
Examination Procedures To Evaluate Compliance With The Guidelines To Safeguard Customer Information


OCC 2001-35

Attachment A
Examination Procedures to Evaluate Compliance with the
Guidelines to Safeguard Customer Information
Background

These examination procedures are derived from the interagency Guidelines Establishing
Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the
Gramm-Leach-Bliley Act of 1999. The guidelines address standards for developing and
implementing administrative, technical, and physical safeguards to protect the security,
confidentiality, and integrity of customer information.

The guidelines require each institution to implement a comprehensive written information
security program that includes administrative, technical, and physical safeguards appropriate to
the size and complexity of the institution and the nature and scope of its activities. While all
parts of the institution are not required to implement a uniform set of policies, all elements of the
information security program must be coordinated.

These examination procedures are intended to assist examiners in assessing the level of
compliance with the guidelines. As such, the procedures are annotated, with commentary, to
provide guidance regarding the purpose of the examination procedure or as guidance in
performing the procedure.

The examination procedures are designed to apply to a wide range of banks. As such, certain
procedures may not apply to smaller or less complex institutions. Examiners should take these
factors into consideration during their evaluations.
Examination Procedures

Examination Objective: Determine whether the financial institution has established an adequate
written Information Security Program and whether the program complies with the Guidelines
Establishing Standards for Safeguarding Customer Information mandated by section 501(b) of
the Gramm-Leach-Bliley Act of 1999.
Key Questions or Considerations (with Clarification/Annotation)

I. Determine the involvement of the board.
A. Has the board or its designated committee approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines (guidelines)?
   Clarification/Annotation: Review the program to determine if it is appropriate for the size and complexity of the institution and the nature and scope of its activities.
B. If the board has assigned responsibility for program implementation and review of management reports to an individual or committee, do they possess the necessary knowledge, expertise and authority to perform the task?
C. Does the program contain the required elements?
   Clarification/Annotation: Determine whether the program includes the basic elements of the GLBA requirements.
1. If more than one information security program exists for the institution, are the programs coordinated across organizational units?
   Clarification/Annotation: Determine whether an enterprise-wide coordination of information security programs exists. Coordination should encompass all elements of the information security programs. One master program is not required.
D. Determine the usefulness of reports from management to the board (or its designated committee). Does the report adequately describe the overall status of the program, material risk issues, risk assessment, risk management and control decisions, service provider oversight, results of testing, security breaches and management's response, and recommendations for program changes?
   Clarification/Annotation: Determine who reviews the reports to ensure they are accurate.
1. How often does the board (or its designated committee) review reports?
   Clarification/Annotation: Reports on compliance with guidelines should be presented to the board (or its designated committee) at least annually.
E. Overall, do management and the board (or its designated committee) adequately oversee the institution's information security program?
   Clarification/Annotation: Comment on the degree of involvement in the oversight process by the board (or its designated committee) and involvement by senior management.


II. Evaluate the risk assessment process.
A. Review the risk assessment program.
1. How does the institution assess risk to its customer information systems and non public customer information?
   Clarification/Annotation: Review the steps taken to identify reasonably foreseeable threats and the potential damage those threats could cause given the policies, procedures, systems, and other factors that are in place to control risk. Discuss the use of current relevant information such as: hardware and software vulnerabilities, methods of attack, network topology, contractual requirements with outside parties, controls and control environment (e.g., policies, procedures, practices, budgets, organizational charts, and training), and test results.
2. Has the institution evaluated the risk to the entire customer information system?
   Clarification/Annotation: The customer information system is broader than automated systems. It includes all methods to access, collect, store, use, transmit, protect, or dispose of customer information.
3. Has the institution used personnel with sufficient expertise to assess the risks to its systems and customer information on an enterprise-wide basis?
   Clarification/Annotation: An enterprise-wide risk assessment using skills and knowledge from across the enterprise, from technical staff to management, should be conducted. Institutions may supplement their own knowledge with outside expertise. Less complex institutions may require fewer resources.
4. Is the risk assessment part of a formal risk assessment process with timelines and milestones? If not, how will management ensure timely completion?
5. Does the institution have a process for identifying and ranking its information assets (data and system components) according to sensitivity? How does it use this process in its risk assessment?
   Clarification/Annotation: The institution should identify the relative sensitivity of its information and customer information system, and use that identification to determine how certain data elements or system components should be protected. No specific process is required; whatever process is used should be logical, supportable, and appropriate for the institution.
B. Assess adequacy and effectiveness of risk assessment process.

