Sample Information Security Policies

Transcription

1 Sample Information Security Policies Sample Information Security Policies May 31, Research Blvd Suite 2, Building T Austin, TX Boston Austin Atlanta

2 Table of Contents INFORMATION SECURITY POLICY STATEMENT FOR SAMPLE BANK... 1 INFORMATION SECURITY PROGRAM FOR SAMPLE BANK...10 INCIDENT RESPONSE POLICY FOR SAMPLE BANK...25 CHANGE MANAGEMENT POLICY FOR SAMPLE BANK POLICY FOR SAMPLE BANK...32 INTERNET USE POLICY FOR SAMPLE BANK...41 REMOTE ACCESS POLICY...51 PATCH MANAGEMENT POLICY FOR SAMPLE BANK...54 RECORD RETENTION AND DESTRUCTION POLICY FOR SAMPLE BANK...55 REGULATORY COMPLIANCE CHECKLIST...57 TECHNOLOGY ASSET DISPOSAL POLICY FOR SAMPLE BANK...63 VENDOR RELATIONSHIP MANAGEMENT POLICY FOR SAMPLE BANK...66 ANNUAL REVIEW OF VENDORS AND SERVICE PROVIDERS POLICY FOR SAMPLE BANK...78 SAMPLE BANK SECURITY COMMITTEE CHARTER...79 INCIDENT RESPONSE CHECKLIST...82 INFORMATION SECURITY INCIDENT REPORT /15/2012 2

3 Information Security Policy Statement for Sample Bank Introduction Like all financial institutions, Sample Bank, ( Sample Bank or the Bank ) is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks. The passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 ( GLBA ) intensified regulatory attention on technology risk management and information security. The Act required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While all parts of the financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. To comply with regulatory guidelines, a financial institution s information security program should be designed to: Ensure the security and confidentiality of customer information Protect against any anticipated threats or hazards to the security or integrity of such information Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must: Approve the financial institution s written information security program Oversee the development, implementation, and maintenance of the financial institution s information security program, including assigning specific responsibility for its implementation and reviewing reports from management. With regard to assessing and understanding risk, each financial institution must: Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution s activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly: Page 1

4 Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities to permit access only to authorized individuals Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access Procedures designed to ensure that modifications ( patch management ) to the customer information system are consistent with and do not diminish the effectiveness of the financial institution s information security program Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information Monitoring systems (24 / 7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures. In addition to developing an information security program, the financial institution must train staff to implement the bank s information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution s risk assessment. Tests should be conducted or results reviewed by independent third parties or staff independent of those who develop or maintain the security programs. Sample Bank s Information Security Requirements The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank s customer information systems. Further, the Board of Directors and management of Sample Bank recognize that in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified. To ensure that information security risks are understood, and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy. Sample Bank is committed to implementing and maintaining and effective information security program, in compliance with the requirements of Section 501(b) of the 1999 Gramm-Leach-Bliley Act, Protection of Nonpublic Personal Information, and the Guidelines Establishing Standards for Safeguarding Customer Information. Sample Bank is committed to safe and sound banking and operating practices, to properly safeguarding both customer information and proprietary bank Page 2

5 information and to preventing unauthorized or inadvertent access to or disclosure of such information. Purposes and Objectives of Policy The primary purposes of Sample Bank s Information Security Policy are to ensure that the Bank, the Board of Directors and Management: Understand the risks and threats to which information systems are exposed, Evaluate the potential exposures to such risks / threats Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and Test the efficacy of information security systems and controls Specific objectives of this Policy are to: Ensure the accuracy, integrity, security and confidentiality of customer information received, processed and maintained by the Bank. Ensure that such information, and proprietary Bank information, is adequately protected against anticipated threats or hazards to its security or integrity. Protect against unauthorized access to or use of customer and proprietary bank information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank. Provide for the timely and comprehensive identification and assessment of vulnerabilities and risks that may threaten the security or integrity customer and proprietary bank information. Document Policy standards for managing and controlling identified risks. Provide standards for testing the Policy and adjust on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security. Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures. Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information. Ensure protection of the hardware and software components that comprise the Bank s Information Systems. Protect against the use of the Bank s assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Company s reputation or a violation of the law. In connection with this general Information Security Policy, Sample Bank has also adopted the following specific policies: Internet Usage Network (i.e., LAN) Configuration Security Intrusion Detection and Response Telecommuting (Laptops) Security Logical and Administrative Access Control Page 3

