Purpose
This policy reaffirms the realization by The First National Bank of Allendale (hereinafter referred to as FNBA) of its responsibility to protect consumer records and information in its possession. We understand the requirements for establishing appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. The policy is intended to assure the security and confidentiality of consumer records and information obtained by our bank during its normal course of business. It is also designed to protect against unanticipated threats or hazards to the security or integrity of such records and against unauthorized access to or use of such records that would result in substantial harm or inconvenience to any consumer.
FNBA will also act in compliance with all applicable federal and state laws and regulations.
Responsibility
The Board of Directors of FNBA has the ultimate responsibility to appropriately establish and maintain this policy and assure that it is being observed in the daily operations of the bank. The CFO and the Compliance Committee are responsible for carrying out this policy and making recommendations to the board of directors as to necessary or desirable changes to the policy.
Safeguarding Customer Information
FNBA recognizes its responsibilities for ensuring that it has an effective security program in place to protect customer information from all unauthorized persons or forms of access. To accomplish this, the bank’s board of directors has been directly involved by assuming the following responsibilities:
- Approving a written information security program
- Overseeing the program development, implementation, and maintenance
- Assigning specific responsibility for program implementation
- Reviewing management reports
To assess FNBA’s risk in regard to customer information, the bank will:
- Identify foreseeable internal and external threats that could result in unauthorized use, alteration, or destruction of customer information or information systems.
- Assess the potential damages of these threats, considering the sensitivity of the customer information.
- Assess the sufficiency of policies, procedures, information systems, and other arrangements in place to control risks.
FNBA will implement the following security procedures, as appropriate:
- Access controls on customer information, including controls to prevent pretext calling, which is when unauthorized individuals seek to obtain information by fraudulent means;
- Access restrictions at physical locations that contain customer information;
- Encryption of electronic information (currently, encryption of electronic data is being provided by the vendors supplying the transfer service);
- Procedures designed to ensure that information system modifications are consistent with the bank’s information security program;
- Dual control procedures, segregation of duties, and background checks for employees who have responsibilities for, or have access to, customer information;
- Monitoring procedures to detect actual and attempted attacks on information systems;
- Response programs that specify actions to be taken when the bank suspects or detects unauthorized access to information systems, including reports to regulatory and law enforcement agencies; and
- Measures to protect against the loss of customer information due to potential environmental hazards.
Employee Education and Training
At least once during each calendar year, FNBA will conduct training in which matters affecting the safeguarding of customer information will be discussed. Such discussions will include the following:
- The proper use of customer information;
- Procedures for maintaining security of customer information;
- The importance of confidentiality and the protection of sensitive customer information; and
- Any incidents or circumstances where security has been breached and where the security of customer information has or may have been violated.
Record Keeping and Reporting
Management will regularly test the information security program. The frequency and nature of the tests will be determined by the bank’s risk assessment. FNBA’s internal auditor will conduct these tests.
Management will provide the board of directors with an annual status report on customer information security that will include:
- Risk assessment;
- Risk management and control decisions;
- Service provider arrangements;
- Results of testing;
- Security breaches or violations and management’s response; and
- Recommendations for program changes.
Review of Policy
The Board of Directors of FNBA will review this policy at least once each year and make any revisions and amendments it deems appropriate. The CFO will be responsible for suggesting more frequent revisions as situations or changes in laws or regulations dictate.