TRENDING:

Implementing Information Safeguards Under Gramm-Leach-Bliley

Andrew MillerAugust 11, 2006    
Implementing Information Safeguards Under Gramm-Leach-Bliley

The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program. They must identify internal and external risks to the security, confidentiality, and integrity of customer information and assess the adequacy of safeguards, assure that contractors or service providers are capable of maintaining appropriate safeguards for customer information, and adjust the information security program in light of developments that may materially affect the entity's safeguards.

The FTC has published information on safeguards at http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.

When implementing the Safeguards Rule, a company must consider all areas of its operation, especially employee management and training; information systems; and managing system failures. The FTC suggests that companies train employees about basic security measures, such as locking rooms and/or filing cabinets where records are kept, using strong password-activated screen savers (passwords should be at least eight characters long and should contain both letters and numbers), changing passwords frequently, and reporting any fraudulent attempt to obtain customer information to the appropriate law enforcement agencies. Companies may also want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the confidentiality and security standards for handling that information.

The Safeguards Rule also requires financial institutions to maintain security within their information systems - which include network and software design as well as information processing, storage, transmission, retrieval, and disposal. To accomplish this, companies should consider, storing all records in a secure area, providing for secure data transmission, and disposing of customer information in a secure manner. Similarly, in order to prevent and manage system failures, the new publication suggests that companies should respond to any security breach in a timely manner; regularly update firewalls and antivirus software; and install patches to repair software vulnerabilities.

The FTC provides additional guidance at http://business.ftc.gov/privacy-and-security/data-security.

Guidance is also available from leading security professionals who've assembled consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks. The lists identify commonly exploited vulnerabilities that pose the greatest risk of harm to information systems. Use these lists to help prioritize your efforts so you can tackle the most serious threats first.

  • The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20) was produced by the SANS Institute and the FBI. It describes the 20 most commonly exploited vulnerabilities in Windows and UNIX. Although thousands of security incidents affect these operating systems each year, the majority of successful attacks target one or more of the vulnerabilities on this list. This site also has links to scanning tools and services to help you monitor your own network vulnerabilities at www.sans.org/top20/tools.pdf.
  • The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org) was produced by the Open Web Application Security Project (OWASP). It describes common vulnerabilities for web applications and databases and the most effective ways to address them. Attacks on web applications often pass undetected through firewalls and other network defense systems, putting at risk the sensitive information that these applications access. Application vulnerabilities are often neglected, but they are as important to deal with as network issues.
Previous
Visa Takes Aim at Data Compromises
Next
Initial Commentary on the FFIEC Internet Banking Guidance FAQs

About the Author

Andrew Miller

Andrew Miller

Contributing Writer, ISMG

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.



Around the Network

How State Governments Can Regulate AI and Protect Privacy
How State Governments Can Regulate AI and Protect Privacy
How Biden's AI Executive Order Will Affect Healthcare
How Biden's AI Executive Order Will Affect Healthcare
Protocol Isolation: The Key to Securing OT Environments
Protocol Isolation: The Key to Securing OT Environments
How AI Can Help Speed Up Physician Credentialing Chores
How AI Can Help Speed Up Physician Credentialing Chores
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Why Hospitals Should Beware of Malicious AI Use
Why Hospitals Should Beware of Malicious AI Use
AI in Healthcare: The Growing Promise - and Potential Risks
AI in Healthcare: The Growing Promise - and Potential Risks
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Mapping Access - and Attack - Paths in Active Directory
Mapping Access - and Attack - Paths in Active Directory
Stopping Cloud Workload Attacks
Stopping Cloud Workload Attacks

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.