This paper examines the implementation of a Gramm-Leach-Bliley Act (GLBA)-compliant information security program for financial institutions. It covers the statutory objectives and scope of such programs, the oversight of service provider arrangements, and the identification and classification of nonpublic personal information. The paper also addresses risk and vulnerability assessment requirements, management and control measures, and identity theft concerns illustrated through a Federal Trade Commission enforcement action. Together, these elements outline the comprehensive framework that banks, thrifts, and credit unions must adopt to protect customer data, ensure regulatory compliance, and maintain proactive security across all systems and devices.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to "develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of customer records." GLBA mandates emphasize the need for each bank, thrift, and credit union to adopt a proactive information security and technology risk management capability. By doing so, an institution can protect information, applications, databases, and its network as part of a comprehensive information security program (Net Forensics, 2012, p. 1).
Financial institutions are required by banking regulators to evolve beyond point-security products. They must employ an integrated security strategy that establishes perimeter security as well as security inside the network and among all databases, applications, and end-point devices such as laptops, PCs, wired and wireless devices, PDAs, and more (Net Forensics, 2012, p. 1). All devices on the network are required to collaborate "to ensure proactive security is working effectively" (Net Forensics, 2012, p. 1).
In addition, all devices must be adaptable in real time to the changing risk profile and new security threats as they emerge (Net Forensics, 2012, paraphrased). The FDIC reports that the Interagency Guidelines Establishing Information Security Standards "set forth standards pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1, and sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w)" (FDIC, 2000, p. 1).
According to the FDIC, the guidelines are applicable to customer information maintained "by or on behalf of, and to the disposal of consumer information by or on behalf of, entities over which the Federal Deposit Insurance Corporation (FDIC) has authority. Such entities, referred to as 'the bank,' are banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers)" (FDIC, 2000, p. 1).
With respect to the oversight of service provider arrangements, each bank shall:
(1) Exercise appropriate due diligence in selecting its service providers;
(2) Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
(3) Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers (FDIC, 2000, p. 1).
The Information Security Program requires each bank to implement a "comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities" (FDIC, 2000, p. 1). The bank need not apply a single uniform set of policies across all of its units, but all elements of the information security program must be coordinated. The bank's information security program should be designed to:
(1) Ensure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information;
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
(4) Ensure the proper disposal of customer information and consumer information (FDIC, 2000, p. 1).
Customer information includes "any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates" (FDIC, 2000). Nonpublic personal information means personally identifiable financial information that is:
(1) Provided by a consumer to a financial institution;
(2) Resulting from any transaction with the consumer or any service performed for the consumer; or
(3) Otherwise obtained by the financial institution (FDIC, 2000).
This also includes "any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information that is not publicly available" (FDIC, 2000). Nonpublic personal information includes the following:
(1) Social Security Number (SSN)
(2) Financial account numbers
(3) Credit card numbers
(4) Date of birth
(5) Name, address, and phone numbers when collected together with financial data
(6) Details of any financial transactions (FDIC, 2000)
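As an added illustration of how these elements are identified in practice (example code written for this page, not drawn from the paper or from the FDIC Guidelines), the following Python scans constructed sample records and reports which NPI elements each one contains. The field names, the sample records, the structural rules used to reject impossible SSNs, and the use of a Luhn check to separate card numbers from other long digit strings are all assumptions made here for illustration; the one rule the paper itself supplies is that name, address and phone number count as NPI only when they are collected together with financial data.

```python
"""Classify records for GLBA nonpublic personal information (NPI).

Added example for this page; not from the paper or the FDIC Guidelines.
Field names, sample records and detection heuristics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed field names; a real deployment would map its own schema here.
FINANCIAL_FIELDS = {"account_number", "routing_number", "balance",
                    "transaction_history", "loan_amount"}
DOB_FIELDS = {"dob", "date_of_birth", "birth_date"}
IDENTITY_FIELDS = {"name", "address", "phone"}

# Hyphenated SSN form only: an unhyphenated 9-digit run is ambiguous with
# account numbers, which are instead caught by the field-name rule above.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional space/hyphen separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Elements that make a record NPI on their own (items 1-4 and 6 of the list above).
DIRECT_NPI = {"ssn", "credit_card", "financial_account", "date_of_birth"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs (assumed rules: area 000/666/900+, zero group/serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_elements(record: dict[str, str]) -> set[str]:
    """Return the set of NPI element types present in one record."""
    found: set[str] = set()
    for field_name, value in record.items():
        key, text = field_name.lower(), str(value)
        if key in FINANCIAL_FIELDS and text.strip():
            found.add("financial_account")
        if key in DOB_FIELDS and text.strip():
            found.add("date_of_birth")
        if key in IDENTITY_FIELDS and text.strip():
            found.add("identity")
        # Pattern scan of every value catches NPI buried in free-text fields.
        for m in SSN_RE.finditer(text):
            if ssn_ok(*m.groups()):
                found.add("ssn")
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                found.add("credit_card")
    return found


@dataclass
class Classification:
    elements: set[str]
    is_npi: bool
    reason: str


def classify(record: dict[str, str]) -> Classification:
    """Apply the paper's rule: identity fields are NPI only alongside financial data."""
    elements = find_elements(record)
    direct = elements & DIRECT_NPI
    if direct:
        reason = "contains " + ", ".join(sorted(direct))
        if "identity" in elements:
            reason += " linked to name/address/phone"
        return Classification(elements, True, reason)
    if "identity" in elements:
        return Classification(elements, False, "identity fields without financial data")
    return Classification(elements, False, "no NPI elements found")


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "A. Customer", "address": "1 Main St", "phone": "555-0100"},
    {"name": "A. Customer", "address": "1 Main St", "account_number": "00123456789"},
    {"notes": "Customer SSN 123-45-6789 on file; card 4111 1111 1111 1111"},
    {"name": "B. Customer", "dob": "1985-04-12"},
    {"notes": "ref 4111 1111 1111 1112"},  # fails Luhn, so not treated as a card
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        c = classify(rec)
        print(f"npi={c.is_npi!s:5} elements={sorted(c.elements)} ({c.reason})")
```

The first record is directory information with no financial context and is correctly left unclassified, while the second becomes NPI as soon as an account number is attached to the same name and address. The free-text scan matters because NPI in notes fields is what most often escapes schema-based controls; the Luhn check keeps arbitrary long digit strings from being flagged as card numbers, at the cost of occasionally accepting a Luhn-valid account number as a card, which is a harmless over-classification for GLBA purposes.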
Examples of financial activities at a college or university covered by GLBA include:
(1) Student or other loans, including receiving application information and the making and servicing of such loans;
(2) Collection of delinquent loans;
(3) Check cashing services;
(4) Financial or investment advisory services;
(5) Credit counseling services;
(6) Travel agency services provided in connection with financial services;
(7) Tax planning or tax preparation;
(8) Obtaining information from a consumer report; and
(9) Career counseling services for those seeking employment in finance, accounting, or auditing (FDIC, 2000, p. 1).
In the area of managing and controlling risk, each bank is required to design its information security program to control identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Each bank must consider whether the following information security measures are appropriate and, if so, adopt those it concludes are suitable:
(a) Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals, and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain it through fraudulent means;
(b) Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals;
(c) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
(d) Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program;
(e) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
(f) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
(g) Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
(h) Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures (FDIC, 2000, p. 1).
Considering and adopting suitable measures from this list is item (1) of the Guidelines' control requirements; banks are also required to:
(2) Train staff to implement the bank's information security program;
(3) Regularly test the key controls, systems, and procedures of the information security program — the frequency and nature of such tests should be determined by the bank's risk assessment, and tests should be conducted or reviewed by independent third parties or staff independent of those who develop or maintain the security programs; and
(4) Develop, implement, and maintain appropriate measures to properly dispose of customer information and consumer information in accordance with the requirements of the Guidelines (FDIC, 2000, p. 1).
The risk assessment requirement is as follows. The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:
(a) Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(b) The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and
(c) The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks (FDIC, 2000, p. 1).