The Gramm-Leach-Bliley Act (GLBA) Section 501(b) Compliance Assessment.

In a general memo released soon after GLBA became law, the Federal Deposit Insurance Corporation (FDIC) explained to its examiners that “the (GLBA) guidelines require each institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. While all parts of the institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.” This comment succinctly describes most of the significant information security challenges presented by GLBA Section 501(b):
Institutions must examine their “information security program” with the process goals of Protection, Detection, Response, and Governance in mind. An organization must evaluate the roles, responsibilities, and technologies used to operationalize each process goal.
The Information Security Program must be described in formal documentation. The documentation should be well organized and subject to defined governance (specifically change control) processes.
Roles, responsibilities, policies, and procedures make up significant aspects of the administrative safeguards. Once established, management or modification of these safeguards should be subject to governance processes.
Most organizations have already deployed specific security technologies such as firewalls, IDS, and access control systems as technical safeguards. To comply with the information security requirements of GLBA Section 501(b), an organization must assess the effectiveness of the existing safeguards and identify where additional technical measures are needed.
The regulation indicates that physical security must be considered in the context of GLBA. Physical protection measures should be subject to the same level of rigorous evaluation as technical and administrative safeguards.
Banking institutions have an obligation to establish information security program standards and to coordinate adherence to those standards across the organization. Organizations need to evaluate the process by which standards are created and the method by which adherence to them is achieved. During ongoing audits and assessments, an organization must conduct sample testing in subsidiary organizations to verify compliance with the standards.