BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
SR 95-8 (GEN)
February 15, 1995
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Right of Access Policy for Sensitive Supervisory Information Stored and Accessed Electronically; Procedures To Be Followed in Arranging for Authorized Personnel to be Given Access to Supervisory Information Systems Maintained by the Board, FDIC and OCC
Attached is a policy statement concerning access to sensitive supervisory information that is stored electronically. The attachment also designates the Federal Reserve officials who are to administer this policy and specifies procedures that are to be followed by Reserve Banks in arranging for authorized personnel to gain electronic access to supervisory information systems maintained by the Board, FDIC, and OCC.
This right of access policy is founded on the principle that Reserve Bank officials and staff should only be given access to the sensitive supervisory information they need to know to perform their job responsibilities effectively and efficiently. In advancing this principle, however, it is recognized that there are complications that will introduce ambiguities and questions in the administration of this policy, and guidance is provided on how decisions to authorize access should be made in the face of these ambiguities and questions.
The policy delegates to the Reserve Bank senior officers in charge of banking supervision the responsibility for authorizing access to sensitive, electronically stored supervisory information to Reserve Bank officials and staff engaged in the supervision, discount and payments functions. The officer in charge of banking supervision is also authorized to designate a limited number of staff members to carry out this authorization responsibility. An assessment of the administration of this policy will be performed as part of the annual evaluation and during operations reviews of the supervisory function of the Reserve Banks.
Access approval for Reserve Bank staff members who are not directly involved in the supervisory, discount and payments function must be obtained from the Director of Banking Supervision and Regulation at the Board or his designee.
New, more streamlined procedures to be followed to arrange for authorized personnel to gain electronic access to sensitive information systems stored at the Board, FDIC, and OCC are also outlined in the policy statement. All requests for access to supervisory data at the Board, FDIC, and OCC are to be sent to the Data Security Administration Unit in the Division. Each Reserve Bank is to appoint a person to serve as a central point of contact to submit such requests and stand ready to work with Raymond Holmes, the Data Security Administrator, to carry out the new procedures.
Reserve Banks will be responsible for revalidating access authorizations to Board, FDIC and OCC data systems and providing notification of changes to authorizations at least every six months. Reserve Banks may choose when to do the revalidation by contacting the Data Security Administrator and requesting a revalidation listing.
These policies and procedures are effective immediately for all requests for access to supervision data at the Board, FDIC, and OCC. The appropriate forms for arranging for individuals to be granted access to these data are attached.
If there are policy questions, they should be addressed to Jim Goetzinger (ext. 3408). Procedure questions should be addressed to Raymond Holmes (ext. 3964).
Richard Spillenkothen
Director
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
Control Forms for Access May be Obtained from Federal Reserve Bank
Supersedes SR 92-25
RIGHT OF ACCESS POLICY and
DATA ACCESS SECURITY PROCEDURES
Banking Supervision and Regulation
February, 1995
RIGHT OF ACCESS POLICY AND DATA ACCESS SECURITY PROCEDURES
FOR FEDERAL RESERVE SUPERVISORY INFORMATION
IN ELECTRONIC FORM
Introduction
An important part of the information collected and used by the Federal Reserve's Banking Supervision and Regulation function is sensitive, obtained on a privileged basis and protected from public access under the Freedom of Information Act. Unauthorized disclosure or misuse of non-public supervisory information could cause volatility in financial markets and the payments system and/or result in financial loss to private parties or to the Federal Reserve System. Such disclosures, moreover, would most certainly cause embarrassment to the Federal Reserve System. It is of critical importance, therefore, to ensure the security of this sensitive information.[1]
The Federal Reserve System has long had policies in place for the purpose of promoting the security and integrity of sensitive information in all formats. Efforts are well underway, moreover, to enhance these general policies, including efforts to refine the classification and handling requirements for all sensitive information.[2]
This document is intended to supplement, rather than substitute for, these other on-going efforts. Its focus is on assuring the security of sensitive supervisory information stored and accessed electronically. To that end, a policy on right of access to sensitive supervisory information in electronic form is set forth.
