Financial institutions must comply with the "Guidelines Establishing Standards for Safeguarding Customer Information" (guidelines) as issued pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA). The guidelines were published in the Federal Register on February 1, 2001, and became effective on July 1, 2001. When financial institutions introduce e-banking or related support services, management must reassess the impact on customer information under the GLBA. The guidelines require financial institutions to:
The guidelines outline specific measures institutions should consider in implementing a security program. These measures include:
The guidelines also outline the responsibilities of management to oversee the protection of customer information including the security of customer information maintained or processed by service providers. Oversight of third-party service providers and vendors is discussed in this booklet under the headings "Board and Management Oversight" and "Managing Outsourcing Relationships." Additional information on the guidelines can be found in the IT Handbook's "Management Booklet." The IT Handbook's "Information Security Booklet" presents additional information on the risk assessment process and information processing controls.
The guidelines required by the GLBA apply to customer information stored in electronic form as well as paper-based records. Examination procedures specifically addressing compliance with the GLBA guidelines can be accessed through the agency websites listed in the reference section of this booklet. Although the guidelines supporting GLBA define customer as "a consumer who has a customer relationship with the institution," management should consider expanding the written information security program to cover the institution's own confidential records as well as confidential information about its commercial customers.