Westborough Bank, MA. Citi Financial. J.P. Morgan Chase PowerPoint PPT Presentation

1
Directors College 2007
Protecting Your Customers' Privacy
A Director's Guide to GLBA
  • By David Abbott, FDIC IT Examiner

2
The Regulations
  • Gramm-Leach-Bliley Act - Section 501(b)

FINANCIAL INSTITUTIONS SAFEGUARDS. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
3
The Response
  • Interagency Guidelines Establishing Standards for
    Safeguarding Customer Information
  • FDIC - 12 CFR Parts 308 and 364
  • OCC - 12 CFR Part 30
  • FRB - 12 CFR Parts 208, 211, 225, and 263
  • OTS - 12 CFR Parts 568 and 570

4
Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards
  • Table of Contents
    I. Introduction
      A. Scope
      B. Preservation of Existing Authority
      C. Definitions
    II. Standards for Safeguarding Customer Information
      A. Information Security Program
      B. Objectives
    III. Development and Implementation of Customer Information Security Program
      A. Involve the Board of Directors
      B. Assess Risk
      C. Manage and Control Risk
      D. Oversee Service Provider Arrangements
      E. Adjust the Program
      F. Report to the Board
      G. Implement the Standards

5
Is It Working????
6
Breaches, Breaches and more Breaches
Over 100 Million Records Compromised
Your Company !?!?
Source - www.privacyrights.org
7
Public Bank Breaches
  • Bank of America
  • Wachovia
  • PNC
  • Westborough Bank, MA
  • Citi Financial
  • J.P. Morgan Chase Co.
  • North Fork Bank, NY
  • Firstrust Bank
  • La Salle Bank
  • People's Bank
  • Vystar Credit Union, FL
  • Nat'l Institutes of Health Federal Credit Union
  • U.S. Bank
  • Sovereign Bank
  • FirstBank
  • West Shore Bank, MI
  • Premier Bank, MO
  • Chase Bank

Source - www.privacyrights.org
8
Will you be on the list?
Would you know if your data was stolen?
9
Common GLBA Examination Findings
  • Findings
  • Partial inventories
  • Incomplete risk assessments
  • Weak Board reporting
  • Limited ongoing training
  • Lack of monitoring of suspicious activity for all
    customer information systems
  • Incomplete incident response plans
  • Weak oversight on service providers / vendors
  • Limited validation

10
Inventory
  • Identifying the data
  • Where is the data?
      Network, Servicer, Back-up, Physical
  • Who can access the data?
      Employees, Vendors, Consultants, Programmers
  • How can the data be accessed?
      Intranet, Internet, Database, Application

11
Risk Assessment
  • How is the data threatened?
      Internal and External, New and Old Threats
  • How is the data protected?
      Encryption, Access Control, Security Configurations
  • How is the data monitored?
      When, How Often, Independently
  • How is the data disposed of?
      Shredded, Electronically Destroyed
      FACTA (FIL-130-2004)

12
Risk Assessment Conclusions
  • Are you mitigating all threats?
  • Would breaches be caught?
  • Are changes detectable?
  • Are you doing enough?

13
Board Reporting
  • Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.

14
Training
  • Determine the frequency
  • Most companies perform annually
  • All new employees
  • One Size Doesn't Fit All
  • Combine with other training

15
Monitoring
  • Need to determine what needs monitoring
  • Alert triggers should be established
  • Should be done by independent person
  • Should be automated

16
Incident Response
  • Need a definitive program
  • Should address responses for any/all anticipated
    incidents
  • Should consider walk-throughs and/or preparatory
    activities

FIL-27-2005
17
Service Providers and Vendors
  • It is your responsibility to ensure that your
    Service Providers and Vendors adhere to GLBA
  • All GLBA procedures should be conducted for all
    Service Providers and Vendors that have access or
    can gain access to Non-Public Customer Data
  • Just having a Contract Clause is NOT enough

FIL-81-2000
18
Validation
  • Vital part
  • Needs to be done independently of the controls
  • Frequency and Scope should be determined by your
    Risk Assessment

19
References
  • Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards
    http://www.fdic.gov/regulations/laws/rules/2000-8660.html
  • FFIEC GLBA Online Resources
    http://www.ffiec.gov/exam/InfoBase/start.htm
  • Privacy Rights Clearinghouse
    http://www.privacyrights.org/
  • FFIEC Handbooks
    http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

20
Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards
http://www.fdic.gov/regulations/laws/rules/2000-8660.html
21
FFIEC GLBA Online Training
http://www.ffiec.gov/exam/InfoBase/start.htm
22
Privacy Rights Clearinghouse
http://www.privacyrights.org/
23
FFIEC Handbooks
http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
24
Contacts
  • Paul Nadeau - BOS FED
    Supervisory Examiner
    Federal Reserve Bank of Boston
    600 Atlantic Avenue - PO Box 2076
    Boston, Massachusetts 02106
    (617) 973-5976
  • Peter Carter - OCC
    Lead Technology Expert
    Office of the Comptroller of the Currency
    112 Madison Avenue - Suite 400
    New York, NY 10016
    (212) 779-4537
    peter.carter@occ.treas.gov
  • Robert Sargent - FDIC
    IT Specialist
    15 Braintree Hill Office Park
    Braintree, Massachusetts 02184
    (781) 794-5535
    rsargent@fdic.gov
  • Thomas J. Donahue - OTS
    IT Exam Manager
    10 Exchange Place - 18th Floor
    Jersey City, New Jersey 07302
    (201) 413-7510
    thomas.donahue@ots.treas.gov