Wipfli LLP - CPAs and Consultants
Safeguarding Customer Information through a Compliant Information Security Program

February 01, 2005

Note: This is the first article in a four-part series on protecting financial institution customer information.

Information is among a financial institution’s most significant assets. Securing customer information is essential to establishing and sustaining customer trust, and it allows the institution to run its operations and transactions efficiently. Customer information, and its protection, is therefore vital to every financial institution’s performance and survival.

The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to establish an information security program that ensures the security and confidentiality of customer information. Such a program must be comprehensive and should include standards covering the administrative, technical, and physical safeguards for all customer records and information.

Beyond developing a comprehensive program, many financial institutions are challenged to keep their information security programs ongoing. Financial institutions must continually assess their risks and be prepared to react to rapidly changing threats to the security or integrity of customer information. Every financial institution’s program objectives should therefore include protection against anticipated threats or hazards, as well as protection against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to customers.

In addition, an effective information security program continually integrates processes, third-party vendors, employees, and technology to identify, manage, and mitigate risk. Responsibility for information security lies with everyone in a financial institution: the board of directors, managers, and employees.

Building a comprehensive and reliable program

Regulatory requirements for developing an information security program are uncompromising. Your financial institution must not only create a comprehensive program appropriate to its size and the complexity of its activities, but also fully implement and maintain that program. Designating an information security officer is often an important step: the information security officer can manage and oversee the program’s development and be accountable for ongoing compliance efforts.

To build a reliable program, a financial institution must first identify and assess the risks that may threaten customer information. This requires an initial information technology examination and vulnerability test conducted by a third-party vendor, as well as an IT GLBA risk assessment (see diagram below). Internal audit and compliance should also be involved through an annual IT control review.

Once risks are identified, the program takes form in a written plan containing the policies and procedures used to manage and control those risks. The plan should address every information technology component, from PCs, networks, and laptops to Internet banking, data management, and vendor management (see diagram below).

The plan must then be implemented and thoroughly tested. Adjustments are made continuously to address changes in technology, in the sensitivity of customer information, and in internal or external threats to information security.

In addition, a financial institution’s board of directors is expected to approve the institution’s written information security program and to oversee efforts to develop, implement, and maintain an effective plan.

Recognizing the security challenge

Establishing information security standards and safeguards requires foresight: anticipating threats before they appear and examining every part of the operation for weaknesses. By taking a process-based approach and applying it to each information technology aspect of your institution’s operations, you can develop a complete information security program that recognizes and mitigates risk. It is a responsibility your customers are counting on.

Part two of this four-part series explores the process of examining a financial institution’s information technology and identifying vulnerabilities, the first step in safeguarding customer information. Part three covers the critical importance of an effective risk assessment. Part four details what is required to create an information security policy.