Information Security Standards Flashcards
Who does the information security act cover?
- All depository institutions and their subsidiaries (except for brokers, dealers providing insurance, and investment companies)
- Customer information: non-public information about a bank customer (on paper or in electronic form)
- Consumer information: a consumer record maintained or possessed by, or on behalf of, the bank, in paper or electronic form
- Service providers that have access to consumer information
Some examples of consumer information include:
- Consumer reports
- Information a bank obtains from an affiliate
- Information about a person who applies for a loan but does not receive one
- Information about a person guaranteeing a loan
- Information from a consumer report a bank obtains about a prospective employee
What are the requirements of the Information Security Standards?
- Have a program that manages and controls the risks
An information security program should have what characteristics?
- Be comprehensive
- Have administrative, technical, and physical safeguards
- Be appropriate to the size of the bank
- Ensure the security and confidentiality of customer information
- Protect against unauthorized access
- Properly dispose of customer information
Managing and controlling risk under the program should consider:
- Review of access to physical locations
- Encryption of customer information
- Dual control
- Segregation of duties
- Employee background checks
- Flexibility to adjust the program
The Gramm-Leach-Bliley Act requires financial institutions to:
- Ensure the confidentiality of customer information
- Protect against anticipated threats
- Protect against unauthorized use of customer information
An OCC examination of an information security program may include:
- Board involvement
- Useful management and board reporting
- Evaluating the risk assessment program
- Determining whether staff are adequately trained
- Determining whether key controls are tested by an independent person
- Determining whether there is an effective process to adjust the program
Acme Bank is reviewing its security program for safeguarding customer information. All but one of the following functions should be included in its review.
A. The bank's Internet website
B. The bank's loan operations back office where loan files are kept
C. The bank's system for disposing of its trash
D. The bank's printed marketing and promotional materials
D. The bank's printed marketing and promotional materials
State National Bank's security officer is preparing for the bank's annual information security review. Which of the following steps is not required for this review?
A. An intrusion test of the bank's online banking system
B. An audit of the bank lobby during business hours to determine whether customer information is kept private
C. A review of all contracts with service providers that have access to bank customer information
D. A review of all outside windows to check for physical security
D. A review of all outside windows to check for physical security
Which of the following actions is not a requirement of the bank's directors in implementing an information security program?
A. Approve the information security program
B. Determine whether the information security officer is qualified
C. Physically audit the bank's online banking system
D. Review management reports on information security periodically
C. Physically audit the bank's online banking system
If the bank uses a service provider, what must the provider have in regard to these standards?
- Agreements with the bank that comply with these standards
What is the CIA triad?
- Confidentiality - prevent unauthorized use
- Integrity - prevent unauthorized modification
- Availability - prevent disruption of service
The board of directors must oversee the ____, ____, and ____ of an information security program.
- Development, implementation, and maintenance
Examples of items not considered consumer information are:
- Aggregate information derived from a group of consumer reports
- Blind data, such as payment history on accounts, that is not personally identifiable