The Business of IT: Feature

Feds Reach Out and Touch IT

July 10, 2003
By Sean Doherty
Gramm-Leach-Bliley

By now, we're all familiar with the privacy notices sent by banks and other financial institutions--those pamphlets printed in small type that appear, seemingly randomly, in our mailboxes. But they are not random: Financial institutions are complying with the Gramm-Leach-Bliley Act, aka the Financial Services Modernization Act of 1999.

GLBA requires banks and financial institutions to notify customers, in writing or electronically, of their policies and practices for disclosing customer information, and the notice must give customers a procedure to opt out of having that information shared with nonaffiliated third parties. GLBA also recognizes that financial institutions collect personal information, including names, addresses, and credit card, phone and social security numbers, in many ways, from loan applications to Web cookies. For IT, GLBA puts the onus on banks and other financial institutions to protect the security and confidentiality of a customer's "personally identifiable financial information."

Under GLBA, a "customer" is a consumer who has a continuing relationship with an institution. A continuing relationship is established when the institution provides one or more financial products or services to that consumer. This definition exempts private information collected from businesses, as well as from consumers who have not established an ongoing relationship.

[Figure: GLBA in a Nutshell]

Personally identifiable financial information is any information a consumer provides a bank to obtain a financial product or service. It can result from a bank transaction, such as obtaining a loan or a safe deposit box. It also includes a customer's account balance, payment and overdraft history, and credit/debit card purchase history. GLBA even extends its reach to Web servers and includes information gathered by cookies.


Information not protected includes aggregate information, or "blind data," that contains no personal identifiers, such as the total number of mortgage applications by county or aggregate account balances by zip code. It also excludes information generally available to the public, such as federal, state and local government records and information widely distributed in the media. For example, the fact that a loan is secured by a mortgage recorded with a county clerk is public record and is not protected.

Banking on IT

To implement GLBA, the Department of the Treasury, the Federal Reserve System and the FDIC published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information." Each agency republished these guidelines as an appendix to its safety-and-soundness regulations for the institutions it supervises (the agencies agreed on the text of the guidelines, with only slight differences). Hence, compliance is not only a matter of law; it bears directly on the safety and soundness of the entity as a whole, for example an organization's status as a depository institution or national bank. Furthermore, each institution is responsible for ensuring that its affiliates and service providers also safeguard customer information.

GLBA requires financial institutions to implement a comprehensive, written infosec policy that includes administrative, technical and physical safeguards for customer information. Institutions can consider their size, complexity, and the nature and scope of their activities when drafting and implementing, but security programs must meet some broad objectives in regard to customer information: ensure its security and confidentiality, guard it from anticipated threats or hazards, and protect it against unauthorized access.

IT is not the last stop for accountability under GLBA's security requirements. A company's board of directors, or an appropriate board committee, must approve the written infosec program and oversee its development, implementation and maintenance. The board must also review reports prepared for management at least once a year. Those reports must describe the overall status of the infosec program and the institution's compliance with the guidelines.

Affected customer information systems incorporate a litany of devices and mechanisms, including hardware and software for information processing, storage, and search and retrieval; messaging systems; and backup and archival tools. Each system may require administrative, technical and physical safeguards, but banks and institutions have a lot of flexibility when implementing such safeguards. A large consideration involves assessing risk. Specifically, enterprises must identify "reasonably foreseeable" internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or information systems.

What constitutes a reasonably foreseeable threat? Think industry standards: Banks and financial institutions will be expected to use those security measures commonly practiced in the industry, such as implementing firewalls, antivirus programs and intrusion-detection systems. If most other banks implement a secure VPN for remote access and yours does not, you may not be perceived as a victim when you suffer a breach in security from a remote location--especially if customer information is compromised.

Customers demand that their information be treated with respect, integrity and security, and to stay competitive you must meet those demands. Financial institutions must know not only who is accessing their networks, but also what data is being accessed and who is engaging in transactions. Answering those questions requires OS-, application- and database-level logging. Pulling all of that information into one viewable console with a tool such as TriGeo Network Security's Contego can simplify security monitoring and make it easier to judge whether policies and procedures are sufficient to control risk. But scoping out the risk requires constant vigilance.
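The paragraph above says why three layers of logging are needed; the following added example (not from the article, and not the Contego product's logic) shows what correlating them actually buys you. The three log formats, hostnames, user names and account numbers are constructed for illustration. Each database read of a customer-account row is matched against the application log to see whether it came through the banking application on behalf of a named user; a read with no matching application event is reported as direct database access, and the OS login log is used to name the person on the client host that issued it.

```python
"""Correlate OS-, application- and database-level logs to answer
"who accessed which customer record, and through what path".

Added example: the log lines, users and account numbers below are
constructed for illustration and do not come from any real product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs: OS logins, application account views, DB audit trail.
OS_LOG = """\
2003-07-10T09:01:12 sshd: accepted login user=jsmith from=10.1.4.22 session=os-101
2003-07-10T09:03:40 sshd: accepted login user=dba_mike from=10.1.9.7 session=os-102
"""

APP_LOG = """\
2003-07-10T09:02:05 bankapp: user=jsmith action=view_account acct=4455 session=os-101
2003-07-10T09:02:30 bankapp: user=jsmith action=view_account acct=4456 session=os-101
"""

DB_LOG = """\
2003-07-10T09:02:05 oracle: user=bankapp stmt="SELECT * FROM accounts WHERE acct_id=4455" client=10.1.4.22
2003-07-10T09:02:30 oracle: user=bankapp stmt="SELECT * FROM accounts WHERE acct_id=4456" client=10.1.4.22
2003-07-10T09:05:11 oracle: user=dba_mike stmt="SELECT ssn,balance FROM accounts WHERE acct_id=4457" client=10.1.9.7
"""

# key=value pairs; a quoted value may contain spaces and its own '=' signs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Account number referenced by a SQL statement (hypothetical schema).
ACCT_RE = re.compile(r"acct_id\s*=\s*(\d+)")


@dataclass
class LogEvent:
    ts: str
    source: str
    fields: dict[str, str]

    @property
    def time(self) -> datetime:
        return datetime.fromisoformat(self.ts)


@dataclass
class AccessRecord:
    ts: str
    acct: str
    db_user: str
    client: str
    os_user: str
    app_user: str | None
    path: str  # "application" (via bankapp) or "direct" (no app-level event)


def parse_line(line: str) -> LogEvent:
    """Parse '<iso timestamp> <source>: <free text with key=value pairs>'."""
    ts, source, rest = line.split(" ", 2)
    fields = {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
        for m in KV_RE.finditer(rest)
    }
    return LogEvent(ts, source.rstrip(":"), fields)


def parse_log(text: str) -> list[LogEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(os_log: str, app_log: str, db_log: str, window_s: int = 5) -> list[AccessRecord]:
    """Join each DB read of a customer account to the app event (same account,
    within window_s seconds) and to the OS user logged in from the DB client host."""
    os_events, app_events, db_events = parse_log(os_log), parse_log(app_log), parse_log(db_log)

    # Who holds an OS login from each client address (last login wins).
    os_user_by_ip = {e.fields["from"]: e.fields["user"] for e in os_events if e.source == "sshd"}

    # Application-level account views, keyed by account number.
    app_by_acct: dict[str, list[LogEvent]] = defaultdict(list)
    for e in app_events:
        if e.fields.get("action") == "view_account":
            app_by_acct[e.fields["acct"]].append(e)

    records: list[AccessRecord] = []
    for e in db_events:
        stmt = e.fields.get("stmt", "")
        m = ACCT_RE.search(stmt)
        if "accounts" not in stmt.lower() or not m:
            continue  # not a customer-record access; out of scope for this report
        acct = m.group(1)
        app_match = next(
            (a for a in app_by_acct.get(acct, []) if abs((a.time - e.time).total_seconds()) <= window_s),
            None,
        )
        client = e.fields.get("client", "")
        records.append(AccessRecord(
            ts=e.ts, acct=acct, db_user=e.fields["user"], client=client,
            os_user=os_user_by_ip.get(client, "unknown"),
            app_user=app_match.fields["user"] if app_match else None,
            path="application" if app_match else "direct",
        ))
    return records


def direct_access(records: list[AccessRecord]) -> list[AccessRecord]:
    """Customer-record reads that bypassed the application: the ones to review."""
    return [r for r in records if r.path == "direct"]


if __name__ == "__main__":
    recs = correlate(OS_LOG, APP_LOG, DB_LOG)
    for r in recs:
        who = r.app_user or r.os_user
        print(f"{r.ts} acct={r.acct} path={r.path:<11} db_user={r.db_user:<9} person={who}")
    print(f"{len(direct_access(recs))} direct database access(es) need review")
```

The join keys here (account number plus a short time window, client address to OS login) are the weak point in practice: the time window must be tuned to the application's real latency, and an address-to-person mapping is only as good as the host's login accounting, so a production version would carry the application session identifier down into the database audit trail rather than inferring it.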
