In many ways, the most significant challenges presented by Section 501(b) are non-technical ones, such as conducting an enterprise-wide Information Security Risk Assessment and meeting the requirement to engage the Board of Directors in the ongoing management of operational risk. This workshop will expand on many of these areas and present practical, proven approaches that many institutions have adopted in order to comply with Section 501(b) of GLBA and Section 216 of the Fair and Accurate Credit Transactions Act.
FFIEC examination guidelines direct bank examiners to consider the specific review areas listed below. In the course of this workshop, we will provide detailed "best practices" recommendations to help organizations achieve compliance in each of the following important review areas:
- Determine the Involvement of the Board. Section 501(b) calls for significant board involvement in the creation and oversight of the information security program. A number of specific processes should be in place and easily explained to the examiner, such as the roles of specific information security program reviewers or review committees.
- Evaluate the Risk Assessment Process. Each banking organization must explain to examiners the method(s) used to estimate risk, including the evaluation of multiple dimensions of risk such as technical risk and transaction risk. The organization must be able to demonstrate that its risk assessment is effective, and a formal risk assessment process should be in place and documented.
- Evaluate the Adequacy of the Program to Manage and Control Risk. Once risk is measured or estimated, the organization must act to manage it. This includes decisions on risk treatment, including the process for choosing to accept, reduce, or assign risk. Risk reduction, or mitigation, may include the application of information technologies such as access control systems.
- Assess the Measures Taken to Oversee Service Providers. Outsourcing critical functions or operations to external service providers does not remove the institution's responsibility to safeguard customer information. The organization must demonstrate defined processes to evaluate and continually monitor service providers against the expectations of Section 501(b).
- Determine Whether an Effective Process Exists to Adjust the Program. All information security programs must be continuously assessed and adjusted to account for changes in the environment, including the addition of new technologies, the emergence of new threats, and modifications to the business such as mergers or acquisitions.
The Interagency Guidelines Establishing Information Security Standards (the Security Guidelines) implement Section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Security Guidelines establish standards for administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information and its proper disposal. In many ways, regulatory agencies have been quite forthcoming in documenting their expectations of banking institutions with respect to Section 501(b) and Section 216 compliance. A number of documented interpretations of the Section 501(b) requirements are generally available and offer significant guidance in achieving compliance. However, we consider it necessary to augment the materials provided by regulators and examiners in order to establish a truly robust program that is compliant with GLBA and FACTA.
The following information has been compiled by BankInfoSecurity.com in the course of assessing and examining banking institutions and provides insight into the major areas of non-compliance. The following sections expand on examples of specific compliance review areas that an institution can apply during a Section 501(b) compliance assessment. They represent a combination of steps suggested by the language of GLBA Section 501(b), interpretive memos and documents produced by regulators, and BankInfoSecurity.com's project experience.
GLBA Section 501(b) Compliance Assessment
In a general memo released soon after GLBA became law, the Federal Deposit Insurance Corporation (FDIC) explained to its examiners that "the (GLBA) guidelines require each institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. While all parts of the institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated." This comment succinctly describes most of the significant information security challenges presented by GLBA Section 501(b):
- Comprehensive Information Security Program. Institutions must examine their information security program with the process goals of Protection, Detection, Response, and Governance in mind. An organization must evaluate the roles, responsibilities, and technologies used to operationalize each process goal.
- Written. The Information Security Program must be described in formal documentation. The documentation should be well organized and subject to defined governance (specifically change control) processes.
- Administrative Safeguards. Roles, responsibilities, policies, and procedures make up significant aspects of administrative safeguards. Once established, management or modification of these safeguards should be subject to governance processes.
- Technical Safeguards. Most organizations have instituted specific security technologies such as firewalls, IDS, and access control systems to enable technical safeguards. In order to comply with the information security requirements of GLBA Section 501(b), an organization must assess the effectiveness of the existing safeguards and identify the need for additional technical measures.
- Physical Safeguards. The regulation indicates that physical security should be considered in the context of GLBA. Physical protection measures should be subject to the same level of rigorous evaluation as technical and administrative safeguards.
- All Elements of the Information Security Program Must Be Coordinated. Banking institutions have an obligation to establish information security program standards and to coordinate adherence to those standards across the organization. Organizations need to evaluate the process of standards creation and the method by which adherence to standards is achieved. During ongoing audits and assessments, an organization must conduct sample testing in subsidiary organizations to audit compliance with the standards.