
Regulatory Compliance For Financial Institutions Term Paper

Regulatory Compliance for Financial Institutions: Implementation of a GLBA-Compliant Information Security Program

This paper examines the implementation of a GLBA-compliant information security program.

Objectives of the Information Security Program

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to "develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of customer records. GLBA mandates emphasize the need for each bank, thrift, and credit union agency to adopt a proactive information security and technology risk management capability. By doing so, your institution can protect information, applications, databases, and the network as part of a comprehensive information security program." (Net Forensics, 2012, p.1)

Financial institutions are required by banking regulators to "evolve beyond point-security products. You must employ an integrated security strategy that establishes perimeter security as well as security inside the network and among all databases, applications, and end-point devices such as laptops, PCs, wired and wireless devices, PDAs, and more." (Net Forensics, 2012, p.1) All devices on the network are required to collaborate "to ensure proactive security is working effectively." (Net Forensics, 2012, p.1)

In addition, all devices must adapt in real time to the changing risk profile and to new security threats as they emerge. (Net Forensics, 2012, p., paraphrased) The FDIC reports that the Interagency Guidelines Establishing Information Security Standards (Guidelines) "set forth standards pursuant to section 39 of the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1, and sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w)." (2000, p.1)

III. Scope of the Information Security Program

According to the FDIC, the Guidelines apply to customer information that is maintained "by or on behalf of, and to the disposal of consumer information by or on the behalf of, entities over which the Federal Deposit Insurance Corporation (FDIC) has authority. Such entities, referred to as 'the bank', are banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers)." (2000, p.1)

IV. Oversight and Delivery of the Information Security Program

The Guidelines state that, in overseeing service provider arrangements, each bank shall:

(1) Exercise appropriate due diligence in selecting its service providers;

(2) Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

(3) Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers. (FDIC, 2000, p.1)

V. Information Security Program Overview

The Information Security Program requires each bank to implement a "comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities." (FDIC, 2000, p.1) A uniform set of policies is not required across all parts of the bank, but all elements of the information security program must be coordinated. The bank's information security program should be designed in such a way that it:

(1) Ensures the security and confidentiality of customer information;

(2) Protects against any anticipated threats or hazards to the security or integrity of such information;

(3) Protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and

(4) Ensures the proper disposal of customer information and consumer information. (FDIC, 2000, p.1)

VI. Identification and Classification of Information Security

Customer information includes "any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates." (Purdue University, 2000) Nonpublic personal information means personally identifiable financial information that is:

(1) Provided by a consumer to a financial institution;

(2) Resulting from any transaction with the consumer or any service performed for the consumer; or

(3) Otherwise obtained by the financial institution. (Purdue University, 2000)

This also includes "…any list, description, or other grouping of consumers and publicly available information pertaining to them that is derived using any personally identifiable financial information..." (FDIC, 2000, p.1)

VII. Information Security Risk and Vulnerability Assessment

In the area of managing and controlling risk, it is stated that each bank is required to:

(1) Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:

(a) Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

(b) Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals;

(c) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

(d) Procedures designed to ensure that customer information system modifications are consistent with the bank's information security program;

(e) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

(f) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

(g) Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

(h) Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

(2) Train staff to implement the bank's information security program.

(3) Regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

(4) Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III. (FDIC, 2000, p.1)

VIII. Management and Control of Information Security Risk

The Security Guidelines set out the following requirements for risk assessment and controls:

(1) The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

(a) Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

(b) The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and

(c) The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

(2) Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines, and adopt those that are appropriate for the institution, including:

(a) Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

(b) Background checks for employees with responsibilities for access to customer information; and

(c) Response programs that specify actions to be taken when the…

Bibliography

Achieving GLBA Compliance through Security Information Management (2010). Net Forensics. Retrieved from: http://compliance.hoffmanmarcom.com/docs/Achieving_GLBA_compliance.pdf

Anderson, S. and Helmer, G.M. (2009). Isn't There Already a Federal Standard Governing Information Security? Re-Examining the Gramm-Leach-Bliley Act. 21 Jan 2009. Retrieved from: http://www.securityprivacyandthelaw.com/articles/financial-information/

FDIC Law, Regulations, Related Acts (2012). FDIC. Retrieved from: http://www.fdic.gov/regulations/laws/rules/2000-8660.html

Gramm-Leach-Bliley (GLBA) Compliance (2012). Net Forensics. Retrieved from: http://www.netforensics.com/compliance/glba_compliance/

Gramm-Leach-Bliley Act 15 U.S.C. § 6801-6809 (2005). Purdue University, IT Security and Policy. Retrieved from: http://www.itap.purdue.edu/security/policies/GLB_Safeguards_Rule_Training_General.pdf

McGlasson (2008). GLBA Compliance: Tips for Building a Successful Program. Board Involvement, Documentation of Programs, Key to Favorable Review. Bank Info Security. Retrieved from: http://www.bankinfosecurity.com/articles.php?art_id=908

Vulnerability Management for GLBA Compliance (n.d.). Qualys. Compliance Brief. Retrieved from: http://www.qualys.com/docs/glba_guide.pdf