Customer Information Security Guidelines. The four bank regulators issued a joint final rule establishing guidelines for the security and confidentiality of customer records and information, as required by the Gramm-Leach-Bliley Act. The final guidelines require banks to identify and assess risks to the security, confidentiality, or integrity of customer information, and to assess the adequacy of their information security systems and policies. Banks must also develop a comprehensive written information security program.
As urged by ICBA, the guidelines explicitly provide flexibility for a bank to develop a security program appropriate for its size and complexity as well as the nature and scope of its activities, in order to reflect variations in bank practices and operations.
The bank's board of directors must approve and oversee the information security program. In response to comments from ICBA, the agencies reduced the reporting requirements to boards of directors from "regular routine reports" to annual reports. However, more frequent reporting of material events or system modifications will be necessary. Also, in response to ICBA comments, the agencies will not require designation of a Corporate Information Security Officer with responsibility for the information security program.
Under the guidelines, banks must also appropriately train staff; regularly test key controls, systems, and procedures; and adjust their security program to account for changes in the information security environment.
Of particular importance for banks that outsource, the guidelines require banks to exercise appropriate due diligence in selecting and monitoring service providers. Banks should contractually require service providers to implement appropriate measures to meet the objectives of the guidelines. Where indicated by its risk assessment, the bank should monitor service providers to confirm that they have satisfied their obligations. The guidelines do not require on-site inspections of service providers.
The guidelines will be effective on July 1, 2001, the same date as the new privacy rule. However, existing service provider contracts and contracts entered into within 30 days of the publication of the final guidelines will be grandfathered until July 1, 2003.