1. Does the institution identify all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems?
   Clarification/Annotation: Review for reasonableness the threats management has identified.
2. Does the institution support its estimate of the potential damage posed by various threats?
   Clarification/Annotation: Review the process management uses to identify the potential risks and to assess the potential damage, if the risk is not mitigated.
3. Review the institution’s existing controls to mitigate risks. Does the institution’s analysis consider the current administrative, physical, and technical safeguards that prevent or mitigate potential damage?
4. Does the institution use test results to support its assessment of the adequacy and effectiveness of those controls?
C. Does the institution identify and prioritize its risk exposure, decide on the risks it must mitigate, and create a mitigation strategy? Is the decision to accept risks documented and reported to the appropriate management levels?
   Clarification/Annotation: Review factors used to evaluate level of risks and acceptability of risk as a business decision. Assess the reasonableness of documentation used to support this decision. All risk acceptance must be supported adequately and approved by the appropriate level of management.
1. Does the institution promptly act to mitigate risks that pose the immediate possibility of material loss?
   Clarification/Annotation: Risk assessments that uncover immediate risks of material loss should be traceable to prompt actions taken to mitigate those risks.
2. How does the institution demonstrate that the mitigation strategy was reviewed by appropriate officials?
   Clarification/Annotation: Review documentation.
3. Does the risk assessment provide guidance for the nature and extent of testing?
4. Does the risk assessment include vendor oversight requirements?

III. Evaluate the adequacy of the program to manage and control risk.
A. Review internal controls and policies. Has the institution documented or otherwise demonstrated, at a minimum, that it considered the following controls, and adopted those it considered appropriate?
   Clarification/Annotation: Assess the adequacy of controls used to support risk mitigation judgments.

1. Access controls, such as controls to authenticate and permit access to customer information systems to authorized persons only.
   Clarification/Annotation: Controls include both technical measures and procedures to guard against non-technical attacks, such as impersonation or identity theft.
2. Access restrictions at physical locations, such as buildings and computer facilities, to permit access to authorized persons only.
   Clarification/Annotation: Physical locations include all places where customer data is kept in a retrievable form, including document disposal.
3. Encryption of electronically transmitted and stored customer data.
   Clarification/Annotation: Review the encryption standards used by the institution. The selection of data to encrypt and the encryption technique and level should be supported by the risk assessment.
4. Procedures to ensure that systems modifications are consistent with the approved security program.
   Clarification/Annotation: Discuss changes in control procedures. Determine who has access to make changes to the system, both hardware and software, and how those changes are reviewed and verified.
5. Dual control procedures, segregation of duties, and employee background checks.
   Clarification/Annotation: Check standard internal control procedures to minimize fraud and other risks. In general, only employees should have access to customer information or customer information systems necessary to perform job functions.
6. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
   Clarification/Annotation: Review monitoring systems and procedures, including network and host intrusion detection systems, network traffic monitoring, manual review of logs, and other information available to assess management's monitoring processes.
7. Response programs specifying actions to be taken by specific individuals when the institution suspects unauthorized access (i.e., incident response).
   Clarification/Annotation: Determine whether procedures are in place to isolate, analyze, recover, and appropriately report unauthorized access. Recovery involves technical as well as public relations elements. Consider whether the bank has appropriate internal and external reporting procedures (e.g., regulator, law enforcement, news media).
8. Measures to protect against destruction, loss, or damage of information from potential environmental hazards, such as fire and water damage or technological failures.
   Clarification/Annotation: Review data and system backup and business resumption capabilities.
B. Is staff adequately trained to implement the security program?
   Clarification/Annotation: Review existing staff qualifications and requirements for ongoing training to ensure that the staff stays abreast of current technology and methods to safeguard customer information.

