Implementing Information Safeguards Under Gramm-Leach-Bliley
The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer.
The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program. They must identify internal and external risks to the security, confidentiality, and integrity of customer information and assess the adequacy of safeguards, assure that contractors or service providers are capable of maintaining appropriate safeguards for customer information, and adjust the information security program in light of developments that may materially affect the entity's safeguards.
The FTC has published information on safeguards at http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.
When implementing the Safeguards Rule, a company must consider all areas of its operation, especially employee management and training; information systems; and managing system failures. The FTC suggests that companies train employees about basic security measures, such as locking rooms and/or filing cabinets where records are kept, using strong password-activated screen savers (passwords should be at least eight characters long and should contain both letters and numbers), changing passwords frequently, and reporting any fraudulent attempt to obtain customer information to the appropriate law enforcement agencies. Companies may also want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the confidentiality and security standards for handling that information.
The Safeguards Rule also requires financial institutions to maintain security within their information systems - which include network and software design as well as information processing, storage, transmission, retrieval, and disposal. To accomplish this, companies should consider, storing all records in a secure area, providing for secure data transmission, and disposing of customer information in a secure manner. Similarly, in order to prevent and manage system failures, the new publication suggests that companies should respond to any security breach in a timely manner; regularly update firewalls and antivirus software; and install patches to repair software vulnerabilities.
The FTC provides additional guidance at http://business.ftc.gov/privacy-and-security/data-security.
Guidance is also available from leading security professionals who've assembled consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks. The lists identify commonly exploited vulnerabilities that pose the greatest risk of harm to information systems. Use these lists to help prioritize your efforts so you can tackle the most serious threats first.
- The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20) was produced by the SANS Institute and the FBI. It describes the 20 most commonly exploited vulnerabilities in Windows and UNIX. Although thousands of security incidents affect these operating systems each year, the majority of successful attacks target one or more of the vulnerabilities on this list. This site also has links to scanning tools and services to help you monitor your own network vulnerabilities at www.sans.org/top20/tools.pdf.
- The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org) was produced by the Open Web Application Security Project (OWASP). It describes common vulnerabilities for web applications and databases and the most effective ways to address them. Attacks on web applications often pass undetected through firewalls and other network defense systems, putting at risk the sensitive information that these applications access. Application vulnerabilities are often neglected, but they are as important to deal with as network issues.