GLBA/FFIEC Compliance Solution
Financial Services Regulations
Financial services regulations on information security, initiated by the Gramm-Leach-Bliley Act (GLBA), require financial institutions in the United States to create an information security program to:
- "Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."
The Federal Financial Institutions Examination Council (FFIEC) has supported this mission by providing extensive, evolving guidelines for compliance. These are collected in the FFIEC IT Examination Handbook (html version; PDF version), as well as updates issued by the five enforcing agencies.
Who's in Charge?
The Financial Services Modernization Act, a.k.a. the Gramm-Leach-Bliley Act (GLBA) of 1999, first established a requirement to protect consumer financial information. The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for evaluating institutions for compliance with GLBA (among other things). Enforcement falls to five agencies, the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Different agencies may have additional requirements, such as this recent
FDIC directive.
Fortify's Solution
| Section of the Act |
Summary |
Solutions |
| Security Process |
- Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees.
|
- Professional Services, including Corporate Information Security Program Development, Policies, Standards, and Security Baseline development, and Enterprise Security Architecture and Standards Development
|
|
| Information Security Risk Assessment |
Maintain an ongoing information |
|
| Risk Assessment |
security risk assessment program that considers assets, data, threats to prioritize risk. |
- including Enterprise Risk Assessment and Analysis
|
|
| Information Security Strategy |
Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies. |
- Professional Services including Corporate Information Security Program Development and Enterprise Security Architecture and Standards Development
|
|
Security Controls Implementation
- Access Control
- Physical and Environmental Protection
- Encryption
- Malicious Code Prevention
- Systems Development, Acquisition, and Maintenance
- Personnel Security
- Data Security
- Service Provider Oversight
- Business Continuity Considerations
- Insurance
|
|
Establish security controls to:
- Restrict access to authorized individuals and devices and to disallow access to all others.
- Define physical security zones and implement appropriate preventative and detective controls in each zone.
- Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
- Protect against the risk of malicious code by implementing appropriate controls at the host and network level
- Ensure that systems are developed, acquired and maintained with appropriate security controls.
- Mitigate the risks posed by internal users
- Control and protect access to paper, film and computer-based media to avoid loss or damage.
- Exercise their security responsibilities for outsourced operations
- Provide for business continuity and disaster recovery
- Evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.
|
|
- Security Operations
- Secure Communication Services
- Professional Services including Policies, Standards, and Security Baseline development and Security Awareness program development
|
|
| Security Monitoring |
Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration and other conditions which increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and responding to intrusions and other security events and weaknesses. |
- Security Operations
- Log Monitoring
- Dashboard for event management
- Professional Services including GLBA Compliance and Incident Response Program Development
|
|
| Security Process Monitoring and Updating |
Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls. |
|
|
|
