An information security policy is a set of rules that ensures data security by regulating domain and network usage. This policy should protect not only the organization's data but the customers’ data as well. In this article, we’ll outline critical elements that a community bank needs to consider when planning its information security policy.
1. Define Your Purpose
Thomas Carlyle once said, “The person without a purpose is like a ship without a rudder.” Identifying the purpose of any plan in your organization is always the best place to start. There are many reasons why a community bank would need an information security policy.
Perhaps bank leadership doesn’t want to find their bank in the next customer information breach story on the evening news. Maybe they see the importance of protecting the reputation of the company and the privacy of their customers. Specifying the purpose of your organization is the first step for your information security policy. This is paramount to making sure you are working in the right direction.
2. Determine the Scope
Information security policies for banks must include all the data, apps, systems, networks, customers, facilities, and infrastructure under your control. If you miss something, you could be opening your organization or your customers to security risk.
Here is a sample to get you started:
Data
- Customer Data: account information, personal information (name, SSN, DOB, etc.), transaction history, customer communication (emails, chat logs, call recordings)
- Employee Data: personal information (Name, SSN, DOB, etc.), employment records, payroll and benefits information, performance evaluations
- Financial Data: balance sheets, income statements, cash flow statements, tax records
- Regulatory and Compliance Data: audit reports, risk assessments, compliance documentation, incident reports
Apps and Systems
- Core banking system
- Customer relationship management (CRM) system
- Loan origination system
- Online and mobile banking apps
- Payment processing systems
- Security and surveillance systems
- Human resources management system
- Document management system
- Data analysis and reporting tools
- Other third-party applications and services
Networks
- Local area network (LAN)
- Wide area network (WAN)
- Wireless network (Wi-Fi)
- Remote access and virtual private network (VPN)
- Network segmentation and access control
Customers
- Retail customers
- Business customers
- High-net-worth individuals
- Third-party vendors and service providers
- Government entities and regulators
Facilities
- Branches
- ATMs
- Data centers
- Disaster recovery sites
- Remote offices
Infrastructure
- Servers
- Storage systems
- Workstations and laptops
- Mobile devices (tablets, smartphones)
- Security devices (Firewalls, intrusion detection/prevention systems)
- Backup and recovery systems
- Power and cooling systems
- Physical access control systems (doors, locks, badges, etc.)
- Environmental monitoring systems (smoke, water, temperature sensors)
3. Outline the Security Objectives for Your Institution
The objectives of your information security policy should be well-defined. Simplicity is key in defining the security policy. Simplicity will allow your objectives to be concise and understood by all involved. This is critical to ensuring everyone understands and upholds their responsibilities.
Some examples to include are:
- Protect Confidentiality: Ensure that sensitive information is only accessible to authorized personnel and not disclosed to unauthorized parties.
- Maintain Integrity: Guarantee the accuracy and reliability of data by preventing unauthorized editing, corruption, or destruction.
- Ensure Availability: Keep essential services, systems, and data accessible to authorized users when needed while minimizing downtime.
- Implement Access Control: Restrict access to systems, networks, and data based on roles, responsibilities, and the principle of least privilege.
- Promote Security Awareness: Train employees to recognize and respond to security threats, fostering a culture of security vigilance.
- Monitor and Respond to Threats: Implement proactive threat monitoring, incident response plans, and regular security assessments.
- Ensure Compliance: Adhere to relevant laws, regulations, and industry standards.
- Manage Third-Party Risks: Evaluate and mitigate risks associated with vendors, partners, and service providers.
- Develop Business Continuity and Disaster Recovery Plans: Establish plans to ensure the bank can recover and resume operations post-disaster.
- Continuously Improve Security: Regularly review and update security policies, procedures, and technologies to adapt to the evolving threat landscape.
4. Create an Authorization and Access Control Policy
Access control and authorization are where you define who has what level of access to which resources. This goes hand-in-hand with the rights, responsibilities, and duties of your personnel.
The policy needs to answer the who, how, why, and when of the access to your organization's resources. We suggest using your org chart or Entra ID (formerly known as Active Directory) to get started.
Ask yourself:
-
For what applications is MFA needed?
-
Who needs access to what devices, applications, and information?
-
Are you able to restrict access further within devices and applications?
-
Are you able to track what is accessed, when, and by who?
5. Create Data Classifications and Security Levels
Your data must be classified and prioritized to ensure that only those who are supposed to access and use the data can do so. You may have data that is considered high-risk or protected under federal legislation.
You will also have confidential data, such as customer information. Then there is public information that is free to be distributed to anyone. Data classification is key to protecting the most important and potentially sensitive information within your organization.
6. Communicate Personnel Rights, Responsibilities, and Duties
Finally, your institution needs to specify all rights, responsibilities, and duties of your personnel. This information must be specific, documented, and communicated to your personnel.
Questions that should be answered are:
- Who makes the decisions, and who makes the actual changes?
- What's the process for when someone leaves the company, and who's in charge of that process?
- Is there training available to make sure everyone knows their responsibilities and duties?
Shoring Up Your Community Bank’s Information Security Policy
Is your information security policy ready and robust enough for your community bank? Does your IT staff have the knowledge and expertise to handle this kind of security policy? Or can you see yourself working with a partner who knows your industry and all of the ins and outs of cybersecurity in banking?
Ascend Can Help
Ascend is a Chicago-based managed service provider with experts in all aspects of IT technology and how it relates to your community bank. We continue to navigate the changes brought on by industry and market conditions, as well as customer preferences.
We hold a robust and proven bank risk assessment methodology and can help you create a bank information security policy that improves your institution’s cybersecurity and makes sense for your business. Reach out to talk to an expert!
To continue strengthening your community bank’s security, check out our Comprehensive Guide to Incident Response.