The policy delegates to Reserve Bank Senior Vice Presidents in charge of Bank Supervision the responsibility for authorizing access to electronically stored sensitive supervisory information to Reserve Bank officials and staff members engaged in the supervision, discount and payments function.[3] Reserve Bank staff not directly involved in these functions are to obtain authorization for access to classified supervisory information from the senior officer in the Board's Division of Banking Supervision and Regulation designated by the Division's Director to perform that responsibility.[4] More streamlined procedures to be followed to arrange for authorized personnel to obtain access to the information systems maintained by the Board, FDIC and OCC are also specified. This policy supersedes that set forth in SR 92-25.
Board staff will monitor the Reserve Banks' administration of this policy to assure conformance with its specifications and uniformity of implementation across the System. An assessment of the administration of the policy will be performed as part of the annual evaluations of the supervisory functions of Reserve Banks and during Operations Reviews of these Reserve Bank functions.
Need to Know Policy
The officials and staff of the Federal Reserve System should be accorded ready access to all information they need to know to effectively and efficiently perform their job responsibilities. This statement sets forth the guiding principle on which decisions to authorize Reserve Bank personnel access to sensitive information in electronic form should be based.
In some cases, decisions can be reached that are in full conformance with the principle just stated. Some officials and staff members have a clear need for access to all information in a sensitive data series on a continuing basis in order to effectively carry out their responsibilities. Others may not have a need to know about such information at any time. In these polar cases, decisions on whether to grant access are straightforward: access should be granted in the first case and denied in the second.
The appropriate decision is much less clear, however, in other cases. The need-to-know requirements of officials and staff members can vary with respect to how critical the information is to the carrying out of their responsibilities. In some cases, it may be impossible to effectively perform assigned responsibilities without access to the information. In other cases, responsibilities may be performable, but perhaps not as effectively as would be the case if the information were available. Moreover, some officials and staff members may have a need to know only part of the information in a data series and/or may need to know it only during certain periods. Because technological limitations and other constraints make it cost ineffective to attempt to finely tailor data series and data access arrangements to fit particular needs of each individual, in all these situations it is necessary to exercise judgment in deciding whether to grant officials and staff members access to sensitive information. These decisions should be reached by weighing the need to promote efficiency and effectiveness of job performance versus the importance of limiting access to sensitive information in order to protect its security and integrity. In reaching such decisions, therefore, consideration should be given to the degree of sensitivity of the data, to the position of the individual, and to the acuteness of the individual's need to know. The more sensitive the data, and/or the less senior the individual's position and/or the less acute the need-to-know to meet job responsibilities, the more restrictive should be the stance taken in granting access to a data series.
Reserve Bank Senior Vice Presidents in charge of Bank Supervision are delegated the responsibility of administering this policy for their bank's officials and staff members who work in the supervision, discount and payments function. Consistent with the basic guideline, officials and staff members engaged in these functions who have a need to know about sensitive supervisory information to efficiently and effectively carry out their job responsibilities should be accorded routine access to that information. Routine access may also be granted to a few technically skilled individuals whose responsibilities include updating data series, preparing reports and other analyses for officials and staff members, and carrying out various ad hoc projects. The services of these individuals may also be used to make sensitive information available to individuals who have a need to examine sensitive data on an ad hoc basis. In these cases, the decision to provide sensitive information to these individuals should be made not by the technically skilled individual but rather by the Senior Officer or that officer's designee.
Members of a Reserve Bank staff who are not directly involved in the supervision, discount and payments functions and do not have an ongoing need to know about classified supervisory information to carry out their primary responsibility may, on occasion, wish to obtain access to such information to carry out special projects. In these cases, approval for staff members to be given access to classified supervisory information should be obtained from the senior officer in the Board's Division of Banking Supervision and Regulation designated by the Division's Director to review and decide such requests.
Restricting access to officials and staff members with a need to know will contribute importantly to assuring the security of sensitive information. This practice also needs to be reinforced by other measures, however. It is important to make sure through proper training programs and other means that individuals are fully aware of the critical importance of protecting against an unauthorized access to or disclosure of sensitive supervisory information.
