Normal 0 false false false EN-US X-NONE X-NONE MicrosoftInternetExplorer4 /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} The Gramm-Leach-Biley Act (GLBA) was enacted to ensure protection over customer’s records and information. LogRhythm can help financial institutions implement and perform procedures to indentify risks, eliminate or reduce these risks, and to monitor and maintain the implemented processes and procedures to ensure that the identified risks are effectively managed. Please read this whitepaper for more details…
LogRhythm and GLBA Compliance
The Gramm-Leach-Bliley Act (GLBA), also known as The Financial Modernization Act of 1999, was enacted to ensure protection over customer's records and information. Authorization to implement this act was given to The Federal Trade Commission (FTC) with an effective date for compliance set on May 23, 2003. GLBA consists of three primary parts; the Financial Privacy Rule, Safeguards Rule, and Pretexting provisions. These rules and provisions make up the requirements for financial institutions to (a) ensure protection of the security and confidentiality of customer's nonpublic personal information (NPI), (b) implement administrative, technical, and physical safeguards, (c) protect against anticipated threats and hazards to information security, and (d) protect against unauthorized access to or use of information. These requirements extend to an institutions business partners as well. Noncompliance can result in penalties that include criminal prosecution, monetary fines and up to 5 years in prison.
To satisfy these legal requirements, financial institutions are required to perform security risk assessments, develop and implement security solutions that effectively detect, prevent, and allow timely incident response, and to perform auditing and monitoring of their security environment. Section 501(b) of the GLBA established the high-level privacy and security requirements that financial institutions must comply with in order to protect customer information. The collection, management, and analysis of log data is integral to meeting many GLBA requirements. The use of LogRhythm directly meets some requirements and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems, and applications all reporting log data. Millions of individual log entries can be generated daily if not hourly. The task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data prove manual processes or homegrown solutions inadequate and costly. LogRhythm Report Center Screenshot LogRhythm can help. Log collection, archive, and recovery is fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's powerful alerting capability automatically identifies the most critical issues and notifies relevant personnel. With the click of a mouse, LogRhythm's pre-configured GLBA report package ensures you meet your reporting requirements.
Copyright 2008 LogRhythm, Inc. All Rights Reserved Page 1 of 7 LogRhythm Compliance Support for GLBA
GLBA requires financial institutions to implement and perform procedures to identify risks, eliminate or reduce these risks, and to monitor and maintain the
implemented processes and procedures to ensure that the identified risks are effectively managed. The Federal Financial Institutions Examination
Council (FFIEC), having been tasked with providing guidance and enforcement, has documented the necessary controls for compliance in their "FFIEC
Information Security Handbook". The remainder of this paper lists the specific control requirements taken from both the FFIEC Information Security
Handbook and associated Tier I and Tier II Examination Procedures. For each control requirement, an explanation of how LogRhythm supports
compliance is provided.
Tier 1 Determine the Adequacy of Security Monitoring
Objective
6
LogRhythm can collect all relevant log messages that have an impact on security and monitoring responsibilities and alert on violations.
Compliance Requirement
How LogRhythm Supports Compliance
LogRhythm provides central monitoring of activity and conditions by collecting
log data from hosts, applications, network devices, etc. LogRhythm provides
Obtain an understanding of the institution's monitoring plans and
real-time event monitoring, alerting, and reporting on specific activity and
activities, including both activity monitoring and condition monitoring.
conditions.
1.6.1
* Activity monitoring consists of host and network data gathering, and
Example Rep... [download for more]