6 Logging and Data Collection Password Security Malicious Code Protection Data Back-up and Archival Storage Record Retention and Destruction Hardware and Software Acquisition, Copyright and Licensing Technology Asset Disposal Change Management Patch Management Physical Security Business Continuity Planning Training The Information Security Officer will ensure that all employees of Sample Bank, its Board members and management, receive training in the regulatory guidelines and laws governing customer information security and the Bank s information security procedures, as appropriate to their position at the Bank and job responsibilities. The Information Security Officer will ensure that the training systems are in place to address (i) initial training for new or transferred personnel, (ii) continuing review sessions for existing personnel and (iii) updated sessions for all affected personnel when any significant revisions are made to the Information Security Program. Risk Assessment and Management Sample Bank will implement a comprehensive risk assessment process, including classification, or ranking, of information systems, both electronic and non-electronic, based on the following criteria: Nature and sensitivity of information contained in the system, whether non-public customer or proprietary bank information Quantity or volume of such information contained in the system Impact of the loss of integrity of such information Impact of the loss of confidentiality of such information Impact of the loss of accessibility of such information The risk assessment process will consider for each appropriate information system, the likelihood of occurrence of certain threats and the potential exposure to such threats, and document the existence of administrative, technical and physical security controls implemented by the Bank to mitigate the occurrence and/or potential severity of risks and exposures. The data classification and risk assessment will be updated at least annually and the results of the assessment used in an evaluation of the adequacy of the Bank s information security policies and programs. Results of the data classification and risk assessment will be reviewed with senior management, the Audit Committee and the Board of Directors. Page 4

7 Vendor Management Sample Bank acquires services from third-party suppliers, service providers, software vendors, and / or consultants (the Vendor or Vendors ), including customer information and transaction processing services. Use of these services involves risks similar to those that arise when these functions are performed internally by Bank personnel. These include such risks as threats to the availability of systems used to support customer transactions, the accuracy, integrity and security of customer s non-public, personal financial information, or compliance with banking regulations. Under contract arrangements, however, risk management measures commonly used by financial institutions to address these risks, are generally under the control of the Vendor, rather than the financial institution. The financial institution, however, continues to bear certain associated risks of financial loss, reputation damage, or other adverse consequences from actions of the Vendor or the failure of the Vendor to adequately manage risk. Consequently, it is incumbent upon Sample Bank to: (1) expand its analysis of the ability of Vendors to fulfill their contractual obligations and (2) prepare formal analyses of risks associated with obtaining services from, or outsourcing processing to, Vendors. The following areas will be included in this process: Selection of Vendor - In addition to other requirements included in Sample Bank s Purchasing Policy in selecting a Vendor of critical services, the Bank will prepare a risk assessment and perform appropriate due diligence to satisfy itself regarding the Vendor s competence and stability, both financially and operationally, to provide the expected services and meet any related commitments. Financial statements, preferably audited statements, will be obtained and reviewed. Contracts - The written contract between Sample Bank and the Vendor must clearly specify, at a level of detail commensurate with the scope and risks of the service provided, all relevant terms, conditions, responsibilities, and liabilities of both parties. These would normally include terms such as: Statements of the purpose of access to or maintenance of the Bank s customers nonpublic, personal financial information Agreements not to disclose non-public, personal financial information of the Bank s customers either in possession of the Vendor or accessible to them, and statements of responsibility and liability for disclosure of such information Required service levels, performance standards, and penalties Internal controls, insurance, disaster recovery capabilities, and other risk management measures maintained by the Vendor Data and system ownership and access Liability for delayed or erroneous transactions and other potential risks Provisions for and access by the Bank to internal or external audits or other reviews of the Vendor s operations and financial condition Compliance with applicable regulatory requirements Provisions for handling disputes, contract changes, and contract termination The terms and conditions of each contract will be reviewed by Sample Bank s legal counsel to ensure that they are appropriate for the particular service being provided and result in an acceptable level of risk to the Bank. Policies, Procedures, and Controls - The Vendor should implement internal control policies and procedures, data security and contingency capabilities, and other operational controls analogous to those that the Bank would utilize if the activity were performed internally. Appropriate controls should be placed on transactions processed or funds handled by the Vendor on behalf of the Bank. The Vendor s policies and procedures Page 5

