Information Security for Financial Institutions: Operations, Technology, and Compliance

Your customers count on you to protect their information -- and so do your regulators! Get the expert guidance you need to safeguard your customers' information with Information Security for Financial Institutions.

Protecting your customers' information has never been more critical to your business -- or more challenging. Advances in technology along with increased regulatory scrutiny, require your immediate and careful attention. Information Security for Financial Institutions helps you put together an information security program that will pass muster with both the regulators and your customers.

This manual takes you step-by-step through a security planning process that helps you assess business risks and related threats, deflect threats, build more secure systems, and continuously monitor and improve security.

•  Expert, practical guidance helps you develop and implement an information security program -- or improve your existing program.
•  Compliance is built in -- just follow our plan to stay in compliance with the regulatory guidelines.
•  Forms, diagrams, charts, glossary, risk assessment worksheets, and other tools make your planning process easier, yet more comprehensive.
•  Organized by the six phases of security planning: risk assessment, protective controls, detective controls, technology management, response management, and compliance management -- so you can find the information you need quickly.
•  Use our sample policies and monitoring tools to set up your own compliance manual.

Subscribers will receive a downloadable file containing editable forms.

Editable Documents

The publication subscription includes downloadable files delivered through the LexisNexis® Store download center. The downloadable files include the following features:

•  The entire publication is provided in a Folio infobase, offering a robust search engine and the ability to jump from one search match to the next through the entire publication. The Table of Contents for the entire publication can be viewed side-by-side with the text.

•  Editable Microsoft® Word files are included in the Folio infobase and can be downloaded and customized. The Word files are fully Formatted and will be updated to reflect changes made in corresponding text sections of the publication. Word files are provided for a variety of documents, including exhibits, Checklists, sample policies, sample Procedures, sample audits, Questionnaires, and model Forms.

This publication includes editable Word files for the following documents:

No.             Title
2.2              Computer Hardware Inventory
2.3              Computer Software Inventory
2.4              Data Communications Inventory
2.5              Risk Mitigation Worksheet
3.1              Insurance Analysis Worksheet – Real and Personal Property
3.2              Insurance Records Form
5.1              Facility Security Requirements
5.2              Visitor Sign-In Log
5.3              Records Retention Schedule
7.1              E-Mail Account/NT Domain Account Request Form
7.2              Password Receipt
7.3              Password Recommendations
8.1              Glossary of Server Security Terms
8.2              Server Security Acronyms and Abbreviations
8.3              POSIX System Security Checklist
8.4              OS/400 System Security Checklist
8.5              Server Security Policy
8.6              Server Virtualization Policy
9.2              Firewall Features, Functions, and Capabilities
11.1            Representative Commercial Software Products
12.1            Application Checklist
12.2            Glossary of Patch Management Terms
12.3            Patching Resources
12.4            Virus Software Download/Update/Security Centers
12.5            Vulnerability Advisory Resources
12.6            ICAT Metabase Information
12.7            Sample Patch Management and Control Policy
14.1            Acceptable Use Policy
14.2            Social Media Policy
14.3            Security Awareness Policy
14.4            Security Training Policy
15.1            Checklist of IT Documentation
15.2            Sample Description of the Security Committee
15.3            Security Policy Responsibility Chart
15.4            Termination/Separation Checklist
16.1            Security Policy Responsibility Chart
16.2            Distribution Register
16.3            Acknowledgement of Receipt
16.4            Security Plan Maintenance Form Policy Name:
17.1            Comparison of IDPS Technology Types
17.2            Glossary
17.3            Acronyms
17.4            Sample IDPS Requirements
17.5            Initial Research Questionnaire
17.6            Vendor Questionnaire
17.7            Cost Analysis Worksheet
18.1            Firewall Vulnerability Tests
20.1            Software Requirements Checklist
20.2            Software Design Checklist
20.3            Software Development Checklist
20.4            Software Architecture Checklist
20.5            Software Development Request Form
22.1            Acronyms
22.2            Cloud Computing Guidelines
22.3            Cloud Computing Risk Assessment Checklist
22.4            Cloud Computing Policy
23.2            Sample Outline of a Technology Plan
23.3            Technology Planning Survey
23.4            Common Wireless Frequencies and Applications
23.5            Acronyms and Abbreviations
23.6            Summary of Wireless Security Concerns
23.7            Wireless LAN Security Checklist
23.8            Bluetooth Security Checklist
23.9            Wireless Handheld Device Security Checklist
23.10          Wireless LAN Software Countermeasures
23.11          Wireless LAN Hardware Countermeasures
23.12          Wireless Security Audit Work Plan
23B.1         Sample SDLC Metrics
23B.2         Metrics Template and Instructions
23B.3         Metrics for Board of Directors/Trustees
23B.4         Metrics for Management
23B.5         Technical Metrics
23C.1         Terms and Definitions
23C.2         Mobile Device Risk Assessment Checklist
23C.3         Mobile Device Use Policy
24.2            Security Incident Reporting Form
25.1            Shutdown Procedures for Various Operating Systems
25.2            Vulnerability Repair Techniques
25.3            Instructions for Write-Protecting Media
25.4            IRT Standard Procedure Form
26.5            Off-Site Storage
26.6            Backup Routines
27.1            Risk Assessment Form
27.2            Business Impact Assessment Questionnaire
27.3            Comparison of Recovery Strategies
27.4            Alternate Facility Locations
27.5            Facility Specifications
27.6            Sample Business Continuity Plan Contents
27.7            Sample BCP Format
27.15          Sample Position Description for Business Continuity Planning Manager
27.16          Sample Position Description for Business Continuity Planning Staff Member
29.1            Information Systems Audit Manager Position Description
29.2            Information Systems Audit Staff Position Description
29.3            Criticality Ratings by System
29.4            Exposure Ratings by System
29.5            Overall Risk Rating
29.6            IT Audit Documentation
29.7            Information Systems Audit Schedule
29.8            IT Infrastructure Checklist
29.9            IT Audit Skills Assessment Form
29.10          Knowledge, Skills, and Abilities for IT Security Audit Areas by Audit Objective
29.11          Knowledge, Skills, and Abilities for Information Security Specialists
35.3            Content Management Systems–Features, Functions, and Capabilities
37.1            Risk Assessment Policy
37.2            Insurance Policy
37.3            Physical Security Policy
37.4            Information Assets Policy
37.5            Analog/ISDN Line Security Policy
37.6            Virtual Private Network (VPN) Policy
37.7            Password Policy
37.8            Database Password Policy
37.9            Encryption Policy
37.10          Anti-Virus Policy
37.11          Automatically Forwarded E-Mail Policy
37.12          Electronic Security and Monitoring Policy
37.13          Electronic Mail Policy
37.14          Technology Acceptable Use Policy
37.15          Security Awareness Policy
37.16          Security Training Policy
37.17          Acquisition Assessment Policy
37.18          Dial-In Access Policy
37.19          Extranet Policy
37.20          Information Sensitivity Policy
37.21          Privacy and Confidentiality
37.22          Server Security Policy
37.23          Software Copyrights – Licensing Policy
37.24          Wireless Communication Policy
37.25          Audit Policy
37.26          Security Administration Policy
37.27          Segregation of Duties Policy
37.28          Computer Center Operations Policy
37.29          Information Technology Steering Committee Policy
37.30          Program Change Control Policy
37.31          Third-Party IT Service Organization Policy
37.32          Cloud Computing Policy
37.33          Information Technology Planning Policy
37.34          Server Virtualization Policy
37.35          Incident Management Policy
37.36          Backup and Recovery Policy
37.37          Business Continuity Planning Policy
36.1            Application Controls
36.2            Backup Routines
36.3            Building Construction
36.4            Business Continuity Planning
36.5            Communication Controls
36.6            Computer Operations
36.7            Computer Room Security
36.8            Data Backup Procedures
36.9            E-Commerce Threats
36.10          Facility Security
36.11          Front Counter and Back Counter System Controls
36.12          General Computer Security and Controls
36.12          Insurance
36.13          Intrusion Detection Systems
36.14          Key and Lock Control
36.15          Main Computer Security
36.16          Network
36.17          Off-Site Storage
36.18          Personnel
36.19          Platform Virtualization
36.20          Remote Deposit System Controls
36.21          Positive Pay System Controls
36.22          Program Development
36.23          Vital Records