Jackie Marshall, VP, I.T. Regulatory Compliance
It’s mid-2006 and your institution’s Information Security Officer (ISO) finally feels confident about the status of the Information Security Program. The implemented program is based on risk, appropriate security controls have been assigned, employees have been trained to protect private customer information and the Bank President follows the clean desk policy (at least most of the time).
But it’s not time to relax yet. One of the most important (and most commonly overlooked) components of a GLBA-compliant Information Security Program is the set of procedures for responding to a security breach. The question is not so much “if” your institution will face a security incident, but “when.” Even the strongest controls will not mitigate 100% of the risk to the security and confidentiality of customer information.
Implementation of an appropriate security incident response plan is the new “hot button” for federal regulators. Recent regulatory guidance requires financial institutions not only to fix the problem but also to investigate the causes, determine the impact and, in some cases, notify third parties of the results of these investigations. The scope of expectation is similar to planning for disaster recovery and business contingency. Examiners will be looking to see that your plan includes specific, scenario-based incidents with well-thought-out steps for security incident investigation. Incident response plans are not only about I.T.-related incidents; your institution must be prepared to respond to incidents that involve private customer information in any form. Examples include improper disposal of records containing an individual’s personal information and a social engineering attempt against your staff.
Gladiator Technology Services, Inc. has recently enhanced the Information Security Program with a new version of the Incident Response Procedures. These procedures include detailed steps for recognizing and identifying an incident, notifying the appropriate personnel, containing and eradicating it, applying preventive measures and, depending on the incident, providing notice to customers and regulators. Several forms are included in the Incident Response Procedures to assist in documenting and supporting the detailed response process.
For more information, contact Jackie Marshall (Jackie@gladtech.net) or Erin Willis (email@example.com) in our Regulatory Compliance Department.