NETBankAudit - Cyber Audit Specialists Assessment Services
Information Security Risk Assessment
and IT Audit Specialists

Gramm Leach Bliley Act

Title V, Section 502, referred to as "Obligations with Respect to Disclosures of Personal Information", is the section of GLB that relates directly to information security in banks and credit unions.

This section mandates that financial institutions implement "administrative, technical, and physical safeguards" for their customers' personal information. It has three main objectives:

  • Provide the necessary level of protection to ensure confidentiality of customer records and information.
  • Protect information from threats.
  • Protect against unauthorized access that would result in substantial harm or inconvenience to the customer.

As a financial institution you should already have a security program in place; GLB effectively makes one mandatory.


Security Program Components

The act states that customer "nonpublic personally identifiable information" needs to be protected.

  • Bank account numbers
  • Social Security numbers
  • Balances and other personal financial information

Responsibility
The board of directors is responsible for approving the security policy and the security program. The policies need to be kept constantly up to date.

Risk Management
Each institution must assess the risks and threats that can affect the confidentiality of customers' information. Potential threats have to be identified, and countermeasures should be put in place to protect customer information against unauthorized access. This includes access control, safeguards for data in transit, and physical protection of data within the building. Monitoring of activities involving the use of customer information, auditing, incident handling, and disaster recovery all have to be addressed. Procedures should be developed to ensure that customers' information is protected under all foreseeable situations.

Training
All employees are required to be properly trained in the role they must play in protecting customer information.

Test Security Measures
All financial institutions must test their security procedures and controls regularly to ensure their effectiveness. The more complex the environment, the more often it should be tested.

Service Provider
All financial institutions remain responsible for their customer information even when it is held at a service provider's facility. This requires due diligence on the institution's part: it must properly select and then monitor the service providers it employs.

Disclosing Procedures
Financial institutions must disclose their security policies and practices.

Responding to Incidents
The act requires that all intrusions be reported on the interagency Suspicious Activity Report (SAR).

Summary
Gramm Leach Bliley provides general requirements for how customer information should be protected. The act does not include many specifics on how you should go about accomplishing this goal. The advent of almost universal online banking services, and now wireless mobile access to accounts, has greatly added to the complexity of protecting customer information.



© 2005-06 NETBankAudit. All rights reserved.