Information Shield GLBA Solutions

The Gramm-Leach-Bliley Act of 1999

The Gramm-Leach-Bliley Act of 1999 (GLBA), Title V, requires financial services organizations to ensure the security and confidentiality of customer records and information. Title V has both privacy and security requirements for the protection of nonpublic personal information. Among the many requirements, organizations must adopt a "written security program" that includes administrative, technical, and physical safeguards for protecting customer information. Information Shield can save organizations thousands of dollars in their compliance efforts by helping address many of the critical aspects of GLBA.

Information Security Policies Made Easy (ISPME) provides a complete set of security policies and standards that cover both internal data security and customer data privacy. ISPME is organized around the ISO 17799 security standard, and enables organizations to quickly establish a risk-based information security policy program. Specific benefits include:

GLBA is very specific about the requirements for properly defining information security roles and responsibilities. According to GLBA, "the lines of authority and responsibility for development, implementation, and administration of a financial institution's information security program need to be well defined and clearly articulated."

Information Security Roles and Responsibilities Made Easy (ISRR) is the only resource available that can save your organization hours of detailed effort in developing and documenting your security organization. Information Security Roles and Responsibilities Made Easy contains:

Policies and GLBA Requirements

According to GLBA, organizations must develop written policies that define the administrative, technical and physical safeguards that protect customer information. GLBA also requires that organizations provide notice of written privacy policies to customers. Beyond simply writing policies, however, organizations must establish an environment of information control that includes risk assessments, security awareness training, personnel security, physical security, incident response and disaster recovery. Information Shield publications will save organizations hundreds of development hours by providing a complete library of policies and standards that cover each of these critical areas.

Organizational Compliance with GLBA

To help simplify compliance with GLBA, the various Federal agencies responsible for enforcing the Act established the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines are intended to help implement industry best practices by breaking them down into seven steps. The following table illustrates how Information Shield publications help with each of these compliance requirements.

  1. Involve the Board of Directors
     According to GLBA, the Board of Directors should approve the "written" information security program. Information Shield publications provide over 1200 pages of relevant, pre-written information security documents that are easy to customize. ISPME and ISRR both contain valuable advice on how to better involve senior management in the information security program.

  2. Assess Risk
     ISPME provides pre-written policies covering organizational risk assessments, including such critical items as asset inventories, data classification and labeling, vulnerability assessment, and User-Owner-Custodian roles.

  3. Manage and Control Risk
     Within GLBA, "manage and control risk" includes the specific data protection requirements that make up a due-care information security program. ISPME is organized around the ISO 17799 security standard, and provides the most complete policy topic coverage of any information security resource. Over 1300 pre-written policies cover the latest security topics.

  4. Oversee Service Provider Arrangements
     ISPME contains over 50 specific policies related to managing the security of contractors and third-party service providers. ISRR contains valuable advice and checklists for ensuring security in outsourcing contracts.

  5. Adjust the Program
     Within GLBA, "adjust the program" means that organizations must continually monitor their information security program and make adjustments based on new threats. ISPME provides over 100 specific policies relating to the management and monitoring of an information security program, including incident response and disaster recovery.

  6. Report to the Board
     ISPME provides written policies that establish the requirements for annual analysis and reporting on the information security program. ISRR helps organizations clearly document the roles and responsibilities of security personnel who collect and analyze this data.

  7. Implement the Standards
     Information Shield publications provide expert advice to help organizations build and maintain an effective security environment. Information Shield publications are based on the consulting experience of internationally known security expert Charles Cresson Wood, CISSP, CISM, CISA.

For more information on using Information Shield solutions for your GLBA compliance efforts, please contact us.

"Each [bank] shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank holding company and the nature and scope of its activities."

- II. Standards for Safeguarding Customer Information

"[...] the lines of authority and responsibility for development, implementation, and administration of a financial institution's information security program need to be well defined and clearly articulated."

- Interagency Guidelines Establishing Standards for Safeguarding Customer Information

"The Agencies expect that in all cases, management will provide its board (or the appropriate board committee) a written report on the information security program consistent with the Guidelines at least annually."

- Interagency Guidelines