FCG 5.3 Further guidance
FCTR contains the following additional material on data security:
• FCTR 6 summarises the findings of the FSA’s thematic review of Data security in Financial Services and includes guidance on:
◦ Governance (FCTR 6.3.1G)
◦ Training and awareness (FCTR 6.3.2G)
◦ Staff recruitment and vetting (FCTR 6.3.3G)
◦ Controls – access rights (FCTR 6.3.4G)
◦ Controls – passwords and user accounts (FCTR 6.3.5G)
◦ Controls – monitoring access to customer data (FCTR 6.3.6G)
◦ Controls – data back-up (FCTR 6.3.7G)
◦ Controls – access to the internet and email (FCTR 6.3.8G)
◦ Controls – key-logging devices (FCTR 6.3.9G)
◦ Controls – laptop (FCTR 6.3.10G)
◦ Controls – portable media including USB devices and CDs (FCTR 6.3.11G)
◦ Physical security (FCTR 6.3.12G)
◦ Disposal of customer data (FCTR 6.3.13G)
◦ Managing third party suppliers (FCTR 6.3.14G)
◦ Internal audit and compliance monitoring (FCTR 6.3.15G)
• FCTR 10 summarises the findings of the Small Firms Financial Crime Review, and contains guidance directed at small firms on:
◦ Records (FCTR 10.3.5G)
◦ Responsibilities and risk assessments (FCTR 10.3.7G)
◦ Access to systems (FCTR 10.3.8G)
◦ Outsourcing (FCTR 10.3.9G)
◦ Physical controls (FCTR 10.3.10G)
◦ Data disposal (FCTR 10.3.11G)
◦ Data compromise incidents (FCTR 10.3.12G)