Ask The Expert
Question:
I work for a bank that is subject to the Gramm-Leach-Bliley Act (GLBA). Do Information Shield publications help organizations comply with the requirements of GLBA?
Response from David Lineman:
From the perspective of information protection, most organizations are concerned with Title V of GLBA. Section 501 from Subtitle A of the GLBA is titled, "Protection of Nonpublic Personal Information". Title V has both security and privacy requirements for the protection of customer information that impact an organization. Information Shield helps organizations in both areas.
First, let's discuss privacy. In a nutshell, GLBA requires organizations to follow "fair information principles" with respect to non-public personal customer information. These fair information principles include, among other requirements, the posting and notification of an organization's privacy policy. These principles also require customers to be able to "opt-out" of having their information shared with other organizations.
Information Security Policies Made Easy, by Charles Cresson Wood, provides pre-written policies that organizations can use to establish their internal and external privacy requirements. It includes a pre-written sample privacy policy that can easily be customized and posted on an external web site. More importantly, it includes pre-written policies that define how the organization internally protects customer information. ISPME includes two sample Privacy Policies, one providing more "lenient" treatment and another more "stringent" protection of customer information.
Later in the fall of 2005, Information Shield will release the Privacy Management Toolkit (PMT), by noted privacy expert Rebecca Herold, CISSP, CISM. The PMT will contain a number of resources to help organizations maintain a leading privacy program based on OECD Fair Information Principles.
Title V, Section 501(b) of GLBA also requires organizations to insure the security and confidentiality of customer data by adopting a "written security program". This security program should include "administrative, technical, and physical safeguards." According to GLBA, this program should use risk-assessment methods to help identify and assess risks to customer data and to enact appropriate security controls to mitigate these risks.
Information Shield publications can help organizations save thousands of dollars and hundreds of development hours with Title V compliance. First, Information Security Policies Made Easy, Version 10 provides over 1300 pre-written information security policies that cover all aspects of a complete information security program. ISPME policies cover important GLBA topics such as the Board of Directors' involvement in information security, risk assessments, data classification, security of third-party contracts, incident response, and many others. (A complete list of topics can be found within the ISPME table of contents.)
In addition to pre-written policies, Information Security Roles and Responsibilities Made Easy, Version 2 provides organizations with critical documentation of their security infrastructure. GLBA specifies clearly that security and privacy responsibilities must be assigned and properly documented. ISRR provides over 70 documents, including pre-written job descriptions for 40 different organization roles, security-related department mission statements, and documented security organizational charts and reporting relationships. ISRR also includes valuable advice on security of outsourcing and third-party service providers.
More specific information about how Information Shield products help organizations implement the data protection requirements of GLBA can be found in the Regulatory Resource Center.
