Sample Information Security Policies
May 31, 2011

13740 Research Blvd
Suite 2, Building T
Austin, TX 78750
512.351.3700
www.AboundResources.com

Boston  Austin  Atlanta

Sample Policies and Forms for Information Security – GLBA 501B November 2006

Sample Information Security Policies, 11/15/2012

Table of Contents

Information Security Policy Statement for Sample Bank (page 1)

Information Security Program for Sample Bank (page 10)

Incident Response Policy for Sample Bank (page 25)

Change Management Policy for Sample Bank (page 28)

E-mail Policy for Sample Bank (page 32)

Internet Use Policy for Sample Bank (page 41)

Remote Access Policy (page 51)

Patch Management Policy for Sample Bank (page 54)

Record Retention and Destruction Policy for Sample Bank (page 55)

Regulatory Compliance Checklist (page 57)

Technology Asset Disposal Policy for Sample Bank (page 63)

Vendor Relationship Management Policy for Sample Bank (page 66)

Annual Review of Vendors and Service Providers Policy for Sample Bank (page 78)

Sample Bank Security Committee Charter (page 79)

Incident Response Checklist (page 82)

Information Security Incident Report (page 84)

Sample Information Security Policies

Page 1

©2012 Abound Resources, Inc.

Information Security Policy Statement for Sample Bank

Introduction

Like all financial institutions, Sample Bank (“Sample Bank” or the “Bank”) is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks.

The passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (“GLBA”) intensified regulatory attention on technology risk management and information security. The Act required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While all parts of the financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

To comply with regulatory guidelines, a financial institution’s information security program should be designed to:

Ensure the security and confidentiality of customer information

Protect against any anticipated threats or hazards to the security or integrity of such information

Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must:

Approve the financial institution’s written information security program

Oversee the development, implementation, and maintenance of the financial institution’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

With regard to assessing and understanding risk, each financial institution must:

Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems

Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information

Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution’s activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly:

Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means

Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities to permit access only to authorized individuals

Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access

Procedures designed to ensure that modifications (“patch management”) to the customer information system are consistent with and do not diminish the effectiveness of the financial institution’s information security program

Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information

Monitoring systems (24 / 7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems

Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies

Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

In addition to developing an information security program, the financial institution must train staff to implement the bank’s information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution’s risk assessment. Tests should be conducted or results reviewed by independent third parties or staff independent of those who develop or maintain the security programs.

Sample Bank’s Information Security Requirements

The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank’s customer information systems.

Further, the Board of Directors and management of Sample Bank recognize that in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified.

To ensure that information security risks are understood, and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy.

Sample Bank is committed to implementing and maintaining an effective information security program, in compliance with the requirements of Section 501(b) of the 1999 Gramm-Leach-Bliley Act, Protection of Nonpublic Personal Information, and the Guidelines Establishing Standards for Safeguarding Customer Information. Sample Bank is committed to safe and sound banking and operating practices, to properly safeguarding both customer information and proprietary bank information, and to preventing unauthorized or inadvertent access to or disclosure of such information.

Purposes and Objectives of Policy

The primary purposes of Sample Bank’s Information Security Policy are to ensure that the Bank, the Board of Directors and Management:

Understand the risks and threats to which information systems are exposed,

Evaluate the potential exposures to such risks / threats

Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and

Test the efficacy of information security systems and controls

Specific objectives of this Policy are to:

Ensure the accuracy, integrity, security and confidentiality of customer information received, processed and maintained by the Bank.

Ensure that such information, and proprietary Bank information, is adequately protected against anticipated threats or hazards to its security or integrity.

Protect against unauthorized access to or use of customer and proprietary bank information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank.

Provide for the timely and comprehensive identification and assessment of vulnerabilities and risks that may threaten the security or integrity of customer and proprietary bank information.

Document Policy standards for managing and controlling identified risks.

Provide standards for testing the Policy and adjust on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security.

Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures.

Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information.

Ensure protection of the hardware and software components that comprise the Bank’s Information Systems.

Protect against the use of the Bank’s assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Company’s reputation or a violation of the law.

In connection with this general Information Security Policy, Sample Bank has also adopted the following specific policies:

Internet Usage

Network (i.e., LAN) Configuration Security

Intrusion Detection and Response

Telecommuting (Laptops) Security

Logical and Administrative Access Control

Logging and Data Collection

Password Security

Malicious Code Protection

Data Back-up and Archival Storage

Record Retention and Destruction

Hardware and Software Acquisition, Copyright and Licensing

Technology Asset Disposal

Change Management

Patch Management

Physical Security

Business Continuity Planning

Training

The Information Security Officer will ensure that all employees of Sample Bank, its Board members and management, receive training in the regulatory guidelines and laws governing customer information security and the Bank’s information security procedures, as appropriate to their position at the Bank and job responsibilities.

The Information Security Officer will ensure that the training systems are in place to address (i) initial training for new or transferred personnel, (ii) continuing review sessions for existing personnel and (iii) updated sessions for all affected personnel when any significant revisions are made to the Information Security Program.

Risk Assessment and Management

Sample Bank will implement a comprehensive risk assessment process, including classification, or ranking, of information systems, both electronic and non-electronic, based on the following criteria:

Nature and sensitivity of information contained in the system, whether non-public customer or proprietary bank information

Quantity or volume of such information contained in the system

Impact of the loss of integrity of such information

Impact of the loss of confidentiality of such information

Impact of the loss of accessibility of such information

The risk assessment process will consider for each appropriate information system, the likelihood of occurrence of certain threats and the potential exposure to such threats, and document the existence of administrative, technical and physical security controls implemented by the Bank to mitigate the occurrence and/or potential severity of risks and exposures.

The data classification and risk assessment will be updated at least annually and the results of the assessment used in an evaluation of the adequacy of the Bank’s information security policies and programs. Results of the data classification and risk assessment will be reviewed with senior management, the Audit Committee and the Board of Directors.

Vendor Management

Sample Bank acquires services from third-party suppliers, service providers, software vendors, and / or consultants (the “Vendor” or “Vendors”), including customer information and transaction processing services. Use of these services involves risks similar to those that arise when these functions are performed internally by Bank personnel. These include such risks as threats to the availability of systems used to support customer transactions, to the accuracy, integrity and security of customers’ non-public, personal financial information, or to compliance with banking regulations.

Under contract arrangements, however, the risk management measures commonly used by financial institutions to address these risks are generally under the control of the Vendor, rather than the financial institution. The financial institution nevertheless continues to bear certain associated risks of financial loss, reputation damage, or other adverse consequences from actions of the Vendor or the failure of the Vendor to adequately manage risk. Consequently, it is incumbent upon Sample Bank to: (1) expand its analysis of the ability of Vendors to fulfill their contractual obligations and (2) prepare formal analyses of risks associated with obtaining services from, or outsourcing processing to, Vendors. The following areas will be included in this process:

Selection of Vendor - In addition to other requirements included in Sample Bank’s Purchasing Policy in selecting a Vendor of critical services, the Bank will prepare a risk assessment and perform appropriate due diligence to satisfy itself regarding the Vendor’s competence and stability, both financially and operationally, to provide the expected services and meet any related commitments. Financial statements, preferably audited statements, will be obtained and reviewed.

Contracts - The written contract between Sample Bank and the Vendor must clearly specify, at a level of detail commensurate with the scope and risks of the service provided, all relevant terms, conditions, responsibilities, and liabilities of both parties. These would normally include terms such as:

Statements of the purpose of access to or maintenance of the Bank’s customers’ non-public, personal financial information

Agreements not to disclose non-public, personal financial information of the Bank’s customers either in possession of the Vendor or accessible to them, and statements of responsibility and liability for disclosure of such information

Required service levels, performance standards, and penalties

Internal controls, insurance, disaster recovery capabilities, and other risk management measures maintained by the Vendor

Data and system ownership and access

Liability for delayed or erroneous transactions and other potential risks

Provisions for and access by the Bank to internal or external audits or other reviews of the Vendor’s operations and financial condition

Compliance with applicable regulatory requirements

Provisions for handling disputes, contract changes, and contract termination

The terms and conditions of each contract will be reviewed by Sample Bank’s legal counsel to ensure that they are appropriate for the particular service being provided and result in an acceptable level of risk to the Bank.

Policies, Procedures, and Controls - The Vendor should implement internal control policies and procedures, data security and contingency capabilities, and other operational controls analogous to those that the Bank would utilize if the activity were performed internally. Appropriate controls should be placed on transactions processed or funds handled by the Vendor on behalf of the Bank. The Vendor’s policies and procedures should be reviewed by the Bank’s Information Security Officer as well as Accounting, Compliance, Data Processing personnel and Audit.

Ongoing Monitoring - The Bank will review the operational performance of critical Vendors on an ongoing basis to ensure that the Vendor is meeting and can continue to meet the terms of the contract (e.g., service level commitments). Business unit managers will be primarily responsible for completing this evaluation. This evaluation should be completed at least annually and reported to the Information Security Officer. The form and elements of the evaluation will be determined by the service level commitments in the Vendor’s contract or specific Service Level Agreements negotiated between the Bank and the Vendor.

Information Access – Sample Bank will ensure that it has complete and immediate access to current and appropriate back-up information that is critical to its operations and is maintained or processed by an outside Vendor.

Internal Audit – Sample Bank’s Auditors will review the oversight of critical Vendors by external accountants and others, including regulators. Audits of critical Vendors should be conducted according to a scope and frequency appropriate for the particular function. For third-party data processing services, the Bank will obtain copies of the Vendor’s SAS 70 audit report and Management’s response. These, as well as other audit reports of critical Vendors, will be reviewed by the Audit Committee of the Board of Directors. Audit results and management responses will be available to examiners at their request. Internal Audit will also audit compliance with Vendor service level commitments and agreements.

Contingency Plans - Sample Bank will ensure that appropriate business resumption plans have been prepared and tested by the Vendor. Where appropriate, based on the scope and risks of the service or function and the condition and performance of the Vendor, the Bank’s contingency plans may also include plans for the continuance of processing activities, either in-house or with another provider, in the event that the Vendor is no longer able to provide the contracted services or the arrangement is otherwise terminated unexpectedly.

Annually, the Information Security Officer will evaluate the risks and exposures associated with each Vendor relationship. This evaluation process will include the following:

Update the Vendor listings

Evaluate the nature and purpose of all Vendor relationships

Determine the criticality of the product or service provided by the Vendor

Assess the relative level of strategic, credit, operational, compliance, legal and reputation risk associated with this relationship, and

Rank each Vendor as Critical, Important or Incidental.

A detailed risk assessment will be prepared of each “critical” Vendor, in accordance with the Vendor Relationships Risk Assessment.

Roles and Responsibilities

The following individuals are integral to the successful execution of Sample Bank's information security policies and programs and will have the following responsibilities:

Board of Directors and IT Steering Committee – Ensure that an appropriate Information Security Policy is developed and implemented. Review periodic information regarding breaches of Information Security. Ensure that annual assessments of risks and threats are prepared, that information systems and related data are risk rated, and that appropriate reviews are made of related risk management strategies and controls. Review regulatory examinations of information security and ensure that appropriate action is taken to address comments and recommendations of regulators.

Audit Committee – Ensure that appropriate tests and audits of information security systems are performed. Review reports of security tests and audits and ensure that appropriate action is taken to address identified weaknesses in control. Review assessments of outsourced technology vendor performance and controls and ensure that appropriate action is taken to address identified weaknesses in vendor information security controls.

Information Security Officer – A senior officer of the Bank responsible for ensuring overall compliance with the Information Security Policy, the efficacy of the Bank’s information security procedures and practices, and the assessment of information security risks and the related adequacy of information security policies and procedures. Reports any breaches of Information Security to the Board of Directors and any applicable regulatory and law enforcement agencies.

Information Security Administrator – Primarily responsible for the execution of significant elements of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports. Responsible for ensuring that the network and network-based / accessible systems are secured to protect customer information. Responsible for reporting any attempted or successful breaches of security systems to the Security Officer and Information Security Officer. The ISA will ensure the appropriate installation, maintenance and monitoring of intrusion detection systems and intrusion response procedures. The ISA will coordinate the implementation of changes and patches to information system software and/or hardware, and maintain appropriate records of such changes and related testing / review documentation and approvals.

Security Officer – Responsible for the implementation of the Bank’s Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and accessibility of “physical” customer information and related information technology hardware (i.e., branch servers, etc.).

Human Resources – Responsible for ensuring appropriate information security orientation is provided for new employees. Ensure new hires and contract personnel are properly vetted and agree to follow Bank information security policies.

Business Unit Managers (e.g., branch / department managers) – Ensure employees are performing due diligence in protecting customer information. Provide input into Information Security Policy reviews / updates. Responsible for reporting any breaches of Information Security to the Information Security Officer.

Bank Employees – Ensure that customer information is protected on a day-to-day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and / or the Information Security Officer.

Availability and Maintenance of the Information Security Policy

The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank’s Information Services resources should be familiar with relevant sections of the policy. Relevant sections of this Policy, and other related policies, as described above, will be available to all employees over the Bank’s Intranet, along with other relevant Human Resources policies (i.e., confidentiality).

This Information Security Policy is a “living” document that will be revised as required to address changes in the Bank’s technology, applications, procedures, legal and social imperatives, perceived threats, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank’s Board of Directors must subsequently ratify / approve all changes to the Information Security Policy.

Compliance with Policy

To ensure compliance with this Policy, Sample Bank has developed a comprehensive Information Security Program, commensurate with and appropriate for the threats and risks faced by the Bank and the nature and scope of its operations. Sample Bank will appoint an Information Security Officer, a member of senior management, to ensure compliance with this Policy. In addition, Sample Bank will appoint an Information Security Administrator and other appropriate personnel to be responsible for the day-to-day execution of the information security program, the investigation and reporting of attempted or successful security breaches, and other aspects of the information security program and applicable Bank policies and legal and regulatory requirements.

Violations of the Bank’s Information Security Policies may result in immediate termination or probation. Specific actions for violations of this policy, or other referenced policies (i.e., e-mail, internet usage, etc.), are documented in the Information Security Program and/or those specific policies.

Attempted or Actual Breaches of Security

All breaches and attempted breaches of the Bank’s information security systems and controls will be reviewed by the Information Security Administrator and Information Security Officer, documented and reported to the Security Officer, senior management and the Board of Directors, as prescribed in this Policy and as required to the appropriate legal and regulatory authorities. If appropriate, a Suspicious Activity Report will also be filed.

Independent Testing and Audit

Sample Bank's information security policies and programs will be independently tested in accordance with the procedures adopted by Sample Bank (e.g., internal audit approved by the Audit Committee) and/or agreed upon with an independent third party (e.g., outsourced audit function or independent security firm). Security testing (i.e., vulnerability assessments and external penetration testing) and audit procedures will be performed no less often than annually. Additionally, internal penetration testing will be performed at least once every 18 months. The specific scope and timing of such testing and audit procedures will be reviewed and approved by Sample Bank’s Audit Committee. The results of testing and audits will also be reviewed by the Audit Committee.

Information Security Program for Sample Bank

Introduction

Like all financial institutions, Sample Bank (the “Bank”) is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information, Sample Bank is exposed to specific information and technology risks.

The passage of the Gramm-Leach-Bliley Financial Modernization Act (“GLBA”) intensified regulatory attention on technology risk management and information security. The GLBA required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While all parts of the financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

To comply with regulatory guidelines, a financial institution’s information security program should be designed to:

Ensure the security and confidentiality of customer information

Protect against any anticipated threats or hazards to the security or integrity of such information

Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The Board of Directors of each financial institution is required to be involved in the development and implementation of the Information Security Program. The Board of Directors or an appropriate committee of the board of each financial institution must:

Approve the financial institution’s written information security program

Oversee the development, implementation, and maintenance of the financial institution’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

With regard to assessing and understanding risk, each financial institution must:

Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems

Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information

Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Each financial institution must design its information security program to manage and control identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the financial institution’s activities. In this regard, each financial institution must consider whether the following security measures are appropriate and adopt them accordingly:

Sample Information Security Policies

Page 11

©2012 Abound Resources, Inc.

Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means

Access restrictions at physical locations containing customer information, such as buildings, computer facilities, office equipment rooms containing telephones, copiers and facsimile machines, and records storage facilities to permit access only to authorized individuals

Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access

Procedures designed to ensure that modifications (“patch management”) to the customer information system are consistent with and do not diminish the effectiveness of the financial institution’s information security program

Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information

Monitoring systems (24 / 7) and procedures to detect actual and attempted attacks on or intrusions into customer information systems

Response programs that specify actions to take when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies

Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

In addition to developing an information security program, the financial institution must train staff to implement the bank’s information security program. Further, financial institutions are required to regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution’s risk assessment. Tests should be conducted or results reviewed by independent third parties or staff independent of those who develop or maintain the security programs.

Sample Bank’s Response to Information Security Needs and Requirements

The Board of Directors and management of Sample Bank realize that the rapidly changing nature of technology demands that a comprehensive security policy be developed and implemented to secure the confidentiality, security, integrity and accessibility of the Bank’s customer information systems.

Further, the Board of Directors and management of Sample Bank recognize that in order to determine the appropriate type and scope of controls to deploy as part of the information security program, the Bank must assess risks to its customer information and systems, identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems and evaluate the adequacy of policies, procedures, information security systems, and other practices intended to control the risks identified.

To ensure that information security risks are understood, and appropriate security systems are maintained, the Board of Directors of Sample Bank has adopted this Information Security Policy.


Purposes and Objectives of Policy

The primary purposes of Sample Bank’s Information Security Policy are to ensure that the Bank, the Board of Directors and Management:

Understand the risks and threats to which information systems are exposed,

Evaluate the potential exposures to such risks / threats

Implement appropriate information security systems and administrative, technical and physical security controls to mitigate such risks, threats and exposures, and

Test the efficacy of information security systems and controls

Specific objectives of this Policy are to:

Ensure the accuracy, integrity, security and confidentiality of customer information maintained by the Bank.

Ensure that such information is adequately protected against anticipated threats or hazards to its security or integrity.

Protect against unauthorized access to or use of customer information that might result in substantial harm or inconvenience to any customer, or present a safety and soundness risk to the Bank.

Provide for the timely and comprehensive identification and assessment of the risks that may threaten the security or integrity of customer information.

Document Policy standards for managing and controlling identified risks.

Provide standards for testing the Policy, and adjust it on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security.

Specify the various categories of Information Systems data, equipment, and processes subject to comprehensive Information Security Procedures.

Ensure the Bank complies with all relevant regulations, common law, explicit agreements, or conventions that mandate the security and confidentiality of customer information.

Ensure protection of the hardware and software components that comprise the Bank’s Information Systems.

Protect against the use of the Bank’s assets in a manner contrary to the purpose for which they were intended, including the misallocation of valuable organizational resources, threats to the Bank’s reputation or a violation of the law.

Scope of Security

Sample Bank defines an effective level of information security as “the state of being free from unacceptable levels of risk or exposure to threats.” In that regard, the Bank will adopt controls and other risk mitigation practices and procedures it believes are appropriate in the circumstances to provide reasonable control and eliminate unacceptable risks.

Information Security risks, threats and exposures of concern to the Bank may be summarized in the following categories:

Confidentiality of information

This refers to the concerns of privacy of personal and corporate information.

Integrity of information


This refers to the accuracy of customer information maintained in the Bank’s information systems.

Security of information

This includes:

Computer and peripheral equipment

Communications equipment

Computing and communication premises

Power, water, environmental controls, and communication utilities

System software (computer programs) and documentation

Application software and documentation

Customer and Bank Information, both electronic and non-electronic

Efficient and appropriate use of information and related resources

This ensures that Information Systems resources are used for the purpose for which they were intended and in a manner that does not interfere with the rights of others.

System availability and information accessibility

This area of concern is with the full functionality of systems and the Bank’s ability to recover from short and long-term business interruptions.

The potential causes of losses, or breaches of security, are termed “threats.” Threats to the Bank’s information systems may be human or non-human, natural, accidental, or deliberate.

The term “information systems” as defined by Sample Bank includes the data, equipment, and processes for creating, maintaining and accessing customer information, directly under the Bank’s control or maintained on behalf of the Bank by third-party providers. These information systems may be electronic or non-electronic.

Domains of Security Addressed by this Policy

This policy specifically addresses the following domains, or areas, of security:

Administrative practices, including information security, e-mail, Internet access and other policies. Certain administrative security policies, such as record retention and destruction, technology asset disposal and employee confidentiality, as well as e-mail and Internet access / use, are documented in separate policy statements

Technical systems security, including those securing access to the Bank’s primary processing equipment, peripheral devices, and operating systems. These include hardware and software security, such as firewalls, network intrusion monitoring systems, network configuration and protocol use, etc.

Physical security, including the premises occupied by the Information Systems personnel and equipment. Physical security requirements for those premises outside the Information Systems area are documented in the Bank’s general Security Policy.

Operational security, including environmental controls, power back-up, equipment functionality, and other operations activities.

Security over third-party technology providers and vendors, management personnel, and end users.

Data communications security, including security over electronic access to communications equipment such as servers, hubs, routers, patch panels, lines, etc.


Other domains of Information Security are addressed in other Sample Bank Policy Documents, including the following:

Physical Security – Corporate Security Policy, Sample Bank, May 2005

Employee Security – Human Resources / Personnel Procedures, including recruiting, hiring and employee vetting procedures, confidentiality, conflict of interest, e-mail use and Internet access policies.

Roles and Responsibilities

The following section describes the roles and responsibilities of individuals or groups integral to the development, maintenance or execution of this Policy.

Policy Management

The Information Security Policy of Sample Bank is of vital importance to ensuring the security and integrity of customer information and the effectiveness of information security throughout the Bank. Formulation and maintenance of the Policy is the responsibility of the manager of Information Services and the Information Security officer. Its approval is vested with the Board of Directors. Advice and opinions on the content and specific requirements of the Policy may be provided by:

The Information Technology Steering Committee.

Senior Bank Management

Management of Information Services

Security Officer

Compliance Manager

Business Unit managers

Policy Implementation

Information Services will be primarily responsible for the implementation of Sample Bank’s Information Security Policy; however, each staff member of Sample Bank is responsible for understanding and adhering to the Information Security Policy.

The Information Security Administrator and IS Information Security Technicians are integrally involved in the day-to-day execution of the Information Security Policy, and as such, have no responsibility for the development or review of the Policy.

Custodians

Security of each system will be the responsibility of that system’s principal custodian, as described below:

The Information Services Department is the custodian of all strategic system platforms, the strategic communications systems, and the facilities where centralized computer equipment is operated.

The Information Services Department and each business unit, as appropriate, share in the custodian duties of certain elements of strategic systems under their management control (e.g., servers and communications devices located at the branch offices or in departments outside the data center).

Individual staff members and the Information Services Department share in the custodian duties of desktop systems.

Individuals


To ensure the effectiveness of this Policy, all employees of Sample Bank should observe the following standards for use of Information System resources and systems:

Every employee must adhere to the Sample Bank IT End-User Policy.

Every employee must adhere to the Sample Bank Code of Conduct.

Every employee must adhere to the Sample Bank E-mail Use Policy.

Every employee must adhere to the Sample Bank Internet Use Policy.

Every employee must be responsible for the proper care and use of Information Systems resources under their direct control, including paper documents and manual files.

Every employee must adhere to Sample Bank’s procedures for authenticating customers requesting information by mail, telephone, fax or e-mail.

The following section describes the individuals and / or areas involved in the development, maintenance and execution of Sample Bank’s Information Security Policy and their role and responsibilities.

Information Technology Committee

Ensure that an appropriate Information Security Policy is developed and implemented. Review information regarding breaches of Information Security. Ensure that annual assessments of risks and threats are prepared, information systems are risk rated and that appropriate reviews are made of related risk management strategies and controls. Ensure that appropriate tests of information security systems are performed.

Information Security Officer

Ensure Information Security Policy is enforced. Work with senior management to review policy and procedures around Information Security annually to ensure current threats and responses are accurate and to identify any new threats to securing customer information. Report any breaches of Information Security to the Board of Directors and any applicable agencies. Develop annual assessments of information security risks and threats, risk rating information systems and review related risk management strategies and controls. Perform appropriate tests of information security systems.

AVP Information Technology

Responsible for ensuring that the network and network based / accessible systems are secured to protect customer information. Responsible for reporting any breaches of Information Security to the Information Security Officer.

Information Security Administrator / IS Technician

Primarily responsible for the execution of the information security program, including the granting and maintenance of information system user access rights, as requested and approved by management, and the maintenance and review of information security systems and related reports.

Risk Management Team

The Bank’s Risk Management Committee is responsible for ensuring that an annual assessment of information security risks / threats is completed and that corresponding Administrative, Technical and Physical Security Controls are documented.

Security Officer

Responsible for the implementation of the Bank’s Security Policy and the maintenance of appropriate physical security devices and procedures to ensure the security, confidentiality and accessibility of “physical” customer information and related information technology hardware (i.e. branch servers, etc.).

Human Resources

Responsible for providing appropriate information security orientation for new employees and on-going information security training programs.

Business Unit Managers (e.g., branch / department managers)

Ensure employees are performing due diligence in protecting customer information. Provide input into Information Security Policy reviews / updates. Responsible for reporting any breaches of Information Security to the Information Security Officer.

Bank Employees

Ensure that customer information is protected on a day to day basis. Responsible for reporting any breaches of Information Security to their respective business unit manager, the Security Officer and / or the Information Security Officer.

Availability and Maintenance of the Information Security Policy

The Information Security Policy is accessible to all members of the Sample Bank staff through either the Human Resources or Information Services Departments. All users of Sample Bank’s Information Services resources should be familiar with relevant sections of the policy. Relevant sections of this Policy, such as those that apply to e-mail, Internet usage and End-User computing practices, will be available to all employees over the Bank’s Intranet, along with relevant Human Resources policies.

This Information Security Policy is a “living” document that will be revised as required to address changes in the Bank’s technology, applications, procedures, legal and social imperatives, perceived dangers, etc. All revisions to the Information Security Policy will be submitted to, reviewed and approved by the Information Technology Steering Committee. The Bank’s Board of Directors must subsequently ratify / approve all changes to the Information Security Policy.

Strategic Systems Platforms

Strategic systems are defined as those computer systems that are critical to the operation of Sample Bank. Such computer systems may be owned and operated by Sample Bank, or they may be owned and operated by another Bank with whom Sample Bank has established a business relationship. The following components comprise Sample Bank’s strategic systems:

Loan Accounting System

Deposit Accounting System

Customer Information File

Hardware and Operating System

Windows NT 2000 Active Directory

Additional significant systems which will be covered in this Policy include:

Internet Banking System and Bill Paying System

Voice Response

MCIF System

Customer Profitability

File Image System

Optical Cold Storage System (e.g., Management Information and Reports)


Management of Strategic Systems

Oversight and management of strategic information systems is primarily the responsibility of the Information Services Department. For in-house strategic systems, day-to-day operations and daily coordination of data input from strategic systems outside the institution are performed by the Information Services Department. The Information Services Department is also primarily responsible for the management of third-party technology service providers.

Physical Security

Sample Bank recognizes that its strategic systems require a higher degree of physical security than is provided for other business operations. The following standards of physical security must be maintained for all strategic systems:

The premises must be physically secure and reasonably free from risk of damage by water, fire, vibration, dust, and environmental hazards.

Air temperature and humidity must be controlled within acceptable operating limits. Sample Bank will maintain state-of-the-art cooling systems at this facility to ensure temperatures and humidity levels are adequately controlled in the Data Center.

Backup electrical power, such as that from an uninterruptible power supply (UPS) or generator, must provide adequate protection from power surges and sags and, unless generator power can be applied, must sustain affected systems for at least 15 minutes of total power loss so that they can be shut down in an orderly manner.

An emergency generator must be installed and maintained to supply power for longer term disruptions.

Physical Access

The primary location for the strategic systems of Sample Bank is at the Bank’s Data Center in City, State. Access to this area is restricted to authorized personnel from the Information Services Department. Access by all other individuals, whether Sample Bank employees or not, must be granted by an authorized member of personnel, and must be properly logged. External doors to the designated area must remain locked. External windows must be secured so as not to allow unauthorized access. File servers and other data communications equipment (e.g., hubs, routers, and patch panels) must also be located in secure areas.

It is expected that strategic systems not under the direct control of Sample Bank, such as those operated by vendors of the financial institution, will adhere to similar standards as the financial institution. Relationships should not be established with vendors that do not adhere to such standards. Additionally, contracts with vendors should contain some language addressing physical access of the strategic systems located at their offices. Failure to adhere to such standards should be considered a breach of contract.

User Access to Information Systems

Access to strategic systems is granted under the following conditions:

A System Access Authorization Form must be completed. See the sample form that follows. The form should specify the level of access required for the particular user.

An appropriately authorized member of management must approve the System Access Authorization Form.

The access level assigned to the user must be no higher than that specified by the System Access Authorization Form and in accordance with established user profiles.

All user access will be initiated by appropriate network administration and security personnel in the Information Services Department.


The user will be assigned or permitted to select a password that meets established password criteria for the system.

Access to strategic systems will be removed under the following conditions:

Upon termination of employment.

By request of a member of the senior management of the financial institution.
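The conditions above amount to two checks an access review can automate: every account on a strategic system must match an approved System Access Authorization Form at no higher a level than the form specifies, and accounts belonging to terminated employees (or to nobody on the HR roster) must be removed. The following Python is an added example, not Sample Bank's own procedure or software; the system names, access-level ordering, HR roster format and every record in it are constructed for illustration.

```python
"""Access-review reconciliation for strategic systems (added example).

Rules implemented, from the policy text:
  1. provisioned access may be no higher than the level approved on the
     System Access Authorization Form, and an account with no form is a finding;
  2. access is removed on termination of employment, so any account whose
     owner is terminated (or unknown to HR) is a finding.
All data below is constructed; level names and their ordering are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed ordering of access levels, lowest to highest.
LEVEL_RANK = {"inquiry": 0, "teller": 1, "supervisor": 2, "admin": 3}


@dataclass(frozen=True)
class Authorization:
    user: str
    system: str
    level: str          # level approved on the System Access Authorization Form
    approved_by: str


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    level: str          # level actually provisioned on the system


def review_access(accounts, authorizations, hr_roster, as_of):
    """Return findings as (user, system, reason) tuples.

    hr_roster maps user id -> termination date, or None if still employed.
    A user absent from the roster is reported separately: an account with
    no owning employee is exactly what the termination rule exists to catch.
    """
    approved = {(a.user, a.system): a for a in authorizations}
    findings = []
    for acct in accounts:
        if acct.user not in hr_roster:
            findings.append((acct.user, acct.system, "account owner not on HR roster"))
            continue
        term = hr_roster[acct.user]
        if term is not None and term <= as_of:
            findings.append((acct.user, acct.system, "terminated employee still has access"))
            continue
        auth = approved.get((acct.user, acct.system))
        if auth is None:
            findings.append((acct.user, acct.system, "no approved System Access Authorization Form"))
        elif LEVEL_RANK.get(acct.level, 99) > LEVEL_RANK.get(auth.level, -1):
            findings.append((acct.user, acct.system,
                             f"provisioned level '{acct.level}' exceeds approved '{auth.level}'"))
    return findings


# Constructed sample data (not real accounts).
SAMPLE_AUTHORIZATIONS = [
    Authorization("jdoe", "Deposit Accounting System", "teller", "branch manager"),
    Authorization("asmith", "Loan Accounting System", "supervisor", "lending manager"),
    Authorization("bjones", "Customer Information File", "inquiry", "operations manager"),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Deposit Accounting System", "teller"),      # matches the form
    Account("asmith", "Loan Accounting System", "admin"),       # exceeds the form
    Account("bjones", "Customer Information File", "inquiry"),  # owner terminated 2012-06-30
    Account("svc_old", "Deposit Accounting System", "admin"),   # nobody on the HR roster
]
SAMPLE_HR = {"jdoe": None, "asmith": None, "bjones": date(2012, 6, 30)}

if __name__ == "__main__":
    for user, system, reason in review_access(SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZATIONS,
                                              SAMPLE_HR, date(2012, 11, 15)):
        print(f"{user:8} {system:28} {reason}")
```

Run against the sample data as of 2012-11-15 the review flags asmith (over-provisioned), bjones (terminated) and svc_old (no owner), and passes jdoe. The same routine run quarterly, with the HR roster and form register exported from their systems of record, gives the Information Security Administrator a repeatable review rather than a manual comparison.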

Fire Prevention, Detection and Control

The designated area(s) for the location of strategic equipment must be protected by fire detection and suppression equipment. Fire suppression equipment should be of such a nature that it would not harm computer equipment or pose an unacceptable risk to employees.

Sample Bank’s Data Center facility is equipped with heat and smoke sensors, as well as an advanced fire suppression system. Fire extinguishers are also available in the event of a small fire that can be easily handled by an individual.

Data Integrity

Input of data to all strategic systems (i.e., core deposit, loan and customer information systems, platform, etc.) must be subject to appropriate reconciliation and transaction review procedures to ensure that data was input correctly and that resulting output is correct.

Data Accessibility

All strategic systems will be backed-up daily to minimize data loss in the event of a system failure or disaster situation. The backup strategy must minimally allow for a five-day rotation of complete daily backups. Redundant backup copies are recommended where it is feasible to do so. Daily backups must be stored offsite in a secure environment. At no time should all backup copies of any strategic system reside at a single location. Backup media should be validated on a periodic basis (at least annually) to ensure proper operation.
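The backup requirements in the paragraph above are checkable from a backup inventory: a complete daily set for each day of the rotation, at least one copy offsite, never every copy of a system at one location, and media validated within the year. The Python below is an added example, not part of the Sample Bank policy; the inventory format, the use of calendar days for the five-day rotation, the location names and the sample records are all assumptions made for illustration.

```python
"""Backup-inventory compliance check for strategic systems (added example).

Each inventory record describes one backup set: the system it belongs to,
the date it was taken, where the media is stored, whether that location
is offsite, and when the media was last validated by a test restore.
Rotation is measured in calendar days here; a bank counting business
days would adjust the window. All records below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

ROTATION_DAYS = 5             # "five-day rotation of complete daily backups"
VALIDATION_MAX_AGE_DAYS = 365 # "validated ... at least annually"


def check_backups(inventory, as_of):
    """Return (system, issue) tuples for every policy rule a system fails."""
    by_system = defaultdict(list)
    for rec in inventory:
        by_system[rec["system"]].append(rec)

    issues = []
    for system, recs in sorted(by_system.items()):
        # Rule 1: a complete daily backup for each day of the rotation window.
        days_present = {r["taken"] for r in recs}
        window = [as_of - timedelta(days=i) for i in range(ROTATION_DAYS)]
        missing = [d for d in window if d not in days_present]
        if missing:
            issues.append((system, "missing daily backup for "
                           + ", ".join(d.isoformat() for d in missing)))
        # Rule 2: daily backups are stored offsite.
        if not any(r["offsite"] for r in recs):
            issues.append((system, "no offsite copy"))
        # Rule 3: never all copies at a single location.
        if len({r["location"] for r in recs}) < 2:
            issues.append((system, "all copies at a single location"))
        # Rule 4: media validated within the last year.
        validated = [r["last_validated"] for r in recs if r["last_validated"]]
        newest = max(validated) if validated else None
        if newest is None or (as_of - newest).days > VALIDATION_MAX_AGE_DAYS:
            issues.append((system, "media not validated within the last year"))
    return issues


def _rec(system, taken, location, offsite, last_validated):
    return {"system": system, "taken": taken, "location": location,
            "offsite": offsite, "last_validated": last_validated}


# Constructed sample inventory as of 2012-11-15.
SAMPLE_INVENTORY = [
    # Deposit system: five consecutive daily sets alternating between the data
    # center and an offsite vault, media validated this year -> compliant.
    *[_rec("Deposit Accounting System", date(2012, 11, 11 + i),
           "Offsite Vault" if i % 2 else "Data Center", bool(i % 2), date(2012, 3, 1))
      for i in range(5)],
    # Loan system: only three sets, all onsite, not validated since 2011 -> four issues.
    *[_rec("Loan Accounting System", date(2012, 11, 13 + i), "Data Center", False,
           date(2011, 1, 10))
      for i in range(3)],
]

if __name__ == "__main__":
    for system, issue in check_backups(SAMPLE_INVENTORY, date(2012, 11, 15)):
        print(f"{system}: {issue}")
```

The check is deliberately per system rather than per site, because the policy's concern is that any single strategic system survives the loss of one location; a site-level view can hide a system whose every copy happens to sit in the same vault.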

Password Controls

Each strategic system should incorporate a comprehensive password control strategy. The following criteria should be met:

All passwords must be at least six characters (e.g., alphanumeric) in length.

Passwords should automatically expire on a periodic basis (e.g., 45 days or less) and should be restricted so that they cannot be reused for an established number of generations (e.g., the last 3-6 passwords). An employee may elect to change their password at any time, but if a password is not changed within the required time period, the system will force a password change. (Note: For example, current procedures at Sample Bank call for passwords on the FISERV CBS, AS400 and Network to automatically expire at 30 days, and passwords cannot be reused for 12 generations.)

There should be restrictions on the use of particular names or words used within a password. Steps should be taken to periodically verify that such passwords are not used (e.g., password audits).
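Where the system itself cannot enforce every one of these criteria, the checks can be applied at password-change time and during the periodic password audit the policy calls for. The Python below is an added example and not Sample Bank's procedure: it uses the six-character minimum, a 45-day maximum age and a six-generation reuse history from the text above, and treats "alphanumeric" as requiring both letters and digits. The banned-word list, the PBKDF2 hashing scheme and the sample passwords are assumptions made for illustration.

```python
"""Password-control checks for a strategic system (added example).

Criteria from the policy: minimum length, forced expiry after a maximum
age, no reuse of the last N passwords, and no particular names or words.
Previous passwords are kept only as salted PBKDF2 hashes, so the history
check re-derives the hash with each stored salt instead of storing
plaintext. Numeric limits and the banned words are assumptions.
"""
import hashlib
import os
from datetime import date

MIN_LENGTH = 6          # policy minimum (many institutions now require more)
MAX_AGE_DAYS = 45       # "45 days or less"
HISTORY_DEPTH = 6       # the last 3-6 passwords may not be reused; 6 chosen here
# Assumed banned words; a deployment would load the bank's name, product names
# and a dictionary.
BANNED_WORDS = {"password", "samplebank", "welcome", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-entry salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def was_used_before(password, history):
    """history: list of (salt, digest), newest first. Only the most recent
    HISTORY_DEPTH entries count, so older passwords become reusable again."""
    for salt, digest in history[:HISTORY_DEPTH]:
        if hash_password(password, salt)[1] == digest:
            return True
    return False


def password_problems(candidate, history, user_name=""):
    """Return the list of policy violations for a proposed password (empty if OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    lowered = candidate.lower()
    if any(word in lowered for word in BANNED_WORDS):
        problems.append("contains a banned word")
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user name")
    if was_used_before(candidate, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(last_changed, today):
    """True once the password is older than MAX_AGE_DAYS; the system then
    forces a change even though the user may change it voluntarily earlier."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed history for one user, newest first.
    history = [hash_password("Winter2012")]
    for candidate in ("Winter2012", "Spring13", "ab1", "Password1", "jdoe2012"):
        print(candidate, password_problems(candidate, history, user_name="jdoe") or "OK")
    print("expired:", is_expired(date(2012, 9, 1), date(2012, 11, 15)))
```

Because the history holds salted hashes, a password audit cannot simply compare strings against a word list; it has to hash each candidate word under each user's current salt, which is the same routine `was_used_before` runs and is the reason a slow hash such as PBKDF2 keeps such audits, and offline guessing, expensive.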

Virus Protection

The management of Sample Bank recognizes the threat computer viruses present to its computer systems and networks. As a result, several steps have been implemented to prevent infection:

Network protection — Sample Bank uses virus protection software to constantly check for viruses. A copy of this software has been installed on each file server. When any file is written to the network hard drive, the software scans the file for viruses. A complete system scan will be conducted on a regular, periodic basis (e.g., weekly).


Desktop protection — Sample Bank has installed and uses virus protection software for individual desktop protection from viruses. Files opened on the desktop system are scanned for viruses prior to being opened.

User training — Perhaps the best tool used to prevent a virus attack is stressing to users the importance of using caution when opening email and downloading anything from the Internet. Several times per year, an email message is distributed to all staff containing instructions regarding email and Internet downloads. Sample Bank’s Information Security and End-User Policies also address this area.

Virus Signature Updates

Information Services should provide for continuous (i.e., daily if possible or at a minimum weekly) updates of current releases of new virus signatures.

Disaster Recovery and Business Continuity Planning

The Bank must develop and maintain a comprehensive IT disaster recovery plan. A hot-site back-up processing site must also be maintained (e.g., Sungard) and be tested annually. Comprehensive Business Continuity Plans for all business units of the Bank, in addition to those for IT, must be prepared and updated annually.

Data Communications

Network Access Areas

Network access at Sample Bank can be divided into three major areas:

Local Area Networks (LAN)

Wide Area Networks (WAN)

External access via modem

Sample Bank has varying degrees of control over these areas of network access. In some cases, such as the LANs, the financial institution has total control over the network operation. In the case of WANs, the institution is responsible for maintaining the equipment necessary to process the data once it reaches each node (or location) of the WAN, but has no control over the data as it moves between the origination point and its destination over leased telecommunications lines. Sample Bank realizes it has no control over the Internet, and understands its challenge to protect its data that might be exchanged through this system.

Local Area Networks

Sample Bank uses the term Local Area Network or LAN to refer to a collection of computers physically located together and connected in such a way to allow them to share resources such as printers, disk drives, Internet, and fax connections. The Sample Bank local area network is illustrated in Exhibit A of this Policy. A combination of digital switches and hubs are used to segment the network.

Where possible, servers are attached directly to switches to provide better network segmentation. All desktop computers, printers, and other end-user devices are attached to hubs, which are, in turn, attached to switches.

LAN equipment is considered part of the strategic systems for Sample Bank. Standards for the physical security for all LAN equipment are the same as other strategic systems:

The premises must be physically strong and reasonably free from risk of damage by water, fire, vibration, dust, and environmental hazards.

Air temperature and humidity must be controlled within acceptable operating limits.


The primary location for most of the LAN equipment at Sample Bank is at the Bank’s Data Center. LAN equipment located in the IS area is in a secure area. Access to this area should be restricted to authorized personnel from the Information Services Department and authorized vendor personnel only. Access to server and communications equipment in branch offices must also be secured.

Wide Area Networks

Sample Bank uses the term Wide Area Network or WAN to refer to the interconnection of computers and local area networks over an extended area using leased telephone data circuits. Sample Bank utilizes frame-relay circuits to provide WAN connectivity between offices. Routers are installed at each office to facilitate the use of the circuit.

Since Sample Bank’s WAN does rely on leased telephone data circuits, there is a greater control risk associated with the WAN as compared to that associated with the LAN equipment used by the institution. In recognition of this fact, Sample Bank will take steps to ensure the integrity of the data that moves through the WAN is not compromised. Five key elements of network security will be employed:

User identification — each user of a system must be accurately and positively identified. Sample Bank must use password authentication on all of its systems for this purpose.

Perimeter security — this element of security ensures that only authorized traffic passes through the network. Sample Bank must use routers with access control lists, dedicated firewalls, and virus scanning to provide this level of security.

Data privacy — network communications must be kept confidential and protected from eavesdropping. Encryption must be used as appropriate to ensure the confidentiality of this data.

Security monitoring — to ensure network security, the security measures utilized must be regularly tested. Sample Bank will employ a third-party vendor to review and test security systems on a regular (at least annual) basis.

Policy management — centralized policy management tools are essential to the maintenance of a secure network. Sample Bank will employ a third-party vendor who uses a series of software and hardware to analyze, interpret, configure, and report on the state of the security systems.

WAN equipment is considered part of the strategic systems for Sample Bank. Standards for the physical security for all WAN equipment physically located at Sample Bank are the same as those for other strategic systems:

The premises must be physically strong and reasonably free from risk of damage by water, fire, vibration, dust, and environmental hazards.

Air temperature and humidity must be controlled within acceptable operating limits.

Backup electrical power, such as that from an uninterruptible power supply (UPS) or generator, must be available to provide the following:

— A minimum of 15 minutes of operation in the event of a power failure at the data center.

— Adequate protection from power surges and sags at the data center and all user offices

— Back-up generation power will be provided to support servers located at the data center

The primary location for most of the WAN equipment at Sample Bank is at the Bank’s Data Center. WAN equipment located at Sample Bank is located in a specifically designated secure area. Access to this area is restricted to only authorized personnel from the Information Services Department.


Sample Bank personnel configure and maintain WAN equipment within the Bank’s control in proper operating condition. Sample Bank personnel will review equipment on a periodic basis, at least quarterly, to ensure all required software and hardware updates necessary for proper operation have been installed on the equipment.

External Access via Modem

Access to certain Sample Bank systems is available for authorized users through a dedicated Internet service via the institution’s secure frame relay network connection. Sample Bank does not permit the use of dial-up modem access to the Internet. However, the financial institution recognizes that some vendors and third party providers may require dial-in modem access to the Bank’s systems for the ongoing maintenance of those systems. In such specialized cases, direct, external modem access is allowed, provided the following security measures are taken:

Information Services Department personnel must authorize the dial-in access.

It is preferred that vendor dial-in access be restricted to normal business hours; however, the Bank understands that such access may be required outside these hours. After-hours access may be authorized by data center personnel for the purpose of addressing program errors, or if the access has been approved in advance by IS Management.

Dial-in access is only provided through the use of a licensed copy of software that allows such access to occur.

When a vendor is approved for dial-in access, a member of the Information Services Department must confirm the remote product has been installed on a vendor’s computer. The host product is then loaded on the appropriate computer at the financial institution.

Passwords must be assigned to allow the vendor to attach from the remote to the host.

If the software provides a logging capability, a log must be produced.

If a “call back” feature is available, it must be used. The vendor will initiate a session from the remote to the host. The host will then disconnect from the remote and call the remote. If all logins proceed successfully, access is allowed.

The vendor will be limited to the minimum amount of security required to perform the necessary duties while the session is active.

A member of the Information Services Department staff must monitor the activity performed by the vendor on financial institution systems as closely as possible.

The dial-in session must be terminated as soon as the vendor has finished his or her work.

The host session must be disabled immediately after the session is terminated.

If a log is produced, it should be retained either in paper or electronic form for at least one (1) year.

Standards and Guidelines for E-mail Use

Sample Bank has prepared and adopted a separate E-Mail Use Policy. It should be referred to for restrictions and guidelines concerning the authorized use of and controls over e-mail use by Bank employees.

Standards and Guidelines for Internet Use

Sample Bank has prepared and adopted a separate Internet-Use Policy. It should be referred to for restrictions and guidelines concerning the authorized use of and controls of Internet access by employees.


Standards and Guidelines for Application and System Change Management

Sample Bank has prepared and adopted a separate Change Management Policy. It should be referred to for guidelines concerning the submission of requests for system, application or hardware changes and for guidelines for review of changes provided by the Bank’s third-party technology providers.

Standards and Guidelines for Patch Management

Sample Bank has prepared and adopted a separate Patch Management Policy. It should be referred to for guidelines concerning the maintenance of software versions and patches.

Standards and Guidelines for Record Retention and Destruction

Sample Bank has prepared and adopted a separate Record Retention and Destruction Policy. It should be referred to for guidelines concerning the maintenance, retention and destruction of bank and customer information records.

Standards and Guidelines for Technology Asset Disposal

Sample Bank has prepared and adopted a separate Technology Asset Disposal Policy. It should be referred to for guidelines concerning the retirement and disposal of technology assets, including workstations, servers, etc.

Standards and Guidelines for Physical Security

Sample Bank has prepared and adopted a separate Security Policy. It should be referred to for guidelines concerning physical security procedures and controls in user departments and the Bank’s offices.

Standards and Guidelines for Information Security Policy Oversight

Information Technology Steering Committee

In order to ensure enforcement and adherence to the standards and guidelines established within this policy, Sample Bank has formed an Information Technology Steering Committee comprised of management-level representatives from each functional area of the financial institution.

The Information Technology Steering Committee provides direction and control for all Information Systems at Sample Bank. The Information Technology Steering Committee includes the President / CEO, SVP / CIO and other senior managers. The minutes of meetings held by the Information Technology Steering Committee will be submitted to the Board of Directors. Additionally, the SVP / CIO will periodically (e.g., quarterly) submit information regarding the Technology Plan, Technology Budget, Technology Risk Assessment and specific technology project plans and progress to the Board of Directors.

The committee has the following specific responsibilities:

Approve the Information Security Policy

Review the Information Security Program and related testing / results

Review information regarding purchases of computer hardware and software


Review information regarding information security monitoring and breaches / incidents

Review information regarding changes to systems, applications and hardware, in accordance with the Bank’s Change Management Policies

Review information regarding the installation of software updates and releases to ensure systems are current, in accordance with the Bank’s Patch Management procedures

Review reports on Disaster Recovery / Business Continuity Plan maintenance and testing

Ensure external audit(s) of the Bank’s networks occur annually

Review information regarding management of third-party technology providers

Information Services Department

The Information Services Department has the primary responsibility for day-to-day oversight of Information Systems. The Information Systems oversight duties of the IS Department include:

Monitoring operations of all computers and software.

Adding approved new users to systems.

Changing user access rights and authorities.

Capacity monitoring and planning for all systems.

Acquiring and deploying systems.

Installing new software and upgrading existing software.

Managing outsourced vendor relationships.

Cooperating fully with regulatory and auditing agencies.

Maintaining and summarizing the Information Systems operational activities, including:

— Daily operational logs

— Application failure logs

— Equipment failure logs

— Security monitoring reports

— Software licensing information

Troubleshooting systems problems.

Maintaining current inventories of the software and hardware components that make up Information Systems.

Maintaining appropriate information security systems, including firewalls, intrusion detection systems and virus protection software, or managing the provision of these services by third-party vendors.

Standards and Guidelines for Testing the Information Security Policy

Sample Bank will employ an internal audit department (e.g., VP Auditor, supported by internal staff or contracted / outsourced staff). Internal Audit will review the results of the Bank’s annual information security risk assessment and provide management and the Board of Directors with its opinion regarding the adequacy of the Policy. Key controls and procedures (e.g., administrative, technical and physical security controls) identified during the assessment of information security risks will be tested in audits of the Bank’s various business units. In addition, Compliance will test certain attributes of the Information Security program during the year, as will the Bank’s external CPAs. Results of these tests will be shared with the Bank’s Internal Audit Committee.


Incident Response Policy for Sample Bank

Introduction

The Board of Directors and Management of Sample National Bank are conscious of the need to: (1) prevent unauthorized access to or disclosure of customers’ non-public, personal financial information or Bank information, (2) manage the risks associated with the use of electronic information systems, and (3) provide appropriate administrative, technical, and physical safeguards to ensure the security and integrity of customer information within such systems.

The Board and Management recognize that the use of such systems exposes customer and Bank information to a range of threat and risk events, and that the occurrence of these events must be closely monitored. Further, the Bank must prepare appropriate response plans when the Bank suspects or detects that unauthorized individuals have gained access to customer information systems, including reports to regulatory and law enforcement agencies.

Purpose

The purpose of this Policy is to provide a framework for ensuring that: (1) appropriate intrusion detection systems are installed and maintained, (2) such systems are monitored, (3) appropriate resources are dedicated to the monitoring and response to these systems (i.e., security attacks, breaches, etc., both internal and external) and (4) that appropriate guidelines and procedures have been established to respond to various intrusion attempts or other attacks against the Bank’s information systems.

Scope of Policy

This Policy covers information systems, security systems and security monitoring systems over the Bank’s network systems and related hardware and all Internet-facing hardware and applications.

Requirements for Incident Response

The Policy requires that the following actions be taken when a security incident occurs:

Assessing the nature and scope of the incident

Notifying the Office of the Comptroller of the Currency when an incident occurs involving unauthorized access to or use of sensitive customer information

Filing Suspicious Activity Reports as required and notifying the appropriate law enforcement authorities according to regulation

Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information

Notifying customers when warranted

If the incident involves customer information systems maintained by a third-party service provider, ensuring that affected customers and regulatory authorities have been notified as required by regulation; this remains the Bank’s responsibility


Customer Notice

The Bank has an affirmative duty to protect customer information against unauthorized access or use. Substantial harm or inconvenience to a customer is most likely to result from improper access to sensitive customer information, because this type of information is most likely to be misused in identity theft crime. Sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.

Notifying customers of a security incident involving the unauthorized access or use of the customer’s information will assist the customer in taking steps to protect against the consequences of identity theft.

If an incident of unauthorized access to sensitive customer information occurs, a reasonable investigation will be completed. If it is determined that misuse of information about a customer has occurred or is reasonably possible, customer notification will be scheduled as soon as possible. It may be necessary to delay the notice if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the Bank with a written request for delay. However, any customer notification will be implemented as soon as possible once it no longer interferes with the investigation. The Bank will limit the notification to those customers impacted as determined during the investigation.

Requirements for Notice

The notice should be clear and conspicuous and describe the incident in general terms and the type of information that was the subject of unauthorized access or use.

It should describe steps taken by the Bank to prevent further unauthorized access.

The notice should include a telephone number that the customer can call for further information and assistance.

The notice should remind customers of the need to remain vigilant over the next twelve to twenty-four months and to promptly report incidents of suspected identity theft to the Bank.

It should include a recommendation that the customer review account statements and immediately report any suspicious activity to the Bank.

It should include a description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer report to put the customer’s creditors on notice that the customer may be a victim of fraud.

It should include a recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted.

It should include an explanation of how the customer may obtain a credit report free of charge.

It should include information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should provide the FTC’s web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.

The notice should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it (the Bank may contact affected customers by telephone, by mail, or by electronic mail for those customers who have agreed to receive communications electronically).


Responsibilities

The following section describes the roles and responsibilities of individuals or groups integral to the development, maintenance or execution of this Policy.

The Information Technology Group will be responsible for the execution of this Policy, including the implementation of security systems and procedures. ITG will maintain appropriate documentation of security systems and organizational roles and responsibilities.

The Information Security Officer is primarily responsible for the on-going assessment of information security risks and related security systems. This includes reviews of information security risks assessments and evaluations of the effectiveness of information security systems and related response procedures and the adequacy of incident response resources and organization.

The Information Security Administrator is primarily responsible for the implementation of appropriate intrusion detection systems and the development of appropriate response procedures for various threats / risks / attacks.

The Information Security Administrator will periodically review the reports of external security attack signatures / profiles.

The Information Security Administrator will periodically review the reports of internal attempts to breach security (i.e., log-on failures, multiple log-ons, etc.).

Where appropriate, the ISD may employ third-party technology providers to monitor or manage the Bank’s network systems and / or intrusion detection systems. These vendors may also be permitted to respond to such attacks / threats in accordance with specific guidelines provided by / agreed upon with the Bank.

Execution of this Policy

This Policy will be executed in accordance with standards of the Incident Response Procedures. These procedures detail the specific response procedures for those attack / threat scenarios considered the most likely or potentially most damaging to the Bank.


Change Management Policy for Sample Bank

Introduction

Sample Bank acquires its technology systems and application software from third-party technology vendors. For example, the Bank’s core processing systems (e.g., loan, deposit and general ledger accounting systems) were acquired from FISERV. These systems are primarily maintained by the vendor from whom they were purchased. In most cases, Sample Bank does not have possession of source code to make changes.

The Board of Directors and management are aware, however, that: (1) vendors make periodic changes to application software used by the Bank, including comprehensive changes in the form of new releases and “fixes” of immediate problems, and (2) the Bank has the option of changing parameters, options, etc., which alter the functions of specific applications. Further, the Board and management understand that either of these categories of changes may affect the effectiveness of the Bank’s information security program. In short, any change to the Bank’s systems, application programs, computer hardware and data communications hardware and software may impair the effectiveness of Sample Bank’s Information Security Program. Consequently, this Policy has been adopted to provide guidance for the management of such changes.

Policy Purposes and Objectives

The primary purpose of Sample Bank’s Information Security Policy is to enumerate the elements that constitute Information Security.

Software Change Control

Definition

Software Change Control covers the control of all aspects of strategic systems software including the operating systems, compilers and utilities, third party and in-house developed applications, together with any command procedures and documentation to support and run them.

General Obligations

When software changes are required, it is essential that the changes are appropriately authorized and approved. Authorization for any software change must come from a member of senior management or the Information Technology Steering Committee. The only exception to this policy is for changes made to correct errors found in existing programs or procedures, or for “patches” to existing systems, such as Program Temporary Fixes (PTFs) or Service Packs (on network systems). Because it may not be convenient or advisable to delay applying such changes while waiting for approval, these types of changes (i.e., PTFs or Service Packs) can be made, but should be communicated to appropriate management personnel as soon as possible.

It is equally important that all software changes adhere to the following guidelines:

Changes must not violate any other policies or procedures.

Changes must be thoroughly tested.

Changes must be sufficiently documented.

Changes or appropriate documentation must be reviewed by a Business Unit Manager.

Changes must be implemented at an appropriate time to reduce or eliminate disruption of customer activity, Bank workflow, and system operations.


Change Control Responsibilities

The following personnel may approve software changes:

President and CEO

Senior Vice President Operations and Technology

Information Technology Steering Committee

It is the responsibility of appropriate personnel within the Information Services Department to implement software changes. Changes must be implemented (i.e., put into production) by personnel other than those initially responsible for evaluating the effects of a change and testing the change.

Change Control Environment

To the degree that it is economically feasible and practical, software changes should be implemented through the utilization of three separate steps:

Development — New program releases or significant program changes are typically prepared by a third-party technology service provider. The Bank does little actual programming, with the exception of custom report generation. It is the responsibility of the Information Services Department to receive and review all release letters or other appropriate documentation or a system

Testing — Once a program change or new release is received from a vendor, it must be thoroughly reviewed by the Information Services Department and the appropriate, affected users. The purpose of this review is to determine the effects of the proposed changes on the Bank’s information security systems and on the operational systems. Information Services will ensure that the implementation of the new release, or program change, will not materially impair the effectiveness of the Bank’s information security systems. Program changes / releases must be deployed in a test environment by Information Services Department personnel who are not involved in, or permitted access to, the Production environment. The changes should also be thoroughly tested by the end-user department.

Production — This is the environment in which the current, active software resides. Only after a program has completed the testing phase satisfactorily and been approved should it be moved to the production environment. Once the user department is satisfied with the results from the testing environment, the Software Change Control form should be completed and signed by the end-user department. The completed Software Change Request Form should be sent to the Information Services Manager, who will then place the program into the Production environment.

Implementation of Vendor-Supplied Changes

Operating Systems

A review of all existing operating systems is conducted on at least a quarterly basis (i.e., in coordination with the Information Technology Steering Committee) by the Information Services (IS) Department to check for upgrades, releases, and patches that may recently have been made available. This includes network operating systems, individual desktop operating systems and software, electronic mail operating systems, proxy server operating systems, network backup and recovery systems, and the host processing operating system. The changes made within these upgrades are examined in order to determine the urgency of the need to apply the modifications.

In the event that a problem occurs that requires a patch to be installed outside the regularly scheduled times, the IS department should apply the necessary updates and notify Sample Bank management.


All upgrades, releases, and patches should be scheduled, when feasible, for implementation during off peak hours. All installations are performed under the direct supervision of the IS Department.

The IS Department is also responsible for installing and updating desktop operating systems, office automation software products, electronic mail clients, network clients, browser software, various product clients, and other software used at the desktop level. These updates are performed on an as-needed basis. Every effort is made to maintain consistency throughout the network, but because of user preferences and the number of desktop systems in use, it is not always possible to have exactly the same levels of software on every computer. As new computers are introduced and older computers are reloaded, the latest software and software updates are always applied. The Information Services Department will ensure that appropriate security patches are installed / implemented on all devices within the Bank.

Host Processing Systems

It is the responsibility of the IS Department to install and maintain any mainframe computer operating system software. Most vendors provide release updates for these operating systems in accumulated packages. Unless a particular system problem occurs, it is not necessary to download and apply individual fixes on a regular basis. At least quarterly, the IS Department is to determine if a new cumulative software package is available. If it is available, the package is ordered. The package should contain all of the accumulated patches for the particular version of the operating system being used. Implementation should be scheduled with the financial institution’s host banking system processing software vendor to ensure there are no known problems between the application software and the patch package. Implementation is to be scheduled with senior management approval, as the package installation does require some amount of system downtime.

Core Banking System Software

The core banking system vendor, for example Fiserv CBS, will periodically (usually two or three times per calendar year — spring, fall, and year-end) send software “releases” to their client banks. Because of the potential wide-ranging impact of these software releases, the scheduling, training, and implementation of the releases is more complex than with operating system software, where the changes are usually transparent to the end user. The following outlines the basic steps performed when installing a banking system software release:

Prior to distributing a new release, the vendor will conduct training classes at various locations around the United States. If at all possible, at least one associate from the financial institution should attend one of these classes.

Upon receipt of the installation media, the media should be checked on the host system. The media should be read and a report of its contents produced. This report should be checked and, if possible, compared against a media list sent with the installation media by the vendor.

Upon receipt of the release documentation, it should be distributed to a release installation team made up of key Bank management and staff members, appropriate to the nature and scope of the changes being made in the release. As soon as possible after those employees have reviewed the documentation, an implementation team meeting should be held to assign implementation tasks.

Training is to be scheduled for any employees who might be affected by the release. Training is to be conducted by the implementation team, or someone they designate.

Documentation of changes should be distributed to the appropriate departments prior to the installation of the release.

The actual release installation must be scheduled far enough in advance so that all employees are properly notified. All employees and the vendor should be notified of the release installation date.


All third-party vendors must be notified of the release date. Written assurance of compliance with the release should be obtained where possible.

If the release includes any pre-installation tasks, they should be completed at least one week prior to the release installation, if possible.

Meetings of the implementation team should be conducted on an as-needed basis prior to the installation date to make sure everything is proceeding on schedule.

A system backup prior to the installation date should be verified for use in case a problem develops with the installation.

If the software vendor recommends additional backups other than the complete system backup, those backups should be performed immediately before installation of the release.

On the installation date, the IS department installs the release. Any exceptions to expected results are noted.

The vendor is notified of the completion of the release installation.

Any user-written programs and queries affected by the release are modified and recompiled as needed by the IS department and / or the Operations department.

Third-party programs are tested for compliance. Any failures are immediately reported to the program vendor.

Updated manual documentation should be distributed to the appropriate departments.

Manuals should be updated with documentation changes.

The first processing cycle following the installation of the release should be closely monitored by the operations department to make sure all changes were implemented as expected and no existing processes were negatively affected.

A post-installation meeting should be held by the implementation team to review installation.

Documentation

Appropriate documentation must be provided for the following:

Change control procedures — the procedures for implementing software changes should be fully documented and followed.

Software change requests — all requests for software changes should be submitted in writing on the appropriate Software Change Request Form. The form must be approved by the appropriate personnel.

Technical functions — a guide for the technical functionality of the software should be maintained by the Information Services Department.

Operational functions — any operational instructions required should be available to the appropriate department.

End-user functions — specific instructions for using the software should be available to the appropriate department.


E-Mail Policy for Sample Bank

Introduction

This document clarifies Sample Bank policies regarding electronic mail and defines new policy and procedures where existing policies do not specifically address issues particular to the use of electronic mail.

Sample Bank encourages the use of electronic mail and respects the privacy of users. It does not routinely inspect, monitor, or disclose electronic mail without the holder’s consent. Nonetheless, subject to the requirements for authorization, notification, and other conditions specified in this Policy, the Bank may deny access to its electronic mail services and may inspect, monitor, or disclose electronic mail when:

Required by and consistent with law.

There is substantiated reason to believe that violations of law or Bank policies have taken place.

There are compelling circumstances.

Under time-dependent, critical operational circumstances.

Users should be aware that:

Both the nature of electronic mail and the character of the Bank’s business make electronic mail less private than users may anticipate. For example, electronic mail intended for one person sometimes may be widely distributed because of the ease with which recipients can forward it to others. A reply to an electronic mail message posted on an electronic bulletin board or file server, intended only for the originator of the message, could be distributed to all subscribers to the file server. Furthermore, even after a user deletes an electronic mail record from a computer or electronic mail account, it may persist on backup facilities and thus be subject to disclosure under the provisions of the “General Provisions” section of this Policy. The Bank cannot routinely protect users against such eventualities.

Electronic mail, whether or not created or stored on Bank equipment, may constitute a record subject to disclosure under Banking regulations or other laws, or as a result of litigation. However, the Bank does not automatically comply with all requests for disclosure, but evaluates all such requests against the precise provisions of the laws concerning financial institution disclosure and privacy, or other applicable law.

The Bank, in general, cannot and does not wish to be the arbiter of the contents of electronic mail. Neither can the Bank, in general, protect users from receiving electronic mail they may find offensive. Employees, however, are strongly encouraged to use the same personal and professional courtesies and considerations in electronic mail as they would in other forms of communication.

There is no guarantee, unless "authenticated" mail systems are in use, that electronic mail received was in fact sent by the purported sender, since it is relatively easy, although a violation of this Policy, for senders to disguise their identity. Furthermore, electronic mail that is forwarded may also be modified. As with print documents, in case of doubt, receivers of electronic mail messages should check with the purported sender to validate authorship or authenticity.

Encryption of electronic mail is another emerging technology that is not in widespread use as of the date of this Policy. This technology enables the encoding of electronic mail so that for all practical purposes it cannot be read by anyone who does not possess the correct “key” to decode the message. The answers to questions raised by the growing use of these technologies are not yet sufficiently understood to warrant the formulation of policy at this time. Users and operators of electronic mail facilities should be aware, however, that these technologies will become generally available and probably will be increasingly used by officers and staff of the Bank.

Purpose

The purpose of this Policy is to:

Establish guidelines for the acceptable use of the Bank’s e-mail systems

Ensure Bank employees are informed about the applicability of policies and laws to electronic mail, including Privacy laws, and

Ensure e-mail services are used in compliance with those policies and laws.

Definitions

The terms "electronic mail" and "email" are used interchangeably throughout this Policy. Other terms used in this Policy are defined in Exhibit A. Knowledge of these definitions is important to an understanding of this Policy.

Scope

This Policy applies to:

All electronic mail systems and services provided or owned by the Bank

All Bank employees and users of Bank email services

All Bank email records in the possession of Bank employees or other email users of electronic mail services provided by the Bank (contractors, consultants, etc.)

This Policy applies to electronic mail in its electronic form or to printed copies of electronic mail. Other Bank records management policies do not distinguish among the media in which records are generated or stored. Electronic mail messages, therefore, in either their electronic or printed forms, may also be subject to those other policies, including provisions regarding retention and disclosure.

General Provisions

As noted in the Introduction, the Bank recognizes that principles such as freedom of speech, and privacy of information hold important implications for electronic mail and electronic mail services. This Policy reflects these firmly held principles within the context of the Bank’s legal and other obligations.

Purpose:

In support of its mission to provide the necessary tools to encourage the efficient and proactive sharing of information relative to servicing customers and the transacting of financial services, the Bank encourages the use of electronic mail services to share information, improve communication and exchange ideas.

Bank Property:

Bank electronic mail systems and services are Bank facilities as that term is used in other policies and guidelines. Any electronic mail address or account associated with the Bank, or any sub-unit of the Bank, assigned by the Bank to individuals, sub-units, or functions of the Bank, is the property of Sample Bank.

Service Restrictions:

Those who use Bank electronic mail services are expected to do so responsibly, that is, to comply with applicable local and national laws, with this and other policies and procedures of the Bank, and with normal standards of professional and personal courtesy and conduct. Access to Bank electronic mail services, when provided, is a privilege that may be wholly or partially restricted by the Bank without prior notice and without the consent of the email user when required by and consistent with law, when there is substantiated reason to believe that violations of policy or law have taken place, or, in exceptional cases, when required to meet time-dependent, critical operational needs. Such restriction is subject to established Bank procedures or, in the absence of such procedures, to the approval of the Chief Information Officer.

Consent and Compliance:

An email holder’s consent may be sought by the Bank prior to any inspection, monitoring, or disclosure of Bank email records in the holder’s possession. Bank employees are expected to comply with Bank requests for copies of email records in their possession that pertain to the business of the Bank, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on a computer housed or owned by the Bank. Failure to comply with such requests can lead to the conditions of “Policy Violations”.

Restrictions on Access Without Consent:

The Bank shall only permit the inspection, monitoring, or disclosure of electronic mail without the consent of the holder of such email (i) when required by and consistent with law; (ii) when there is substantiated reason (as defined in Exhibit A) to believe that violations of law or of Bank policies have taken place; (iii) when there are compelling circumstances as defined in Exhibit A; or (iv) under time-dependent, critical operational circumstances as defined in Exhibit A.

Compliance with Law:

Actions taken under Paragraphs 1 and 2 shall be in full compliance with the law and other applicable Bank policy. This has particular significance for email residing on computers not owned or housed by the Bank. Advice of counsel always must be sought prior to any action taken under such circumstances. It also has particular significance for email whose content is protected under certain financial institution regulations, whose protection applies equally to email and to print records.

Misuse:

In general, both law and Bank policy prohibit the theft or other abuse of computing resources. Such prohibitions apply to electronic mail services and include (but are not limited to) unauthorized entry, use, transfer, and tampering with the accounts and files of others, and interference with the work of others and with other computing facilities. Under certain circumstances, the law contains provisions for felony offenses.

Specific Provisions

Allowable Use

In general, use of Bank electronic mail services is governed by policies that apply to the use of all Bank facilities. In particular, use of Bank electronic mail services is encouraged and is allowable subject to the following conditions:

Purpose

Electronic mail services are to be provided by the Bank in support of the organization’s mission in providing financial services and the administrative functions that support this mission.

Users

Users of Bank electronic mail services are to be limited primarily to Bank officers and staff for purposes that conform to the requirements of this section.

Restrictions

Bank electronic mail services may not be used for: unlawful activities; commercial purposes not under the auspices of the Bank; personal financial gain (see applicable Human Resources policies); personal use inconsistent with this section; or uses that violate other Bank policies or guidelines. The latter include (but are not limited to) policies and guidelines regarding intellectual property, or regarding sexual or other forms of harassment.

Representation

Electronic mail users shall not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of the Bank or any unit of the Bank unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer shall be included unless it is clear from the context that the author is not representing the Bank. An appropriate disclaimer is: "These statements are my own, not those of the Bank."

False Identity

Bank email users shall not employ a false identity. Email may, however, be sent anonymously provided this does not violate any law, this Policy, or any other Bank policy, and does not unreasonably interfere with the administrative business of the Bank.

Interference

Bank email services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, excessive strain on any computing facilities, or unwarranted or unsolicited interference with others’ use of email or email systems. Such uses include, but are not limited to, the use of email services to: (i) send or forward email chain letters; (ii) "spam," that is, to exploit file / mail servers or similar broadcast systems for purposes beyond their intended scope to amplify the widespread distribution of unsolicited email; and (iii) "letter-bomb," that is, to re-send the same email repeatedly to one or more recipients to interfere with the recipient's use of email.

Personal Use

Bank electronic mail services may be used for incidental personal purposes provided that, in addition to the foregoing constraints and conditions, such use does not: (i) directly or indirectly interfere with the Bank’s operation of computing facilities or electronic mail services; (ii) burden the Bank with noticeable incremental cost; or (iii) interfere with the email user’s employment or other obligations to the Bank. Email records arising from such personal use may, however, be subject to the presumption in Exhibit A regarding personal and other email records. Email users should assess the implications of this presumption in their decision to use Bank electronic mail services for personal purposes.

Security and Confidentiality

The confidentiality of electronic mail cannot be assured. Such confidentiality may be compromised by applicability of law or policy, including this policy, by unintended redistribution, or because of inadequacy of current technologies to protect against unauthorized access. Users, therefore, should exercise extreme caution in using email to communicate confidential or sensitive matters.

The Bank’s Human Resources Policies prohibit Bank employees and others from "seeking out, using, or disclosing" without authorization "personal or confidential" information, and require employees to take necessary precautions to protect the confidentiality of personal or confidential information encountered in the performance of their duties or otherwise. This prohibition applies to email records.

Notwithstanding the previous paragraph, users should be aware that, during the performance of their duties, network and computer operations personnel and system administrators need from time to time to observe certain transactional addressing information to ensure proper functioning of Bank email services, and on these and other occasions may inadvertently see the contents of email messages. Except as provided elsewhere in this policy, they are not permitted to see or read the contents intentionally; to read transactional information where not germane to the foregoing purpose; or to disclose or otherwise use what they have seen. One exception, however, is that of systems personnel (such as "postmasters") who may need to inspect email when re-routing or disposing of otherwise undeliverable email. This exception is limited to the least invasive level of inspection required to perform such duties. Furthermore, this exception does not exempt postmasters from the prohibition against disclosure of personal and confidential information of the previous paragraph, except insofar as such disclosure equates with good faith attempts to route the otherwise undeliverable email to the intended recipient. Re-routed mail normally should be accompanied by notification to the recipient that the email has been inspected for such purposes.

The Bank attempts to provide secure and reliable email services. Operators of Bank electronic mail services are expected to follow sound professional practices in providing for the security of electronic mail records, data, application programs, and system programs under their jurisdiction. Since such professional practices and protections are not foolproof, however, the security and confidentiality of electronic mail cannot be guaranteed. Furthermore, operators of email services have no control over the security of email that has been downloaded to a user’s computer. As a deterrent to potential intruders and the misuse of email, email users should employ whatever protections (such as passwords) are available to them.

Users of electronic mail services should be aware that even though the sender and recipient have discarded their copies of an electronic mail record, there might be back-up copies that can be retrieved. Systems may be "backed-up" on a routine or occasional basis to protect system reliability and integrity, and to prevent potential loss of data. The back-up process results in the copying of data onto storage media that may be retained for periods of time and in locations unknown to the originator or recipient of electronic mail. The practice and frequency of back-ups and the retention of back-up copies of email vary from system to system. Electronic mail users are encouraged to request information on the back-up practices followed by the operators of Bank electronic mail services, and such operators are required to provide such information upon request.

Archiving and Retention

Bank record management policies do not distinguish among media with regard to the definition of Bank records. As such, electronic mail records are subject to these policies. In particular, such records are subject to disposition schedules as maintained by the Bank.

The Bank does not maintain central or distributed electronic mail archives of all electronic mail sent or received. Electronic mail is normally backed up only to assure system integrity and reliability, not to provide for future retrieval, although back-ups may at times serve the latter purpose incidentally. Operators of Bank electronic mail services are not required by this Policy to retrieve email from such back-up facilities upon the holder’s request, although on occasion they may do so as a courtesy.

Email users should be aware that generally it is not possible to assure the longevity of electronic mail records for record-keeping purposes, in part because of the difficulty of guaranteeing that electronic mail can continue to be read in the face of changing formats and technologies and in part because of the changing nature of electronic mail systems. This becomes increasingly difficult as electronic mail encompasses more digital forms, such as embracing compound documents composed of digital voice, music, image, and video in addition to text. Furthermore, in the absence of the use of authentication systems, it is difficult to guarantee that email documents have not been altered, intentionally or inadvertently.

Email users and those in possession of Bank records in the form of electronic mail are cautioned, therefore, to be prudent in their reliance on electronic mail for purposes of maintaining a lasting record. Sound business practice suggests that consideration be given to transferring (if possible) electronic mail to a more lasting medium / format, such as acid-free paper or microfilm, where long-term accessibility is an issue.

User Guidelines

Email is a fast way of transmitting information to district employees. The following are suggestions for using it effectively:

DO:

Do check your electronic mail daily to see if you have any messages.

Do include a meaningful subject line in your message.

Do check the address line before sending a message and check you are sending it to the right person.

Do delete electronic mail messages when they are no longer required.

Do respect the legal protections to data and software provided by copyright and licenses.

Do take care not to express views which could be regarded as defamatory or libelous.

DO NOT:

Do not print electronic mail messages unless absolutely necessary.

Do not expect an immediate reply; the recipient might not be at their computer or could be too busy to reply straight away.

Do not forward electronic mail messages sent to you personally to others, particularly newsgroups or mailing lists, without the permission of the originator.

Do not use electronic mail for personal reasons.

Do not send excessively large electronic mail messages or attachments.

Do not send unnecessary messages such as festive greetings or other non-work items by electronic mail, particularly to several people.

Do not participate in chain or pyramid messages or similar schemes.

Do not represent yourself as another person.

Do not use electronic mail to send or forward material that could be construed as confidential, political, obscene, threatening, offensive or libelous.

Don't assume privacy

Electronic Mail is Bank property. All electronic mail activity is monitored and logged. All the content of electronic mail is scanned for offensive material.

Courts have ruled that messages sent on a company's or district's email system are the property of the company or district, and that employers may search workers' electronic mail boxes. Never send a message you wouldn't want made public. (As a point of courtesy, don't forward messages to third parties before you get permission from the original sender.)

If you are in any doubt about an issue affecting the use of electronic mail you should consult the I.T. Services Manager.

Violations of Policy

Violations of Bank policies governing the use of Bank electronic mail services may result in restriction of access to Bank information technology resources. In addition, disciplinary action, up to and including dismissal, may be applicable under other Bank policies and / or guidelines.

Responsibility for Policy

The Information Security Officer is responsible for development and maintenance of this Policy.

Exhibit A – Definitions

Computing Facilities:

Resources, services, and networked systems such as computers and computer time, data processing or storage functions, servers, networks, input / output and connecting devices, and related computer records, programs, software, and documentation.

Electronic Mail Systems or Services:

Any messaging system that depends on computing facilities to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print computer records for purposes of asynchronous communication across computer networks between or among individuals or groups, that is either explicitly denoted as a system for electronic mail or is implicitly used for such purposes, including services such as electronic bulletin boards, file servers, and newsgroups.

Bank Email Systems or Services:

Electronic mail systems or services owned or operated by the Bank or any of its sub-units.

Email Record or Email:

Any or several electronic computer records or messages created, sent, forwarded, replied to, transmitted, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several email systems or services. This definition of email records applies equally to the contents of such records and to transactional information associated with such records, such as headers, summaries, addresses, and addressees. This policy applies only to electronic mail in its electronic form. The policy does not apply to printed copies of electronic mail.

Bank Record:

A "public record" is further defined as: records that include any writing containing information relating to the conduct of the public's business prepared, owned, used, or retained (by the Bank) regardless of physical form or characteristics. With certain defined exceptions, such Bank records are subject to disclosure under certain financial regulations. Records held by employees, including email, are considered Bank records unless such records are pursuant to an employment or agent relationship the employee / contractor has or has had with the Bank. This exemption does not, however, exclude employee email from other aspects of this Policy, regardless of whether such email is a Bank record.

Bank Email Record:

A Bank Record in the form of an email record, regardless of whether any of the computing facilities utilized to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the email record are owned by the Bank. This implies that the location of the record, or the location of its creation or use, does not change its nature as: (i) a Bank email record for purposes of this or other Bank policy (see, however, the “General Provisions” section), and (ii) having potential for disclosure under financial regulations. Until determined otherwise or unless it is clear from the context, any email record residing on Bank-owned computing facilities may be deemed to be a Bank email record for purposes of this policy. This includes, for example, personal email (see “Specific Provisions” section). Consistent, however, with the principles asserted in the “General Provisions” section of least perusal and least action necessary and of legal compliance, the Bank must make a good faith a priori effort to distinguish Bank email records from personal and other email where relevant to disclosures under financial regulations and other laws, or for other applicable purposes of this policy.

Use of Bank or Other Email Services:

To create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print email (with the aid of Bank email services). An Email User is an individual who makes use of Bank email services. Receipt of email prior to actual viewing is excluded from this definition of "use" to the extent that the recipient does not have advance knowledge of the contents of the email record.

Possession of Email:

An individual is in "possession" of an email record, whether the original record or a copy or modification of the original record, when that individual has effective control over the location of its storage. Thus, an email record that resides on a computer server awaiting download to an addressee is deemed, for purposes of this policy, to be in the possession of that addressee. Systems administrators and other operators of Bank email services are excluded from this definition of possession with regard to email not specifically created by or addressed to them.

Holder of an Email Record or Email Holder:

An email user who is in possession of a particular email record, regardless of whether that email user is the original creator or a recipient of the content of the record.

Substantiated Reason:

Reliable evidence indicating that violation of law or of policies probably has occurred, as distinguished from rumor, gossip, or other unreliable evidence.

Compelling Circumstances:

Circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of Bank policies, or significant liability to the Bank or to members of the Bank community.

Emergency Circumstances:

Circumstances where time is of the essence and where there is a high probability that delaying action would almost certainly result in compelling circumstances.

Time-dependent and Critical Operational Circumstances:

Circumstances where failure to act could seriously hamper the ability of the Bank to function administratively or to meet its obligations, but excluding circumstances pertaining to personal or professional activities.

Internet Use Policy for Sample Bank

Introduction

This document clarifies Sample Bank (“the Bank”) policies regarding use of Internet services. It also defines new policy and procedures where existing policies do not specifically address issues particular to the use of Internet based services provided to end users by Sample Bank.

The Internet has become a popular method of acquiring and disseminating information, data and programs within the personal computing community. Its use at Sample Bank must include prudent actions that will protect the organization from undue risk through infection by viruses, illegal copying of software, illicit or illegal use and associated issues.

The Chief Information Officer must approve use of Internet electronic services by the Bank (i.e., contracting with an Internet Services Provider or contracting with a vendor for the provision of services across the Internet) in writing. Approval will be handled in the same manner as requesting new software.

While the Bank respects the privacy of all users, from time to time the Bank may routinely inspect or monitor Internet electronic services and transmissions without the end-user’s consent. The Bank provides access to Internet services and therefore the Bank may deny access to said services and may inspect or monitor usage when:

Required by and consistent with law

There is substantiated reason to believe that violations of law or Bank policies have taken place

There are compelling circumstances

As provided for by this policy and other Bank policies and procedures, which may be applicable.

Users should be aware of the following:

Electronic transactions via Internet services, whether or not created or stored on Bank equipment, may constitute a record (see Exhibit A, definitions) subject to disclosure under banking regulations or other laws, or as a result of litigation. However, the Bank does not automatically comply with all requests for disclosure, but evaluates all such requests against the precise provisions of the laws concerning financial institution disclosure and privacy, or other applicable law.

Users of Bank provided Internet services also should be aware that stipulations of banking regulations and other laws jeopardize the ability of the Bank to guarantee complete protection of personal transactions or messages communicated via the Internet that utilize Bank owned PCs, file servers or communication servers for such transactions. In general, the Bank does not condone use of its electronic services for personal use.

The Bank, in general, cannot and does not wish to be the arbiter of either transactions or messages related to Internet services when used by employees for personal means. Neither can the Bank, in general, protect users from receiving messages from the Internet they may find offensive. Every attempt will be made by the Bank to filter “content” received from the Internet via Bank provided equipment. By acceptance of this policy, employees agree to hold the Bank harmless from any issues arising from illicit or offensive content that may be transmitted over Internet services provided by the Bank. Employees are strongly encouraged to use the same personal and professional courtesies and considerations in use of these services as they would in the normal course of business.

There is no guarantee, unless "authenticated" systems are in use, that messages and transactions either received or transmitted via Internet services are secure. Additionally, it is a violation of this Policy for users to disguise their identity for use of Internet services for any reason.

Encryption of electronic transactions via Internet services is recommended whenever possible. This technology enables the encoding of information transmitted via the Internet so that for all practical purposes it cannot be read by anyone who does not possess the right “key”.

Staff members that are granted access to Internet services are advised that all usage is continually monitored by Sample Bank management through the use of logs and reports generated by the Bank’s file servers and proxy / firewall software. These logs and reports identify the services accessed by end-users and the time spent doing so.

The Bank will take steps to block access to certain unsuitable sites.

Inasmuch as there are no guarantees regarding the integrity of downloaded files (programs, data files, etc.) even in a private and controlled access point, the same controls and cautions must be exercised when accessing these services as when accessing public services.

Purpose

The purpose of this Policy is to:

Establish guidelines for the approved and safe use of the Internet

Ensure Internet services are used in compliance with those guidelines

Ensure users of Internet services are informed about concepts of privacy and security applicable to electronic mail

Minimize disruptions to Bank provided Internet services and other services and activities, and

Inform users of Internet related services as to Bank expectations regarding applicable use.

Definitions

Terms used in this Policy are defined in Exhibit A. Knowledge of these definitions is important to an understanding of this Policy.

Scope

This Policy applies to:

All Internet “accounts” and services provided or owned by the Bank (including workstation software or “browsers”)

All users and uses of Bank provided Internet services

All Bank records in the possession of Bank employees or other users of electronic or Internet services provided by the Bank

This Policy applies only to Internet use and content in its electronic form. The Policy does not apply to printed copies of Internet pages / content or to downloaded files, applications or publications. Other Bank records management policies may not distinguish among the media in which records are generated or stored. Internet content, therefore, in either its electronic or printed form, is subject to those other policies, including provisions of those policies regarding retention and disclosure, if applicable.

General Provisions

The Bank provides Internet services to assist the Bank’s officers and staff in the performance of their duties and for providing information services and customer related services. This policy serves to define the Bank’s policies regarding these services, while remaining within the context of the Bank’s legal and other obligations.

Purpose:

In support of its mission to provide the necessary tools to encourage the efficient sharing of information relative to transacting of financial services, the Bank encourages the use of Internet services to obtain and share information, to improve communication, and to enhance customer service and support.

Bank Property:

Internet systems and access to the Internet are provided by the Bank and therefore are considered Bank Property. While information and services that reside within a “web site” or “upon” the Internet are owned by non-related Companies, this policy addresses the use of said services and interaction with resources which are considered Bank Property. Any Internet access or account provided by an ISP via Sample Bank’s contract or other agreement associated with the Bank, or any sub-unit of the Bank, assigned by the Bank to individuals, sub-units, or functions of the Bank, is the property of Sample Bank.

Service Restrictions:

Those who use Bank provided Internet services are expected to do so responsibly, that is, to comply with local, state and federal laws, with this and other policies and procedures of the Bank, and with normal standards of professional and personal courtesy and conduct. Access to Bank provided Internet services, when provided, is a privilege that may be wholly or partially restricted by the Bank without prior notice and without the consent of the user when required by and consistent with law, when there is substantiated reason to believe that violations of Bank policy or law have taken place, or upon the employee’s termination of employment. Such restriction is subject to established Bank procedures or, in the absence of such procedures, to the approval of the Chief Information Officer.

Consent and Compliance:

The Bank is not required to seek the end user’s consent prior to any inspection or monitoring. Records or logs generated and stored on an employee’s personal computer that pertain to Bank business dealings will be considered Bank owned intellectual property.

Access Without Consent:

The Bank permits the inspection, monitoring, or disclosure of logs or records pertaining to Internet services without the consent of the holder (i) when required by and consistent with law; (ii) when there is substantiated reason (as defined in Exhibit A, Definitions) to believe that violations of law or of Bank policies listed in Exhibit B have taken place; (iii) when there are compelling circumstances as defined in Exhibit A; or (iv) when the Bank elects to review such records to ensure compliance with all published Bank policies and procedures. The Bank reserves the right to use automated electronic tools to “scan” data flows for inappropriate content or abuse of services at any time.

Misuse:

In general, both law and Bank policy prohibit the theft or other abuse of computing resources. Such prohibitions apply to Internet electronic services and include (but are not limited to) unauthorized entry, use, transfer, and tampering with the accounts and files of others, and interference with the work of others and with other computing facilities. Under certain circumstances, the law contains provisions for felony offenses. Users of Internet services are encouraged to familiarize themselves with these laws and policies (see Exhibit B, References).

Sample Information Security Policies

Page 44

©2012 Abound Resources, Inc.

Offensive and Inappropriate Material:

Sample Bank employees are not to access or distribute any material that could be considered inappropriate, offensive or disrespectful to others. While it is impossible to list every form of such material, some clear examples include:

Materials that contain sexually explicit images or descriptions

Materials that advocate illegal activity

Materials that advocate intolerance for others

Employees should discuss questions concerning inappropriate or offensive material with their managers or the Chief Information Officer.

Specific Provisions

Allowable Use.

In general, use of Bank Internet services is governed by policies that apply to the use of all Bank facilities. In particular, use of Bank Internet services is encouraged and is allowable subject to the following conditions:

Purpose.

Internet access and Internet services are to be provided by Bank units in support of organization’s mission in providing financial services to the customer base, and the administrative functions that support this mission.

Users.

Users of Bank provided Internet access and Internet services are to be limited primarily to certain Bank officers and staff for purposes that conform to the requirements of this Section. Said users will be approved for use of services based on a case-by-case basis and approved by the Chief Information Officer.

Non-Competition.

Bank Internet services shall not be provided for end users’ use in competition with commercial services to individuals or companies outside the Bank.

Restrictions.

Bank Internet services may not be used for: unlawful activities; commercial purposes not under the auspices of the Bank; personal financial gain (see applicable Human Resources policies); personal use inconsistent with Section VI; or uses that violate other Bank policies or guidelines. The latter include, but are not limited to, policies and guidelines (see Exhibit B) regarding intellectual property, or regarding sexual or other forms of harassment.

Representation.

Internet services users shall not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of the Bank or any unit of the Bank unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer shall be included unless it is clear from the context that the author is not representing the Bank. An appropriate disclaimer is: "These statements are my own, not those of the Bank."


False Identity.

Internet services users shall not employ a false identity when utilizing said services.

Interference.

Bank provided Internet services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, excessive strain on any computing facilities, or unwarranted or unsolicited interference with others’ use of Bank systems or Internet accounts. Such uses include, but are not limited to, the use of Internet services to: (i) access illicit or immoral content; (ii) access confidential or illegal resources that may be available on the Internet; (iii) publish, disseminate or share confidential or classified Bank and / or customer related data; and (iv) use Internet services for personal gain or in competition with the Bank.

Acceptable Internet Activities

The following list, although not all-inclusive, provides some examples of acceptable uses:

Communication and / or information gathering with government personnel / entities, vendors, and other private businesses; so long as those entities and their functions are applicable to business requirements specific to Sample Bank

Communications, including information exchange, for professional development or to maintain knowledge or skills

Activities involving associations, advisory, or standards activities

Research activities which are directly associated with work-related issues

Communications for administrative and general work related purposes (including perusal of business news and financial market information)

Items must be accessed and / or downloaded legally. This means that if upgrades to products are downloaded, the organization must be legally licensed to do so.

Personal Use

Bank provided Internet services may be used for incidental personal purposes provided that, in addition to the foregoing constraints and conditions, such use does not: (i) directly or indirectly interfere with the Bank’s operation of computing facilities or electronic services; (ii) burden the Bank with noticeable incremental cost; or (iii) interfere with the user’s employment or other obligations to the Bank. Records arising from such personal use may, however, be subject to the presumption in Exhibit A regarding personal and other records. Internet services users should assess the implications of this presumption in their decision to use Bank Internet services for personal purposes.

Security and Confidentiality

The confidentiality of electronic transactions related to the Internet cannot be assured. Such confidentiality may be compromised by applicability of law or policy, including this Policy, by unintended redistribution, or because of inadequacy of current technologies to protect against unauthorized access. Users, therefore, should exercise extreme caution in using Internet services to transmit confidential or sensitive matters.

The Bank’s Human Resources and Policies & Procedures manuals prohibit Bank employees and others from "seeking out, using, or disclosing" without authorization "personal or confidential" information, and require employees to take necessary precautions to protect the confidentiality of personal or confidential information encountered in the performance of their duties or otherwise. This prohibition applies to Internet services in addition to email records.

Notwithstanding the previous paragraph, users should be aware that, during the performance of their duties, network and computer operations personnel and system administrators need from time to time to observe certain transactional and usage information to ensure proper functioning of Bank Internet services. Except as provided elsewhere in this Policy, IS staff members are not permitted to intentionally see or read the contents of messaging and transactional data flows; to read transactional information where not germane to the foregoing purpose; or to disclose or otherwise use what they have seen.

The Bank attempts to provide secure and reliable electronic services to the end user community. Operators of Bank provided Internet services and access to said services are expected to follow sound professional practices in providing for the security of electronic records, firewalls, virus detection software, data, application programs, and system programs under their jurisdiction. Since such professional practices and protections are not foolproof, however, the security and confidentiality of Internet transactions and messaging services cannot be guaranteed. Furthermore, operators of Bank provided Internet services have no control over the security of email that has been downloaded to a user’s computer. As a deterrent to potential intruders and to misuse of such services, end users should employ whatever protections are available to them.

Users of Internet services should be aware that even though the copies and “history files” or “cookies” stored on the end user’s PC have been discarded, there might be back-up copies that can be retrieved. Systems and PC’s may be "backed-up" on a routine or occasional basis to protect system reliability and integrity, and to prevent potential loss of data. The back-up process results in the copying of data onto storage media that may be retained for periods of time and in locations unknown to the originator or recipient of electronic mail. The practice and frequency of back-ups and the retention of back-up copies vary from system to system.

Internet Usage Policy Guideline

The World Wide Web (WWW), Internet, and traditional Bulletin Boards have become popular methods of acquiring and disseminating information, data and programs within the personal computing community. Their use at the Bank must include prudent actions that will protect the Bank from undue risk through infection by viruses or illegal copying of software.

These guidelines are intended to help you make the best use of the Internet resources at your disposal. You should understand the following.

The Bank provides Internet access to staff to assist them in carrying out their duties for the Bank. It is envisaged that it will be used to lookup details about suppliers, products, to access government information and other statutory information. It should not be used for personal reasons.

You may only access the Internet by using the Bank’s content scanning software, firewall and router.

You may only access the Internet after you have been authorized to do so by your section manager in writing.

When using the Bank’s Internet access facilities you should comply with the following guidelines.

DO:

Do keep your use of the Internet to a minimum

Do check that any information you access on the Internet is accurate, complete and current.

Do check the validity of the information found.

Do respect the legal protections to data and software provided by copyright and licenses.

Do inform I.T. Services immediately of any unusual occurrence.

DO NOT:


Do not download text or images which contain material of a pornographic, racist or extreme political nature, or which incites violence, hatred or any illegal activity.

Do not download content from Internet sites unless it is work related.

Do not download software from the Internet and install it upon the Bank’s computer equipment.

Do not use the Bank’s computers to make unauthorized entry into any other computer or network.

Do not disrupt or interfere with other computers or network users, services, or equipment. Intentional disruption of the operation of computer systems and networks is a crime under the Computer Misuse Act 1990.

Do not represent yourself as another person.

Do not use Internet access to transmit confidential, political, obscene, threatening, or harassing materials.

Please note:

All activity on the Internet is monitored and logged.

All material viewed is scanned for viruses.

All the content viewed is scanned for offensive material.

If you are in any doubt about an issue affecting Internet Access you should consult the I.T. Manager or Network Administration personnel.


Exhibit A: Definitions

Computing Facility(ies):

Computing resources, services, and network systems such as computers and computer time, data processing or storage functions, computer systems and services, servers, networks, input / output and connecting devices, and related computer records, programs, software, and documentation.

Internet Systems or Services:

Any system that connects to external computing facilities to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print computer records for purposes of asynchronous communication across computer network systems between or among individuals or groups, that is either explicitly denoted as a system for Internet connectivity or is implicitly used for such purposes, including services such as browsers, electronic bulletin boards, file servers, and newsgroups.

Bank Provided Systems or Services:

Internet systems or services owned or operated by the Bank or any of its sub-units.

Bank Record:

A "public record" is further defined as: records that include any writing containing information relating to the conduct of the public's business prepared, owned, used, or retained (by the Bank) regardless of physical form or characteristics. With certain defined exceptions, such Bank records are subject to disclosure under certain financial regulations. Records held by employees, including email and Internet transmissions, are considered Bank records unless such records are pursuant to an employment or agent relationship the employee / contractor has or has had with the Bank. This exemption does not, however, exclude employee email or Internet transmissions from other aspects of this Policy, regardless of whether such content is a Bank record.

Use of Bank or Other Internet Services:

To create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print Web content or email (with the aid of Bank services). An end user is an individual who makes use of Bank Internet and other electronic services.

Possession of Documentation and “Downloaded” Files:

An individual is in "possession" of documentation or records, whether the original record or a copy or modification of the original record, when that individual has effective control over the location of its storage. Thus, an electronic record, log or file that resides on a computer server awaiting download to an intended recipient is deemed, for purposes of this Policy, to be in the possession of that addressee. Systems administrators and other operators of Bank Internet services are excluded from this definition of possession with regard to content not specifically created by or addressed to them.

Holder of Documentation or “Downloaded” Files:

An end user who is in possession of a particular record, log or file, regardless of whether that user is the original creator or a recipient of the content of the record.

Substantiated Reason:

Reliable evidence indicating that violation of law or of policies has occurred, as distinguished from rumor, gossip, or other unreliable evidence.

Compelling Circumstances:

Circumstances where failure to act may result in significant property loss or damage, loss of significant evidence of one or more violations of law or of Bank policy, or significant liability to the Bank or to Bank customers.


Exhibit B: Policy Violations

Violations of Bank policies governing the use of Bank provided Internet services may result in disciplinary action, up to and including dismissal; as provided for under other Bank policies and / or guidelines.

Unacceptable Activities

The following list, although not all-inclusive, provides some examples of unacceptable uses:

Private or personal, for-profit activities (e.g., consulting for pay, sale of goods such as Avon, Amway, or Excel products, etc.), without prior written consent of employer

Use for private or personal business and / or gain, without prior written consent of employer

Use for any illegal purpose, including communications which violate any laws or regulations

Transmitting or forwarding threatening, obscene, or harassing messages

Intentionally seeking information about, obtaining copies of, or modifying files, other data, or passwords belonging to other users, unless explicitly authorized to do so

Interfering with or disrupting network users, services, or equipment. Such disruptions could include, but are not limited to, (1) distribution of unsolicited advertising or messages, (2) propagation of computer worms or viruses, and (3) using Internet access to gain unauthorized entry to another machine or network resource via the Internet

Personal use, including shopping, seeking information regarding employment opportunities, chat rooms, etc.

Illicit use, such as pornographic web-sites, militant organizations, or any other uses that may be construed as an act of moral turpitude.

Responsibility for Policy

The Chief Information Officer is responsible for development and maintenance of this Policy. Because Bank policies are subject to change, this Policy may change from time to time. The final and approved Policy will be posted under the listings of Bank policies on Bank file servers. Authority to change this Policy rests with the Chief Information Officer.

Acknowledgement of Policy Changes

Employees will be notified of changes to this Policy and be required to read and acknowledge that they have read the changed Policy.


Remote Access Policy

Purpose

The purpose of this policy is to define standards for connecting to Sample Bank's network from any host. These standards are designed to minimize the potential exposure to Sample Bank from damages which may result from unauthorized use of Sample Bank resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Sample Bank internal systems, etc.

Scope

This policy applies to all Sample Bank employees, contractors, vendors and agents with a Sample Bank-owned or personally-owned computer or workstation used to connect to the Sample Bank network. This policy applies to remote access connections used to do work on behalf of Sample Bank, including reading or sending email and viewing intranet web resources.

Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.

Policy - General

1. It is the responsibility of Sample Bank employees, contractors, vendors and agents with remote access privileges to Sample Bank's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Sample Bank.

2. General access to the Internet for recreational use by immediate household members through the Sample Bank Network on personal computers is permitted for employees that have flat-rate services. The Sample Bank employee is responsible to ensure the family member does not violate any Sample Bank policies, does not perform illegal activities, and does not use the access for outside business interests. The Sample Bank employee bears responsibility for the consequences should the access be misused.

3. Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of Sample Bank's network:

a. Acceptable Encryption Policy

b. Virtual Private Network (VPN) Policy

c. Wireless Communications Policy

d. Acceptable Use Policy

4. For additional information regarding Sample Bank's remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., go to the Remote Access Services website.

Requirements


1. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy.

2. At no time should any Sample Bank employee provide their login or email password to anyone, not even family members.

3. Sample Bank employees and contractors with remote access privileges must ensure that their Sample Bank-owned or personal computer or workstation, which is remotely connected to Sample Bank's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

4. Sample Bank employees and contractors with remote access privileges to Sample Bank's corporate network must not use non-Sample Bank email accounts (e.g., Hotmail, Yahoo, AOL) or other external resources to conduct Sample Bank business, thereby ensuring that official business is never confused with personal business.

5. Routers for dedicated ISDN lines configured for access to the Sample Bank network must meet minimum authentication requirements of CHAP.

6. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

7. Frame Relay connections must use dedicated PVCs whose DLCIs are registered with Remote Access Services. A DLCI identifies the circuit only; it does not authenticate the peer, so it must be combined with the authentication required in item 1.

8. Non-standard hardware configurations must be approved by Remote Access Services, and InfoSec must approve security configurations for access to hardware.

9. All hosts that are connected to Sample Bank internal networks via remote access technologies must use the most up-to-date anti-virus software (place url to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.

10. Personal equipment that is used to connect to Sample Bank's networks must meet the requirements of Sample Bank-owned equipment for remote access.

11. Organizations or individuals who wish to implement non-standard Remote Access solutions to the Sample Bank production network must obtain prior approval from Remote Access Services and InfoSec.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

Term Definition

Cable Modem - Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.

CHAP - Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function: the authenticator sends a random challenge, and the peer answers with a hash of the challenge combined with the shared secret, so the secret itself never crosses the link.

DLCI - Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies a particular PVC endpoint within a user's access channel in a frame relay network, and has local significance only to that channel.
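The following Python model of the CHAP exchange is an added example and is not part of the Sample Bank policy text or of any vendor's router software. It implements the RFC 1994 MD5 variant (Response = MD5(Identifier || Secret || Challenge)), with both the router (authenticator) and the dial-in peer represented, and it shows two points the policy relies on: a captured response cannot be replayed because each challenge is consumed once, and a passive observer can still test candidate secrets offline, which is why item 1 demands strong pass-phrases. The peer name, secrets and candidate wordlist are constructed for illustration.

```python
"""RFC 1994 CHAP (MD5) exchange, with the replay and offline-guessing checks.

Added example, not part of the Sample Bank policy. The peer name, secrets and
wordlist below are constructed for illustration.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router side: issues challenges and verifies responses; never sends the secret."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)   # peer name -> shared secret (assumed store)
        self._pending = {}              # identifier -> challenge awaiting a response
        self._next_id = 0

    def challenge(self, size: int = 16) -> tuple:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(size)         # fresh and unpredictable, so replays fail
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)   # each challenge is usable once
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """Dial-in side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        return ident, self.name, chap_response(ident, self._secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer) -> tuple:
    """Runs one CHAP round; returns (success, transcript) where transcript is
    exactly what a passive tap on the line would capture."""
    ident, chal = auth.challenge()
    _, name, resp = peer.respond(ident, chal)
    ok = auth.verify(ident, name, resp)
    return ok, {"id": ident, "challenge": chal, "name": name, "response": resp}


def offline_guess(transcript: dict, candidates):
    """The caveat: with the transcript alone, an eavesdropper can test guesses
    offline at MD5 speed. Returns the matching candidate or None."""
    for guess in candidates:
        if chap_response(transcript["id"], guess, transcript["challenge"]) == transcript["response"]:
            return guess
    return None


if __name__ == "__main__":
    secret = b"correct horse battery staple"        # constructed example secret
    auth = Authenticator({"branch-isdn-01": secret})
    ok, tap = run_exchange(auth, Peer("branch-isdn-01", secret))
    print("authenticated:", ok)
    print("replay accepted:", auth.verify(tap["id"], tap["name"], tap["response"]))
    print("guessed from tap:", offline_guess(tap, [b"password", b"letmein", secret]))
```

The replay check fails because the authenticator discards each challenge after one use; the offline guess succeeds whenever the secret is in the attacker's wordlist, which is the practical reason the policy pairs CHAP with a strong pass-phrase rather than treating CHAP alone as sufficient.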


Dial-in Modem - A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.

Dual Homing - Having concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the Corporate network via a local Ethernet connection, and dialing into AOL or other Internet service provider (ISP). Being on a Sample Bank-provided Remote Access home network, and connecting to another network, such as a spouse's remote access. Configuring an ISDN router to dial into Sample Bank and an ISP, depending on packet destination.

DSL - Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

Frame Relay - A method of communication that incrementally can go from the speed of an ISDN to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per time usage. Frame Relay connects via the telephone company's network.

ISDN - There are two flavors of Integrated Services Digital Network or ISDN: BRI and PRI. BRI is used for home office/remote access. BRI has two "Bearer" channels at 64 kbit/s (aggregate 128 kbit/s) and one D channel for signaling information.

Remote Access - Any access to Sample Bank's corporate network through a non-Sample Bank controlled network, device, or medium.

Split-tunneling - Simultaneous direct access to a non-Sample Bank network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into Sample Bank's corporate network via a VPN tunnel.

VPN - Virtual Private Network (VPN) is a method for accessing a remote network via "tunneling" through the Internet.
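As an added example (not part of the Sample Bank policy and not any particular VPN client's code), the Python check below reads a host's routing table and reports the two conditions the definitions above describe: a split tunnel (tunnel up, but the default route still leaves via the home interface) and dual homing (a corporate prefix reachable around the tunnel). The routing tables are constructed samples in Linux `ip route` output format; the tunnel interface names (`tun0`, `ppp0`) and the corporate address prefix (`10.`) are assumptions a real deployment would replace. It treats the common full-tunnel layout, where a client installs `0.0.0.0/1` and `128.0.0.0/1` via the tunnel instead of replacing the default route, as compliant, which a naive "is there a default route via wlan0" check would misreport.

```python
"""Detect split-tunneling and dual homing from a routing table.

Added example, not part of the Sample Bank policy. Route text is constructed in
Linux `ip route` format; interface names and the corporate prefix are assumptions.
"""
import re
from dataclasses import dataclass

# Matches "default via X dev Y ..." and "PREFIX dev Y ..." lines; other fields are ignored.
ROUTE_RE = re.compile(r"^(?P<dest>default|\S+)\s+(?:via\s+\S+\s+)?dev\s+(?P<dev>\S+)")


@dataclass(frozen=True)
class Route:
    dest: str   # "default", "0.0.0.0/1", "10.8.0.0/24", ...
    dev: str    # interface carrying the route


def parse_routes(text: str) -> list:
    """Parses `ip route` style output into Route objects; unknown lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["dest"], m["dev"]))
    return routes


def assess(routes, tunnel_ifaces=("tun0", "ppp0"), corp_prefixes=("10.",)) -> list:
    """Returns a list of policy findings; an empty list means items 3 and 6 are met.
    A host with no tunnel route is not remotely connected, so nothing is checked."""
    tun = [r for r in routes if r.dev in tunnel_ifaces]
    if not tun:
        return []
    findings = []
    tun_dests = {r.dest for r in tun}
    # Full tunnel: either the default route itself goes through the tunnel, or the
    # client covers all of IPv4 with the two /1 routes (more specific than default).
    full = "default" in tun_dests or {"0.0.0.0/1", "128.0.0.0/1"} <= tun_dests
    if not full:
        findings.append("split-tunnel: tunnel carries only " + ", ".join(sorted(tun_dests)))
    # Dual homing: a corporate prefix reachable through a non-tunnel interface.
    for r in routes:
        if r.dev not in tunnel_ifaces and r.dest != "default" and r.dest.startswith(corp_prefixes):
            findings.append(f"dual-homed: corporate prefix {r.dest} reachable via {r.dev}, bypassing the tunnel")
    return findings


# Constructed sample tables (not captured from a real host).
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

DUAL_HOMED = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("dual", DUAL_HOMED)):
        print(label, assess(parse_routes(table)) or "compliant")
```

The home LAN route (`192.168.1.0/24 dev wlan0`) is deliberately not flagged, matching item 3's exception for personal networks under the user's control; the host route to the VPN concentrator (`203.0.113.10 via wlan0`) is likewise expected, since the tunnel itself has to reach the Internet through the local interface.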


Patch Management Policy for Sample Bank

Introduction

The Board of Directors and Management recognize that Sample Bank (the “Bank”) acquires technology applications, systems and hardware from various third-party providers. These technology applications, systems and hardware are periodically updated to enhance their performance or ensure that appropriate security is maintained (i.e., to address identified or known vulnerabilities).

Purpose

The purpose of this Policy is to provide a framework for ensuring the maintenance of current, authorized and licensed software and operating systems and ensuring that security capabilities of such systems are current and compliant with the Bank’s information security policies. These systems include any application that resides on the mainframe or network environment (hardware and software, including servers and workstations, routers, etc.), applications processed across the network, telephone systems, and the FedLine system.

Scope of Policy

This Policy, which is part of the Bank’s Information Security Program, complements the Change Management Policy, addressing specifically security and version updates to the Bank’s applications, systems and hardware.

Responsibilities

The following section describes the roles and responsibilities of individuals or groups integral to the development, maintenance or execution of this Policy.

The Information Security Officer will be notified of the implementation of patches and service packs or changes to hardware operating systems and ratify those changes.

The Information Security Officer will periodically review the change logs and ratify changes made.

The Information Services Department (i.e., Information Services Administrator) will be responsible for the execution of this Policy, including the implementation of security patches / changes for applications, services and hardware. The Information Services Department will maintain appropriate documentation of changes made to each application, system and hardware device.

The Information Services Department will also be responsible for ensuring that consistent, approved, licensed versions of software are maintained / used on all workstations, servers and other information technology platforms. This will be accomplished through periodic inventories of application, system and hardware versions.

The Bank may use the services of a third-party provider, or internal resources / systems, to periodically inventory systems and versions and determine that appropriate, licensed versions are in use.


Record Retention and Destruction Policy for Sample Bank

The Board of Directors and Management of Sample Bank (the “Bank” or “SAMPLE”) recognize the importance of maintaining records in accordance with regulatory guidelines and in keeping with good business practice. Our employees, regulators, auditors, and compliance personnel depend on bank records to establish the bank's compliance with all banking regulations. Further, these records could be critical to restoring operations in the event of a disaster and corroborating the Bank’s position in legal actions. Therefore, it is important for employees to practice due diligence in maintaining bank records.

Consequently, the Board of Directors of Sample Bank requires that all business units of the Bank establish appropriate procedures, systems and practices to maintain records in accordance with applicable regulations and the Bank’s defined business needs. This policy is designed to emphasize compliance with all recordkeeping requirements needed to conduct audits and compliance examinations.

Policy Objectives

Recordkeeping requirements must be adhered to in order to sufficiently demonstrate compliance with various federal and state regulations. A system must be created to achieve this objective without placing undue burdens on employees.

The specific goals of this policy are to:

Communicate the need for compliance in recordkeeping.

Establish responsibility for procedure development and implementation.

Responsibility

The responsibility for adopting and maintaining record retention procedures rests with each business unit and department. A department head may authorize a department employee to coordinate with the compliance area to establish record retention and destruction procedures conforming with applicable banking laws and regulations. However, it is the department head who has the ultimate responsibility for maintaining proper records. Less material changes will be communicated via memoranda. More substantial changes in record retention requirements or the form of those requirements, due to regulatory changes or operations changes, will be communicated through written memorandum as well as through training of appropriate personnel.

Internal auditors and the compliance officer will participate in communicating new or amended recordkeeping requirements relating to banking laws and regulations. In addition, the internal auditors and the compliance officer will periodically test record retention procedures to assure compliance.

Training

Each department is responsible for training new employees to comply with procedures that have been adopted. Department employees with responsibility for record retention will work with the compliance officer and the training area of Human Resources to develop the training workshop and / or materials. All operations employees will receive an overview of this policy during their first few days of employment.


Storage

Sample Bank warehouses many records in the file rooms and records vaults of various business units and departments (e.g., Credit Card, Residential Mortgage Lending, and Commercial Lending). Additionally, the Bank maintains an off-site warehouse storage facility. An employee, or group of employees, will be assigned in each business unit and department as vault custodians and will be responsible for maintaining customer, Bank and departmental records in an orderly and readily accessible fashion. All archive boxes must be marked legibly with contents, date of material and the expiration date of the retention period.

Only records with retention periods exceeding two years may be sent to the offsite warehouse. All others must be maintained in the originating department.

Destruction

The Bank provides receptacles for the day-to-day destruction of confidential information. Employees have been instructed regarding the types of information that require shredding and must be placed in these receptacles. A third-party vendor removes and destroys these documents.

Archived records must be destroyed at the expiration of the retention period. Normally, shredding will be used to destroy all paper records, and this process will be completed by third-party vendors. No unshredded documents will be recycled.

Destruction of any records with retention periods exceeding two years must be authorized by the officer of the department in which the information originated. The officer must review the records and attend the record destruction.

Coordination with Business Continuity Planning

Each business unit manager or department head with responsibility for record retention will be aware of the Business Continuity Plan and procedure requirements affecting their area, and of the methods used to ensure that record retention requirements continue to be met if on-premises Bank records are destroyed.


Regulatory Compliance Checklist

Regulations require substantiation through the maintenance of supporting records. To maintain a strong operating institution and comply with regulations, sufficient recordkeeping procedures must be adopted. To establish proper guidelines, individual regulations must be carefully reviewed for recordkeeping requirements and penalties.

Record Retention Guidelines

Accounting

Item Description                                    Retention Period
Bank call reports                                   10 years
Cashiers Checks                                     2 years
Cashiers Check Statements                           2 years
Certified Checks                                    2 years
Certified Check Statements                          2 years
Daily Reserve Computations                          1 year
Daily Stmt. of Condition (EOM)                      2 years
Earnings, Dividend Reports                          Permanent
Expense Checks                                      7 years
Expense Check Statements                            2 years
General Ledger Tickets                              1 year
GL Account Reconcilements                           2 years
Insurance Records                                   5 years
Internal Expense Vouchers                           7 years
Paid Bills, Statements                              3 years
Repo Account records of customer’s purchase of bank government securities  2 years easily accessible, 6 years total [17 CFR 450.4(f)]

Audit

Item Description                                    Retention Period
Audit Working Papers                                3 years
Auditor’s Reports                                   3 years
Bank Examiners’ Reports                             7 years
Customer Confirmations                              3 years
Director Examination Reports                        Permanent


Branch Records

Item Description                                    Retention Period
ATM Teller Settlement Records                       1 year
Bait Money & Serial Number Lists                    Until Superseded
Bank Secrecy Act Compliance Program                 Permanent (12 CFR 21 – unspecified)
Undeliverable / Unclaimed Check Orders              2 months
Closed Certificates of Deposit                      5 years
Closed Check / Savings Signature Cards              5 years
Correspondence                                      5 years
Equipment Test Records                              1 year
Garnishments                                        3 years
Hold Notices under Regulation CC                    2 years (12 CFR 229.21)
Loss Reports                                        10 years
Night Deposit Agreements                            1 year
Night Deposit Envelopes                             45 days
Night Deposit Logs                                  1 year
Registered Mail Receipts                            1 year
Robbery, Fraud Reports                              10 years
Safe Deposit Entrance Records                       5 years
Safe Deposit Forced Entry Records                   5 years
Series EE Bond Application                          1 year
Series EE Bond Redeemed Transmittal Letter          1 year
Taxpayer ID # for all deposit accounts opened       Obtain within 30 days of opening the account, retain for 5 years (31 CFR 103.34 & 103.38)
Teller’s Difference Records                         1 year
Teller’s Cash Item Records                          1 year
Teller’s Machine Tapes                              1 year
Teller’s Settlement Records                         1 year
Traveler’s Cheque Applications                      1 year


Customer Service / Operations

Item Description                                    Retention Period
Affidavits for Losses / Forgeries                   5 years
CD Daily Settlements                                3 months
Change of Address Notices                           1 year
Computer records of all account activity (checks, drafts, monetary instruments, statements, etc.)  Permanent on OMS & CD-ROM (31 CFR 103.38 – 5 years)
Corporate Resolutions                               3 years
CTRs                                                Permanent
Suspect CTR Verification Reports                    5 years
Demand Deposit account records to trace or supply a description of a check in excess of $100 deposited in a demand account  5 years (31 CFR 103.38)
DDA Daily Settlements                               3 months
EFT Notices, Evidence of compliance with Electronic Funds Transfer Act  2 years (12 CFR 205.13)
Fiduciary account records                           3 years (12 CFR 9.8)
FRB Incoming Return Letters                         3 years
FRB Large Item Return Wire Notices                  3 years
Indemnity Bonds for Official Checks                 5 years
IRS Levies                                          3 years
Microfiche                                          Permanent
Microfilm                                           Permanent
Other Levies                                        3 years
Returned Mail                                       60 days
Savings Daily Settlements                           3 months
Savings Deposits                                    1 year
Savings Withdrawals                                 1 year
Stop Payment Records                                5 years
Subpoenas                                           3 years
Suspicious Activity Reports                         Permanent
TT&L Records                                        3 years
Writs of Attachment                                 3 years
Wire Records                                        5 years (31 CFR 103.33)


Corporate Records

Item Description                                    Retention Period
Director’s Reports                                  5 years
Dividend Checks                                     10 years
Dividend Register                                   5 years
Minutes of Directors, Stockholders, Other Meetings  Permanent
Pending litigation to which the bank is a party in connection with its exercise of fiduciary powers  3 years from the later of termination of the fiduciary account or of the litigation relating to such account (12 CFR 9.8)
Proxies                                             5 years
Stock Certificates                                  Permanent
Stock Certificate Receipts                          5 years
Stock Transfer Register                             Permanent
Stockholder Ledger                                  Permanent
Surety Bonds for Lost Certificates                  Permanent
Tax Returns                                         Permanent

Investments

Item Description                                    Retention Period
Accrual Records                                     2 years
Broker’s Invoices                                   5 years
Brokers’ Statements                                 5 years
Buy and Sell Orders                                 2 years

Loans

Item Description                                    Retention Period
Advertisements for Loan Programs                    2 years (12 CFR 226.25)
Charge Offs                                         10 years
Declined Personal Loan Applications                 25 months (12 CFR 202.9)
Declined Business Loan Applications (gross income under $1,000,000)  12 months (12 CFR 202.9)
Declined Business Loan Applications (gross income over $1,000,000)  60 days (12 CFR 202.9)
Good Faith Estimate, HUD-1, HUD-1A, service provider information  5 years (24 CFR 3500.11)
HMDA LAR                                            5 years (12 CFR 203.5)
Identification documents of borrowing customers     5 years after loan paid off
Flood Insurance verification                        Can destroy at payoff (12 CFR 22.6)
Mortgage loan disclosure statement                  5 years (12 CFR 203.5)
Non-Accrual Loan Records                            10 years
Paid Off Loan & Letter of Credit Files (must specifically retain: name & address of borrower, amount of the loan, nature or purpose, date)  5 years (31 CFR 103.33)
Public Comments for CRA performance                 2 years (12 CFR 25.43)
Records of loans to executive officers, directors and principal shareholders  Permanent (12 CFR 215.8)
Requests by members of the public on loans made to insiders  2 years (12 CFR 215.11)
Truth in Lending disclosures                        2 years from date of disclosure (12 CFR 226.25)

Miscellaneous

Item Description                                    Retention Period
Bank Contracts                                      5 years
Bank Correspondence                                 5 years
Bank Leases                                         5 years

Personnel Records

Item Description                                    Retention Period
Employee Time Cards                                 5 years
Federal Tax Reports                                 Permanent
Group Insurance Records                             Permanent
Payroll Ledgers                                     7 years
Retirement Fund Records                             Permanent
Employee Personnel Files                            7 years
Employment Applications                             18 months
State Tax Reports                                   Permanent
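The schedule above, together with the Storage and Destruction rules (offsite storage and officer-authorized destruction both hinge on whether the retention period exceeds two years), worked into a small helper that labels archive boxes and decides what happens to them on a given date. This is an added example, not part of the Sample Bank policy text; the box contents and dates are constructed, and the free-text entries in the checklist are deliberately rejected so that a person reviews them.

```python
"""Retention-schedule helper for Sample Bank archive boxes.

Added example, not part of the policy text. It applies the Storage and Destruction rules
(offsite storage and officer-authorized destruction both hinge on whether the retention
period exceeds two years) to retention periods written the way the checklist writes them:
"2 years", "25 months", "45 days", "Permanent", "Until Superseded". Free-text entries such
as "3 years from the later of ..." are rejected so that a person reviews them. The boxes
and dates used below are constructed sample data.
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date, timedelta

_PERIOD_RE = re.compile(r"^(\d+)\s*(day|month|year)s?$")
_OPEN_ENDED = {"permanent", "until superseded"}  # never scheduled for destruction


def parse_period(text):
    """(count, unit) for a bounded period, None for an open-ended one, ValueError for free text."""
    cleaned = " ".join(text.split()).lower()
    if cleaned in _OPEN_ENDED:
        return None
    match = _PERIOD_RE.match(cleaned)
    if not match:
        raise ValueError(f"retention period needs manual review: {text!r}")
    return int(match.group(1)), match.group(2)


def add_period(start, period):
    """Calendar arithmetic: months and years step the month and clamp the day
    (31 January + 1 month is the last day of February); days are added exactly."""
    count, unit = period
    if unit == "day":
        return start + timedelta(days=count)
    months = count * 12 if unit == "year" else count
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def exceeds_two_years(retention):
    """The two-year threshold used for both offsite storage and destruction authorization."""
    period = parse_period(retention)
    if period is None:
        return True  # open-ended retention outlasts any fixed period
    anchor = date(2000, 1, 1)  # any anchor works: the comparison is period against period
    return add_period(anchor, period) > add_period(anchor, (2, "year"))


@dataclass(frozen=True)
class ArchiveBox:
    contents: str        # description written on the box
    material_date: date  # date of the material inside
    retention: str       # retention period text taken from the schedule


def expiration_date(box):
    """Date the retention period expires, or None for records never scheduled for destruction."""
    period = parse_period(box.retention)
    return None if period is None else add_period(box.material_date, period)


def storage_location(box):
    """Storage rule: only records retained longer than two years may go to the offsite warehouse."""
    return "offsite warehouse" if exceeds_two_years(box.retention) else "originating department"


def destruction_action(box, today):
    """Destruction rule: shred once expired; if the retention period exceeds two years, the
    originating department's officer must authorize, review the records and attend."""
    expires = expiration_date(box)
    if expires is None or today < expires:
        return "retain"
    if exceeds_two_years(box.retention):
        return "shred with officer authorization"
    return "shred"


def box_label(box):
    """The legible marking Storage requires: contents, date of material, expiration of retention."""
    expires = expiration_date(box)
    expiry = expires.isoformat() if expires else box.retention
    return f"{box.contents} | material {box.material_date.isoformat()} | expires {expiry}"


if __name__ == "__main__":
    boxes = [  # constructed boxes; the retention periods are taken from the checklist
        ArchiveBox("Cashiers Checks", date(2010, 3, 15), "2 years"),
        ArchiveBox("Declined Personal Loan Applications", date(2010, 1, 31), "25 months"),
        ArchiveBox("Night Deposit Envelopes", date(2011, 12, 1), "45 days"),
        ArchiveBox("Earnings, Dividend Reports", date(2005, 6, 30), "Permanent"),
    ]
    for box in boxes:
        print(box_label(box), "->", storage_location(box), "/", destruction_action(box, date(2012, 3, 1)))
```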


Offsite Storage Locations:

Location / Address Contents

Record Destruction Companies:

Company / Address / Contact Assignment / Schedule


Technology Asset Disposal Policy for Sample Bank

Introduction

The purpose of this policy is to establish and define standards, procedures, and restrictions for the disposal of non-leased technology equipment in a legal, cost-effective manner. Sample Bank’s surplus or obsolete technology assets and resources (e.g., desktop computers, servers and printers) must be discarded according to legal requirements and environmental regulations, through the appropriate external agents and in line with Sample Bank’s upgrade guidelines. Therefore, all disposal procedures for retired technology assets must adhere to Bank-approved methods.

Scope

This policy applies to the proper disposal of all non-leased Sample Bank hardware, including PCs, monitors, keyboards, mice, printers, handheld devices, servers, hubs, switches, bridges, routers, phones, PBXs and so on. Bank-owned surplus hardware, obsolete machines, and any equipment beyond reasonable repair or reuse are covered by this policy. Where applicable, it is desirable to achieve some residual value from the technology asset in question through reselling, auctioning, donation, or reassignment to a less-critical function.

Definitions

“Non-leased” refers to any and all technology assets that are the sole property of Sample Bank; that is, equipment that is not rented, leased, or borrowed from a third-party supplier or partner company.

“Disposal” refers to the reselling, reassignment, recycling, donating, or throwing out of technology equipment through responsible, ethical, and environmentally sound means.

“Obsolete” refers to any and all equipment over 5 years old and / or that which no longer meets requisite functionality.

“Surplus” refers to hardware that has been replaced by upgraded equipment or is superfluous to existing requirements.

“Beyond reasonable repair” refers to any and all equipment whose condition requires fixing or refurbishing that is likely to cost as much as or more than total replacement.

Guidelines

Disposal of all technology assets and equipment, and the related procedures, will be centrally managed and coordinated by Sample Bank’s Information Technology department. The IT department is also responsible for backing up and then wiping all company data from every IT asset slated for disposal, and for removing company tags and / or identifying labels. The IT department is in charge of selecting and approving external agents for recycling hardware and / or sanitizing hardware of harmful toxins before shipment to landfills.

Practices

Acceptable methods for the disposal of technology assets are as follows:


Sold to existing staff.

Auctioned online.

Sold as scrap to a licensed dealer.

Used as a trade-in against the cost of a replacement item.

Reassigned to a less-critical business operation function.

Donated to schools, charities, and other non-profit organizations.

Recycled and / or refurbished to leverage further use (within the limits of reasonable repair).

Discarded as rubbish in a landfill after being sanitized of toxic materials by an approved service provider.

Policy

It is imperative that any disposals of equipment by Sample Bank are handled appropriately, responsibly, and ethically, as well as with company resources in mind. The following rules must therefore be observed:

Obsolete IT Assets:

As prescribed above, “obsolete” refers to any and all computer or computer-related equipment over 5 years old and / or equipment that no longer meets requisite functionality. Identifying and classifying technology assets as obsolete is the sole province of the Bank’s IT department. Decisions on this matter will be made according to the Bank’s purchasing / procurement strategies. Equipment lifecycles are to be determined by technology asset management best practices (e.g., total cost of ownership, required upgrades).

Reassignment of Retired Assets:

Reassignment of computer hardware to a less-critical role is made at the sole discretion of the Bank’s IT department. It is, however, the goal of Sample Bank to reassign technology assets whenever possible, in order to achieve full return on investment (ROI) from the equipment and to minimize hardware expenditures; where feasible, reassignment to another business function is preferred.

Trade-Ins:

Where applicable, in cases in which a piece of equipment is due for replacement by a newer model, reasonable actions must be taken to ensure that a fair market trade-in value is obtained for the old technology asset against the cost of the replacement.

Cannibalization and Assets Beyond Reasonable Repair:

The IT manager is responsible for verifying and classifying any technology assets as beyond reasonable repair. Equipment identified as such should be cannibalized for any spare and / or working parts that can still be put to productive use within the organization. The IT department will inventory and stockpile these parts.

Decommissioning of Assets:

All hardware slated for disposal by any means must be fully wiped of all company data. Sample Bank’s IT department will decommission this equipment by deleting all files, Bank-licensed programs and applications using a pre-approved disk sanitizer. This sanitizer will completely overwrite each and every disk sector of the machine with zero-filled blocks. This U.S. Department of Defense-approved method makes all data from that disk completely unrecoverable. In addition, any property tags or identifying labels must be removed from the retired equipment.
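A read-back verification to pair with the overwrite the paragraph describes, as an added example that is not the policy's or any sanitizer vendor's code; `zero_fill` stands in for the pre-approved sanitizer, the image and the account fragment in it are constructed, and the check assumes magnetic media (an all-zero read-back from flash does not prove that remapped cells were erased).

```python
"""Read-back verification after a zero-fill wipe.

Added example; not the Sample Bank policy's text nor any disk-sanitizer vendor's code. The
policy's control is an overwrite of every disk sector with zero-filled blocks; the check a
practitioner wants before the asset leaves the building is an independent full read-back that
confirms nothing but zeros remains, recorded as evidence in the decommissioning file.
zero_fill() stands in for the pre-approved sanitizer; verify_sanitized() is the read-back.
Run here against a constructed image in a temporary file. For a real block device pass the
device path and its size (os.path.getsize reports 0 for block devices; `blockdev --getsize64`
supplies it on Linux). Assumes magnetic media: an all-zero read-back from flash/SSD does not
prove that remapped or over-provisioned cells were erased, so those need a firmware-level
sanitize command or physical destruction instead.
"""
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # 1 MiB chunks, so multi-terabyte devices never have to fit in memory


def zero_fill(path, size=None, block_size=BLOCK):
    """Overwrite every byte of `path` with zeros and force the writes to stable storage.
    Returns the number of bytes written."""
    size = os.path.getsize(path) if size is None else size
    zeros = bytes(block_size)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(block_size, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_sanitized(path, block_size=BLOCK):
    """Single read-back pass. Reports whether every byte read was zero, the offset of the first
    byte that was not, the bytes read, and a digest of what was read (for the evidence record)."""
    digest = hashlib.sha256()
    bytes_read, first_nonzero = 0, -1
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
            if first_nonzero == -1 and chunk.count(0) != len(chunk):
                # cheap whole-chunk test first, then pinpoint the offending byte
                first_nonzero = bytes_read + next(i for i, b in enumerate(chunk) if b)
            bytes_read += len(chunk)
    return {
        "bytes_read": bytes_read,
        "sanitized": first_nonzero == -1,
        "first_nonzero_offset": first_nonzero,
        "sha256": digest.hexdigest(),
    }


def check_image(content):
    """Write `content` to a temporary image and verify it (helper for the demo and tests)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        return verify_sanitized(path)
    finally:
        os.unlink(path)


def demo():
    """Constructed 2 MiB 'drive' holding a fragment of account data after the first block:
    verify (fails), wipe, verify again (passes). Returns both verification records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            fragment = b"ACCT 0001 CONSTRUCTED SAMPLE"  # made-up record content, not real data
            f.write(bytes(BLOCK) + fragment + bytes(BLOCK - len(fragment)))
        before = verify_sanitized(path)  # sanitized False, first_nonzero_offset == BLOCK
        zero_fill(path)
        after = verify_sanitized(path)   # sanitized True, first_nonzero_offset == -1
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, record in zip(("before wipe", "after wipe"), demo()):
        print(label, record)
```

Keep the returned records with the asset's property-tag number in the decommissioning file; a device that reads back all zeros after a failed or interrupted wipe would show a non-negative `first_nonzero_offset`, which is what tells you the sanitizer did not cover the whole device.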


Income Derived from Disposal:

Whenever possible, it is desirable to achieve some residual value from retired or surplus technology assets. Any and all receipts from the sale of technology assets must be kept and submitted to the Finance Department. Income derived from sales to staff, the public, or through online auctioning must be fully receipted and the monies sent to the Finance Department. Sales to staff should be advertised through the company intranet or via e-mail. Auctioning methods will be chosen as a joint decision between the Bank’s IT manager and senior management.

Donations:

IT assets that are not assigned for reuse, discarding, or sale to employees or external buyers may be donated to a company-approved school, charity, or other non-profit organization. All donations must be authorized by an appropriate member of the Bank’s senior management team and approved by the Finance Department. Documentation of all donations must be submitted to the Finance Department for taxation purposes.


Vendor Relationship Management Policy for Sample Bank

Introduction

The Board of Directors and Management recognize that Sample Bank’s (the “Bank”) acquisition of services from third-party suppliers, service providers, software vendors, and / or consultants (the “Vendor” or “Vendors”), including customer information and transaction processing services, involves risks similar to those that arise when these functions are performed internally by Bank personnel. These include threats to the availability of systems used to support customer transactions, to the accuracy, integrity and security of customers’ non-public, personal financial information, and to compliance with banking regulations.

Under contract arrangements, however, the risk management measures commonly used by financial institutions to address these risks are generally under the control of the Vendor rather than the financial institution. The financial institution nevertheless continues to bear certain associated risks of financial loss, reputation damage, or other adverse consequences from actions of the Vendor or the failure of the Vendor to adequately manage risk. Consequently, it is incumbent upon financial institutions to: (1) expand their analysis of the ability of Vendors to fulfill their contractual obligations and (2) prepare formal analyses of the risks associated with obtaining services from, or outsourcing processing to, Vendors.

Purpose

Sample Bank relies on products, systems and services provided by a variety of Vendors, including hardware / software vendors, marketing firms, technology and telecommunication services installers and support personnel and consultants. A current list of these vendors is included as Exhibit A of this Policy statement.

It is the duty of the Board of Directors and Management to ensure that: (1) the risks associated with the use of Vendors for the Bank’s critical operations are fully understood and (2) an appropriate oversight program is in place to monitor each Vendor’s risk management controls, financial condition, and contractual performance. In recognition of the Bank’s reliance on Vendor supplied products and services and the need to manage the attendant risks, Management has prepared and the Board has adopted this policy governing the acceptance, maintenance and on-going monitoring of contractual relationships with Vendors.

New Vendors and Contractual Relationships

The Risk Management Officer must be notified of all new contracts for outsourced services. The Risk Manager will ensure that each contract has been reviewed by the Bank’s Legal Department, and that it includes, as required, appropriate non-disclosure agreements and statements of responsibility for the maintenance of security, accuracy and integrity of customers’ non-public, personal financial information, either in possession of the outsourced service provider or accessible by the outsourced service provider.

The Risk Management Officer will ensure that appropriate performance standards have been outlined in the contract and that the Bank has established appropriate performance monitoring systems.

In addition to reviewing compliance of the contract with Bank requirements, the Risk Management Officer will be responsible for preparing a preliminary assessment of the criticality of each Vendor or outsourced service provider. In making this assessment, the following factors should be considered:


Overall customer service responsibilities and the potential impact on the image of the Company

Potential impact on the Bank’s earnings (i.e., potential for “real” dollar losses which might be incurred)

The Bank’s ability to meet regulatory requirements, and to control or monitor the Vendor’s compliance with regulatory requirements

Potential impact on the Bank’s ability to deliver minimum levels of service acceptable to Management if the Vendor fails or does not provide consistent service

Sensitivity of Bank and customer information maintained by the Vendor, or accessible by the Vendor

The following definitions will be used for setting the criticality of Vendors:

Critical –

Services in this category include those considered “mission critical” to the Bank’s operations. The Bank would not be able to: (1) operate at adequate capacity without the availability of such services or (2) deliver minimally acceptable levels of customer service. The use of such services and Vendors exposes the Bank to significant levels of strategic, operational or reputation risk. For example, the Vendor interacts directly with current or prospective customers and its performance would directly reflect on the Bank’s image and reputation in the community. Also, there is no immediate replacement or back-up for such services, such that detailed contingency plans are required to ensure continuity of the Bank’s operations. Additionally, the Vendor’s business may be subject to high levels of credit or other financial risk (i.e., they may be highly leveraged, or dependent on a small market segment, etc.) or the Vendor may collect and remit payments on behalf of the Bank, exposing the Bank to operational, interest rate, market or liquidity risk. The Vendor may have access to or possession of significant amounts of confidential customer data. Significant “hard” dollar losses (e.g., unbudgeted, extraordinary, out-of-pocket, cash expenditures for additional assistance, legal costs, etc.) and “soft” dollar losses (e.g., damage to the Bank’s reputation, disrupted service, staff time / overtime) could be incurred from the Vendor’s failure to adequately manage risk.

Important –

Services in this category include those considered of importance to the Bank’s operations. In the event of a failure by the Vendor, the Bank would be able to:

Operate at minimum acceptable levels of service, or would have readily available acceptable alternative means to process transactions or provide management information and service, such that minimal costs or losses are incurred, or

Deliver minimally acceptable levels of customer service.

The use of such services may expose the Bank to moderate levels of strategic, operational or reputation risk, but the Bank has some degree of control or influence over these risks, or has systems in place to monitor such risks on an ongoing basis. Also, there are available replacements, including other Vendors, or back-ups for such services that ensure the continuity of the Bank’s operations. The Vendor’s business may be subject to moderate levels of credit risk or other financial risk. The Vendor does not collect and remit payments on behalf of the Bank, or does so only to a limited degree, exposing the Bank to minimal operational, interest rate, market or liquidity risk. Similarly, the Vendor may have access to or possession of only limited confidential customer data. Acceptable, minimal “hard / soft” dollar losses could be incurred from the Vendor’s failure to adequately manage risk.

Incidental –


Services of Vendors in this category include those considered incidental to the Bank’s operations, or for which the Bank would have readily available: (1) an acceptable alternative Vendor or (2) an adequate alternative means to process transactions or provide management information and service, or would be able to:

Operate at acceptable levels of service with little or no risk of financial loss, or

Deliver minimally acceptable levels of customer service.

The use of such services exposes the Bank to minimal levels of strategic, operational or reputation risk or the Bank has significant control or influence over these risks, or has comprehensive systems in place to monitor such risks on an ongoing basis. Also, there are immediately available replacement Vendors, or back-ups for such services that ensure the continuity of the Bank’s operations. The Vendor’s business is subject to minimal levels of credit risk or other financial risk. The Vendor does not collect and remit payments on behalf of the Bank, exposing the Bank to little or no operational, interest-rate, market or liquidity risk. The Vendor does not have access to or possession of confidential customer data, or only incidentally, as part of completing one-by-one transactions. Little or no “hard” dollar losses and minimal, acceptable “soft” dollar losses would be incurred from the Vendor’s failure to adequately manage risk.

Before entering into a contract with a Vendor for a critical service, the Bank will assess the key risks that may arise and options for controlling these risks. It is the primary responsibility of the business unit manager acquiring the service to evaluate the related vendor risk. The Bank’s Risk Manager will ensure that an appropriate evaluation has been made.

Factors influencing the risk assessment will include, for example, the criticality of the function to the Bank, the nature of activities to be performed by the Vendor, including handling funds or implementing credit decisions, the availability of alternative Vendors for the particular function, insurance coverage available for particular risks, and the cost and time required to switch Vendors should problems arise. In addition, this review will ensure that the Bank understands the roles, responsibilities, and contractual obligations of all parties.

The following areas will be included in this process:

Selection of Vendor - In addition to other requirements included in the Bank’s Purchasing Policy, in selecting a Vendor of critical services the Bank will prepare a risk assessment and perform appropriate due diligence to satisfy itself regarding the Vendor’s competence and stability, both financially and operationally, to provide the expected services and meet any related commitments. Financial statements, preferably audited statements, will be obtained and reviewed by the Controller.

Contracts - The written contract between the Bank and the Vendor should clearly specify, at a level of detail commensurate with the scope and risks of the service provided, all relevant terms, conditions, responsibilities, and liabilities of both parties. These would normally include terms such as:

Statements of the purpose of access to or maintenance of the Bank’s customers’ non-public, personal financial information

Agreements not to disclose non-public, personal financial information of the Bank’s customers either in possession of the Vendor or accessible to them, and statements of responsibility and liability for disclosure of such information

Required service levels, performance standards, and penalties

Internal controls, insurance, disaster recovery capabilities, and other risk management measures maintained by the Vendor

Data and system ownership and access

Liability for delayed or erroneous transactions and other potential risks


Provisions for and access by the Bank to internal or external audits or other reviews of the Vendor’s operations and financial condition

Compliance with applicable regulatory requirements

Provisions for handling disputes, contract changes, and contract termination

Terms and conditions of each contract will be reviewed by the Bank’s legal counsel to ensure that they are appropriate for the particular service being provided and result in an acceptable level of risk to the Bank.

Policies, Procedures, and Controls - The Vendor should implement internal control policies and procedures, data security and contingency capabilities, and other operational controls analogous to those that the Bank would utilize if the activity were performed internally. Appropriate controls should be placed on transactions processed or funds handled by the Vendor on behalf of the Bank. The Vendor’s policies and procedures should be reviewed by the Bank’s Risk Manager, Accounting, Compliance, Data Processing and Information Security and Internal Audit.

Ongoing Monitoring - The Bank will review the operational performance of critical Vendors on an ongoing basis to ensure that the Vendor is meeting and can continue to meet the terms of the contract (e.g., service level commitments). Business unit managers will be primarily responsible for completing this evaluation. This evaluation should be completed at least semi-annually and reported to the Risk Manager. The form and elements of the evaluation will be determined by the service level commitments in the Vendor’s contract or specific Service Level Agreements negotiated between the Bank and the Vendor.

Information Access - The Bank will ensure that it has complete and immediate access to current and appropriate back-up information that is critical to its operations and is maintained or processed by an outside Vendor.

Internal Audit - The Bank’s Internal Auditors will review the oversight of critical Vendors by external accountants and others, including regulators. Audits of critical Vendors should be conducted according to a scope and frequency appropriate for the particular function. For third-party data processing services, the Bank will obtain copies of the Vendor’s SAS 70 audit report and Management’s response. These, as well as other audit reports of critical Vendors, will be reviewed by the Audit Committee of the Board of Directors. Audit results and management responses will be available to examiners at their request. Internal Audit will also audit compliance with Vendor service level commitments and agreements.

Contingency Plans - The Bank will ensure that appropriate business resumption plans have been prepared and tested by the Vendor. Where appropriate, based on the scope and risks of the service or function and the condition and performance of the Vendor, the Bank’s contingency plans may also include plans for the continuance of processing activities, either in-house or with another provider, in the event that the Vendor is no longer able to provide the contracted services or the arrangement is otherwise terminated unexpectedly.

Ongoing Vendor Risk Evaluations

Annually, the Risk Management Officer will evaluate the risks and exposures associated with each Vendor relationship. This evaluation process will include the following:

Update the Vendor listings

Evaluate the nature and purpose of all Vendor relationships

Determine the criticality of the product or service provided by the Vendor


Assess the relative level of strategic, credit, operational, compliance, legal and reputation risk associated with this relationship, and

Rank each Vendor as Critical, Important or Incidental.

A detailed risk assessment will be prepared of each “critical” Vendor, in accordance with the Vendor Relationships Risk Assessment form attached as Exhibit B of this policy. The Risk Manager will be primarily responsible for completing this risk assessment, with the assistance of appropriate business unit managers and responsible managers in Legal, Accounting, Compliance, Information Technology and Information Security and Internal Audit.


Exhibit A

(Listing of all vendors, description of service / product and risk ranking)


Exhibit B:

The following risk assessment (“Assessment”) should be completed for all vendor / contract relationships rated as Critical. This assessment should be updated annually. The primary objectives of this assessment are to identify risk issues in the relationship between the vendor and the Bank, and provide a means to document the methods by which these attendant risks will be identified, measured, monitored and controlled.


Vendor Relationship Review form for Sample Bank

Vendor Information Security and Business Impact Risk Rating

Information Security Risk Rating

Business Impact Risk Rating

Composite Risk Rating

Assessment Prepared By: Date:

Vendor Contact Information

Company Name:

Contact Name:

Address:

Telephone:

Fax:

E-mail Address:

Primary Manager of Vendor Relationship (Sample Bank)

Name:

Business Unit:

Telephone:

E-mail Address:

Relationship Overview

What business function is provided by the service provider? Briefly describe the services provided:

Is your business unit responsible for managing this outsourcing arrangement? If not, then which business unit does?

If you depend on this outsourcing arrangement but do not own / control it, is there a feedback process for poor service?

Do any other of our institution’s business units use or receive services from this provider, covered under this contract? If yes, please specify:

Contract

Describe the key elements of the contract between the institution and this vendor, including date and term of contract, specific obligations of the vendor and the Bank under the contract and warranties included in the contract. Attach copy of contract to this assessment.

Have there been any changes in the nature of the services provided over the last 12 months? If yes, please describe:

Performance Monitoring

Is there a Service Level Agreement in the contract that establishes standards for quality and performance levels?

To the extent possible, describe any service level commitments made under the contract by the vendor and the method by which such commitments will be measured / monitored by the Bank.

If no SLA has been established, describe how the terms of the contract are being monitored and by whom:

Describe how you identify and measure performance issues.

Does the contract have set (periodic) renewals, or does it continue until one party invokes a termination clause?

Describe any performance issues arising during the prior 12 months, including means of detection and resolution. Are there any performance issues still outstanding?

Overall, are you satisfied that services provided are of acceptable quality, and that the service provider’s internal controls and financial condition are adequate to protect our institution?

Business Recovery Plans

Does the service provider have adequate business contingency plans?

Has the service provider provided information to the institution regarding how to respond in the event the service provider executes its business response and recovery plan?

Have these plans been tested with the service provider? When was the last date they were tested?

Information Security

Does the arrangement involve sharing customer information with the service provider? If “yes,” for corporate customers, or for retail customers, or for both?

Does the arrangement involve sharing proprietary bank information with the service provider?

Does the service provider company have adequate information security procedures?

Has the institution been provided a copy of the service provider’s SAS 70 report or other reports regarding information security, including PCI DSS, penetration testing certification, regulatory report or other information?

Have these reports been reviewed and actions taken regarding any recommendations relevant to the institution? By whom?

Financial Condition

Has either a credit analysis or some other means of assessing the financial condition of the service provider been performed during the prior 12 months? By whom?

Is the service provider’s financial condition satisfactory? Are there any concerns?

Conclusions/Comments

Risk Rating Summary

The following rating should be compiled for all vendors with a High Risk rating for Information Security, Business Impact or on a composite basis.

Vendor Relationship Risk Assessment form for Sample Bank

Risk Category | Inherent Risk Rating (High, Medium, Low) | Adequacy of Risk Identification / Measurement Systems (Adequate, Inadequate) | Adequacy of Risk Monitoring Systems (Adequate, Inadequate) | Adequacy of Specific Risk Controls (Adequate, Inadequate)
Strategic Risk | | | |
Credit Risk | | | |
Interest Rate Risk | | | |
Liquidity Risk | | | |
Compliance Risk | | | |
Operations Risk | | | |
Reputation Risk | | | |

Please provide an overall conclusion regarding the risks and exposures to Sample Bank associated with this vendor relationship. Highlight any specific risks and exposures you believe warrant special attention. Also, include any recommendations you might have for improving or strengthening the risk measurement, monitoring and control processes, if necessary.

Risk Assessment Rating Instruction

Complete the following risk assessment, providing the information requested for each category. Include: (1) potential risk issues in each category, if any; (2) degree of exposure to loss, if measurable; and (3) the methods by which compliance with the contract and relevant risks will be measured and monitored on an ongoing basis (i.e., the primary systems, reports, committees, etc.) and the frequency of such measuring / monitoring.

Strategic Risk –

Describe how the establishment of this vendor relationship supports the achievement of the Bank’s strategic objectives (e.g., provides cost-effective solution or skills not present at Bank, allows Bank to meet a competitive threat, takes advantage of a unique opportunity, provides current technology, etc.).

Credit Risk –

Obtain and evaluate the most recent audited financial statements from the vendor. Prepare commentary on the credit condition of the vendor, its financial capacity to fulfill the contract and its ability to deliver the specified / contracted services. Comment on the potential impact of an unannounced failure or bankruptcy of the vendor on the Bank’s operations.

Interest Rate Risk –

Obtain and evaluate the most recent audited financial statements from the vendor. Prepare commentary on the condition of the vendor, the vendor’s ability to provide services (i.e., payment processing) and the potential impact of the vendor’s failure to either process or process and forward funds in a timely manner on the Bank’s interest rate risk position.

Liquidity Risk –

Obtain and evaluate the most recent audited financial statements from the vendor. Prepare commentary on the condition of the vendor, the vendor’s ability to provide services (i.e., securities delivery, payment processing, etc.) and the potential impact of the vendor’s failure to either process or process and forward funds in a timely manner on the Bank’s liquidity position.

Compliance Risk –

Provide information regarding compliance requirements of the product / service offered by this vendor. Indicate whether, and to what extent, provision of services by this vendor exposes the Bank to potential litigation from customers, shareholders, regulators or others. If known, identify insurance coverage carried by the vendor for such exposures and whether the Bank is a named loss payee or covered party under such insurance.

Operational Risk –

Indicate whether the product / service provided by this vendor presents opportunities for theft, robbery or fraud losses involving Bank property, customer information or proprietary business information. Also, consider the degree to which provision of the product / service by the vendor is contingent on systems and processes being available, and how a disruption in service (i.e., computer, electrical, or natural disaster) would affect the vendor’s service delivery.

Reputation Risk –

Describe the potential effect provision of this product / service by this particular vendor might have on the Bank’s reputation with its customers, shareholders, regulators, or others.

Annual Review of Vendors and Service Providers Policy for Sample Bank

The Board of Directors and management of Sample Bank (the “Bank” or “Sample”) are committed to safeguarding customer and bank information. The Bank relies on systems, products and services provided by a variety of Vendors, including hardware / software vendors, marketing firms, technology and telecommunication services installers and support personnel and consultants. It is the duty of the Board of Directors and Management to ensure that: (1) the risks associated with the use of Vendors for the Bank’s critical operations are fully understood and (2) an appropriate oversight program is in place to monitor each Vendor’s risk management controls, financial condition, and contractual performance.

In recognition of the Bank’s reliance on Vendor supplied products and services and the need to manage the attendant risks, the Bank will annually review the performance and status of each of its service provider arrangements to ensure that each of these arrangements is properly monitored. These reviews will be documented in the following form for each “Critical” vendor, as defined in the Bank’s Vendor Management Policy. These reviews should be completed by the business unit manager primarily responsible for managing this Vendor relationship, and forwarded to the Information Technology Department for inclusion in an overall risk assessment of this Vendor.

Sample Bank Security Committee Charter

Committee Composition

Comprised of five to eight members

Members should be mid to senior level managers

Include representatives from all significant functional areas of the bank

Committee should be represented on the Technology Steering Committee

Team Responsibilities / Skills

Chairperson - Information Security Officer

Characteristics:

Senior level manager

Has an understanding of all aspects of customer privacy

Must command respect throughout the organization

Action oriented

Thorough knowledge of banking laws and regulations, particularly the Privacy Act and the Information Security Guidelines

Thorough understanding of Bank operating systems and processes (i.e., the methods by which transactions are processed throughout the organization)

Responsibilities:

Provides strategic direction to the committee

Prioritizes security initiatives

Reports to the Board quarterly

Secretary

Organize meeting agenda

Organize and distribute meeting materials

Maintain minutes

Create a binder with minutes, customer privacy regulations, and other material used in meetings or relating to customer privacy

Training

Details customer privacy training requirements

Works with training manager to identify training curriculum and training approach

Serves as subject matter expert if required

Monitors training schedule for customer privacy training

Policies / Procedures

Interprets applicable banking laws and regulations

Facilitates the creation of the various policies and procedures. One example would be the Information Security / Customer Privacy Policy and Procedures

Builds and maintains the Information Security initiatives that will support strategic and business plans

Information Technology Security

Keep the Security Committee updated on security infractions

Responsible for guarding against external attack

Vendor Management

Information access control, storage, retrieval and archive

Identify anticipated threats or hazards to the security or integrity of information, which may impact the Bank’s compliance posture

Ensure adequate protection against unauthorized access to information exists to eliminate the potential of substantial harm or inconvenience to customers and / or the Bank

Physical Security

Ensure locations safeguard customer information

Ensure adequate protection against unauthorized access to information exists to eliminate the potential of substantial harm or inconvenience to customers and / or the Bank

Audit

Ensure policies and procedures are being followed throughout the organization

Oversee implementation plans

Manage results

Security Committee Structure

The Security Committee will meet periodically (e.g., quarterly or monthly). The Security Committee will report to the Board of Directors quarterly, with the Chairperson acting as the liaison for the Security Committee.

The Board of Directors has overall responsibility of setting policy and allocating resources to the Bank’s security needs. The Board will utilize the Audit Committee to assist in the assessment, evaluation and monitoring of internal controls relating to the Bank’s technology policies and practices.

The organization chart below summarizes the Bank’s security planning and monitoring process:

The current composition of each of the Committees presented above is as follows:

Security Steering Committee:

Chairperson - Name

Secretary - Name

Policies / Procedures - Name

Training - Name

Information Technology Security - Name

Physical Security - Name

Audit - Name

Security Committee Guidelines and Responsibilities

The Security Committee will meet monthly and report to the Board quarterly. The committee’s general responsibilities include:

Interpret Security / Privacy regulations

Develop Information Security / Customer Privacy Program

Develop Information Security / Customer Privacy Policies

Develop Information Security / Customer Privacy Procedures

Implement / Enforce Information Security / Customer Privacy Program, Policies and Procedures

Report to the Board quarterly

Leave each meeting with action items assigned to individual committee members for all issues discussed

Individual committee members may choose to delegate certain items they are assigned, but will continue to maintain ownership of the item

(Organization chart referenced above: Board of Directors; Information Security / Customer Privacy Committee (Security Committee))

Incident Response Checklist

In the course of business, every organization will at some point be faced with an incident. In some cases, wrong actions taken during an incident can cause destruction of evidence, financial loss or loss of reputation. This list is provided for organizations that currently have no incident handling policy and are in the midst of an incident. It is by no means complete and does not replace a proper incident handling policy.

Prior to an Incident:

Make Backups based on your local policies.

Ensure the accuracy of all systems clocks and time zones.

Activate all auditing software based on your local policies.

Provide adequate warning banners on all systems.

Create an Initial Response Team.

Create a contact list which includes all law enforcement, vendor and staff contacts which you may need during an incident.

Create a relationship with Law Enforcement prior to an incident. This includes attending events like InfraGard.

Create & Test IRT Procedure to address:

Port/Network Scan/Probe

System/Network Compromise/Intrusion

Denial of Service Attack

Virus/Malicious Software

Other Incidents

Incident Occurrence:

Don't panic: Be as calm and methodical as you can. Don't wait.

Gather information about the incident: Collect all relevant information; this is the evidence of the incident. If the event is a break-in, sources including but not limited to system logs, screen prints, error messages and activity logs will all give information leading to where the intruder is located and who the intruder is. If the incident is harassment, steps including but not limited to the following apply: save all e-mails to and from the offending individual, and obtain a directory listing for the person. If it isn't in writing, it didn't happen.

Follow your IRT Procedures

Make backup copies of damaged or altered files, and keep these backups in a secure location.

Contact your organization's Security Officer & Legal Team

Contact Law Enforcement

Take Notes: Record all relevant information, including the things you observe and the actions you took. This will provide a time frame of when things occurred and how the event progressed from the time the incident started.

DO NOT contact the suspected perpetrator.

Law Enforcement Requirements:

Names, location, and purpose of operating systems involved;

Names and location of programs accessed;

Type of Incident

Port/Network Scan/Probe

System Compromised/Intrusion

Denial of Service Attack

Virus/Malicious Software

Other Incidents

How intrusion access was obtained (if known);

Highest classification of information stored in the systems.

Impact of break-in: (the dollar loss caused by the compromise of information).

Backup copies of damaged or altered files, kept in a secure location.

Copy of all audit logs. This should include:

Firewall,

Servers (NT, UNIX syslog, Web Server, etc.)

Routers

Intrusion Detection

Application

Copy of all keystroke monitoring, if available

Copy of your warning banners

Copy of your AUP

Copy of your notes and records
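Both the Incident Occurrence steps and the Law Enforcement Requirements above call for backup copies of damaged or altered files and copies of audit logs, kept in a secure location. The Python script below is an added example, not part of the sample policy, showing one way to preserve such copies so they can later be shown to be unaltered: each file is hashed with SHA-256 before and after copying, the copy is made read-only, and a manifest records the original path, hash, size and a UTC collection timestamp (which also addresses the checklist's point about accurate clocks and time zones). The manifest file name, the evidence directory, the collector name and the sample log lines are constructed for the demonstration.

```python
# Added example (not part of the sample policy): preserve files and audit
# logs as evidence with SHA-256 hashes, read-only copies and a UTC-stamped
# manifest, then verify the set later. Paths and sample log lines below are
# constructed for the demonstration.
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "MANIFEST.json"   # assumed name, chosen for this example


def sha256_file(path):
    """Hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(source_paths, evidence_dir, collected_by):
    """Copy each source file into evidence_dir and write a manifest.

    Returns the manifest dict. Each entry records the original path, the
    name of the evidence copy, the SHA-256 of the original taken before the
    copy, the size, and the collection time in UTC (recording UTC avoids
    the time-zone confusion the checklist warns about).
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for idx, src in enumerate(source_paths):
        original_hash = sha256_file(src)
        # Numbered, flat names keep two files with the same basename
        # (e.g. "syslog" from two hosts) from colliding.
        dest = os.path.join(evidence_dir, f"{idx:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dest)                 # copy2 preserves mtime
        if sha256_file(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dest, stat.S_IRUSR)            # owner read-only from now on
        entries.append({
            "original_path": os.path.abspath(src),
            "evidence_copy": os.path.basename(dest),
            "sha256": original_hash,
            "size_bytes": os.path.getsize(dest),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"collected_by": collected_by, "entries": entries}
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every evidence copy against the manifest.

    Returns the names of copies that are missing or whose hash no longer
    matches; an empty list means the evidence set is intact.
    """
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    bad = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["evidence_copy"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["evidence_copy"])
    return bad


def demo():
    """Preserve two constructed log files, then show that tampering with
    one evidence copy is detected. Returns (problems_before, problems_after)."""
    work = tempfile.mkdtemp(prefix="ir_evidence_")
    samples = {   # constructed stand-ins for a firewall log and a syslog file
        "firewall.log": "2011-05-31T14:02:11Z DENY TCP 203.0.113.5:4444 -> 10.0.0.7:445\n",
        "syslog": "May 31 09:03:02 host1 sshd[812]: Failed password for root\n",
    }
    sources = []
    for name, text in samples.items():
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    evidence_dir = os.path.join(work, "evidence")
    manifest = preserve_evidence(sources, evidence_dir, "IRT member (assumed)")
    before = verify_evidence(evidence_dir)          # expected: []
    # Simulate a later, unauthorised change to the first evidence copy.
    target = os.path.join(evidence_dir, manifest["entries"][0]["evidence_copy"])
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    with open(target, "a") as f:
        f.write("altered after collection\n")
    return before, verify_evidence(evidence_dir)    # expected: ["000_firewall.log"]


if __name__ == "__main__":
    print(demo())
```

In use, the evidence directory would sit on separate, access-controlled storage, and the manifest (or at least its hashes) would be recorded in the incident notes so that the copies handed to the Security Officer, Legal or law enforcement can be checked against it.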

Information Security Incident Report

Page 1 of 3

Date of report:

Completed By:

Phone:

email:

Incident Occurrence Details

Date:

Time:

Place (site):

General Description of Security Incident

Type of Incident:

Intrusion attempt (successful)

Intrusion attempt (not successful)

Malicious code (virus, Trojan horse, etc.)

Unauthorized disclosure of information

Denial of service attack

Misuse

Other:

Loss Associated with the Incident

Time: < 1 hour / 1-24 hours / 24-48 hrs / 2-5 days / 5 days

Cost: < $10,000 / $10,000 - $50,000 / > $50,000

Loss, or potential loss, of reputation:

Ranking of Incident

Significant

Important

Routine

Justification for ranking:

Was this incident reportable to management? Yes No

Classification and sensitivity levels of system / information involved in incident. Check all that apply

System:

Unclassified

Non-sensitive

Sensitive

Classified

Confidential

NSI (National Security Info)

Secret

RD (Restricted Data)

Top Secret

SCI (Sensitive Compartmented Info)

Data / Information: Unclassified

Non-sensitive

Sensitive

UCNI

NNPI

EXPORT / IMPORT

OUO

CRADA

Business Proprietary

Medical

Personnel

Financial

Password file(s)

Other:

Data / Information: Classified

Confidential

NSI (National Security Info)

Secret

RD (Restricted Data)

Top Secret

SCI (Sensitive Compartmented Info)

What system platform was involved?

What was the damage to the affected data?

Stolen

Modified

Deleted

Encrypted

Copied

None

Unknown

Other

Describe damage to the affected network(s)?

Local access interrupted

Internet access interrupted

None

Other

Describe damage to the affected system?

Service Interrupted:

User Access

E-mail server

Web-server

FTP

Other

How was incident discovered?

A user

An incident response team

Another Site

Audit logs

Noticed unusual activity / behavior

Other

Other Comments/Recommendations for Security Improvements

Page 3 of 3

Was the originating source of the incident located?

Yes

No

If yes, what was the source of the incident?

For malicious code:

Diskette

Downloaded file

Attachment

Obtained while on foreign travel

System used anti-virus software

For an intrusion attempt:

Insider / Outsider

.gov / .mil / .edu / .org / .com

Non-US. If Non-US, what country?

For a denial-of-service attack:

Insider / Outsider

.gov / .mil / .edu / .org / .com

Non-US. If Non-US, what country?

Was law enforcement contacted regarding this incident? Yes No

If yes: Was the intruder identified? Yes No

Was the intruder prosecuted? Yes No

Was NIPC / CERT / CIAC contacted regarding this incident? Yes No

If yes: NIPC / CERT / CIAC incident number: #

Date opened:

Date closed:

Was the FDIC or FBI contacted regarding this incident? Yes No

If yes: A SAR was filled out; tracking number: #

Date opened:

Date closed:

Notes:
