Among other things, GLBA requires covered entities to establish, implement, monitor, and maintain a written information security program. This written plan should address ensuring the security and confidentiality of customer data, protecting against threats to the safety and integrity of data, and limiting unauthorized access to information that could harm customers if it were released. When the cybersecurity program has been effectively established and maintenance protocols have been put in place, the organization will have a proactive security approach while maintaining readiness as required by GLBA.
The two key rules within the GLBA are The Financial Privacy Rule (16 CFR Part 313) and The Safeguards Rule (16 CFR Part 314). Both rules dictate how covered institutions manage customer data; the Financial Privacy Rule governs data collection and disclosure while the Safeguards Rule controls data security. Additionally, institutions covered by the Rule must take steps to ensure that their service providers and affiliates protect customer data as well.
First, a company must designate a coordinator for the information security program.
The coordinator, often given the Chief Information Security Officer title, will implement and supervise programs to ensure the company addresses information security risk in a comprehensive manner. The program should address at least the following three topics:
The company needs to identify internal and external security risks that could result in theft, misuse, alteration, or destruction of data. Companies may do this internally but frequently smaller companies hire consultants to perform comprehensive security reviews.
Next, the company should design, implement, and build a program to test their information security safeguards. Third party consultants can provide independent security assessments as well as provide penetration testers to attack the network. The program should run on a regular basis to stay up to date as security threats evolve and advance.
It is also crucial for security teams to oversee third party providers. Several recent major hacks have been the result of inadequate supervision of third parties. GLBA spells out two ways covered entities should interact with their vendors:
Finally, GLBA requires companies to review and amend the program. GLBA calls out a few reasons why a company may need to update their security program: