The Financial Services Modernization Act, better known as the Gramm-Leach-Bliley Act (GLBA), requires that financial institutions ensure the security of customer data, protect data against known or anticipated risks and secure data to protect it from unauthorized access.
In order to protect against risks, financial organizations must first perform a vulnerability and/or risk assessment to identify the risks that could compromise their data, and determine what the potential effects of the risk could be. With that information, financial firms can then make intelligent choices about how to best allocate security resources to protect customer data and ensure GLBA compliance.
Risk assessment objectives
Before analyzing the security of your network or performing a risk assessment, first understand what the objectives are. In a perfect world, network should be secure in every way possible, but with limited time and resources with which to conduct the assessment, stay focused on the GLBA requirements despite temptation to do otherwise.
Since the goal of a GLBA risk assessment is to determine whether existing security measures sufficiently protect customer data -- that includes any known and anticipated threats, internally or externally -- examine the technical, physical, management and policy-based controls in place to verify that they are adequate. Consider how existing security controls compare with security controls used by other financial firms. Once it's determined where improvements can be made, establish what additional controls need to be in place in order to maintain an acceptable level of risk, and the most cost-effective, expeditious way to put them in place.
What to look for
Protecting customer data relies on more than simply password-protecting or encrypting the data itself. Approach the task from a broad perspective, and consider each of the following areas:
- Network security controls
- External or remote security measures
- Security policies and procedures
- Physical security of IT assets
- Physical security of hard copy documentation
- Incident-response procedures
- User education and awareness
- Disaster recovery and business-continuity plans
- Third-party security (vendors/suppliers/outsourcing)
For some of these areas, such as security policies and procedures, or disaster recovery and business continuity plans, it is a matter of ensuring that the policies and plans exist, that they function properly, and that the key stakeholders required to execute them are aware of the procedures and trained to follow them.
Physical security of both IT and hard copy document assets is key as well. Firewalls, intrusion detection systems (IDS) and other information security measures will have little effect if a thief simply walks off with the hard drive or backup tape containing customer data or manages to acquire hard copy documentation containing confidential customer data. Make sure that customer data is protected physically and that only those who are authorized and have a need to access the data are able to do so.
Assessing network security controls
There are a number of areas to examine regarding the security controls in place internally on the network. You will probably identify some areas that need to be tweaked or improved, but GLBA does not impose any extraordinary measures that shouldn't already be in place. Here are some of the key aspects to consider:
- Enforcing secure passwords
- Restricting file and folder access to authorized personnel
- Restricting firewalls / router access lists
- Protecting antimalware
- Restricting and securing remote access
- Fault tolerance and continuity of service for critical systems
- Auditing and logging of security events
- Ongoing monitoring of network security
- Securing wireless networks
While it is possible to perform the GLBA assessment manually, much of the effort can be expedited by using tools that can automate the process. For financial organizations that rely completely (or at least primarily) on Microsoft Windows operating systems and applications, the free Microsoft Baseline Security Analyzer tool can quickly scan network systems and provide a report to help identify at-risk systems.
Another approach involves using the Nessus vulnerability scanner from Tenable Network Security. Nessus is more comprehensive, looking beyond the scope of Microsoft products, and it also provides a GLBA-specific scanning plug-in. While Nessus is available for free, a subscription is required in order to obtain the GLBA plug-in.
Completing the assessment
Aside from analyzing policies and procedures, physical access security and internal network security controls, GLBA also requires that customer data be protected from external risks. Financial organizations need to ensure that confidential or sensitive information is not available outside of the network. It may be beneficial to engage a third-party security organization to examine external security. A penetration test can help identify the resources and information available externally, and the vulnerabilities in your network defenses.
Finally, GLBA isn't the only regulation in town. For financial organizations that must comply with other regulations in addition to GLBA, such as PCI DSS or FFIEC, make sure that new security controls satisfy all of your compliance requirements and that there are no conflicts.
About the author:
Tony Bradley is a CISSP, and a Microsoft MVP. He is a Security Consultant with BT in Houston. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.
This was first published in April 2008