Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the bank may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.
USB shall report to its Board of Directors or a Board designated committee at least annually. This report should describe the overall status of the information security program and the institution’s compliance with these guidelines. The report, which can vary depending on the complexity of the institution’s program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations (and management’s responses); and recommendations for changes in the information security program.
The Risk Assessment Report to the Board of Directors shall include the following topics:
– Facilities Restrictions
– Dual Control Procedures
– Response Programs
– Protection From Destruction, Loss or Damage
– Staff Training
– Service Provider Oversight
– Service Provider Audit