Gramm Leach Bliley Act (GLBA)
In recognition of the importance of protecting personal financial information, the GLBA was signed into law on November 12, 1999. The act dictates that financial institutions must, under 15 USC 6801 Section 501, 505(b) and 507, establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, physical and technical safeguards. GLBA further states that "it is the policy of the Congress (and now the United States) that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." These safeguards must be sufficient to:
- insure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of such records; and
- protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
These general compliance objectives have been further refined by financial institution regulatory agencies in subsequent guidelines. Information Risk Group has developed specific work programs to assist financial institutions in achieving GLBA compliance under each agency's policies. Please contact IRG if you have questions about what steps are required for your institution.
Compliance Dates
The effective date for implementing these guidelines depends on which government agency is responsible for regulating your financial institution. See the chart below for a further explanation:
| Regulatory Agency | Financial Institutions Regulated | Implementation Compliance Date | Outsourced Technical Services Compliance Date |
|---|---|---|---|
| FDIC | Primary federal regulator of state-chartered "nonmember" banks: commercial and savings banks that are not members of the Federal Reserve System. | July 1, 2001 | July 1, 2003 |
| OTS | Primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations. | July 1, 2001 | July 1, 2003 |
| OCC | Charters, regulates, and supervises all national banks. Also supervises the federal branches and agencies of foreign banks. | July 1, 2001 | July 1, 2003 |
| FTC | Mortgage lenders or brokers; check cashers; pay-day lenders; professional tax preparers and tax planners; credit counseling services; financial advisors; retailers that issue their own credit cards; personal property or real estate appraisers; auto dealers that lease and/or finance; collection agency services; medical-services providers that establish, for a significant number of their patients, long-term payment plans that involve interest charges; government entities that provide financial products such as student loans or mortgages. | May 23, 2003 | May 23, 2006 (to conform third-party service contracts entered into before July 24, 2002) |
| FRB | Primary federal regulator for state-chartered banks that are members of the Federal Reserve System, as well as for all bank and financial holding companies and certain operations of foreign banking organizations. | July 1, 2001 | July 1, 2003 |
| NCUA | Charters and supervises federal credit unions and insures the deposits in all federal and many state-chartered credit unions. | July 1, 2001 | July 1, 2003 |
| State Banks | Supervise state-chartered banks, savings institutions, and credit unions. | July 1, 2001 | July 1, 2003 |
| State Insurance Authorities | Insurance companies are regulated at the state level. | Varies by state | Varies by state |
How can Information Risk Group assist your company in
complying with these guidelines?
Regardless of size, all financial institutions must take specific actions to comply with GLBA. The steps that must be taken vary slightly by regulating agency; however, each agency has based its guidelines around a common set of information security principles.
Each financial institution must develop a written information security plan that includes:
- designating one or more employees to coordinate the safeguards;
- identifying and assessing the risks to customer information in each relevant area of the company's operation, and evaluating the effectiveness of the current safeguards for controlling these risks;
- designing and implementing a safeguards program, and regularly monitoring and testing it;
- selecting appropriate service providers and contracting with them to implement safeguards; and
- evaluating and adjusting the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.
Information Risk Group has developed several specific offerings to aid financial institutions in complying with the requirements of GLBA. Our methodologies are based on years of experience as technical auditors with large financial firms and the major accounting agencies. IRG reviews are performed in an efficient and timely manner in order to minimize any impact from our assessment on your company and its personnel.
Our present offerings with respect to GLBA are as follows:
Contact IRG today for further information on how we can help you comply with GLBA.
Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609
E-mail: inforisk@inforiskgroup.com
Information Risk Group offers information security and risk management services to companies throughout the Americas.