Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information
Background
These examination procedures are derived from the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. The guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
The guidelines require each institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. While all parts of the institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
These examination procedures are intended to assist examiners in assessing the level of compliance with the guidelines. As such, the procedures are annotated, with commentary, to provide guidance regarding the purpose of the examination procedure or as guidance in performing the procedure.
The examination procedures are designed to apply to a wide range of banks. As such, certain procedures may not apply to smaller or less complex institutions. Examiners should take these factors into consideration during their evaluations.
Examination Procedures
| Examination Objective: Determine whether the financial institution has established an adequate written Information Security Program and whether the program complies with the Guidelines Establishing Standards for Safeguarding Customer Information mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999. | |||
| Key Questions or Considerations | Clarification/Annotation | ||
|---|---|---|---|
| I. Determine the involvement of the board. | |||
| A. | Has the board or its designated committee approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines (guidelines)? | Review the program to determine if it is appropriate for the size and complexity of the institution and the nature and scope of its activities. | |
| B. | If the board has assigned responsibility for program implementation and review of management reports to an individual or committee, do they possess the necessary knowledge, expertise and authority to perform the task? | ||
| C. | Does the program contain the required elements? | Determine whether the program includes the basic elements of the GLBA requirements. | |
| 1. | If more than one information security program exists for the institution, are the programs coordinated across organizational units? | Determine whether an enterprise-wide coordination of information security programs exists. Coordination should encompass all elements of the information security programs. One master program is not required. | |
| D. | Determine the usefulness of reports from management to the board (or its designated committee). Does the report adequately describe the overall status of the program, material risk issues, risk assessment, risk management and control decisions, service provider oversight, results of testing, security breaches and management's response, and recommendations for program changes? | Determine who reviews the reports to ensure they are accurate. | |
| 1. | How often does the board (or its designated committee) review reports? | Reports on compliance with guidelines should be presented to the board (or its designated committee) at least annually. | |
| E. | Overall, do management and the board (or its designated committee) adequately oversee the institution's information security program? |
Comment on the degree of involvement in the oversight process by the
board (or its designated committee) and involvement by senior management.
|
|
| Key Questions or Considerations | Clarification/Annotation | |
|---|---|---|
| II. Evaluate the risk assessment process. | ||
| A. | Review the risk assessment program. | |
| 1. | How does the institution assess risk to its customer information systems and non-public customer information? | Review the steps taken to identify reasonably foreseeable threats and the potential damage those threats could cause given the policies, procedures, systems, and other factors that are in place to control risk. Discuss the use of current relevant information such as: hardware and software vulnerabilities, methods of attack, network topology, contractual requirements with outside parties, controls and control environment (e.g., policies, procedures, practices, budgets, organizational charts, and training), and test results. |
| 2. | Has the institution evaluated the risk to the entire customer information system? | The customer information system is broader than automated systems. It includes all methods to access, collect, store, use, transmit, protect, or dispose of customer information. |
| 3. | Has the institution used personnel with sufficient expertise to assess the risks to its systems and customer information on an enterprise-wide basis? | An enterprise-wide risk assessment using skills and knowledge from across the enterprise, from technical staff to management, should be conducted. Institutions may supplement their own knowledge with outside expertise. Less complex institutions may require fewer resources. |
| 4. | Is the risk assessment part of a formal risk assessment process with timelines and milestones? If not, how will management ensure timely completion? | |
| 5. | Does the institution have a process for identifying and ranking its information assets (data and system components) according to sensitivity? How does it use this process in its risk assessment? | The institution should identify the relative sensitivity of its information and customer information system, and use that identification to determine how certain data elements or system components should be protected. No specific process is required; whatever process is used should be logical, supportable, and appropriate for the institution. |
| B. | Assess adequacy and effectiveness of risk assessment process. | |
| 1. | Does the institution identify all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems? | Review for reasonableness the threats management has identified. |
|
2.
|
Does the institution support its estimate of the potential damage posed by various threats? | Review the process management uses to identify the potential risks and to assess the potential damage, if the risk is not mitigated. |
| 3. | Review the institution’s existing controls to mitigate risks. Does the institution’s analysis consider the current administrative, physical, and technical safeguards that prevent or mitigate potential damage? | |
| 4. | Does the institution use test results to support its assessment of the adequacy and effectiveness of those controls? | |
| C. | Does the institution identify and prioritize its risk exposure, decide on the risks it must mitigate, and create a mitigation strategy? Is the decision to accept risks documented and reported to the appropriate management levels? | Review factors used to evaluate level of risks and acceptability of risk as a business decision. Assess the reasonableness of documentation used to support this decision. All risk acceptance must be supported adequately and approved by the appropriate level of management. |
| 1. | Does the institution promptly act to mitigate risks that pose the immediate possibility of material loss? | Risk assessments that uncover immediate risks of material loss should be traceable to prompt actions taken to mitigate those risks. |
| 2. | How does the institution demonstrate that the mitigation strategy was reviewed by appropriate officials? | Review documentation. |
| 3. | Does the risk assessment provide guidance for the nature and extent of testing? | |
| 4. | Does the risk assessment include vendor oversight requirements? | |
| Key Questions or Considerations | Clarification/Annotation | |
|---|---|---|
| III. Evaluate the adequacy of the program to manage and control risk. | ||
| A. | Review internal controls and policies. Has the institution documented or otherwise demonstrated, at a minimum, that it considered the following controls, and adopted those it considered appropriate? | Assess the adequacy of controls used to support risk mitigation judgments. |
| 1. | Access controls, such as controls to authenticate and permit access to customer information systems to authorized persons only. | Controls include both technical measures and procedures to guard against non-technical attacks, such as impersonation or identity theft. |
| 2. | Access restrictions at physical locations, such as buildings and computer facilities, to permit access to authorized persons only. | Physical locations include all places where customer data is kept in a retrievable form, including document disposal. |
| 3. | Encryption of electronically transmitted and stored customer data. | Review the encryption standards used by the institution. The selection of data to encrypt and the encryption technique and level should be supported by the risk assessment. |
| 4. | Procedures to ensure that systems modifications are consistent with the approved security program. | Discuss changes in control procedures. Determine who has access to make changes to the system, both hardware and software, and how those changes are reviewed and verified. |
| 5. |
Dual control procedures, segregation of duties, and employee background
checks.
