Sample Information Security Policies


May 31,
Research Blvd, Suite 2, Building T
Austin, TX
Boston | Austin | Atlanta

Table of Contents

INFORMATION SECURITY POLICY STATEMENT FOR SAMPLE BANK ... 1
INFORMATION SECURITY PROGRAM FOR SAMPLE BANK ... 10
INCIDENT RESPONSE POLICY FOR SAMPLE BANK ... 25
CHANGE MANAGEMENT POLICY FOR SAMPLE BANK
POLICY FOR SAMPLE BANK ... 32
INTERNET USE POLICY FOR SAMPLE BANK ... 41
REMOTE ACCESS POLICY ... 51
PATCH MANAGEMENT POLICY FOR SAMPLE BANK ... 54
RECORD RETENTION AND DESTRUCTION POLICY FOR SAMPLE BANK ... 55
REGULATORY COMPLIANCE CHECKLIST ... 57
TECHNOLOGY ASSET DISPOSAL POLICY FOR SAMPLE BANK ... 63
VENDOR RELATIONSHIP MANAGEMENT POLICY FOR SAMPLE BANK ... 66
ANNUAL REVIEW OF VENDORS AND SERVICE PROVIDERS POLICY FOR SAMPLE BANK ... 78
SAMPLE BANK SECURITY COMMITTEE CHARTER ... 79
INCIDENT RESPONSE CHECKLIST ... 82
INFORMATION SECURITY INCIDENT REPORT

Information Security Policy Statement for Sample Bank

Introduction

Like all financial institutions, Sample Bank ("Sample Bank" or "the Bank") is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks.

The passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 ("GLBA") intensified regulatory attention on technology risk management and information security. The Act required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While the different parts of a financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

To comply with regulatory guidelines, a financial institution's information security program should be designed to:
- Ensure the security and confidentiality of customer information
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must:
- Approve the financial institution's written information security program
- Oversee the development, implementation, and maintenance of the financial institution's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

With regard to assessing and understanding risk, each financial institution must:
- Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information
- Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution's activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly:

- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals, and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means
- Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities, to permit access only to authorized individuals
- Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
- Procedures designed to ensure that modifications ("patch management") to the customer information system are consistent with and do not diminish the effectiveness of the financial institution's information security program
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
- Monitoring systems (24/7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems
- Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

In addition to developing an information security program, the financial institution must train staff to implement the bank's information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution's risk assessment. Tests should be conducted, or their results reviewed, by independent third parties or by staff independent of those who develop or maintain the security programs.

Sample Bank's Information Security Requirements

The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank's customer information systems. Further, the Board of Directors and management of Sample Bank recognize that, in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems, and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified.

To ensure that information security risks are understood and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy. Sample Bank is committed to implementing and maintaining an effective information security program, in compliance with the requirements of Section 501(b) of the 1999 Gramm-Leach-Bliley Act, Protection of Nonpublic Personal Information, and the Guidelines Establishing Standards for Safeguarding Customer Information. Sample Bank is committed to safe and sound banking and operating practices, to properly safeguarding both customer information and proprietary bank

information, and to preventing unauthorized or inadvertent access to or disclosure of such information.

Purposes and Objectives of Policy

The primary purposes of Sample Bank's Information Security Policy are to ensure that the Bank, the Board of Directors and Management:
- Understand the risks and threats to which information systems are exposed,
- Evaluate the potential exposures to such risks/threats,
- Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and
- Test the efficacy of information security systems and controls.

Specific objectives of this Policy are to:
- Ensure the accuracy, integrity, security and confidentiality of customer information received, processed and maintained by the Bank.
- Ensure that such information, and proprietary Bank information, is adequately protected against anticipated threats or hazards to its security or integrity.
- Protect against unauthorized access to or use of customer and proprietary bank information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank.
- Provide for the timely and comprehensive identification and assessment of vulnerabilities and risks that may threaten the security or integrity of customer and proprietary bank information.
- Document Policy standards for managing and controlling identified risks.
- Provide standards for testing the Policy, and adjust it on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security.
- Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures.
- Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information.
- Ensure protection of the hardware and software components that comprise the Bank's Information Systems.
- Protect against the use of the Bank's assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Company's reputation or a violation of the law.

In connection with this general Information Security Policy, Sample Bank has also adopted the following specific policies:
- Internet Usage
- Network (i.e., LAN) Configuration Security
- Intrusion Detection and Response
- Telecommuting (Laptops) Security
- Logical and Administrative Access Control

- Logging and Data Collection
- Password Security
- Malicious Code Protection
- Data Back-up and Archival Storage
- Record Retention and Destruction
- Hardware and Software Acquisition, Copyright and Licensing
- Technology Asset Disposal
- Change Management
- Patch Management
- Physical Security
- Business Continuity Planning

Training

The Information Security Officer will ensure that all employees of Sample Bank, its Board members and management, receive training in the regulatory guidelines and laws governing customer information security and in the Bank's information security procedures, as appropriate to their position at the Bank and their job responsibilities. The Information Security Officer will ensure that training systems are in place to address (i) initial training for new or transferred personnel, (ii) continuing review sessions for existing personnel and (iii) updated sessions for all affected personnel when any significant revisions are made to the Information Security Program.

Risk Assessment and Management

Sample Bank will implement a comprehensive risk assessment process, including classification, or ranking, of information systems, both electronic and non-electronic, based on the following criteria:
- Nature and sensitivity of information contained in the system, whether non-public customer or proprietary bank information
- Quantity or volume of such information contained in the system
- Impact of the loss of integrity of such information
- Impact of the loss of confidentiality of such information
- Impact of the loss of accessibility of such information

The risk assessment process will consider, for each appropriate information system, the likelihood of occurrence of certain threats and the potential exposure to such threats, and will document the existence of administrative, technical and physical security controls implemented by the Bank to mitigate the occurrence and/or potential severity of risks and exposures. The data classification and risk assessment will be updated at least annually, and the results of the assessment will be used in an evaluation of the adequacy of the Bank's information security policies and programs. Results of the data classification and risk assessment will be reviewed with senior management, the Audit Committee and the Board of Directors.

Vendor Management

Sample Bank acquires services from third-party suppliers, service providers, software vendors, and/or consultants (the "Vendor" or "Vendors"), including customer information and transaction processing services. Use of these services involves risks similar to those that arise when these functions are performed internally by Bank personnel. These include such risks as threats to the availability of systems used to support customer transactions, to the accuracy, integrity and security of customers' non-public, personal financial information, or to compliance with banking regulations. Under contract arrangements, however, the risk management measures commonly used by financial institutions to address these risks are generally under the control of the Vendor rather than the financial institution. The financial institution nevertheless continues to bear certain associated risks of financial loss, reputation damage, or other adverse consequences from actions of the Vendor or the failure of the Vendor to adequately manage risk. Consequently, it is incumbent upon Sample Bank to: (1) expand its analysis of the ability of Vendors to fulfill their contractual obligations and (2) prepare formal analyses of the risks associated with obtaining services from, or outsourcing processing to, Vendors. The following areas will be included in this process:

Selection of Vendor - In addition to other requirements included in Sample Bank's Purchasing Policy, in selecting a Vendor of critical services the Bank will prepare a risk assessment and perform appropriate due diligence to satisfy itself regarding the Vendor's competence and stability, both financially and operationally, to provide the expected services and meet any related commitments. Financial statements, preferably audited statements, will be obtained and reviewed.

Contracts - The written contract between Sample Bank and the Vendor must clearly specify, at a level of detail commensurate with the scope and risks of the service provided, all relevant terms, conditions, responsibilities, and liabilities of both parties. These would normally include terms such as:
- Statements of the purpose of access to or maintenance of the Bank's customers' nonpublic, personal financial information
- Agreements not to disclose non-public, personal financial information of the Bank's customers, whether in the possession of the Vendor or accessible to them, and statements of responsibility and liability for disclosure of such information
- Required service levels, performance standards, and penalties
- Internal controls, insurance, disaster recovery capabilities, and other risk management measures maintained by the Vendor
- Data and system ownership and access
- Liability for delayed or erroneous transactions and other potential risks
- Provisions for, and access by the Bank to, internal or external audits or other reviews of the Vendor's operations and financial condition
- Compliance with applicable regulatory requirements
- Provisions for handling disputes, contract changes, and contract termination

The terms and conditions of each contract will be reviewed by Sample Bank's legal counsel to ensure that they are appropriate for the particular service being provided and result in an acceptable level of risk to the Bank.

Policies, Procedures, and Controls - The Vendor should implement internal control policies and procedures, data security and contingency capabilities, and other operational controls analogous to those that the Bank would utilize if the activity were performed internally. Appropriate controls should be placed on transactions processed or funds handled by the Vendor on behalf of the Bank. The Vendor's policies and procedures

should be reviewed by the Bank's Information Security Officer as well as by Accounting, Compliance, Data Processing personnel and Audit.

Ongoing Monitoring - The Bank will review the operational performance of critical Vendors on an ongoing basis to ensure that the Vendor is meeting and can continue to meet the terms of the contract (e.g., service level commitments). Business unit managers will be primarily responsible for completing this evaluation. This evaluation should be completed at least annually and reported to the Information Security Officer. The form and elements of the evaluation will be determined by the service level commitments in the Vendor's contract or by specific Service Level Agreements negotiated between the Bank and the Vendor.

Information Access - Sample Bank will ensure that it has complete and immediate access to current and appropriate back-up information that is critical to its operations and is maintained or processed by an outside Vendor.

Internal Audit - Sample Bank's Auditors will review the oversight of critical Vendors by external accountants and others, including regulators. Audits of critical Vendors should be conducted according to a scope and frequency appropriate for the particular function. For third-party data processing services, the Bank will obtain copies of the Vendor's SAS 70 audit report and Management's response. These, as well as other audit reports of critical Vendors, will be reviewed by the Audit Committee of the Board of Directors. Audit results and management responses will be available to examiners at their request. Internal Audit will also audit compliance with Vendor service level commitments and agreements.

Contingency Plans - Sample Bank will ensure that appropriate business resumption plans have been prepared and tested by the Vendor. Where appropriate, based on the scope and risks of the service or function and the condition and performance of the Vendor, the Bank's contingency plans may also include plans for the continuance of processing activities, either in-house or with another provider, in the event that the Vendor is no longer able to provide the contracted services or the arrangement is otherwise terminated unexpectedly.

Annually, the Information Security Officer will evaluate the risks and exposures associated with each Vendor relationship. This evaluation process will include the following:
- Update the Vendor listings
- Evaluate the nature and purpose of all Vendor relationships
- Determine the criticality of the product or service provided by the Vendor
- Assess the relative level of strategic, credit, operational, compliance, legal and reputation risk associated with the relationship, and
- Rank each Vendor as Critical, Important or Incidental.

A detailed risk assessment will be prepared for each critical Vendor, in accordance with the Vendor Relationships Risk Assessment.

Roles and Responsibilities

The following individuals are integral to the successful execution of Sample Bank's information security policies and programs and will have the following responsibilities:

Board of Directors and IT Steering Committee - Ensure that an appropriate Information Security Policy is developed and implemented. Review periodic information regarding breaches of Information Security. Ensure that annual assessments of risks and threats are prepared, that information systems and related data are risk rated, and that appropriate

reviews are made of related risk management strategies and controls. Review regulatory examinations of information security and ensure that appropriate action is taken to address comments and recommendations of regulators.

Audit Committee - Ensure that appropriate tests and audits of information security systems are performed. Review reports of security tests and audits and ensure that appropriate action is taken to address identified weaknesses in control. Review assessments of outsourced technology vendor performance and controls and ensure that appropriate action is taken to address identified weaknesses in vendor information security controls.

Information Security Officer - A senior officer of the Bank responsible for ensuring overall compliance with the Information Security Policy, the efficacy of the Bank's information security procedures and practices, and the assessment of information security risks and the related adequacy of information security policies and procedures. Report any breaches of Information Security to the Board of Directors and to any applicable regulatory and law enforcement agencies.

Information Security Administrator - Primarily responsible for the execution of significant elements of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports. Responsible for ensuring that the network and network-based/accessible systems are secured to protect customer information. Responsible for reporting any attempted or successful breaches of security systems to the Security Officer and the Information Security Officer. The ISA will ensure the appropriate installation, maintenance and monitoring of intrusion detection systems and intrusion response procedures. The ISA will coordinate the implementation of changes and patches to information system software and/or hardware, and maintain appropriate records of such changes and related testing/review documentation and approvals.

Security Officer - Responsible for the implementation of the Bank's Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and accessibility of physical customer information and related information technology hardware (e.g., branch servers).

Human Resources - Responsible for ensuring appropriate information security orientation is provided for new employees. Ensure new hires and contract personnel are properly vetted and agree to follow Bank information security policies.

Business Unit Managers (e.g., branch/department managers) - Ensure employees are performing due diligence in protecting customer information. Provide input into Information Security Policy reviews/updates. Responsible for reporting any breaches of Information Security to the Information Security Officer.

Bank Employees - Ensure that customer information is protected on a day-to-day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and/or the Information Security Officer.

Availability and Maintenance of the Information Security Policy

The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank's Information Services resources should be familiar with the relevant sections of the policy. Relevant

sections of this Policy, and the other related policies described above, will be available to all employees over the Bank's Intranet, along with other relevant Human Resources policies (e.g., confidentiality). This Information Security Policy is a living document that will be revised as required to address changes in the Bank's technology, applications, procedures, legal and social imperatives, perceived threats, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank's Board of Directors must subsequently ratify/approve all changes to the Information Security Policy.

Compliance with Policy

To ensure compliance with this Policy, Sample Bank has developed a comprehensive Information Security Program, commensurate with and appropriate for the threats and risks faced by the Bank and the nature and scope of its operations. Sample Bank will appoint an Information Security Officer, a member of senior management, to ensure compliance with this Policy. In addition, Sample Bank will appoint an Information Security Administrator and other appropriate personnel to be responsible for the day-to-day execution of the information security program, the investigation and reporting of attempted or successful security breaches, and other aspects of the information security program and applicable Bank policies and legal and regulatory requirements. Violations of the Bank's Information Security Policies may result in immediate termination or probation. Specific actions for violations of this policy, or of other referenced policies (i.e., , internet usage, etc.), are documented in the Information Security Program and/or those specific policies.

Attempted or Actual Breaches of Security

All breaches and attempted breaches of the Bank's information security systems and controls will be reviewed by the Information Security Administrator and the Information Security Officer, documented, and reported to the Security Officer, senior management and the Board of Directors, as prescribed in this Policy, and, as required, to the appropriate legal and regulatory authorities. If appropriate, a Suspicious Activity Report will also be filed.

Independent Testing and Audit

Sample Bank's information security policies and programs will be independently tested in accordance with the procedures adopted by Sample Bank (e.g., internal audit approved by the Audit Committee) and/or agreed upon with an independent third party (e.g., an outsourced audit function or an independent security firm). Security testing (i.e., vulnerability assessments and external penetration testing) and audit procedures will be performed no less often than annually. Additionally, internal penetration testing will be performed at least once every 18 months. The specific scope and timing of such testing and audit procedures will be reviewed and approved by the Sample Bank Audit Committee. The results of testing and audits will also be reviewed by the Audit Committee.


Information Security Program for Sample Bank

Introduction

Like all financial institutions, Sample Bank ("the Bank") is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks.

The passage of the Gramm-Leach-Bliley Financial Modernization Act ("GLBA") intensified regulatory attention on technology risk management and information security. The GLBA required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While the different parts of a financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

To comply with regulatory guidelines, a financial institution's information security program should be designed to:
- Ensure the security and confidentiality of customer information
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must:
- Approve the financial institution's written information security program
- Oversee the development, implementation, and maintenance of the financial institution's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

With regard to assessing and understanding risk, each financial institution must:
- Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information
- Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution's activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly:

- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals, and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means
- Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities, to permit access only to authorized individuals
- Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
- Procedures designed to ensure that modifications ("patch management") to the customer information system are consistent with and do not diminish the effectiveness of the financial institution's information security program
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
- Monitoring systems (24/7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems
- Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies
- Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

In addition to developing an information security program, the financial institution must train staff to implement the bank's information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution's risk assessment. Tests should be conducted, or their results reviewed, by independent third parties or by staff independent of those who develop or maintain the security programs.

Sample Bank's Response to Information Security Needs and Requirements

The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank's customer information systems. Further, the Board of Directors and management of Sample Bank recognize that, in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems, and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified. To ensure that information security risks are understood and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy.

Purposes and Objectives of Policy

The primary purposes of Sample Bank's Information Security Policy are to ensure that the Bank, the Board of Directors and Management:
- Understand the risks and threats to which information systems are exposed,
- Evaluate the potential exposures to such risks / threats,
- Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and
- Test the efficacy of information security systems and controls.

Specific objectives of this Policy are to:
- Ensure the accuracy, integrity, security and confidentiality of customer information maintained by the Bank.
- Ensure that such information is adequately protected against anticipated threats or hazards to its security or integrity.
- Protect against unauthorized access to or use of customer information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank.
- Provide for the timely and comprehensive identification and assessment of the risks that may threaten the security or integrity of customer information.
- Document Policy standards for managing and controlling identified risks.
- Provide standards for testing the Policy and adjusting it on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security.
- Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures.
- Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information.
- Ensure protection of the hardware and software components that comprise the Bank's Information Systems.
- Protect against the use of the Bank's assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Company's reputation or a violation of the law.

Scope of Security

Sample Bank defines an effective level of information security as the state of being free from unacceptable levels of risk or exposure to threats. In that regard, the Bank will adopt controls and other risk mitigation practices and procedures it believes are appropriate in the circumstances to provide reasonable control and eliminate unacceptable risks.

Information Security risks, threats and exposures of concern to the Bank may be summarized in the following categories:
- Confidentiality of information: This refers to the concerns of privacy of personal and corporate information.
- Integrity of information: This refers to the accuracy of customer information maintained in the Bank's information systems.
- Security of information: This includes:
  - Computer and peripheral equipment
  - Communications equipment
  - Computing and communication premises
  - Power, water, environmental controls, and communication utilities
  - System software (computer programs) and documentation
  - Application software and documentation
  - Customer and Bank Information, both electronic and non-electronic
- Efficient and appropriate use of information and related resources: This ensures that Information Systems resources are used for the purpose for which they were intended and in a manner that does not interfere with the rights of others.
- System availability and information accessibility: This area of concern is with the full functionality of systems and the Bank's ability to recover from short and long-term business interruptions.

The potential causes of losses, or breaches of security, are termed threats. Threats to the Bank's information systems may be human or non-human, natural, accidental, or deliberate.

The term "information systems" as defined by Sample Bank includes the data, equipment, and processes for creating, maintaining and accessing customer information, whether directly under the Bank's control or maintained on behalf of the Bank by third-party providers. These information systems may be electronic or non-electronic.

Domains of Security Addressed by this Policy

This policy specifically addresses the following domains, or areas, of security:
- Administrative practices, including information security, e-mail, Internet access and other policies. Certain administrative security policies, such as record retention and destruction, technology asset disposal and employee confidentiality, as well as e-mail and Internet access / use, are documented in separate policy statements.
- Technical systems security, including those securing access to the Bank's primary processing equipment, peripheral devices, and operating systems. These include hardware and software security, such as firewalls, network intrusion monitoring systems, network configuration and protocol use, etc.
- Physical security, including the premises occupied by the Information Systems personnel and equipment. Physical security requirements for those premises outside the Information Systems area are documented in the Bank's general Security Policy.
- Operational security, including environmental controls, power back-up, equipment functionality, and other operations activities.
- Security over third-party technology providers, vendor management personnel, as well as end users.
- Data communications security, including security over electronic access to communications equipment such as servers, hubs, routers, patch panels, lines, etc.

Other domains of Information Security are addressed in other Sample Bank Policy Documents, including the following:
- Physical Security: Corporate Security Policy, Sample Bank, May 2005
- Employee Security: Human Resources / Personnel Procedures, including recruiting, hiring and employee vetting procedures, confidentiality, conflict of interest, e-mail use and Internet access policies.

Roles and Responsibilities

The following section describes the roles and responsibilities of individuals or groups integral to the development, maintenance or execution of this Policy.

Policy Management

The Information Security Policy of Sample Bank is of vital importance to ensuring the security and integrity of customer information and the effectiveness of information security throughout the Bank. Formulation and maintenance of the Policy is the responsibility of the manager of Information Services and the Information Security Officer. Its approval is vested with the Board of Directors.

Advice and opinions on the content and specific requirements of the Policy may be provided by:
- The Information Technology Steering Committee
- Senior Bank Management
- Management of Information Services
- Security Officer
- Compliance Manager
- Business Unit managers

Policy Implementation

Information Services will be primarily responsible for the implementation of Sample Bank's Information Security Policy; however, each staff member of Sample Bank is responsible for understanding and adhering to the Information Security Policy. The Information Security Administrator and IS Information Security Technicians are integrally involved in the day-to-day execution of the Information Security Policy, and as such, have no responsibility for the development or review of the Policy.

Custodians

Security of each system will be the responsibility of that system's principal custodian, as described below:

Individuals
- The Information Services Department is the custodian of all strategic system platforms, the strategic communications systems, and the facilities where centralized computer equipment is operated.
- The Information Services Department and each business unit, as appropriate, share in the custodian duties of certain elements of strategic systems under their management control (e.g., servers and communications devices located at the branch offices or in departments outside the data center).
- Individual staff members and the Information Services Department share in the custodian duties of desktop systems.

To ensure the effectiveness of this Policy, all employees of Sample Bank should observe the following standards for use of Information System resources and systems:
- Every employee must adhere to the Sample Bank IT End-User Policy.
- Every employee must adhere to the Sample Bank Code of Conduct.
- Every employee must adhere to the Sample Bank E-mail Use Policy.
- Every employee must adhere to the Sample Bank Internet Use Policy.
- Every employee must be responsible for the proper care and use of Information Systems resources under their direct control, including paper documents and manual files.
- Every employee must adhere to Sample Bank's procedures for authenticating customers requesting information by mail, telephone, fax or e-mail.

The following section describes the individuals and / or areas involved in the development, maintenance and execution of Sample Bank's Information Security Policy and their roles and responsibilities.

Information Technology Committee
- Ensure that an appropriate Information Security Policy is developed and implemented.
- Review information regarding breaches of Information Security.
- Ensure that annual assessments of risks and threats are prepared, information systems are risk rated and that appropriate reviews are made of related risk management strategies and controls.
- Ensure that appropriate tests of information security systems are performed.

Information Security Officer
- Ensure the Information Security Policy is enforced.
- Work with senior management to review policy and procedures around Information Security annually to ensure current threats and responses are accurate and to identify any new threats to securing customer information.
- Report any breaches of Information Security to the Board of Directors and any applicable agencies.
- Develop annual assessments of information security risks and threats, risk rating information systems and reviewing related risk management strategies and controls.
- Perform appropriate tests of information security systems.

AVP Information Technology
- Responsible for ensuring that the network and network based / accessible systems are secured to protect customer information.
- Responsible for reporting any breaches of Information Security to the Information Security Officer.

Information Security Administrator / IS Technician
- Primarily responsible for the execution of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports.

Risk Management Team
- The Bank's Risk Management Committee is responsible for ensuring that an annual assessment of information security risks / threats is completed and that corresponding Administrative, Technical and Physical Security Controls are documented.

Security Officer
- Responsible for the implementation of the Bank's Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and accessibility of physical customer information and related information technology hardware (i.e. branch servers, etc.).

Human Resources
- Responsible for providing appropriate information security orientation for new employees and ongoing information security training programs.

Business Unit Managers (e.g., branch / department managers)
- Ensure employees are performing due diligence in protecting customer information.
- Provide input into Information Security Policy reviews / updates.
- Responsible for reporting any breaches of Information Security to the Information Security Officer.

Bank Employees
- Ensure that customer information is protected on a day-to-day basis.
- Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and / or the Information Security Officer.

Availability and Maintenance of the Information Security Policy

The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank's Information Services resources should be familiar with relevant sections of the policy. Relevant sections of this Policy, such as those that apply to e-mail, Internet usage and End-User computing practices, will be available to all employees over the Bank's Intranet, along with relevant Human Resources policies.

This Information Security Policy is a living document that will be revised as required to address changes in the Bank's technology, applications, procedures, legal and social imperatives, perceived dangers, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank's Board of Directors must subsequently ratify / approve all changes to the Information Security Policy.
Strategic Systems Platforms

Strategic systems are defined as those computer systems that are critical to the operation of Sample Bank. Such computer systems may be owned and operated by Sample Bank, or they may be owned and operated by another Bank with whom Sample Bank has established a business relationship.

The following components comprise Sample Bank's strategic systems:
- Loan Accounting System
- Deposit Accounting System
- Customer Information File
- Hardware and Operating System
- Windows NT 2000 Active Directory

Additional significant systems which will be covered in this Policy include:
- Internet Banking System and Bill Paying System
- Voice Response
- MCIF System
- Customer Profitability File
- Image System
- Optical Cold Storage System (e.g., Management Information and Reports)

Management of Strategic Systems

Oversight and management of strategic information systems is primarily the responsibility of the Information Services Department. For in-house strategic systems, day-to-day operations and daily coordination of data input from strategic systems outside the institution are performed by the Information Services Department. The Information Services Department is also primarily responsible for the management of third-party technology service providers.

Physical Security

Sample Bank recognizes that its strategic systems require a higher degree of physical security than is provided for other business operations. The following standards of physical security must be maintained for all strategic systems:
- The premises must be physically secure and reasonably free from risk of damage by water, fire, vibration, dust, and environmental hazards.
- Air temperature and humidity must be controlled within acceptable operating limits. Sample Bank will maintain state-of-the-art cooling systems at this facility to ensure temperatures and humidity levels are adequately controlled in the Data Center.
- Backup electrical power, such as that from an uninterruptible power supply (UPS) or generator, that provides adequate protection from power surges and sags and for an orderly shutdown of affected systems after 15 minutes of total power loss, unless generator power can be applied. An emergency generator must be installed and maintained to supply power for longer-term disruptions.

Physical Access

The primary location for the strategic systems of Sample Bank is at the Bank's Data Center in City, State. Access to this area is restricted to authorized personnel from the Information Services Department. Access by all other individuals, whether Sample Bank employees or not, must be granted by an authorized member of personnel, and must be properly logged. External doors to the designated area must remain locked. External windows must be secured so as not to allow unauthorized access. Access to this facility will be restricted to authorized personnel. File servers and other data communications equipment (e.g., hubs, routers, and patch panels) must also be located in secure areas.

It is expected that strategic systems not under the direct control of Sample Bank, such as those operated by vendors of the financial institution, will adhere to similar standards as the financial institution. Relationships should not be established with vendors that do not adhere to such standards. Additionally, contracts with vendors should contain some language addressing physical access to the strategic systems located at their offices. Failure to adhere to such standards should be considered a breach of contract.

User Access to Information Systems

Access to strategic systems is granted under the following conditions:
- A System Access Authorization Form must be completed. See the sample form that follows. The form should specify the level of access required for the particular user.
- An appropriately authorized member of management must approve the System Access Authorization Form.
- The access level assigned to the user must be no higher than that specified by the System Access Authorization Form and in accordance with established user profiles.
- All user access will be initiated by appropriate network administration and security personnel in the Information Services Department.
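The four access conditions above are the kind of rule an Information Security Administrator can verify mechanically during a periodic access review: every grant on a strategic system must trace back to an approved System Access Authorization Form, and the granted level must not exceed the approved one. The following reconciliation check is an added example and is not part of the original policy document; it assumes a fixed ordering of access levels ("none", "read", "update", "admin") standing in for the Bank's "established user profiles", and the user names, system names and approver identifiers are constructed sample data.

```python
"""Reconcile provisioned access rights against approved System Access
Authorization Forms and report grants that violate the access conditions.

Added example for the policy text; the level names, record fields and
sample data below are assumptions, not the Bank's actual profiles.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordered from least to most privileged (assumed profile ordering).
ACCESS_LEVELS = ["none", "read", "update", "admin"]


@dataclass(frozen=True)
class Authorization:
    """One completed System Access Authorization Form."""
    user: str
    system: str
    level: str      # access level requested on the form
    approver: str   # empty string means management has not approved it


@dataclass(frozen=True)
class Grant:
    """One access right actually provisioned on a strategic system."""
    user: str
    system: str
    level: str


def level_rank(level: str) -> int:
    """Return the position of a level in ACCESS_LEVELS; -1 if unrecognized."""
    try:
        return ACCESS_LEVELS.index(level)
    except ValueError:
        return -1


def reconcile(authorizations: List[Authorization],
              grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (user, system, reason) findings for every non-compliant grant.

    A grant is compliant only if a form exists for that user and system,
    the form carries a management approval, both levels are recognized,
    and the granted level is no higher than the approved level.
    """
    forms = {(a.user, a.system): a for a in authorizations}
    findings = []
    for g in grants:
        form = forms.get((g.user, g.system))
        if form is None:
            findings.append((g.user, g.system,
                             "no System Access Authorization Form on file"))
        elif not form.approver:
            findings.append((g.user, g.system,
                             "authorization form lacks management approval"))
        elif level_rank(g.level) < 0 or level_rank(form.level) < 0:
            findings.append((g.user, g.system,
                             "unrecognized access level on grant or form"))
        elif level_rank(g.level) > level_rank(form.level):
            findings.append((g.user, g.system,
                             f"granted {g.level} exceeds approved {form.level}"))
    return findings


# Constructed sample data: one compliant grant and three violations.
SAMPLE_AUTHORIZATIONS = [
    Authorization("jdoe", "Loan Accounting System", "update", "branch-mgr-01"),
    Authorization("asmith", "Deposit Accounting System", "read", "ops-mgr-02"),
    Authorization("bjones", "Customer Information File", "read", ""),
]
SAMPLE_GRANTS = [
    Grant("jdoe", "Loan Accounting System", "update"),      # compliant
    Grant("asmith", "Deposit Accounting System", "admin"),  # exceeds approval
    Grant("bjones", "Customer Information File", "read"),   # form not approved
    Grant("ctaylor", "Deposit Accounting System", "read"),  # no form at all
]


if __name__ == "__main__":
    for user, system, reason in reconcile(SAMPLE_AUTHORIZATIONS, SAMPLE_GRANTS):
        print(f"{user:10} {system:28} {reason}")
```

Run over the real form register and an export of provisioned rights, each finding is an item for the business unit manager to either correct (revoke or reduce the grant) or regularize (complete and approve the missing form); the check also surfaces grants whose level name matches no established profile, which usually indicates provisioning outside the Information Services process.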


White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Information Assurance Policy for Information Systems

Information Assurance Policy for Information Systems Information Assurance Policy for Information Systems 1. Purpose... 3 2. Goals... 3 3. Applicability... 4 4. Compliance... 4 5. Roles & Responsibilities... 4 5.1. All Departments...4 5.2. FCT Information

More information

Provisions and Guidelines for Information Security Management. Dhr. C. Walters

Provisions and Guidelines for Information Security Management. Dhr. C. Walters Provisions and Guidelines for Information Security Management Dhr. C. Walters 1 Why impose rules for Information Security Management? Supervised institutions have been requesting rules; Rules promotes

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

Cal Poly Information Security Program

Cal Poly Information Security Program Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Protection of Personal Information Security and Incident Investigation Procedures and Practices for Local Governmental Units

Protection of Personal Information Security and Incident Investigation Procedures and Practices for Local Governmental Units Fall 2014 Protection of Personal Information Security and Incident Investigation Procedures and Practices for Local Governmental Units Effective January 1, 2015 Darren T. Sammons, Staff Attorney Commonwealth

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

TABLE OF CONTENTS INTRODUCTION... 1

TABLE OF CONTENTS INTRODUCTION... 1 TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5

More information

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES CAYMAN ISLANDS Supplement No. 5 published with Gazette No. 19 dated 14 September, 2015. STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES Statement of Guidance: Outsourcing Regulated Entities 1. STATEMENT

More information

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology

More information

HOW TO COMPLY WITH THE NEW INFORMATION SECURITY STANDARDS: A DO IT YOURSELF MANUAL FOR COMMUNITY BANKS AND THRIFTS PREPARED FOR THE CONFERENCE OF STATE BANK EXAMINERS By THE CODA GROUP, INC. BARNETT SIVON

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Safeguarding Customer Information An ABA Toolbox

Safeguarding Customer Information An ABA Toolbox Safeguarding Customer Information An ABA Toolbox The ABA is proud to offer this toolbox - free to ABA members - to assist bankers in safeguarding their customer information. Financial institutions have

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

Interagency Guidelines Establishing Information Security Standards. Small-Entity Compliance Guide

Interagency Guidelines Establishing Information Security Standards. Small-Entity Compliance Guide Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide I. INTRODUCTION Purpose and Scope of the Guide This Small-Entity Compliance Guide (footnote 1) is intended

More information

Exam 1 - CSIS 3755 Information Assurance

Exam 1 - CSIS 3755 Information Assurance Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Application Development within University. Security Checklist

Application Development within University. Security Checklist Application Development within University Security Checklist April 2011 The Application Development using data from the University Enterprise Systems or application Development for departmental use security

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit

More information

Stellenbosch University. Information Security Regulations

Stellenbosch University. Information Security Regulations Stellenbosch University Information Security Regulations 1. Preamble 1.1. Information Security is a component of the Risk structure and procedures of the University. 1.2. Stellenbosch University has an

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT

PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT RESOURCES PROVIDED THROUGH APRIL 2001 Slides Narration In the last presentation, you learned about some of the general responsibilities

More information

Statement of Guidance: Outsourcing All Regulated Entities

Statement of Guidance: Outsourcing All Regulated Entities Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on

More information

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information