Information Security Program Development
The Gramm-Leach-Bliley Act is also known as the Gramm-Leach-Bliley Financial Services Modernization Act, or "GLBA". GLBA was passed by the United States Congress and signed into law by President Clinton in 1999.
The Gramm-Leach-Bliley Act repealed portions of the Glass-Steagall Act of 1933, and allowed commercial and investment banks to consolidate. GLBA goes well beyond its initial purpose and addresses numerous information security requirements as well.
In terms of compliance, the law has three major components that govern the collection, disclosure, and protection of consumers' nonpublic personal information (personally identifiable information):
Financial Privacy Rule, (Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. 6801-6809)
"The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the financial institution's information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information." - Source: Federal Trade Commission
Safeguards Rule, (Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. 6801-6809)
"Ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer" - Source: Federal Trade Commission
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect current and former clients' nonpublic personal information.
This plan must include:
* Designating at least one employee to manage the safeguards,
* A thorough risk assessment for each department handling the nonpublic information,
* Developing, monitoring, and testing a program to secure the information, and
* Change procedures to modify the safeguards as needed, commensurate with changes in how information is collected, stored, and used.
Pretexting Protection, (Subtitle B: Fraudulent Access to Financial Information, codified at 15 U.S.C. 6821-6827)
"The Gramm-Leach-Bliley Act prohibits 'pretexting,' the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. This law also prohibits the knowing solicitation of others to engage in pretexting." - Source: Federal Trade Commission.
Common forms of pretexting include social engineering and phishing.
The GLBA encourages the organizations covered by the GLBA to implement safeguards against pretexting. For example, a well-written plan designed to meet GLBA's Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext.
The evaluation of the effectiveness of such employee training should include a follow-up program of random spot-checks, "outside the classroom", after completion of the initial training. This type of testing checks the effectiveness of the classroom training and the resistance of a given student to various types of "social engineering".
GLBA compliance is mandatory, regardless of whether a "financial institution" discloses nonpublic information or not.
The GLBA defines "financial institutions" as "...companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."
The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
* non-bank mortgage lenders,
* loan brokers,
* some financial or investment advisers,
* debt collectors,
* tax return preparers,
* banks, and
* real estate settlement service providers.
These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".
FRSecure is well-versed in GLBA compliance and has proven to be a valuable partner to clients. Our information security assessments provide clients with a GLBA compliance gap analysis. FRSecure provides clients with an accurate picture of their current compliance posture and best-in-class recommendations.
Copyright © 2009 FRSecure LLC All Rights Reserved.