Right of Access Procedures
Reserve Banks should employ the following procedures, which supersede SR 92-25, in authorizing access to sensitive, non-public supervisory information and in arranging for access to such information (both sensitive and non-sensitive). These procedures apply to all individuals who read from or write to databases at the Board containing sensitive supervisory information, including NIC databases, archival files and any other mainframe, server, or PC database at the Board, the OCC's Supervisory Monitoring System, and the FDIC's Banking Information Tracking System. Each Reserve Bank should ensure that similar procedures are in place for authorizing access to local supervisory systems containing sensitive data, including FRED.[5]
As indicated above, the responsibility for approving access to sensitive supervisory information at Reserve Banks will rest primarily with the Senior Vice President in charge of Bank Supervision or the individual(s) they designate, with the exception that staff outside of the supervision, discount and payments functions requesting access will also require approval from the Board. As part of the streamlining effort, all individuals approved for SIS User Access on NIC will also automatically be given access to confidential data on NIC (see Instructions for National Information Center RSSD & SIS Access Request Form). This "hierarchy of risk" approach to addressing security will eliminate a considerable portion of the paperwork and processing requirements associated with administering data security.
The Senior Vice President in charge of Bank Supervision or the designee will be responsible for ensuring that a completed access form is prepared for each individual in the supervision, discount and payments function approved for access to sensitive data. The form is to be sent to the Data Security Administration (DSA) Unit in the Supervisory Information Resources (SIR) Section of the Board's Division of Banking Supervision and Regulation. A copy of the form should be retained at the Reserve Bank in order to provide documentation for the approval. The appropriate forms for requesting access and the instructions for completing the form are attached.[6]
Requests to accord access to classified supervisory data for special projects for staff members not in the supervision, discount and payments function are to be sent to the Board for approval with a descriptive note explaining the use of such data. This request should be sent to the DSA Unit; it will then be forwarded to the appropriate senior officer in the Division for approval. If the request is approved, it will be processed as all other requests. A copy of the approved form and accompanying note will be returned to the Reserve Bank in order to provide documentation for the approval.
Each Reserve Bank will designate an individual to be a central point of contact for answering processing questions, receiving notification that authorized individuals have been provided with access, informing requesters that the request has been processed, coordinating revalidation, and notifying SIR\DSA of changes in authorization as a result of terminations, transfers, etc.
SIR\DSA will be responsible for ensuring that the appropriate steps are taken to provide individuals approved for access to sensitive data with the proper access. That will be done, depending on the data in question, by notifying the Board's IRM Division, another agency, or those in the Board's Division of Banking Supervision and Regulation that needed actions should be taken to provide the authorized individual with access to the data. Once those steps are completed, a designated central point of contact at the Reserve Bank will be notified electronically (ADI). As a general rule, access to Board data systems will be provided within 2 days of receipt of a completed form. Access requests to data systems at other agencies will be forwarded to the respective agency within the same timeframe. Efforts are continuing with the other agencies to improve the timeliness with which they grant access.
It will be the Reserve Bank's responsibility to revalidate each individual in the supervision, discount and payments function and notify SIR\DSA of any changes in access authorization. The Reserve Bank should also notify SIR\DSA if it wishes individuals in other functional areas to continue to have access to classified data. This is to be done at least every six months, but may be done more frequently at the Reserve Bank's discretion. The Reserve Bank will choose when to do the revalidation by contacting the SIR\DSA Unit and requesting a revalidation listing. Between revalidation cycles, Reserve Banks are to inform the SIR\DSA Unit of changes in authorization for their staff members.
In addition to using the specified forms for the purpose of arranging for authorized individuals to be accorded access to sensitive data, Board staff will use these forms as a means of monitoring the Reserve Bank's administration of the right of access policy. The main objectives of this monitoring activity will be to assure that data access decisions are being made in ways consistent with this policy statement and to promote uniformity in administration of the policy across the System. An assessment of a Reserve Bank's administration of this right-of-access policy will be performed as part of the annual evaluation of the supervisory functions of the Reserve Banks and during the Operations Reviews of the supervisory function of the Reserve Banks.
INSTRUCTIONS FOR
NATIONAL INFORMATION CENTER
RSSD & SIS ACCESS REQUEST FORM
Access to the NIC will require the completion of the RSSD & SIS Access Request Form. A copy of this form is enclosed. The completed form must be approved by the Senior Officer in Charge of Bank Supervision or a designee and submitted to the Data Security Administration (DSA) Unit in the Supervisory Information Resources (SIR) Section of the Board's Division of Banking Supervision and Regulation. Once received, the request will be forwarded to the appropriate staff within the Board to activate the request. After the request has been acted upon, the Reserve Bank central contact will be notified that the action has been taken.
