- GLBA (1999) requires financial institutions to protect consumers' personal financial information through a written security program.
- Three core objectives: ensure the security and confidentiality of customer information, protect against anticipated threats, and prevent unauthorized access.
- The Safeguards Rule (effective 2003) requires proactive security measures including risk assessment, safeguard implementation and monitoring.
- The FTC uses an extremely broad definition of "financial institution", including tax preparers, credit counselors, real estate settlement services and debt collectors.
- The FFIEC provides an Information Security Handbook with more than 20 tests specifically for intrusion prevention and detection.
- Failure to comply has serious consequences for both individuals and organizations.
Overview Of GLBA
In accordance with GLBA, almost any organization that works with consumers' money is considered a financial institution; the FTC uses an extremely broad definition of the term "financial institution" for the purposes of GLBA. Some inclusions are obvious (e.g. a bank, credit union or brokerage), but there are many less obvious inclusions as well. Examples from the FTC include tax preparers, credit counselors, real estate settlement services and debt collectors. In addition to the direct providers of those services, any organization that receives data from those providers must also comply with GLBA requirements.
GLBA sets out three core objectives for the protection of customer information:
- Ensure the security and confidentiality of customer records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer
Safeguards Rule
The Safeguards Rule, which went into effect in 2003, requires that included institutions take proactive steps to ensure the security of customer information.
At a minimum, institutions must:
- Appoint an individual or group to bear specific responsibility for GLBA compliance.
- Identify risks to customer information and assess existing safeguards.
- Implement safeguards that are needed to fill any gaps.
- Monitor the effectiveness of all safeguards.
- Ensure service providers are capable of meeting GLBA requirements.
- Adjust the organization's security program as necessary when circumstances change.
Compliance with the GLBA is a serious matter: failure to comply carries serious consequences for both the individuals and the organizations found guilty of a violation.
FFIEC Security Process
The Federal Financial Institutions Examination Council (FFIEC), composed of examiners from the various regulatory bodies tasked with GLBA enforcement, has created an Information Security Handbook and an exhaustive set of tests to assess compliance with the Safeguards Rule, including over 20 that relate specifically to intrusion prevention and detection.
The security process recommended by the FFIEC comprises five key areas:
- Information security risk assessment
- Information security strategy
- Implementation of security controls
- Security testing
- Monitoring and updating
