The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. The board should provide management with guidance and review the effectiveness of management's actions. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:
Information is one of a financial institution's most important assets. Management and the board of directors should protect information assets to establish and maintain trust between the financial institution and its customers. The unauthorized loss, destruction, or disclosure of confidential information can adversely affect a financial institution's earnings and capital.
The GLBA, section 501(b), requires management to develop and the board to approve an information security program to protect the security and confidentiality of customer information. The institution should protect customer information from any anticipated threats to its security or integrity. It should also protect customer information from unauthorized access or use that would result in substantial harm or inconvenience to any customer. GLBA also requires that the board oversee the development, implementation, and maintenance of the bank's security program and that it assign specific responsibility for its implementation. The board should also review an annual report, prepared by management, on the bank's actions toward GLBA compliance. The IT Handbook's "Information Security Booklet" has additional information on this topic.