As we move into the second decade of managing information risks under the regulatory oversight of Section 501(b)...
of the Gramm-Leach-Bliley Act, it's clear that we continue to face many of the same issues we faced in 2001 when the regulation took effect. Section 501(b) of GLBA requires each financial institution to respect the privacy of its customers and protect the security and confidentiality of nonpublic personal information. As the pace of technology change remains rapid, protecting customer information continues to be a challenge.
Security is commonly one step behind the innovation curve. Nevertheless, GLBA compliance requires us to analyze the risks before moving customer information into emerging technology models such as voice over IP (VoIP) systems or cloud computing. The regulation requires us to assess the risks associated with new technologies even though we may not completely understand where the data will be stored, who will have access to it, and how well we are prepared to protect the confidentiality of the information.
Multimedia like VoIP has changed the nature of the information we manage. VoIP systems process electronic conversations, including conversations that include sensitive customer information. Similarly, systems such as remote deposit capture (RDC) process check information in the form of digital images. The images obviously contain the most sensitive customer information, including account numbers.
New technologies that manage customer data such as VoIP require careful risk assessment and application of overall risk management goals despite a common lack of understanding about the nature of the new technologies themselves. It is fair to say that most network projects aimed at implementing VoIP are more concerned with cutting costs than with stored and cached phone conversations that may contain customer information, and therefore fall within the scope of GLBA requirements.
We are also increasingly seeing some of the same challenges with respect to cloud computing: We're not quite sure what it means with respect to security, but the potential gains in efficiency and cost are driving us towards it. Clearly, organizations would be well served to invest time and effort early in the process to identify and assess observable risks in any new technology that processes customer data.
There are many types of risk assessments conducted continuously related to the information systems of a bank, and VoIP and cloud would presumably be covered from an IT controls perspective. 501(b), however, is concerned with the assessments of risks to customer information. That is different than, say, assessing the risks faced by a data center, or a single application. Organizations struggle at times to understand the focus is on the information and not necessarily on the technology and systems used to process the information.
Most importantly, with respect to 501(b), an organization must place emphasis on identification of all customer information within its architecture -- including data in both electronic and non-electronic formats -- in order to establish a foundation for developing an understanding of the true nature of the risks they face.
About the author:
Paul Rohmeyer is a faculty member in the graduate school at Stevens Institute of Technology. He provides technology risk management guidance to firms in the financial services industry, and previously held management positions in the financial services, telecommunications and pharmaceutical industries.