GLBA Compliance

Institutions must examine “information security program” with the process goals of Protection, Detection, Response, and Governance in mind. An organization must evaluate the roles, responsibilities, and technologies used to operationalize each process goal.

The Information Security Program must be described in formal documentation. The documentation should be well organized and subject to defined governance (specifically change control) processes.

Roles, responsibilities, policies, and procedures make up significant aspects of administrative safeguards. Once established, management or modification of these safeguards should be subject to governance processes.

Most organizations have instituted specific security technologies such as firewalls, IDS, and access control systems to enable technical safeguards. In order to comply with the information security requirements of the GLBA Section 501(b), an organization must assess the effectiveness of the existing safeguards and identify the need for additional technical measures.

The regulation indicates physical security should be considered in the context of GLBA. Physical protection measures should be subject to the same level of rigorous evaluation as technical and administrative safeguards.

Banking institutions have an obligation to establish information security program standards and coordinate adherence to the standards across the organization. Organizations need to evaluate the process of standards creation and the method by which adherence to standards is achieved. During on-going audits and assessments, an organization must conduct sample testing in subsidiary organizations to audit compliance with standards.