IT Examiner School
Results of On-Site Discussions with Management

Examiner: I have reviewed the December 18, 20XX Board minute for GLBA content. It seems very general and appears that the Board is only informed. Is there another place where GLBA related topics are discussed?

Compliance Officer Ben Thomas: The IT Steering Committee reviews the risk assessment.

Examiner: As I understand, these minutes are not documented.

Compliance Officer Ben Thomas: Yes, but we will start to keep minutes beginning next month. Our auditors suggested we do that, so going forward we will follow their guidance to ensure the minutes show sufficient detail.

Examiner: Does the IT Steering Committee have any input into the risk assessment?

Compliance Officer Ben Thomas: Yes they do. We will start to keep track of this information in the minutes beginning next month.

Examiner: How does the Board assess adequacy of the program if you do not provide anything for them to review?

Compliance Officer Ben Thomas: That’s a good point.

Examiner: Do you and NA Fossil compare notes, so to speak, about your two risk assessments?

Compliance Officer Ben Thomas: No. She is responsible for the IT portion and I am responsible for the GLBA and compliance portion of it.

Examiner: Have you read Section 501, Appendix B, which is the basis of GLBA for your bank?

Compliance Officer Ben Thomas: Yes. Both NA Fossil and I recently attended a seminar that had a session regarding key topics for Board reporting. We both learned that we need to provide more detailed information. As she may have mentioned, we are in the process of hiring additional staff to assist us and this will give us time to do this Board reporting better going forward.

Examiner: How would you classify the status of your information security program?

Compliance Officer Ben Thomas: Well, I was assigned this responsibility only 6 months or so ago. I realize I still need to get some things done, so that’s why I went to the seminar. We had a good speaker, a federal regulator, who really helped us since our growth will put us on their “radar”. Also, if you have any other suggestions, I would like to hear them.