8 should be reviewed by the Bank s Information Security Officer as well as Accounting, Compliance, Data Processing personnel and Audit. Ongoing Monitoring - The Bank will review the operational performance of critical Vendors on an ongoing basis to ensure that the Vendor is meeting and can continue to meet the terms of the contract (e.g., service level commitments). Business unit managers will be primarily responsibility for completing this evaluation. This evaluation should be completed at least annually and reported to the Information Security Officer. The form and elements of the evaluation will be determined by the service level commitments in the Vendor s contract or specific Service Level Agreements negotiated between the Bank and the Vendor. Information Access Sample Bank will ensure that it has complete and immediate access to current and appropriate back-up information that critical to its operations and maintained or processed by an outside Vendor. Internal Audit Sample Bank s Auditors will review the oversight of critical Vendors by external accountants and others, including regulators. Audits of critical Vendors should be conducted according to a scope and frequency appropriate for the particular function. For third-party data processing services, the Bank will obtain copies of the Vendor s SAS 70 audit report and Management s response. These, as well as other audit reports of critical Vendors, will be reviewed by the Audit Committee of the Board of Directors. Audit results and management responses will be available to examiners at their request. Internal Audit will also audit compliance with Vendor service level commitments and agreements. Contingency Plans - Sample Bank will ensure that appropriate business resumption plans have been prepared and tested by the Vendor. Where appropriate, based on the scope and risks of the service or function and the condition and performance of the Vendor, the Bank s contingency plans may also include plans for the continuance of processing activities, either in-house or with another provider, in the event that the Vendor is no longer able to provide the contracted services or the arrangement is otherwise terminated unexpectedly. Annually, the Information Security Officer will evaluate the risks and exposures associated with each Vendor relationship. This evaluation process will include the following: Update the Vendor listings Evaluate the nature and purpose of all Vendor relationships Determine the criticality of the product or service provided by the Vendor Assess the relative level of strategic, credit operational, compliance and legal and reputation risk associated with this relationship and Rank each Vendor as Critical, Important or Incidental. A detailed risk assessment will be prepared of each critical Vendor, in accordance with the Vendor Relationships Risk Assessment. Roles and Responsibilities The following individuals are integral to the successful execution of Sample Bank's information security policies and programs and will have the following responsibilities: Board of Directors and IT Steering Committee Ensure that an appropriate Information Security Policy is developed and implemented. Review periodic information regarding breaches of Information Security. Ensure that annual assessments of risks and threats are prepared, information systems and related data are risk rated and that appropriate Page 6

