The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
What is it?
The Gramm-Leach-Bliley Act (GLBA) removed restrictions that prevented any one financial institution from operating as any combination of an investment bank, commercial bank, or insurance company. It is also known as the Financial Services Modernization Act of 1999.
Who oversees it?
The Federal Reserve Board and the Federal Trade Commission.
Who does it apply to?
The GLBA applies to any “financial institution”, defined as any company that offers financial products or services to individuals. These products and services may include, but are not limited to, loans, financial advice, or insurance.
How does it impact IT professionals?
IT professionals may be called upon by their clients to assist in developing and maintaining a comprehensive Information Security Policy. Additionally, GLBA requirements call for a firewall that blocks traffic from untrusted networks and for hardening of the hosts where financial data is held.
What do your clients need to be GLBA compliant?
- Deploy and maintain a secure firewall that denies untrusted traffic.
- Limit network access to ports and services to only those deemed essential for operation.
- Perform and document network vulnerability assessments at least semi-annually.
- Implement Intrusion Detection Systems (IDS) on hosts with sensitive data.
- House devices that process or store financial data in a physically secure location, accessible only by those with a business need to know.
- Security patches and updates should be applied as soon as possible, or automatically when possible.
- Monitor for announced vulnerabilities in hardware and software.
- Implement and maintain a trusted anti-virus solution.
- Where possible, host-based firewalls should be implemented.
- Services and applications should be limited to the minimum needed to accomplish business tasks.
- No vendor-supplied default passwords should be permitted on hardware or software installations.
- Individual access to systems with financial data should be limited to those users with a business need to know.
- Financial data collected and stored should be the minimum amount required to conduct business functions.
- Encrypted transmission and storage of financial data should be utilized for all devices, including laptops and portable media.
- Devices processing or storing financial data should log all relevant security and access information. These logs should be reviewed daily and retained for at least 90 days.
- Financial data should be backed up regularly, and the backups should be tested regularly. Backups should be stored in a secure location both on-site and off-site.
- Sensitive data that is no longer retained based on business need should be securely disposed of by an approved information disposal vendor.
User Account Security
- A policy will be implemented and maintained that establishes a unique identifier for each user (User ID).
- Authentication for a User ID will be based upon the sensitivity of the data.
- In cases where a User ID and password are used for authentication, the password must be encrypted.
Software that is developed internally should be based on secure coding practices and reviewed for vulnerabilities.
Information Security Policy
- Each organization or department processing or storing financial data shall develop and implement an Information Security Policy that establishes procedures for computer incident reporting and response.
- Each organization or department processing or storing financial data shall provide annual information security training.
- Each external vendor will be required to meet the security standards set out in the GLBA.
What are the dangers of not being GLBA compliant?
- Fines of up to $1,000,000
- Termination of management and possible prohibition on working in the banking/financial industry
- Imprisonment for more than 10 years
- Termination of FDIC insurance
For more information about GLBA compliance and the possible penalties for non-compliance, see: http://ecora.com/Ecora/whitepapers/IDRS_GLBA.pdf
Event and Audit Log Retention Requirements
In order to maintain GLBA compliance, event and audit logs must be retained for a period of six years.
GLBA Compliance Services at a Glance
MSPs can provide value to their clients by providing a comprehensive Information Security Policy that documents both network and user security. Access controls should be implemented on any host that houses sensitive data and these access controls should be documented within the Information Security Policy.
Additionally, MSPs may be called upon to provide security hardening services for hosts that store or process sensitive financial data.