What are the key requirements of the GLBA Safeguards Rule?

What are the key requirements of the GLBA Safeguards Rule?
Bill McCauley
Author: Bill McCauley

  The Gramm-Leach-Bliley Act (GLBA) contains the Safeguards Rule.  This requires financial businesses to establish, implement, and maintain a comprehensive information security program, which is designed to safeguard the security, confidentiality, and integrity of customer data. The requirements in this regulation are applied to a wide range of businesses, and includes institutions within the education sector that provide financial products or services to clients or consumers.

  The information security program is the core focus of this regulation.  The designation of a “Qualified Individual”, use of basic security controls, security awareness training, and the requirement to do regular assessments are all key components of your information security program.

  You must first choose a Qualified Individual, who will manage, implement, and enforce your information security program. This position will encompass several responsibilities, and the ideal candidate will have a cybersecurity background and/or experience working with information security systems. The Qualified Individual will also need to communicate with various departments within the company and should report to someone in senior management. Furthermore, they will provide senior management with frequent, written updates on the current status of the information security program and any security concerns that pose a risk to the organization. While this position can be outsourced, it’s important to remember that you, as the organization, are still responsible for meeting these compliance requirements.  

  The Safeguards Rule states that safeguards must be developed and put into effect to reduce risk and protect customer information. The information security program will need to incorporate a variety of security measures, including administrative, technical, and physical controls, in order to achieve this objective. Administrative controls leverage managerial controls such as policies and procedures. Technical controls are utilized to safeguard sensitive systems or information, and are usually implemented with hardware or software technologies such as authentication techniques, encryption, firewalls, and so on. Physical controls may include security guards, guard dogs, locks, cameras, and other similar things. In general, these types of security measures are based on well-known and accepted information security standards and can be readily found in any CISSP course. For more information on CISSP, click here: Breaking the Bootcamp Model

  Security awareness training for your staff is an essential component of a strong information security program. Even though a certain level of risk may be unique to one sector (banking, education, automotive, etc), there are many risks commonly shared by all sectors.  For example, any business that uses email will need to educate its personnel on how to recognize and respond to phishing emails. The training itself should be relevant to the main activities carried out by employees within your company and the threats that frequently exist within your industry. This ensures that a wide range of security awareness is provided for all employees while also allowing for more specialized training if necessary, such as for your information security personnel.

  Lastly, let's take a look at the assessments and testing activities that may be found throughout the Safeguards Rule. In general, a risk assessment is a process of identifying and analyzing threats and vulnerabilities. This may be done in a variety of ways, including a business analysis report on cyber dangers within your sector, broad cyber security concerns on relevant technologies, a vulnerability assessment, and a full-fledged penetration test.

  While the rule doesn't describe exactly how the risk assessment is to be done, it does state that written criteria will be required to evaluate, categorize, assess, and mitigate security risks related to the confidentiality, integrity, and availability of your information systems and customer information.

  This list includes many of the essential components required for your information security program. There are several other areas that should be considered as part of the full Safeguards Rule requirements, including vendor management, encryption, alerting, monitoring, continuous improvement, data retention, and secure destruction of customer information.

  This concludes our look into the GLBA Safeguards Rule and its information security program requirements.  If you’re interested in learning more about security fundamentals, we have a Professionally Evil Fundamentals YouTube channel that covers a variety of technology topics.  In addition, if you’re looking for a penetration test, training for your organization, or just have general security questions please Contact Us.

Join the professionally evil newsletter