9 reviews are made of related risk management strategies and controls. Review regulatory examinations of information security and ensure that appropriate action is taken to address comments and recommendations of regulators. Audit Committee - Ensure that appropriate tests and audits of information security systems are performed. Review reports of security tests and audits and ensure that appropriate action is taken to address identified weaknesses in control. Review assessments of outsourced technology vendor performance and controls and ensure that appropriate action is taken to address identified weaknesses in vendor information security controls. Information Security Officer A senior officer of the Bank responsible for ensuring overall compliance with the Information Security Policy, the efficacy of the Bank;s information security procedures and practices and the assessment of information Security risks and the related adequacy of information security policies and procedures. Report any breaches of Information Security to the Board of Directors and any applicable regulatory and law enforcement agencies. Information Security Administrator Primarily responsible for the execution of significant elements of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports. Responsible for ensuring that the network and network based / accessible systems are secured to protect customer information. Responsible for reporting any attempted or successful breaches of security systems to the Security Officer and Information Security Officer. Information Security to the Information Security Officer. The ISA will ensure the appropriate installation, maintenance and monitoring of intrusion detection systems and intrusion response procedures. The ISA will coordinate the implementation of changes and patches to information system software and/or hardware, and maintain appropriate records of such changes and related testing/review documentation and approvals. Security Officer - Responsible for the implementation of the Bank s Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and accessibility of physical customer information and related information technology hardware (i.e. branch servers, etc.). Human Resources - Responsible for ensuring appropriate information security orientation is provided for new employees. Ensure new hires and contract personnel are properly vetted and agree to follow Bank information security policies. Business Unit Managers (e.g., branch / department managers) - Ensure employees are performing due diligence in protecting customer information. Provide input into Information Security Policy reviews / updates. Responsible for reporting any breaches of Information Security to the Information Security Officer. Bank Employees - Ensure that customer information is protected on a day to day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and / or the Information Security Officer. Availability and Maintenance of the Information Security Policy The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank s Information Services resources should be familiar with relevant sections of the policy. Relevant Page 7

10 sections of this Policy, and other related policies, as described above, will be available to all employees over the Bank s Intranet, along with other relevant Human Resources policies (i.e., confidentiality). This Information Security Policy is a living document that will be revised as required to address changes in the Bank s technology, applications, procedures, legal and social imperatives, perceived threats, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank s Board of Directors must subsequently ratify / approve all changes to the Information Security Policy. Compliance with Policy To ensure compliance with this Policy, Sample Bank has developed a comprehensive Information Security Program, commensurate with and appropriate for the threats and risks faced by the Bank and the nature and scope of its operations. Sample Bank will appoint an Information Security Officer, a member of senior management, to ensure compliance with this Policy. In addition, Sample Bank will appoint an Information Security Administrator and other appropriate personnel, to be responsible for the day-to-day execution of the information security program, investigation and reporting attempted or successful security breaches and other aspects of the information security program and applicable Bank policies and legal and regulatory requirements. Violations of the Bank s Information Security Policies may result in immediate termination or probation. Specific actions for violations of this policy, or other referenced policies (i.e., , internet usage, etc.), are documented in the Information Security Program and/or those specific policies. Attempted or Actual Breaches of Security All breaches and attempted breaches of the Bank s information security systems and controls will be reviewed by the Information Security Administrator and Information Security Officer, documented and reported to the Security Officer, senior management and the Board of Directors, as prescribed in this Policy and as required to the appropriate legal and regulatory authorities. If appropriate, a Suspicious Activity Report will also be filed. Independent Testing and Audit Sample Bank's information security policies and programs will be independently tested in accordance with the procedures adopted by Sample Bank (e.g., internal audit approved by the Audit Committee) and/or agreed upon with an independent third-party (e.g., outsourced audit function or independent security firm). Security testing (i.e., vulnerability assessments and external penetration testing) and audit procedures will be performed no less often than annually. Additionally, internal penetration testing will be performed at least once every 18 months. The specific scope and timing of such testing and audit procedures will be reviewed and approved by Sample Bank Audit Committee. The results of testing and audits will also be reviewed by the Audit Committee. Page 8

