In-Depth

Tips for Gramm-Leach-Bliley Compliance

Security vendor Symantec offers best practices for staying in compliance with the Gramm-Leach-Bliley Act.

• By Mathew Schwartz
• 11/12/2003

Of course, GLBA isn’t the only thing they’re grappling with, notes Bruce Moulton, vice president of Symantec's Information Security Business Strategy, but lessons learned there will ultimately help them meet other requirements.

To help organizations get GLBA-compliant, Moulton says you should note the “broader climate” of regulations: the Health Insurance Portability and Accountability Act, the California Breach Notification Act (SB 1386), the Sarbanes-Oxley Act of 2002 , the Basel Capital Accord II (Europe), BS 7799 (Britain), ISO 17799, the NERC (North American Electric Reliability Council) Urgent Action Standard 1200, the Homeland Security Act, the USA Patriot Act, and even Visa’s Cardholder Information Security Program (VISA CISP).

“The bad news for companies is that it’s a long list, and each one of these regulations can have significant implications for companies, including penalties, up to criminal penalties. The worse news is that companies can have obligations under many of these regulations,” he says.

On the other hand, “complying with one may, in the best of circumstances, mean you comply with another or all of the others.” Or at least the techniques used to meet one regulation will help when tackling others.

Within the broad context of GLBA, Moulton also called out some other points companies should be aware of.

First, “there is a burden to be informed, a burden to be aware. A burden to be aware of what? What attacks are being performed, which threats are out there.” To stay current, he recommends companies subscribe to an information service, perform frequent network self-assessments, and utilize network penetration testing. To know if it’s being attacked, a company needs firewalls and intrusion detection systems (IDS), of course.

Second, security has to work across the organization. “There is a very clear directive that the board of directors is responsible, either at the board level or in committee, and they must oversee” the security program, Moulton says. “As far as I can tell, this is a relatively new requirement, [and] I know of very few institutions where security has been visible at the board level, even in institutions with mature programs.” Also of interest, he notes, is that the financial industry tried to strike this requirement from the final GLBA regulation. They failed.

“If there's a giant killer requirement in the guidelines, this may be it. Making it clear that the buck stops at the board, and they should be required to deal with this, should have a very powerful effect on financial institutions.” Given “the seriousness of the matter,” chief information security officers, he says, should anticipate working with the legal department to manage their interactions with the board.

Another note of caution: regulators like to see well-documented security programs. Many companies, however, don’t do that. “My experience is that many institutions don't really have their program committed to in writing,” says Moulton. Furthermore, “many don't address physical and administrative safeguards” either, a GLBA no-no.

“The good news is that you have the latitude to assess risk in the way that you choose. You can make your own bed to lie in. And the bad news is that you must assess risk. It's challenging work that consumes resources,” he says.

To help get there, Moulton recommends companies start with eight steps. While a GLBA program will need to encompass more than this, Moulton labels these as a place to start:

• Access controls on customer information systems
  
• Access restrictions at physical locations with customer information
  
• Electronic customer information encryption
  
• Procedures for customer information system modifications
  
• Dual control procedures, duty segregation, background checks
  
• Monitoring systems to detect actual/attempted attacks
  
• Response programs for suspected or detected attacks
  
• Measures to protect against environmental hazards

Moulton says he designed the list based on the assumption that “examiners will first focus on the items that have been outlined in the [GLBA] guidance.”

Of course, don’t just take his word for it. Look at the examiners guidance: The Federal Financial Institutions Examination Council (FFIEC) handbook. “I warn you, it's a long document, but it contains the guidance to examiners,” Moulton cautions, and thus may help companies tailor their information security programs to best meet GLBA requirements.

You'll find the FFIEC handbook here: www.ffiec.gov/guides.htm