Compliances
Gramm-Leach-Bliley Act, Protection of Customer Information Guidelines
What does the Gramm-Leach-Bliley Act (GLBA) require for the protection of customer information? Here are simple guidelines based on Section V and the amendment in Appendix B. The act requires the institution not only to protect customer information but also to assess and then control the IT risk.
Section V of the Gramm-Leach-Bliley Act of 1999
Governs privacy in the context of Financial Institution Safeguards.
Section 501(a): It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic information.
Section 501(b): Establish appropriate standards for the financial institutions subject to their jurisdictions relating to administrative, technical, and physical safeguards:
1. To insure the security and confidentiality of customer records and information;
2. To protect against anticipated threats or hazards to the security or integrity of such records; and
3. To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Appendix B to Part 570
Outlines the Agency's expectations for the creation, implementation, and maintenance of an information security program. This program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The guidelines describe the oversight role of the board of directors in this process and management's continuing duty to evaluate and report to the board on the overall status of this program.
User Account Management and Governance for FISMA and ISO 27001 Audit

Objectives
- The organization manages information system accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts;
- The organization defines in the security plan, explicitly or by reference, the frequency of information system account reviews and the frequency is at least annually;
- The organization reviews information system accounts in accordance with organization-defined frequency; and
- The organization initiates required actions on information system accounts based on the review.
IT Security Governance Implementation Strategy Checklist

Download free IT Security Governance Implementation Strategy Checklist:
1. Define and enumerate the desired outcomes for the information security program
2. Determine the objectives necessary to achieve those outcomes
3. Describe the attributes and characteristics of the desired state of security
Information Security Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA)

Download free Information Security Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA). The purpose of this memorandum is to establish a management agreement between "Organization A" and "Organization B" regarding the development, management, operation, and security of a connection between "System A," owned by Organization A, and "System B," owned by Organization B. This agreement will govern the relationship between Organization A and Organization B, including designated managerial and technical staff, in the absence of a common management authority.
Security Incidents:
Basel II Effective Risk Management Control, Measurement and Validation Checklist
Effective risk management and control
• Banks must meet a series of qualitative standards, including: the existence of an independent risk control and audit function, effective use of risk reporting systems, active involvement of board of directors and senior management, and appropriate documentation of risk management systems.
• Banks must establish an independent operational risk management and control process, which covers the design, implementation and review of its operational risk measurement methodology. Responsibilities include establishing the framework for the measurement of operational risk and control over the construction of the operational risk methodology and key inputs.
• Banks' internal audit groups must conduct regular reviews of the operational risk management process and measurement methodology.
Measurement and validation
• Banks must have appropriate risk reporting systems to generate data used in the calculation of a capital charge and the ability to construct management reporting based on the results.
• Banks must begin to systematically track relevant operational risk data by business line across the firm. It should be noted that the ability to monitor loss events and effectively gather loss data is a basic step for operational risk measurement and management and is a pre-requisite for movement to the more advanced regulatory approach.
• Banks will have to develop specific, documented criteria for mapping current business lines and activities into the standardised framework. In addition, a bank should regularly review the framework and adjust for new or changing business activities and risks as appropriate.