11 Page 9

12 Information Security Program for Sample Bank Introduction Like all financial institutions, Sample Bank, (the Bank ) is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks. The passage of the Gramm-Leach-Bliley Financial Modernization Act ( GLBA ) intensified regulatory attention on technology risk management and information security. The GLBA required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While all parts of the financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. To comply with regulatory guidelines, a financial institution s information security program should be designed to: Ensure the security and confidentiality of customer information Protect against any anticipated threats or hazards to the security or integrity of such information Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must: Approve the financial institution s written information security program Oversee the development, implementation, and maintenance of the financial institution s information security program, including assigning specific responsibility for its implementation and reviewing reports from management. With regard to assessing and understanding risk, each financial institution must: Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution s activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly: Page 10

13 Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities to permit access only to authorized individuals Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access Procedures designed to ensure that modifications ( patch management ) to the customer information system are consistent with and do not diminish the effectiveness of the financial institution s information security program Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information Monitoring systems (24 / 7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures. In addition to developing an information security program, the financial institution must train staff to implement the bank s information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution s risk assessment. Tests should be conducted or results reviewed by independent third parties or staff independent of those who develop or maintain the security programs. Sample Bank s Response to Information Security Needs and Requirements The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank s customer information systems. Further, the Board of Directors and management of Sample Bank recognize that in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified. To ensure that information security risks are understood, and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy. Page 11

14 Purposes and Objectives of Policy The primary purposes of Sample Bank s Information Security Policy are to ensure that the Bank, the Board of Directors and Management: Understand the risks and threats to which information systems are exposed, Evaluate the potential exposures to such risks / threats Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and Test the efficacy of information security systems and controls Specific objectives of this Policy are to: Ensure the accuracy, integrity, security and confidentiality of customer information maintained by the Bank. Ensure that such information is adequately protected against anticipated threats or hazards to its security or integrity. Protect against unauthorized access to or use of customer information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank. Provide for the timely and comprehensive identification and assessment of the risks that may threaten the security or integrity customer information. Document Policy standards for managing and controlling identified risks. Provide standards for testing the Policy and adjust on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security. Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures. Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information. Ensure protection of the hardware and software components that comprise the Bank s Information Systems. Protect against the use of the Bank s assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Company s reputation or a violation of the law. Scope of Security Sample Bank defines an effective level of information security as the state of being free from unacceptable levels of risk or exposure to threats. In that regard, the Bank will adopt controls and other risk mitigation practices and procedures it believes are appropriate in the circumstances to provide reasonable control and eliminate unacceptable risks. Information Security risks, threats and exposures of concern to the Bank may be summarized in the following categories: Confidentiality of information This refers to the concerns of privacy of personal and corporate information. Integrity of information Page 12

15 This refers to the accuracy of customer information maintained in the Bank s information systems. Security of information This includes: Computer and peripheral equipment Communications equipment Computing and communication premises Power, water, environmental controls, and communication utilities System software (computer programs) and documentation Application software and documentation Customer and Bank Information, both electronic and non-electronic Efficient and appropriate use of information and related resources This ensures that Information Systems resources are used for the purpose for which they were intended and in a manner that does not interfere with the rights of others. System availability and information accessibility This area of concern is with the full functionality of systems and the Bank s ability to recover from short and long-term business interruptions. The potential causes of losses, or breaches of security, are termed threats. Threats to the Bank s information systems may be human or non-human, natural, accidental, or deliberate. The term information systems as defined by Sample Bank includes the data, equipment, and processes for creating, maintaining and accessing customer information, directly under the Bank s control or maintained on behalf of the Bank by third-party providers. These information systems may be electronic or non-electronic. Domains of Security Addressed by this Policy This policy specifically addresses the following domains, or areas, of security: Administrative practices, including information security, , Internet access and other policies. Certain administrative security policies, such as record retention and destruction, technology asset disposal and employee confidentiality, as well as and Internet access / use, are documented in separate policy statements Technical systems security, including those securing access to the Bank s primary processing equipment, peripheral devices, and operating systems. These include hardware and software security, such as firewalls, network intrusion monitoring systems, network configuration and protocol use, etc. Physical security, including the premises occupied by the Information Systems personnel and equipment. Physical security requirements for those premises outside the Information Systems area are documented in the Bank s general Security Policy. Operational security, including environmental controls, power back-up, equipment functionality, and other operations activities. Security over third-party technology providers, vendor, management personnel, as well as end users. Data communications security, including security over electronic access to communications equipment such as servers, hubs, routers, patch panels, lines, etc. Page 13

