Oversee Service Provider Arrangements   E.  Adjust the Program   F.  Report to the Board   G.  Implement the Standards

breaches breaches and more breaches
Breaches, Breaches and more Breaches*

Over 100 Million Records Compromised

Your Company !?!?

* Source - www.privacyrights.org

public bank breaches
Public Bank Breaches*
  • Bank of America
  • Wachovia
  • PNC
  • Westborough Bank, MA
  • Citi Financial
  • J.P. Morgan Chase & Co.
  • North Fork Bank, NY
  • Firstrust Bank
  • La Salle Bank
  • People's Bank
  • Vystar Credit Union, FL
  • Nat'l Institutes of Health Federal Credit Union
  • U.S. Bank
  • Sovereign Bank
  • FirstBank
  • West Shore Bank, MI
  • Premier Bank, MO
  • Chase Bank

* Source - www.privacyrights.org

slide8

Will you be on the list?

Would you know if your data was stolen?

common glba examination findings
Common GLBA Examination Findings

Findings

  • Partial inventories
  • Incomplete risk assessments
  • Weak Board reporting
  • Limited ongoing training
  • Lack of monitoring of suspicious activity for all customer information systems
  • Incomplete incident response plans
  • Weak oversight on service providers / vendors
  • Limited validation
inventory
Inventory
  • Identifying the data
    • Where is the data?
      • Network, Servicer, Back-up, Physical
    • Who can access the data?
      • Employees, Vendors, Consultants, Programmers
    • How can the data be accessed?
      • Intranet, Internet, Database, Application
risk assessment
Risk Assessment
  • How is the data threatened?
    • Internal and External; New and Old Threats
  • How is the data protected?
    • Encryption, Access Control, Security Configurations
  • How is the data monitored?
    • When, How Often, Independently
  • How is the data disposed of?
    • Shredded, Electronically Destroyed ---
    • FACTA (FIL-130-2004)
risk assessment conclusions
Risk Assessment Conclusions
  • Are you mitigating all threats?
  • Would breaches be caught?
  • Are changes detectable?
  • Are you doing enough?
board reporting
Board Reporting

Report to the Board.  Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

training
Training
  • Determine the frequency
    • Most companies perform annually
    • All new employees
  • “One Size Doesn’t Fit All”
  • Combine with other training
monitoring
Monitoring
  • Need to determine what needs monitoring
  • Alert triggers should be established
  • Should be done by independent person
  • Should be automated
incident reponses
Incident Reponses
  • Need a definitive program
  • Should address responses for any/all anticipated incidents
  • Should consider walk-throughs and/or preparatory activities

FIL-27-2005

service providers and vendors
Service Providers and Vendors
  • It is your responsibility to ensure that your Service Providers and Vendors adhere to GLBA
  • All GLBA procedures should be conducted for all Service Providers and Vendors that have access or can gain access to Non-Public Customer Data
  • Just having a Contract Clause is NOT enough

FIL 81-2000

validation
Validation
  • Vital part
  • Needs to be done independently of the controls
  • Frequency and Scope should be determined by your Risk Assessment
references
References
  • Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards
    • http://www.fdic.gov/regulations/laws/rules/2000-8660.html
  • FFIEC GLBA Online Resources
    • http://www.ffiec.gov/exam/InfoBase/start.htm
  • Privacy Rights Clearinghouse
    • http://www.privacyrights.org/
  • FFIEC Handbooks
    • http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
slide20

Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards http://www.fdic.gov/regulations/laws/rules/2000-8660.html

ffiec glba online training http www ffiec gov exam infobase start htm
FFIEC GLBA Online Traininghttp://www.ffiec.gov/exam/InfoBase/start.htm
ffiec handbooks http www ffiec gov ffiecinfobase html pages it 01 html
FFIEC Handbookshttp://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
slide24

Contacts

  • Paul Nadeau – BOS FED

Supervisory Examiner

  • Federal Reserve Bank of Boston
  • 600 Atlantic Avenue - PO Box 2076
  • Boston, Massachusetts 02106
  • (617) 973-5976
  • Peter Carter - OCC

Lead Technology Expert

  • Office of the Comptroller of the Currency
  • 112 Madison Avenue - Suite 400
  • New York, NY 10016
  • (212) 779-4537
  • peter.carter@occ.treas.gov
  • Robert Sargent - FDIC

IT Specialist

  • 15 Braintree Hill Office Park
  • Braintree, Massachusetts 02184
  • (781) 794-5535
  • rsargent@fdic.gov
  • Thomas J. Donahue - OTS

IT Exam Manager

  • 10 Exchange Place - 18th Floor
  • Jersey City, New Jersey 07302
  • (201) 413-7510 thomas.donahue@ots.treas.gov