1. Obtain from management a listing of the training provided to all users of the institution’s system.
   Clarification/Annotation: Training includes awareness programs as well as classroom instruction. Training should be consistent with user’s security-related responsibility and function.
C. Determine whether key controls, systems, and procedures of the information security program are regularly tested by independent third parties or qualified independent staff in accordance with the risk assessment.
   Clarification/Annotation: Verify that the institution has identified its key controls, systems, and procedures. Key controls can be both technical and procedural in nature.
1. Assess whether the nature and frequency of testing is consistent with the risk assessment.
   Clarification/Annotation: Review scope and test results to ensure they address key risk areas.
2. Assess whether tests are conducted or reviewed by independent third parties or qualified staff independent of those that develop or maintain the security program.
   Clarification/Annotation: Tests should be conducted or reviewed by persons independent of those who operate the systems, including the management of those systems.
3. Assess whether management reviews test results promptly. Assess whether management takes appropriate steps to address adverse test results.
   Clarification/Annotation: Assess adequacy of corrective actions taken.

IV. Assess the measures taken to oversee service providers.
A. Determine whether the institution exercises due diligence in selecting service providers.
   Clarification/Annotation: Due diligence should include a review of the measures taken by a service provider to protect customer information.
B. Determine what information is supplied to service providers.
   Clarification/Annotation: List vendor(s) and type of data that is shared with them.
C. Obtain a copy of the contract(s) with the service provider(s). Determine whether contracts require service providers to implement appropriate measures to meet the objectives of the guidelines.
   Clarification/Annotation: Contracts entered on or before March 5, 2001 must be brought into compliance by July 1, 2003.
D. If the institution’s risk assessment requires monitoring a service provider, then perform the following steps for each applicable service provider.
1. Determine whether the service provider contract provides for sufficient reporting from the service provider to allow the institution to appropriately evaluate the service provider’s performance and security, both in ongoing operations and when malicious activity is suspected or known.
   Clarification/Annotation: Review the service provider reporting to ensure it provides the institution with sufficient information to manage the risks of inadequate performance as well as suspected or actual information security compromise.

2. Determine whether the institution’s actions adequately control information supplied to service providers, ensuring that the information is managed and secured properly.
   Clarification/Annotation: Review vendor management policies and procedures for adequacy, including the appropriateness and completeness of management reviews of service provider audits, test results, or other equivalent evaluations.
3. Review financial condition of service provider.

V. Determine whether an effective process exists to adjust program.
A. Does the institution have an effective process to adjust the information security program as needed? Is the appropriate person assigned responsibility for adjusting the information security program?
   Clarification/Annotation: Regardless of who does the oversight (board, designated committee, or individual), assess adequacy of monitoring, discuss the current program, and identify planned changes to the program.
B. Review procedures that are in place to ensure that when the institution makes changes in technology and its business function the requirements of the guidelines are also considered. These changes can include:
      1) Technology changes (e.g., software patches, new attack technologies and methodologies).
      2) Sensitivity of information.
      3) Threats (both nature and extent).
      4) Upcoming changes to institution’s business arrangements (e.g., mergers and acquisitions, alliances and joint ventures, outsourcing arrangements).
      5) Upcoming changes to customer information systems (e.g., new configurations or connectivity, new software).
   Clarification/Annotation: Determine how the responsible individual(s) is (are) informed of changes that might require adjustment to the program.
C. Determine whether appropriate expertise is applied to evaluate whether changes to the information security program are necessary.
D. Determine whether appropriate controls exist to ensure changes to the information security program are properly implemented in a timely, risk-based manner.
   Clarification/Annotation: The institution should ensure that adequate controls are implemented before the institution changes its systems or environment.

VI. Summarize and communicate your findings.
A. Discuss issues, conclusions, and potential violations with EIC.

B. Discuss findings with institution management. If you have identified material issues, obtain and document management commitments to address those issues.
C. Complete workpapers.
D. Detail findings with support in a Summary Comment.