16 Other domains of Information Security are addressed in other Sample Bank Policy Documents, including the following: Physical Security Corporate Security Policy, Sample Bank, May 2005 Employee Security Human Resources / Personnel Procedures, including recruiting, hiring and employee vetting procedures, confidentiality, conflict of interest, use and Internet access policies. Roles and Responsibilities The following section describes the roles and responsibilities of individuals or groups integral to the development, maintenance or execution of this Policy. Policy Management The Information Security Policy of Sample Bank is of vital importance to ensuring the security and integrity of customer information and the effectiveness of information security throughout the Bank. Formulation and maintenance of the Policy is the responsibility of the manager of Information Services and the Information Security officer. Its approval is vested with the Board of Directors. Advice and opinions on the content and specific requirements of the Policy may be provided by: The Information Technology Steering Committee. Senior Bank Management Management of Information Services Security Officer Compliance Manager Business Unit managers Policy Implementation Information Services will be primarily responsible for the implementation of Sample Bank s Information Security Policy; however, each staff member of Sample Bank is responsible for understanding and adhering to the Information Security Policy. The Information Security Administrator and IS Information Security Technicians are integrally involved in the day-to-day execution of the Information Security Policy, and as such, have no responsibility for the development or review of the Policy. Custodians Security of each system will be the responsibility of that system s principal custodian, as described below: Individuals The Information Services Department is the custodian of all strategic system platforms, the strategic communications systems, and the facilities where centralized computer equipment is operated. The Information Services Department and each business unit, as appropriate, share in the custodian duties of certain elements of strategic systems under their management control (e.g., servers and communications devices located at the branch offices or in departments outside the data center). Individual staff members and the Information Services Department share in the custodian duties of desktop systems. Page 14

17 To ensure the effectiveness of this Policy, all employees of Sample Bank should observe the following standards for use of Information System resources and systems: Every employee must adhere to the Sample Bank IT End-User Policy. Every employee must adhere to the Sample Bank Code of Conduct. Every employee must adhere to the Sample Bank Use Policy. Every employee must adhere to the Sample Bank Internet Use Policy. Every employee must be responsible for the proper care and use of Information Systems resources under their direct control, including paper documents and manual files. Every employee must adhere to Sample Bank s procedures for authenticating customers requesting information by mail, telephone, fax or . The following section describes the individuals and / or areas involved in the development, maintenance and execution of Sample Bank s Information Security Policy and their role and responsibilities. Information Technology Committee Ensure that an appropriate Information Security Policy is developed and implemented. Review information regarding breaches of Information Security. Ensure that annual assessments of risks and threats are prepared, information systems are risk rated and that appropriate reviews are made of related risk management strategies and controls. Ensure that appropriate tests of information security systems are performed. Information Security Officer Ensure Information Security Policy is enforced. Work with senior management to review policy and procedures around Information Security annually to ensure current threats and responses are accurate and to identify any new threats to securing customer information. Report any breaches of Information Security to the Board of Directors and any applicable agencies. Develop annual assessments of information security risks and threats, risk rating information systems and review related risk management strategies and controls. Perform appropriate tests of information security systems. AVP Information Technology Responsible for ensuring that the network and network based / accessible systems are secured to protect customer information. Responsible for reporting any breaches of Information Security to the Information Security Officer. Information Security Administrator / IS Technician Primarily responsible for the execution of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports. Risk Management Team The Bank s Risk Management Committee is responsible for ensuring that an annual assessment of information security risks / threats is completed and that corresponding Administrative, Technical and Physical Security Controls are documented. Security Officer Responsible for the implementation of the Bank s Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and Page 15

