Information Risk Management for Banks
Banks must ensure that security measures are sufficient to reduce risks and vulnerabilities for data repositories to a reasonable and appropriate level. In order to accomplish this, the following measures are common and customary:
a) Implement security measures for each data repository sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The level, complexity and cost of such security measures must be commensurate with the risk classification of each data repository. Every bank must meet the following minimum guidelines in implementing security measures:
- Low risk data repositories may be appropriately safeguarded by normal best-practice security measures already in place, such as user accounts, passwords and perimeter firewalls
- Medium to High risk data repositories must be highly secured in accordance with least privilege and multi-layered security
b) Changes or alterations to security measures must be documented and audited
c) Reassess the potential risks and vulnerabilities of each data repository as part of a periodic review, and update the security measures for that data repository to reflect any changes in the risk and vulnerability assessment.
d) Upon completion of a security audit, corrective actions are determined as necessary
e) Networks, systems, and applications that may send, receive, store, or access customer or protected data must also comply with the Information Security Policies
f) The security measures implemented for each data repository within the bank must be documented and submitted to the Information Security Office or its designee for approval.