OCC Bulletin 2005-44 | December 14, 2005
Small Entity Compliance Guide: Information Security
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
This bulletin transmits a small entity compliance guide for the Interagency Guidelines Establishing Information Security Standards (Security Guidelines), jointly drafted by staff of the federal banking agencies, pursuant to the requirements of the Small Business Regulatory Enforcement Fairness Act of 1996. The compliance guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.
The compliance guide explains the core terms used in the Security Guidelines and provides information to help financial institutions assess risks, design and implement an information security program, properly dispose of customer and consumer information, respond to incidents of unauthorized access to customer information, and oversee service providers that have access to customer information. The compliance guide also lists resources that may be helpful in assessing risks and in designing and implementing information security programs.
The compliance guide is not a substitute for the Security Guidelines. The compliance guide only addresses a financial institution's obligations under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.
Questions regarding the compliance guidance may be directed to your supervisory office or the Bank Information Technology Division at (202) 647-6340.
Emory W. Rushton
Senior Deputy Comptroller and Chief National Bank Examiner