INTERAGENCY REQUEST FOR COMMENT ON PROPOSED STANDARDS FOR CUSTOMER INFORMATION SECURITY.

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision jointly requested on June 21, 2000, comment on a proposed rule establishing standards for safeguarding confidential customer information. The proposed rule would implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Comments will be accepted until August 25, 2000.
The law requires the agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. These safeguards are intended to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer. The proposed rule would provide that financial institutions establish an information security program that would require them to (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. The proposed rule outlines specific factors that banks should consider in implementing a security program. Among other factors, banks should evaluate their controls on access to customer information and their policies for encrypting customer information while it is being transmitted or stored on networks to which unauthorized persons may have access. Financial institutions should test, on a regular basis, key controls, systems, and procedures to confirm that they meet the objectives of their security programs.
The proposed guidelines suggest that tests should be conducted by independent third parties or by staff independent of those who develop or maintain the security program. The agencies seek comment on the need for specific types of tests, such as penetration or intrusion detection tests. The proposed rule also outlines responsibilities of directors and management of financial institutions in overseeing the protection of customer information. An institution's board of directors should approve written information security policies and programs, and oversee management's efforts to develop, implement, and maintain an effective information security program. Management should evaluate the effect of changing business arrangements, such as mergers and joint ventures, document compliance with the security standards, and report to the board on the overall status of the program. The agencies seek comments on various aspects of the proposal, including its effect on community banks that operate with more limited resources and that may have a different risk profile than larger banks. Comments are also sought on whether the final standards should be guidelines or regulations.