18 accessibility of physical customer information and related information technology hardware (i.e. branch servers, etc.). Human Resources Responsible for providing appropriate information security orientation for new employees and ongoing information security training programs. Business Unit Managers (e.g., branch / department managers) Ensure employees are performing due diligence in protecting customer information. Provide input into Information Security Policy reviews / updates. Responsible for reporting any breaches of Information Security to the Information Security Officer. Bank Employees Ensure that customer information is protected on a day to day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and / or the Information Security Officer. Availability and Maintenance of the Information Security Policy The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank s Information Services resources should be familiar with relevant sections of the policy. Relevant sections of this Policy, such as those that apply to , Internet usage and End-User computing practices, will be available to all employees over the Bank s Intranet, along with relevant Human Resources policies. This Information Security Policy is a living document that will be revised as required to address changes in the Bank s technology, applications, procedures, legal and social imperatives, perceived dangers, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank s Board of Directors must subsequently ratify / approve all changes to the Information Security Policy. Strategic Systems Platforms Strategic systems are defined as those computer systems that are critical to the operation of Sample Bank. Such computer systems may be owned and operated by Sample Bank, or they may be owned and operated by another Bank with whom Sample Bank has established a business relationship. The following components comprise Sample Bank s strategic systems: Loan Accounting System Deposit Accounting System Customer Information File Hardware and Operating System Windows NT 2000 Active Directory Additional significant systems which will be covered in this Policy include: Internet Banking System and Bill Paying System Voice Response MCIF System Customer Profitability File Image System Optical Cold Storage System (e.g., Management Information and Reports) Page 16

19 Management of Strategic Systems Oversight and management of strategic information systems is primarily the responsibility of the Information Services Department. For in-house strategic systems, day-to-day operations and daily coordination of data input from strategic systems outside the institution are performed by the Information Services Department. The Information Services Department is also primarily responsible for the management of third-party technology service providers. Physical Security Sample Bank recognizes that its strategic systems require a higher degree of physical security than is provided for other business operations. The following standards of physical security must be maintained for all strategic systems: The premises must be physically secure and reasonably free from risk of damage by water, fire, vibration, dust, and environmental hazards. Air temperature and humidity must be controlled within acceptable operating limits. Sample Bank will maintain state-of-the-art cooling systems at this facility to ensure temperatures and humidity levels are adequately controlled in the Data Center. Backup electrical power, such as that from an uninterruptible power supply (UPS) or generator, that provides adequate protection from power surges and sags and for an orderly shutdown of affected systems after 15 minutes of total power loss, unless generator power can be applied. An emergency generator must be installed and maintained to supply power for longer term disruptions. Physical Access The primary location for the strategic systems of Sample Bank is at the Bank s Data Center in City, State. Access to this area is restricted to authorized personnel from the Information Services Department. Access by all other individuals, whether Sample Bank employees or not, must be granted by an authorized member of personnel, and must be properly logged. External doors to the designated area must remain locked. External windows must be secured so as not to allow unauthorized access. Access to this facility will be restricted to authorized personnel. File servers and other data communications equipment (e.g., hubs, routers, and patch panels) must also be located in secure areas. It is expected that strategic systems not under the direct control of Sample Bank, such as those operated by vendors of the financial institution, will adhere to similar standards as the financial institution. Relationships should not be established with vendors that do not adhere to such standards. Additionally, contracts with vendors should contain some language addressing physical access of the strategic systems located at their offices. Failure to adhere to such standards should be considered a breach of contract. User Access to Information Systems Access to strategic systems is granted under the following conditions: A System Access Authorization Form must be completed. See the sample form that follows. The form should specify the level of access required for the particular user. An appropriately authorized member of management must approve the System Access Authorization Form. The access level assigned to the user must be no higher than that specified by the System Access Authorization Form and in accordance with established user profiles. All user access will be initiated by appropriate network administration and security personnel in the Information Services Department. Page 17