The RSSD & SIS Access Request Form is to be used for granting and deleting access to SIS Updater Functions, RSSD Structure Updater Functions and User Access Functions. Refer to Volume V of the Processing Information Guide for additional information on the capabilities associated with each of these functions.
SIS UPDATER FUNCTIONS (Data in this category are classified.)
Updater with Supervisory Authority - Allows access and modification, including deletion, to final data in SIS.
Updater without Supervisory Authority - Allows access and modification to data in SIS, but does not allow data deletion or change to final data.
RSSD STRUCTURE UPDATER FUNCTIONS
NIC Administration - Allows access and modification to all structure tables and execution of all plans in RSSD (Board staff only).
Supervisor - Allows execution of all Structure Updater functions.
General Processor - Allows execution of all Structure Updater functions except Commit to Final with override and manual override of data ownership.
Limited General Processor - Allows execution of all Structure Updater functions except the deletion of rows in the ATTRIBUTES table, Commit to Final with override and manual override of data ownership.
Restricted Processor - Allows limited Structure Updater functions, and excludes authority to override edit exceptions.
Investments Processor - Allows access and modifications to all Investment tables and views and requires access to classified Foreign Investment data (FR 2064).
Note: If an individual requires access to any Structure Updater functions and Investments, both the Investments box and the appropriate Structure Updater box must be checked.
USER ACCESS FUNCTIONS
Public Access - Allows access to Structure and financial data that are not sensitive.
Confidential Access - Allows access to Structure and Financial data that are less sensitive than classified data. Data in this category include the confidential section of the following data:
Bank Call Reports (FFIEC 031-034, 002, 002s, 2886a, 2886b)
BHC Financial Reports (FR Y-9C, SP, LP, Y-11I, AS, Q, Y-20, Y-8 and FR 2352)
SVGL (S&L and Savings Bank Report of Condition)
CUSA (Credit Union Report of Condition)
UBPR (Uniform Bank Performance Report)
BHCPR (Bank Holding Company Performance Report)
FORB (FFIEC-030, Foreign Branch Report of Condition)
NIC/RSSD Structure
Country Grouping Table(s)[7]
Classified Access - Allows access to Structure and financial data that are the most sensitive of all supervisory information. Data in this category include:
FR 2314a, b, c (Report of Condition for Foreign Subsidiaries of US Banking Organizations)
FFIEC 009 (Country Exposure Report)
FFIEC 019 (Country Report)
SIS (Supervisory Information Systems)
FR 2064 (Report of Change in Foreign Investments)
Country Grouping Table(s)[8]
NOTE: Requests for access to SIS USER ACCESS will also provide access to the following Confidential series on NIC:
Bank Call Reports (FFIEC 031-034, 002, 002s, 2886a, 2886b)
BHC Financial Reports (FR Y-9C, SP, LP, Y-11I, AS, Q, Y-20, Y-8 and FR 2352)
SVGL (S&L and Savings Bank Report of Condition)
CUSA (Credit Union Report of Condition)
UBPR (Uniform Bank Performance Report)
BHCPR (Bank Holding Company Performance Report)
FORB (FFIEC-030, Foreign Branch Report of Condition)
NIC/RSSD Structure
Country Groupings Table(s)
The completed form should be sent to:
Mr. Raymond Holmes, SIR Data Security Administration
Division of Banking Supervision and Regulation
Mail Stop 176
Board of Governors of the Federal Reserve System
Washington, DC 20551
INSTRUCTIONS FOR
ARCHIVAL AND NON-ARCHIVAL DATA
BS&R DATA SECURITY CONTROL FORM
Access to supervisory data maintained in the Archival data system will require the completion of the BS&R Data Security Control Form. A copy of this form is enclosed. The completed form must be approved by the Senior Officer in Charge of Bank Supervision or a designee and submitted to the Data Security Administration (DSA) Unit in the Supervisory Information Resources (SIR) Section of the Board's Division of Banking Supervision and Regulation. Once received, the request will be forwarded to the appropriate staff within the Board to activate the request. After the request has been acted upon, the Federal Reserve central contact will be notified that action has been taken. Individuals granted approval for user access to these files will have read only access.
