Information Security Guidelines for Banks
Sections of the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act of 2003 specify a set of security guidelines “relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information.” Helping financial institutions to comply with these guidelines is the goal of a new guide from the Federal Reserve and several thrift regulatory agencies.
The guide defines important terms used in the security guidelines and then outlines the steps companies should follow to develop and implement an information security program, such as conducting assessments of internal and external threats. It also provides methods of assessing policies and procedures.
Since the security guidelines require financial institutions to design an information security program to control the risks identified in the assessment, the guide next describes methods of designing adequate security controls. These include both physical security measures (such as shredding paper records as necessary) and IT security measures (for example, ensuring that deleted data cannot be recovered).
The guidance also covers training staff members and overseeing service providers, and it explains the responsibilities of a financial institution’s board of directors.