Information Security Program Committee
Information Security Department

XXXXXXX 20XX
Introduction
    √ Objective
      Oversee the development, implementation,
      and maintenance of the bank's information
      security program, including assigning specific
      responsibility for its implementation and
      reviewing reports from management.

Introduction
√ Information Security Program
     PART 1.    NETWORK SECURITY AND CONTROLS
     PART 2.    CORE PROCESSING SYSTEMS SECURITY AND CONTROLS
     PART 3.    OTHER SYSTEMS AVAILABILITY, SECURITY AND CONTROLS
     PART 4.    PERSONAL COMPUTERS
     PART 5.    PAPER-BASED INFORMATION SECURITY
     PART 6.    SERVICE PROVIDER ADMINISTRATION
     PART 7.    DEBIT / ATM CARDS
     PART 8.    PHYSICAL SECURITY
     PART 9.    EMPLOYEE BACKGROUND CHECKS
     PART 10.   INFORMATION SECURITY PROGRAM COMMITTEE
     PART 11.   ANNUAL REPORTING TO THE BOARD

Information Risk Assessment
    √ Annual compliance with the Gramm-Leach-Bliley
      Act (GLBA).
      – Information Security Risk Assessment
             Worked with Integrated Compliance Solutions to
             develop the annual Information Security Risk
             Assessment.
      – Information Security Assessment
             Reviewed Compushare's Vulnerability Test
             Report.

Information Security Risk Assessment
    √   Findings: Closed
        –   Controls over the securing of current and next-day backup tapes.
                  Policy and Procedure Modified.
                  Storing current and next-day backup tapes in the computer room.
        –   Insufficient controls for enterprise-wide automatic lockout settings on all
            PCs.
                  Information Security Policy and Program Modified.
                  Enabled automatic lock-out in the Active Directory domain, with the standard
                  business practice of 10 minutes of non-use.
        –   Ensure that all fax cover sheets in every department and branch contain a
            standardized legal disclaimer.
                  Implemented a corporate fax cover sheet, including a standardized legal
                  disclaimer.
        –   Install a polarizing screen at CSR desks.
                  Defined the CSR desks at risk.
                  Installed polarizing screens in seven branches.

Information Security Risk Assessment

    √ Findings: Open
      "Fax machine uses film-style cartridge which leaves an impression on the film
       ribbon which could disclose confidential information on all faxes received if
       discarded used cartridge is taken by an unauthorized person."

    Risks Involved:
    √ Reputational
    √ Operational:
              Internal Fraud
              External Fraud
              Legal


Fax Replacement

Analysis
     Facsimiles, according to the last asset inventory:
     Total                            38
     Film Ribbon Cartridge (FRC)      14 (36%)
     Branches                         31
     FRC share in branches            45%
     √ No control over ribbon cartridge disposal
     √ No procedure for discarding used cartridges
     √ Type of ribbon cartridge:
            Brother PC-201

Mitigation Options
     Current Options
     √ Facsimile Replacement
     √ Branch Destruction
     √ Third Party Destruction
Facsimile Replacement
     √ The IT Department performed an extensive thermal
       fax analysis
            Selected Facsimile: Brother Intellifax 4100e
                Laser, 15 pages per minute
                Toner Yield: 6,000 pages
                Fax, copy, telephone
            – Trade-in Discount: Buy-back of Brother 1270e
     √ Risk Eliminated
     √ One-time investment: $3,829.00

Branch Destruction
     √   Develop a Destruction Procedure
     √   Develop an Internal Control
     √   Consumes Branch Manager, Teller and Head Office Supervisor time
     √   Risk Mitigated
     √   Monthly Cost: $6,722.80
     √   Assumptions
             Monthly
                  Branch Manager: 10 minutes
                  Teller: 1 hour
                  Head Office Supervisor: 5 hours
                  Number of Branches (Disposal): 8
             Number of Years: 5
             Interest Rate: 5%
             Non-customer legal action against BBVA Bancomer USA for ID theft
Third Party Destruction
     √   Search for and Hire a Destruction Company
     √   Develop a Confidentiality Agreement
     √   Risk Shifted
     √   Monthly Cost: $3,933.55
     √   Assumptions
            Monthly
                 Branch Manager: 10 minutes
                 Head Office Supervisor: 5 hours
                 Number of Branches (Disposal): 8
            Number of Years: 5
            Interest Rate: 5%
            Non-customer legal actions against BBVA Bancomer USA for ID theft
Summary
                     Facsimile           Branch                   Third Party
                     Replacement         Destruction              Destruction

     Present Net     $3,829.00           $6,722.80                $3,933.55
     Value (5%, 5Y)

     Risk            Eliminated          Mitigated                Shifted

     Human           None                Branch Manager           Branch Manager
     Resources                           Teller                   Head Office Supervisor
                                         Head Office Supervisor   Third Party Manager

     Strength        Risk Eradication    Internal Control         Low Cost

     Weakness        One-Time            Time                     External
                     Investment          Consuming                Control
Information Security Committee Presentation Sample