Annual GLBA Board Reporting Requirements
3/31/2011
Banks are required to present an Annual GLBA Report to the Board of Directors; however, management may still not understand what should be included in the report. To clarify this, this article outlines what examiners are looking for when evaluating compliance with GLBA Title V. The following are eight areas that should be included in your report:
- Overall GLBA Program Status – In this section of the report, the Data or Information Security Officer outlines the program’s successes, failures and overall approach toward maintaining compliance with GLBA.
- Material Risk Issues – Ensure that you address changes to the bank’s IT / GLBA Risk Matrix. Banks use this portion of the report to address changes to their core provider or to their Internet Service Provider (ISP). The board should be made aware of these material issues.
- Risk Assessment – This section outlines the bank’s overall approach toward performing and updating its internal IT Risk Assessment. This may include a summary of how the risk assessment was performed, evaluated and calculated.
- Risk Management and Control Decisions – On an annual basis, risk profiles will change. A number of banks use this section to address how residual risk or mitigating controls have changed during the past year.
- Service Provider Oversight – This section outlines how banks have incorporated service provider oversight into their GLBA Program. This may include updating the board as to how vendor relationships and contractual obligations have changed or been addressed.
- Results of Testing – This section summarizes the results of your penetration testing, internal vulnerability testing, social engineering testing, GLBA and safeguarding-customer-information testing, and internal testing oversight.
- Security Breaches or Lack of Breaches – This section outlines virus outbreaks, malware issues and GLBA violations. If there is nothing to report, indicate that no items were escalated to this level.
- Program Changes – This section outlines changes to the GLBA Program. This may include staff training updates, project status updates, policy changes, compliance requirement changes, implementation of changes and GLBA (core) red-flags that were discovered.
During your next IT exam, insist that these controls are included in the scope of the assessment, and be sure to include these items in your annual report to the board.