• Identify the Gramm-Leach-Bliley Act (GLBA) requirements for implementing the administrative, technical, and physical controls necessary to protect nonpublic personal information
• Determine the requirements for handling nonpublic personal information and understand the GLBA guidelines on how to properly secure this data
• Investigate how GLBA has impacted security controls for protecting nonpublic personal information and financial information
• Write a 2–3-page APA-formatted essay that defines a process for obtaining and addressing GLBA compliance information for a financial organization’s audit
Written Essay Assignment 2-3:
• Recognize risks, threats, and vulnerabilities commonly found in the Workstation Domain
• Identify known Workstation Domain vulnerabilities and exploits in the Common Vulnerabilities and Exposures (CVE) database
• Write a 2–3-page APA-formatted essay that describes how risks, threats, and vulnerabilities or misconfigurations at the operating system level in the Workstation Domain might expose that workstation
Sample Solution
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the privacy and security of consumers' nonpublic personal information (NPI). The GLBA is composed of three main rules: the Safeguards Rule, the Privacy Rule, and the Pretexting Rule.
Safeguards Rule
The Safeguards Rule (16 CFR 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program. This program must include administrative, technical, and physical safeguards.
- Administrative Safeguards: These are managerial controls such as policies and procedures. Examples include:
  - Designating a qualified individual to oversee the information security program.
  - Conducting risk assessments to identify and evaluate potential threats.
  - Implementing employee training programs on data security.
  - Overseeing service providers to ensure they maintain appropriate safeguards.
  - Developing and implementing an incident response plan.
- Technical Safeguards: These involve using hardware and software technologies to protect sensitive information and systems. Examples include:
  - Implementing access controls, such as authentication and authorization mechanisms.
  - Encrypting customer information, both in transit and at rest.
  - Using firewalls and intrusion detection/prevention systems.
  - Regularly testing and monitoring the effectiveness of safeguards, including penetration testing and vulnerability assessments.
  - Implementing multi-factor authentication.
- Physical Safeguards: These involve protecting physical access to customer information. Examples include:
  - Locking rooms and file cabinets where customer information is stored.
  - Controlling access to physical locations, such as buildings and computer facilities.
  - Implementing procedures for the secure disposal of customer information.
  - Maintaining backup and recovery procedures to protect against data loss.
Privacy Rule
The Privacy Rule (16 CFR 313) governs how financial institutions collect and disclose consumers' personal financial information. Key requirements include:
- Providing customers with a privacy notice that explains the institution's information-sharing practices.
- Giving customers the right to opt out of having their information shared with certain nonaffiliated third parties.
- Restricting the disclosure of account numbers and access codes to nonaffiliated third parties for marketing purposes.
Pretexting Rule
The Pretexting Rule prohibits obtaining or attempting to obtain customer information under false pretenses (i.e., pretexting). To comply with this rule, financial institutions must:
- Implement measures to verify the identity of individuals requesting information.
- Train employees to recognize and prevent pretexting attempts, such as phishing and social engineering.
- Establish procedures to prevent unauthorized access to customer accounts.
Compliance with the GLBA is mandatory for financial institutions, and failure to comply can result in significant penalties, including fines, civil penalties, and legal action.