|
Check standard internal control procedures to minimize fraud and other risks. In general, only employees should have access to customer information or customer information systems necessary to perform job functions. |
| 6. |
Monitoring systems and procedures to detect actual and attempted
attacks on or intrusions into customer information systems.
|
Review monitoring systems and procedures, including network and host intrusion detection systems, network traffic monitoring, manual review of logs, and other information available to assess management's monitoring processes. |
| 7. |
Response programs specifying actions to be taken by specific
individuals when the institution suspects unauthorized access
(i.e., incident response). |
Determine whether procedures are in place to isolate, analyze, recover, and appropriately report unauthorized access. Recovery involves technical as well as public relations elements. Consider whether the bank has appropriate internal and external reporting procedures (e.g., regulator, law enforcement, news media). |
| 8. | Measures to protect against destruction, loss, or damage of information from potential environmental hazards, such as fire and water damage or technological failures. | Review data and system backup and business resumption capabilities. |
| B. | Is staff adequately trained to implement the security program? | Review existing staff qualifications and requirements for ongoing training to ensure that the staff stays abreast of current technology and methods to safeguard customer information. |
| 1. | Obtain from management a listing of the training provided to all users of the institution’s system. | Training includes awareness programs as well as classroom instruction. Training should be consistent with user’s security-related responsibility and function. |
| C. | Determine whether key controls, systems, and procedures of the information security program are regularly tested by independent third parties or qualified independent staff in accordance with the risk assessment. | Verify that the institution has identified its key controls, systems, and procedures. Key controls can be both technical and procedural in nature. |
| 1. | Assess whether the nature and frequency of testing is consistent with the risk assessment. | Review scope and test results to ensure they address key risk areas. |
| 2. | Assess whether tests are conducted or reviewed by independent third parties or qualified staff independent of those that develop or maintain the security program. | Tests should be conducted or reviewed by persons independent of those who operate the systems, including the management of those systems. |
| 3. | Assess whether management reviews test results promptly. Assess whether management takes appropriate steps to address adverse test results. | Assess adequacy of corrective actions taken. |
| Key Questions or Considerations | Clarification/Annotation | |
|---|---|---|
| IV. Assess the measures taken to oversee service providers. | ||
| A. | Determine whether the institution exercises due diligence in selecting service providers. | Due diligence should include a review of the measures taken by a service provider to protect customer information. |
| B. | Determine what information is supplied to service providers. | List vendor(s) and type of data that is shared with them. |
| C. | Obtain a copy of the contract(s) with the service provider(s). Determine whether contracts require service providers to implement appropriate measures to meet the objectives of the guidelines. | Contracts entered on or before March 5, 2001 must be brought into compliance by July 1, 2003. |
| D. | If the institution’s risk assessment requires monitoring a service provider, then perform the following steps for each applicable service provider. | |
| 1. | Determine whether the service provider contract provides for sufficient reporting from the service provider to allow the institution to appropriately evaluate the service provider’s performance and security, both in ongoing operations and when malicious activity is suspected or known. | Review the service provider reporting to ensure it provides the institution with sufficient information to manage the risks of inadequate performance as well as suspected or actual information security compromise. |
| 2. | Determine whether the institution’s actions adequately control information supplied to service providers, ensuring that the information is managed and secured properly. | Review vendor management policies and procedures for adequacy, including the appropriateness and completeness of management reviews of service provider audits, test results, or other equivalent evaluations. |
| 3. | Review financial condition of service provider. | |
| Key Questions or Considerations | Clarification/Annotation | |
|---|---|---|
| V. Determine whether an effective process exists to adjust program. | ||
| A. | Does the institution have an effective process to adjust the information security program as needed? Is the appropriate person assigned responsibility for adjusting the information security program? | Regardless of who does the oversight (board, designated committee, or individual), assess adequacy of monitoring, discuss the current program, and identify planned changes to the program. |
| B. |
Review procedures that are in place to ensure that when the institution
makes changes in technology and its business function the requirements of
the guidelines are also considered. These changes can include:
1) Technology changes (e.g., software patches, new attack technologies and methodologies). 2) Sensitivity of information. 3) Threats (both nature and extent). 4) Upcoming changes to institution’s business arrangements (e.g., mergers and acquisitions, alliances and joint ventures, outsourcing arrangements). 5) Upcoming changes to customer information systems (e.g., new configurations or connectivity, new software). |
Determine how the responsible individual(s) is (are) informed of
changes that might require adjustment to the program.
|
| C. | Determine whether appropriate expertise is applied to evaluate whether changes to the information security program are necessary. | |
| D. | Determine whether appropriate controls exist to ensure changes to the information security program are properly implemented in a timely, risk-based manner. | The institution should ensure that adequate controls are implemented before the institution changes its systems or environment. |
| Key Questions or Considerations | Clarification/Annotation | |
|---|---|---|
| VI. Summarize and communicate your findings. | ||
| A. | Discuss issues, conclusions, and potential violations with EIC. | |
| B | Discuss findings with institution management. If you have identified material issues, obtain and document management commitments to address those issues. | |
| C. | Complete workpapers. | |
| D. | Detail findings with support in a Summary Comment. | |