Bank Enterprise Information Security Policy (EISP)

The organization that we will use is a small community bank. This type of organization was selected because everyone in the course should have some familiarity with banks, a community bank has a smaller scope, the banking industry has regulatory requirements to follow, and public trust in banking is very important. (Maryland SECU is an example of this type of bank.)

Here are some technical parameters of the Bank of Bowie.

· Headquarters is located in Bowie, MD

· Headquarters building has corporate offices and a branch on the lower level

· Two branch offices are located in Bowie and Laurel

· Each of the three branches employees the following staff

o Branch Manager

o Branch Security Officer

o Six Tellers

o Two Loan Officers

· Corporate Headquarters employs the following staff

o Officers and Directors

§ Chairman/CEO/President/Director

§ Vice-President/Secretary/Director

§ Financial Officer/Treasurer

§ Assistant Treasurer 

§ Six Directors – Corporate Strategy, Branch Oversight, Personnel Oversight, Regulatory Implementation, Customer Focus, Policy/Standards/Processes

§ Chief Compliance Officer

o Employees

§ Head Loan Officer 

§ Senior Loan Administrator

§ Two Loan Processors

§ Escrow Processor

§ Eight Customer Service Representatives

§ Internal Auditor

§ Compliance Officer

§ Two Human Resources Personnel

§ Five Information Technology Personnel

· Bank Offerings

o Savings and Checking Accounts

o Loans

o Deposit Products such as IRAs

o Online Banking

Information Technology Landscape

· Primary corporate databases are maintained at the Headquarters and a backup location

· Data is replicated routinely from the branches to the Headquarters

· Headquarters and branch personnel use desktops for their day-to-day activities

· Software consists of a number of standard applications, e.g., Office, and customized banking applications

· The Bank of Bowie website provides static information about the bank

· Electronic banking activities are outsourced to other providers

· Data is archived by a third-party provider

· Data protection mechanisms include encryption, digital signatures, access control firewalls, and other measures

Vision/Mission

Bank of Bowie is built on weeks of dedication to the community, Bank of Bowie will “continue in our rich tradition of providing impeccable customer service within a community environment.”[1]

Regulation

We will simplify the government regulations for this activity. You must account for federal requirements for the following.

· All financial transactions must have integrity.

· All financial transactions must be audited and audit data must be retained for a period of six years.

· Social Security Numbers must be kept confidential.

· Customers must have access to their accounts at least every 48 hours.

· Interest rates and other loan terms and conditions must be clearly disclosed to customers.

Submission One – Policies

Bank of Bowie requires a set of policies to guide their efforts. 

Write an Enterprise Information Security Policy for the Bank of Bowie. See Page 148, Table 4-1 for an example. Make certain the policy includes what the information security needs are and not how to achieve them. Include the five federal requirements and three additional requirements based on market competitors (local banks – such as MECU, SECU, PointBreeze Credit Union, 1st Mariner Bank, Rosedale Federal Savings and Loan). Please detail the mission, vision, and values to support the justification for the “information security needs”. 

Create an Issue-specific security policy (ISSP) on a relevant topic of your choosing. It can be for internal system users or for customers or services provided to customers. 

Create a system specific policy that addresses audit logs and backup of the audit logs. Make certain that it is compliant with the laws indicated in the background. 

Each policy document should be well organized per the outlines presented in the text or another reference. Each policy should be between 2 and 4 pages and it will be graded based on its completeness in addressing the topic, not on its length. Finally, it should follow all of the guidelines for each policy type in the text.