Note: This is the fourth in a series of articles on protecting financial institution customer information. The first three articles, "Safeguarding Customer Information through Risk Assessment," "Safeguarding Customer Information through an Information Technology Examination and Vulnerability Testing," and "Safeguarding Customer Information through a Compliant Information Security Program," are available in the Financial Institutions industry archive.
Every financial institution must establish a security process to protect the confidentiality, integrity, and availability of its information systems and data.
To put the necessary safeguards in place, a financial institution must work through a rigorous process. It must identify risks, form a strategy to manage those risks, implement that strategy, test the implementation, and continually monitor the environment to control future threats.
This security journey culminates in one crucial final step: the development of an information security program. The program is central to fulfilling the core requirements of the Gramm-Leach-Bliley Act (GLBA), and thereby to implementing the entire scope of security efforts, internal controls, user awareness, and board of directors' oversight.
The program’s written guidelines form a detailed document defining all of an institution’s security policies and procedures and guiding management and the board of directors in implementing them. The program will also drive the financial institution’s audit function as it relates to the standards for safeguarding customer information.
Spelling out the information security program
An information security program outlines an institution’s expectations for creating, implementing, and maintaining its standards for protecting customer information. It must include administrative, technical, operational, and physical safeguards appropriate to the size and complexity of the institution, as well as the nature and scope of its activities.
The document further defines the financial institution's various control objectives. For instance, one objective might be to prevent employees from providing customer information to unauthorized individuals. The range of approaches taken to meet those objectives is then identified; in this case, the approach would involve the procedures for proper identity verification. Financial institutions should develop multiple layers of security controls, and each layer should be included in the information security program.
The guidelines also define the board of directors’ security oversight role and its continuing role in evaluating and monitoring the program’s overall status.
Awareness and accountability
Financial institution employees must know, understand, and be held accountable for meeting their security responsibilities. A written information security program further serves as a vital communication tool for employee education and user awareness.
Program guidelines clearly spell out the financial institution’s security directives. The program’s policies guide the decisions of administrators, managers, and employees by informing them of their responsibilities and specifying the procedures through which those responsibilities can be met. Additionally, the written program serves to integrate security controls throughout a financial institution and ensures that policies are consistently applied.
To ensure that an information security program is successful, it must be communicated in a clear, understandable manner to financial institution employees. Financial institution administrators should obtain verification that each employee has read and understands the procedures, and the administrators must also enforce the policies.
Prepared for protection
An information security program is a living document. The plan should be continually adjusted in response to technology changes, sensitivity of customer information, and internal or external threats to information security. In addition, it must be reviewed and approved by the board of directors annually or as adjustments to the program become necessary.
By implementing an ongoing security process and assigning clear and appropriate responsibilities to the board of directors, management, and employees, financial institutions will be well-prepared to protect their customers’ information.
