Community Bank Auditors Group: Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy, by Scott Baranowski




Community Bank Auditors Group
Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy
June 10, 2015
by: Scott Baranowski, 2015 Wolf & Company, P.C.
Member of PKF North America, an association of legally independent firms

How Do You Handle All of Your Paper?

Recent Data Breaches
- A Bank employee stole records that included credit card numbers, bank account information, and other personal data of up to 8.5 million customers.
- A Bank improperly disposed of records containing confidential customer information, affecting over 500 customers.
- An employee had sensitive loan application documents stolen from their car.
- Over a period of four months, a man searched through dumpsters outside of a Bank. He pulled out bags of paperwork with private information, including customers' Social Security numbers and account information.
- An employee lost a backpack that included names, Social Security numbers and birthdates.
- Three former Bank employees were accused of accessing and exporting customers' mortgage data and providing it to a competitor.
- A Bank discovered that a former contractor kept proprietary bank information in his possession after leaving the company.

Ask Yourself
- What type of records do we have? What forms are maintained?
- What is our retention schedule? Is it accurate?
- Do we have a policy and procedure? Are they current?
- Does our records management program conflict with our information security program?

Goals of Records Management Program
- Control and coordinate all phases of record retention and destruction: What? Where? How long? By whom? What methods?
- Maintain active, inactive, and archival records.
- Ensure accessibility and security of information and records.
- Provide and maintain policies and procedures in accordance with laws, regulations, and organizational needs.

Today's Agenda
- Importance of a Successful, Enforceable Records Retention Program
- Where to Begin and What to Include
- Ensuring Compliance with GLBA and Privacy Requirements
- Auditing Your Records Management Program

Importance of an Effective Records Retention Program: The 3 Primary Reasons
- Accounting of Business Activities
- Eliminates Employee Uncertainty
- Regulatory Compliance

Accounting of Business Activities
- Financial records require proper supporting documentation: G/L tickets, checks, etc.
- Legal support of transactions is required: loan notes, collateral documents, etc.
- Support customer transactions.
- Document business processes and controls.

Eliminates Employee Uncertainty
- Is there a record retention policy to be followed?
- What are employees supposed to retain and destroy?
- Who is responsible for destroying records?
- How are records destroyed?

Regulatory Compliance: Gramm-Leach-Bliley Act (1999)
- Requires financial institutions to ensure the security and confidentiality of the Non-public Personal Information (NPPI) of customers.
- Financial institutions include banks, credit unions, insurance companies, mortgage lenders, etc.
- Has an indirect impact on the following service providers: core, item, RDC, e-banking, bill payment, etc.; backup and disaster recovery service providers; cloud providers; record storage and disposal services.
- Implemented by the Federal Trade Commission (FTC) by issuing two rules: the Privacy Rule and the Safeguards Rule.

Safeguards Rule
- Applies to information about anyone who is considered a customer of a financial institution.
- Customer information is any record containing NPPI about a customer that is handled or maintained by or on behalf of the financial institution (e.g. Social Security numbers, bank account numbers, etc.).
- Only applies to information about a consumer who is a customer of the financial institution. This includes active, inactive, and denied customers.

Safeguards Rule
Financial institutions are required to develop an Information Security Program (ISP) that includes the 5 required components:
- Designate a program coordinator;
- Conduct a risk assessment;
- Ensure that safeguards are employed to control identified risks and threats;
- Oversee selection and retention of service providers who handle or maintain customer NPPI; and
- Evaluate and adjust the program as needed.

Safeguards Rule 501(b)
Requires agencies to establish standards for administrative, technical, and physical safeguards to:
- Protect against any anticipated threats or hazards to the security or integrity of such records;
- Ensure the security and confidentiality of customer records and information; and
- Protect against any unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Safeguards
- Administrative: policies; procedures; audit; training.
- Technical: firewall/IPS; access controls; tokens; anti-virus and anti-spam; logging.
- Physical: surveillance equipment; security alarms; locking rooms/cabinets; clean screen; clean desk; shredding documents.

Example Records Retention Schedule (schedule slides not transcribed). See http://goo.gl/rploev for more information.

NYS Retention Requirements
- Banks must preserve mortgage-related books and records for inspection for a minimum of three years. They must establish and maintain a centralized daily application log for all mortgage applications (http://www.dfs.ny.gov/legal/regulations/adoptions/banking/410amd1.htm).
- Authorized insurers in New York State are required to retain records of each insurance contract or policy for the longer of: six calendar years; or the period ending after the filing of the report of examination in which the record was subject to review.
- Hard copies of cancelled checks must be maintained for ninety (90) days; after that, an electronic copy can be archived for seven years.

Regulatory Compliance
- In 1999, New York State passed the Electronic Signatures and Records Act (ESRA). ESRA established that electronic signatures can be legally binding and allowed the creation and storage of electronic records.
- Uniform Electronic Transactions Act (1999): electronic records vs. paper records. Adopted by 47 states, the District of Columbia and the U.S. Virgin Islands; the holdouts are Illinois, New York and Washington.

Regulatory Compliance
Government organizations that require the retention of documents:
- Internal Revenue Service
- Federal Deposit Insurance Corporation
- Housing and Urban Development
- Small Business Administration
- Department of Labor
- Commodity and Securities
- Money and Finance
- Bureau of Indian Affairs
- Department of Education
- Department of Veterans Affairs
- Public Contracts - Dept. of Labor
- State Banking Agencies
- Equal Employment Opportunity Commission
- United States Code
- Office of the Comptroller of the Currency
- Federal Reserve Board

Where to Begin and What to Include
- Start with an assessment of the current retention program
- Evaluate the options available
- Threats to information security and their prevention

Start with Assessment
- Is there a program? A retention schedule?
- Who, if anyone, is currently responsible, and in what areas?
- What are we storing, how and where, and what does it cost?
- What is required legally?
- What is required to support business functionality and customer service?
- What are we destroying? How? What does it cost?
- Are business needs being met?
- What are the alternatives and related savings? What are the intangible improvements?
- Are proper safeguards in place?

How Do I Get the Effort Organized?
- Build consensus through involvement.
- Choose a Records Management Committee of no more than 6-7 members.
- Business involvement is needed. Consider key operations personnel throughout the Bank: IT, Loan Operations, Branch Operations, Trust Operations, Deposit Operations.
- Consider others: Compliance, Audit, Legal.

Conducting a Records Inventory
- Physically inspect all of the paper files and record the essential information about them.
- Identify duplicate, fragmented, and related records.
- Match the records to the records schedules.
- Evaluate the existing records (documentation) against your documentation strategy and information needs.

Perform a Risk Assessment
- A risk assessment should be performed to evaluate the Bank's current Records Retention Program as well as alternatives.
- Identify foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
- At a minimum, consider these relevant areas of operation: employee training and management; record management, including storage, access, and disposal; information systems, including network and software design, information processing, storage, transmission and disposal; and detecting, preventing and responding to attacks, intrusions, or other system failures.

Customer Information Risk Assessment (sample; each question is paired with a control name and a control description)

Management
  1. Are there policies that address document handling procedures based on a data classification scheme?
     Control: Data Classification Policy
     Description: Policy which governs the requirements for proper record retention, such as storage inventory, retention timeframe, and destruction schedule.

Access
  1. Does the Organization maintain privacy agreements with third parties that handle the Organization's information?
     Control: Vendor Security and Confidentiality
     Description: All Wolf third party contracts include a confidentiality clause, and contracts are maintained by the Manager - Administration.
  2. Are credit and criminal checks performed on employees with access to confidential information?
     Control: Employee CORI Verification
     Description: HR performs and maintains background verification for new employees. Any concerns are appropriately reviewed by designated management for required action.

Transfer and Disclosure
  1. Does the organization require confidentiality agreements and provide appropriate disclosures?
     Control: Confidentiality Agreement and Disclosure Procedure
     Description: All Wolf third party contracts include a confidentiality clause, and contracts are maintained by the Manager - Administration.
  2. Does the organization use industry standard encryption technology when transmitting sensitive data electronically?
     Control: Encryption Standards and Controls
     Description: Email transmissions can be secured and encrypted by the employee adding the term "secure" within the email subject line.

Collection
  1. Is there a retention schedule in place?
     Control: Record Retention Policy
     Description: Policy which governs the requirements for proper record retention, such as storage inventory, retention timeframe, and destruction schedule.
  2. Is there an off-site location to store long-term documents?
     Control: Offsite Records Storage Facility
     Description: Wolf uses Iron Mountain as an offsite managed facility where they can store or archive paper or electronic records.
  3. Do procedures exist for employees to report breaches in information security?
     Control: Incident Response Plan
     Description: Wolf's Information Security Policy includes an Incident Response Plan which details that, on identifying a security incident, employees must complete an Incident Response Form and submit it to the I.S. Department.

Use and Retention
  1. Are privacy policies and procedures, and changes thereto, reviewed and approved by management?
     Control: Policy and Procedure Review Process
     Description: Policies are reviewed annually by the Technology Committee and approved by the Board of Directors.
  2. Is notice provided to the individual about the organization's privacy policies and procedures?
     Control: Annual Privacy Notice
     Description: All Wolf client engagement letters include the Firm's confidentiality agreement and wording.
  3. Does management confirm that third parties from whom personal information is collected are reliable sources that collect information fairly and lawfully?
     Control: Vendor Identification Procedures
     Description: Verification that vendors used for confidential data collection purposes are a reliable and valid source of information and that data has been collected and handled lawfully.

Disposal and Destruction
  1. Does the organization have a policy or procedure for disposing of documents containing confidential information?
     Control: Document Destruction Policy
     Description: Wolf's Information Security Policy includes sections on Data Classification and Retention, and File Security and Disposal.
  2. Does the organization provide locked shredding bins or shredding machines to dispose of paper documents and electronic media containing customer information?
     Control: Document Disposal Resources
     Description: Locked shredding bins are provided throughout the Boston and Springfield offices. Electronic media is destroyed by the IS Department.
  3. Is there a control in place to prevent the shredding bins from ever being outside the control of the organization (i.e. left outside during non-business hours)?
     Control: Shredding Procedure
     Description: Locked shredding bins are collected from within the offices by Iron Mountain, and documents are shredded on Iron Mountain trucks, with the bins being returned to the offices.

Ensure That Audit Is Involved in the Discussion
- Onsite versus offsite record storage: not just costs, but also the impact on business.
- Evaluate service providers and ensure they are capable of safeguarding the customer data they handle or maintain.
- Electronic storage versus hard copy: again, not just cost, but research efficiency and backup.
- If selecting vendors/systems, remember that regulators require a method to be followed, and it's good business practice.

Backups
- What information requires a backup?
- Ensure that backups are stored separately from original documents (disaster recovery; prevent mixing of backups and originals).
- Consider organizing backups by retention requirement date, to prevent accidental destruction of backups with varying retention requirement dates.
- Can't store everything!

If It Can Be Destroyed, Destroy It
- Designate a trained staff member for destruction.
- Try to eliminate duplicates of duplicates.
- Ensure the record retention schedule is followed prior to destruction!
- Can't store everything.
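The NYS retention requirements slide and the destruction slide above describe a control that is easy to state and easy to get wrong in practice: nothing in a destruction batch may go to the shredder until the schedule says its retention period has ended, and a legal hold overrides the schedule. The following is an added example, not code from the presentation or from Wolf & Company, showing how a records team could screen a proposed destruction batch against the three New York retention rules the deck cites (mortgage records three years; insurance records the longer of six years or the filing of the examination report; cancelled-check hard copies 90 days, then an electronic copy for seven years). The record identifiers, dates and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class RecordItem:
    """One record proposed for destruction (constructed schema for this example)."""
    record_id: str
    record_type: str                   # "mortgage", "insurance_policy" or "cancelled_check"
    created: date                      # application/closing date, policy date or check paid date
    media: str = "paper"               # "paper" or "electronic"
    exam_report_filed: Optional[date] = None  # insurance: filing date of the exam report that reviewed it
    electronic_copy_archived: bool = False    # cancelled checks: an electronic copy exists
    legal_hold: bool = False           # a hold always overrides the schedule


def add_years(d: date, years: int) -> date:
    """Calendar-year offset; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def earliest_destruction_date(item: RecordItem) -> Optional[date]:
    """First date the schedule allows destruction, or None when it cannot be determined yet."""
    if item.record_type == "mortgage":
        # Mortgage-related books and records: minimum three years.
        return add_years(item.created, 3)
    if item.record_type == "insurance_policy":
        # Longer of six calendar years or the filing of the examination report.
        # Until the report is filed the end date is unknown, so the record is held.
        if item.exam_report_filed is None:
            return None
        return max(add_years(item.created, 6), item.exam_report_filed)
    if item.record_type == "cancelled_check":
        if item.media == "paper":
            # Hard copy kept 90 days; it may only be released once an electronic copy is archived.
            if not item.electronic_copy_archived:
                return None
            return item.created + timedelta(days=90)
        # The electronic copy is archived for seven years.
        return add_years(item.created, 7)
    raise ValueError(f"no retention rule for record type {item.record_type!r}")


def may_destroy(item: RecordItem, as_of: date) -> Tuple[bool, str]:
    """Decide whether `item` may be destroyed on `as_of`; returns (allowed, reason)."""
    if item.legal_hold:
        return False, "legal hold in effect"
    eligible = earliest_destruction_date(item)
    if eligible is None:
        return False, "retention end date not yet determinable"
    if as_of < eligible:
        return False, f"retain until {eligible.isoformat()}"
    return True, f"eligible since {eligible.isoformat()}"


def screen_destruction_batch(items: List[RecordItem], as_of: date) -> Dict[str, str]:
    """Return {record_id: reason} for every item that must be pulled from the batch."""
    blocked: Dict[str, str] = {}
    for item in items:
        allowed, reason = may_destroy(item, as_of)
        if not allowed:
            blocked[item.record_id] = reason
    return blocked


# Constructed sample batch proposed for destruction on the presentation date.
AS_OF = date(2015, 6, 10)
SAMPLE_BATCH = [
    RecordItem("M-001", "mortgage", date(2011, 6, 1)),
    RecordItem("M-002", "mortgage", date(2013, 1, 15)),
    RecordItem("M-003", "mortgage", date(2010, 1, 1), legal_hold=True),
    RecordItem("I-001", "insurance_policy", date(2008, 3, 1), exam_report_filed=date(2015, 2, 1)),
    RecordItem("I-002", "insurance_policy", date(2005, 1, 1)),
    RecordItem("C-001", "cancelled_check", date(2015, 2, 1), electronic_copy_archived=True),
    RecordItem("C-002", "cancelled_check", date(2009, 1, 1), media="electronic"),
    RecordItem("C-003", "cancelled_check", date(2014, 1, 1)),
]

if __name__ == "__main__":
    for rid, reason in sorted(screen_destruction_batch(SAMPLE_BATCH, AS_OF).items()):
        print(f"{rid}: pull back ({reason})")
```

The point of returning a reason with every blocked record is that the destruction log then documents why each item was held, which is the evidence an auditor asks for when verifying that the schedule was followed prior to destruction. Records whose end date cannot yet be computed (an insurance file whose examination report has not been filed, a paper check with no archived electronic copy) are treated as held rather than as eligible, so an incomplete data field fails safe.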

In-house or Third Party
- Determine what can be stored on site vs. off site. How will it affect daily business functions?
- Review the access controls for on-site storage of paper documents. Is access to on-site storage limited to employees with a business need?
- Perform due diligence over third party service providers. Regulators look for an established vendor approval method that is followed.

What About Security of Information and Records?

Internal Threats to Information Security
- Sloppiness and poor practice: poor destruction practices; documents containing NPPI left in exposed areas; poor data maintenance, input, and quality assurance.
- Loss and destruction of data: disasters; corruption; lack of change controls.
- Unauthorized use or access by employees.

External Threats to Information Security
- Theft: dumpster diving; vendors; break-ins.
- Phishing and pharming: bogus e-mails requesting confidential data; malicious software redirecting users to fake websites to collect confidential data.

With All This Paper, How Can I Ensure It's Safe?

Safeguarding Against Threats
A successful Records Retention Program should incorporate the following GLBA safeguards to protect against information security threats:
- Administrative
- Physical
- Technical

Administrative Safeguards
Administrative safeguards are generally within the direct control of a department and may include:
- Checking references on potential employees and vendors.
- Training employees on the basic steps they must take to protect customer NPPI.
- Limiting access to customer NPPI to employees who have a business need to see it.
- Reducing exposure to the Safeguards Rule by requesting customer information only when it is required to conduct departmental activities.
- Ensuring that employees are knowledgeable about applicable policies and expectations.

Physical Safeguards
Physical safeguards are also generally within a department's control and may include:
- Locking rooms and file cabinets where customer information is kept.
- Using strong passwords, changing passwords periodically, and not sharing or writing them down.
- Encrypting sensitive customer information transmitted electronically.
- Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.
- Ensuring that storage areas are protected against destruction or potential damage from physical hazards.
- Storing records in a secure area and limiting access to authorized employees only.
- Disposing of customer information appropriately: designate a trained staff member to supervise the disposal of records (i.e. shredding); erase all data when disposing of computers, diskettes, hard drives, etc. that contain customer information; promptly dispose of outdated customer information within record retention policies.

Technical Safeguards
- Technical safeguards are generally the responsibility of the IT Department.
- Department staff should be knowledgeable about how their electronic customer information is safeguarded.
- Departments are responsible for alerting IT to the existence of customer information on networks.

Technical Safeguards
Technical safeguards include:
- Storing electronic customer information on a secure server.
- Avoiding storage of customer information on machines with an Internet connection.
- Using anti-virus software that updates automatically.
- Obtaining and installing patches that resolve software vulnerabilities.
- Following written contingency plans to address breaches of safeguards.
- Maintaining up-to-date firewalls, particularly if the financial institution allows staff to connect via VPN.

Auditing Your Records Management Program to Ensure Compliance

Ensuring Compliance
Successful auditing of your Records Retention Program should examine the following three levels:
- Employee Compliance
- Business Compliance
- Vendor Compliance

Employee Compliance
- Conduct after-hours walkthroughs and ensure Clean Desk policies are being followed.
- Verify that the current employee training program is consistent with GLBA requirements.
- Provide employees with a training acknowledgement form after completion of the GLBA training program.
- Periodically review the Training Completion Tracking report to identify any employees that have fallen behind.
- Test employees' knowledge through social engineering attempts and quizzes.

Social Engineering Examples (example slides not transcribed)

Social Engineering Prevention (slide not transcribed)

Employee Knowledge Quiz (slide not transcribed)

Business Compliance
- Ensure that required policies and the Information Security Program are up to date and approved annually by the Board of Directors.
- Review employee access controls, physical and electronic, to ensure rights are limited to business needs.
- Audit a sample of user access modifications to verify the change was properly supported.
- Verify that any dual control and segregation of duties procedures are being followed: document destruction; moving documents to offsite storage.
- Review response measures taken to security incidents.
- Verify that Senior Management is monitoring departmental reports as required: employee training; record retention schedule.

Vendor Compliance
- Periodic monitoring of vendor practices.
- Review of vendor contracts to ensure the language provides protection for customers and the financial institution: incident response plan; abidance with regulatory standards; disposal of customer NPPI; reasonable measures taken to protect data; vendor's policy on use/monitoring of subcontractors.

Common Findings
- Vulnerable customer NPPI discovered during walkthroughs.
- Not all employees have completed privacy training.
- Contracts with third party service providers are unsigned, or do not include adequate privacy language.
- Risk assessments over customer information and vendors are incomplete or contain inaccurate risk ratings.

Questions?

Thank You
Scott Baranowski, CIA
Director, Internal Audit Services
617-428-5413
sbaranowski@wolfandco.com