Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees.

Security and Risk Consulting: including Corporate Information Security Program Development, Policies, Standards, and Security Baseline development, and Enterprise Security Architecture and Standards Development

Maintain an ongoing information security risk assessment program that considers assets, data, threats to prioritize risk.

Security and Risk Consulting includingEnterprise Risk Assessment and Analysis

Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies.

Security and Risk Consulting including Corporate Information Security Program Development and Enterprise Security Architecture and Standards Development

Security Controls Implementation• Access Control Physical and Environmental Protection Encryption Malicious Code Prevention Systems Development, Acquisition, and Maintenance Personnel Security Data Security Service Provider Oversight Business Continuity Considerations Insurance

Establish security controls to: Restrict access to authorized individuals and devices and to disallow access to all others. Define physical security zones and implement appropriate preventative and detective controls in each zone. Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Protect against the risk of malicious code by implementing appropriate controls at the host and network level Ensure that systems are developed, acquired and maintained with appropriate security controls. Mitigate the risks posed by internal users Control and protect access to paper, film and computer-based media to avoid loss or damage. Exercise their security responsibilities for outsourced operations Provide for business continuity and disaster recovery Evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.

Security and Risk Consulting including Policies, Standards, and Security Baseline development and Security Awareness program development

Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration and other conditions which increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and responding to intrusions and other security events and weaknesses.

Security and Risk Consulting including GLBA Compliance and Incident Response Program Development

Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.

• Vulnerability Scanning Security and Risk ConsultingincludingPenetration Testing and Web Application Testing