About the Gramm-Leach-Bliley Act
When the Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999, the goal of the legislation was “to enhance competition in the financial services industry by providing a framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers....” The law made consumer insurance, banking, and investment information accessible through a single source. At the same time, the law mandated that any organization with access to non-public customer information—including financial institutions, insurance companies, credit card companies, debt collection agencies, and real estate settlement firms—meet stringent administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Staying Compliant; Staying Secure
Until now, for most organizations, compliance has been driven by events—like a security breach or network outage—which led to a review of the IT infrastructure and security controls, and external and internal pressure to make improvements. With the advent of significant new regulations like the Gramm-Leach-Bliley Act, however, ensuring compliance has become a business requirement, and concerns about new corporate and regulatory requirements have made compliance a top-of-mind issue for executives and the organizations they lead. In fact, a published report from a leading research firm stated that “compliance spending in 2006 will reach $27.3 billion. Spending will climb even higher in 2007, with companies devoting $28 billion to compliance initiatives.”
The challenge for many organizations lies in the common misconception that compliance and security are equal, and, by achieving compliance, an organization will ensure infrastructure security and vice versa. According to Khalid Kark, senior research analyst at Forrester Research Inc., security and compliance are two distinct issues; compliance does not always equal security, and the real challenge is to remain compliant while staying secure. “There are two broad trends,” Kark said during a recent Ecora webinar. “Because of well-publicized security breaches, many organizations have taken a broad view and consider security in terms of the possible risk to corporate information. At the same time, regulatory pressures and compliance requirements have dominated the agenda, so organizations are focusing on just one particular area and not looking at security holistically. To get desired results, organizations must address both information risk and compliance through a comprehensive corporate governance framework.”
In recent years, implementing this comprehensive governance framework has been made more difficult because the annual investment in security spending is dropping. Kark added that sometimes this funding has been redirected to compliance at the expense of security. “To be both compliant and secure, organizations need to shift their thinking from responding to tactical IT security issues like firewalls, intrusion detection systems, viruses and worms, system hardening, and encryption to addressing information risk and more strategic business concerns, such as protecting intellectual property, ensuring regulatory compliance, preventing insider abuse, and safeguarding customer privacy,” he said. “The result can be a comprehensive program that addresses both information risk and compliance concerns within an organization.”
FFIEC IT Examination Handbook as a Framework to Ensure Compliance and Security
The Federal Financial Institutions Examination Council (FFIEC) designs and supervises audits for the majority of federal agencies that oversee organizations that must comply with GLBA. To ensure that all auditors work within uniform principles, standards, and report forms, the FFIEC publishes the IT Examination Handbook. The Handbook was substantially revised and expanded in July 2006 and can now provide a clear framework for an organization’s compliance/security program, including a five-step security process:
1. Information Security Risk. Identify and assess threats, vulnerabilities, attacks, probabilities, and outcomes.
2. Information Security Strategy. Mitigate risk by integrating technology, policies, procedures, and training, approved by the board.
3. Security Controls Implementation. Define and implement specific roles and responsibilities, and ensure that sufficient knowledge, skills, and motivation exist to fulfill the duties; acquire and operate technology to support security controls.
4. Security Monitoring. Assure that risks are appropriately assessed and mitigated and that controls are effective and performing as intended.
5. Security Process Monitoring and Updating. Gather and analyze information regarding new threats and vulnerabilities and actual attacks on the organization or on others, together with the effectiveness of the existing security controls.