Current through Register Vol. 51, No. 19, September 20, 2024
A. A licensee that adequately demonstrates compliance with the federal Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 30, Appendix B, as it may be amended from time to time, shall be deemed to be in compliance with §§B-G of this regulation.

B. A licensee shall develop, implement, and maintain a comprehensive information security program that is commensurate with the licensee's size and complexity, the nature and scope of the licensee's activities, and the sensitivity of any customer information at issue.

C. A licensee's information security program shall consider the following objectives:
    (1) Ensuring the security and confidentiality of customer information;
    (2) Protecting against any anticipated threats or hazards to the security or integrity of such information; and
    (3) Protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

D. Governance over Information Technology.
    (1) A licensee shall have an established governance process in place to control and monitor information security.
    (2) The governance process shall include, as appropriate for the size and complexity of the licensee and its information technology systems:
        (a) The establishment of policies and procedures related to information technology approved by the board of directors, ownership, or most senior level of management; and
        (b) A management structure that encompasses:
            (i) Assigning responsibilities and authorities for ensuring adherence to information technology policies and procedures;
            (ii) Documenting accountability for functions to ensure compliance with information technology policies and procedures; and
            (iii) Reporting to the board of directors, ownership, or most senior level of management, no less than annually, regarding the effectiveness of the information technology policies and procedures.

E. Information Technology Security Risk Assessment.
    (1) A licensee shall complete an information technology security risk assessment on a periodic basis, but not less than once every 3 years.
    (2) A licensee's security risk assessment shall include:
        (a) Identification of the data and information systems that need to be protected;
        (b) Classification and ranking of sensitive data, systems, and applications; and
        (c) Identification and assessment of threats and vulnerabilities.

F. Information Technology Security Testing and Monitoring.
    (1) A licensee shall perform periodic testing and monitoring of information technology security controls as appropriate for the size and complexity of the licensee's information technology systems.
    (2) A licensee's periodic testing and monitoring of information technology security controls shall include:
        (a) Evaluating the effectiveness of existing internal controls;
        (b) Taking corrective action to address any significant deficiencies identified during the course of the licensee's evaluation of the effectiveness of existing internal controls;
        (c) Monitoring of external sources for new vulnerabilities; and
        (d) Developing and implementing additional control frameworks for any new or changed threats or risks identified by the licensee.

G. Third Party Provider Oversight. A licensee shall oversee third party service providers by:
    (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
    (2) Requiring service providers by contract to implement and maintain such safeguards.

H. Reporting Obligations. A licensee shall provide notice of a breach of the security of a system to the Commissioner prior to giving the notice required by Commercial Law Article, § 14-3504(b), Annotated Code of Maryland.

I. Record Retention. A licensee shall provide copies of risk assessments under §D of this regulation and results of periodic testing under §E of this regulation to the Commissioner upon request.