Below is a list of the more commonly requested archival and other non-NIC supervisory data files:
CONFIDENTIAL DATA
BHC Financial Reports (Y-9C, SP, LP; Y-11I, AS, Q, Y-20; Y-8, 8f; 2352)
BHCF (Y-9C, SP, LP; Y-11q, Y-8, 8f)
BHAS (Y-11AS)
BHCC (Y-11i)
ISUD (Y-20)
BHCD (Y-8)
BHCI (Interim Y-8)
BHIF (Y-8f)
BHII (Interim Y-8f)
BHCPR (BHC Performance Report)
SVGL (Savings and Loan Condition Report)
UBPR (Uniform Bank Performance Report)
FORB (FFIEC-030, Foreign Branch Report of Condition)
CLASSIFIED DATA
CEXA (FFIEC-009)
FCEX (FFIEC-019)
SUBS (FR-2314a,b,c)
The completed form should be sent to:
Mr. Raymond Holmes, SIR Data Security Administration
Division of Banking Supervision and Regulation
Mail Stop 176
Board of Governors of the Federal Reserve System
Washington, DC 20551
Access to all other archival files is to be requested by completing a FR 1438 "Request for Access to Confidential Archival Files". All archival files are referenced in the Micro Data Reference Manual; the files most frequently requested by supervisory personnel include the following:
RCRI (FFIEC-031, 32, 33, 34, 002, 002s, 2886a, 2886b)
CUSA (Credit Union Report of Condition)
The completed form should be sent to:
Mr. Frank Fry
Division of Research and Statistics
Mail Stop 401
Board of Governors of the Federal Reserve System
Washington, DC 20551
INSTRUCTIONS FOR
ACCESS TO DATA AT OTHER AGENCIES
OCC DATA REQUEST
FDIC DATA REQUEST
Each of the banking regulatory agencies has separate forms and procedures which must be completed and signed before they will grant access. The request forms for the FDIC and OCC are enclosed. The agencies require that the submission of forms come from a central point in the Federal Reserve System. As a result, the same procedures are to be followed for requests for access to data at other agencies as for data from the Board. The appropriate form must be approved by the Senior Officer in Charge of Bank Supervision or a designee and submitted to the Data Security Administration (DSA) Unit in the Supervisory Information Resources (SIR) Section of the Board's Division of Banking Supervision and Regulation. Once received, the request will be forwarded to the staff at the appropriate agency to activate the request. After the request has been acted upon, SIR\DSA will notify the Reserve Bank central contact that the action has been taken.
The completed form should be sent to:
Mr. Raymond Holmes, SIR Data Security Administration
Division of Banking Supervision and Regulation
Mail Stop 176
Board of Governors of the Federal Reserve System
Washington, DC 20551
Footnotes
1. Sensitive information includes information that falls in one of two categories, classified or confidential, as defined by the Board's Division of Banking Supervision and Regulation. In cases where the institution has provided the sensitive information to the public it is no longer considered sensitive.
2. The current Data Security Manual is being reviewed by a System Security Group. It is expected that this effort will result in new classification terminology and handling procedures for all System data. When a new policy is approved, the classification and handling of information in the supervision function will need to be reviewed for consistency with the objectives of the System policy.
3. The Senior Vice President may find it necessary to designate more than one individual in the department to authorize access. For control and accountability, however, there should generally be no more than two or three individuals designated.
4. Approval from the Board's Division of Banking Supervision and Regulation will only be required for the most sensitive supervisory data which have been designated as classified. Access to confidential data may be approved by the Senior Vice President or the designee.
5. Federal Reserve System information security policies for maintaining confidentiality and integrity of information are defined in the Information Security Policy Manual.
6. The use of automated security forms is currently under consideration. As soon as certain procedures in the use of these automated forms are resolved, they will be offered as a substitute for use. Reserve Bank automation staff have been given evaluation copies for review.
7. All countries included in a confidential country grouping should be considered confidential.
8. All countries included in a classified country grouping should be considered classified.