COMPLYING TO THE GRAMM-LEACH-BLILEY ACT

Author: Charles Baumert

 
A recent NetworkWorld survey reported that in 2002, 66% of IT managers increased their spending on IT security. Recent world events have certainly played a part in raising awareness of the importance of IT security and encouraging investment in this area. At the same time, government and industry regulators worldwide have been working steadily to put into place measurable and enforceable standards to ensure that business can be carried out in an environment of trust.
   
This paper summarizes several key elements of one of the most important pieces of government regulation on security.
   
On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley (G-L-B) Act (Pub. L. 106-102) into law. Section 501, entitled "Protection of Nonpublic Personal Information," requires the Agencies and the Securities and Exchange Commission, the National Credit Union Administration and the Federal Trade Commission to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical and physical safeguards for customer records and information. These safeguards are intended to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer. [1]
   
   
The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) have published final Guidelines that implement section 501 of the G-L-B Act. [2]
   
   
The Agencies retained July 1, 2001 as the effective date for these Guidelines. However, they also included a transition rule for contracts with service providers that provides a two-year period for grandfathering existing contracts. Thus a contract entered into on or before July 1, 2001 satisfied the provision of this part until July 1, 2003. [3]
   
   
The Board of Governors of the Federal Reserve System's final Guidelines apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations. The Board estimates that over 4,500 of the institutions are small institutions with assets of less than $100 million. [4]
   
   
   
   
Paragraph IIIC of 12 CFR Part 30 states:

C. Manage and Control Risk. Each bank shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank's activities. Each bank must consider whether the following security measures are appropriate for the bank, and if so, adopt those measures the bank concludes are appropriate.
   
   
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access. [5]
   
   
The solution, I believe, is secure leased lines from 2.4 Mbps to 52 Mbps, ATM from E1/T1 to OC-12, Frame Relay from 2 Mbps to 52 Mbps, and we offer IPSec VPNs up to 100 Mbps full duplex (200 Mbps) with Triple-DES encryption and 20,000 simultaneous connections.
   
   
Encryption appliances provide the following benefits:

Paragraph IIIC of 12 CFR Part 30 goes on to indicate the potential requirement for:

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information. [6]
   
   
Any solution must facilitate meeting this requirement in a number of ways.
   
   
Firstly, encryptors are standalone security devices which are not integrated into IT network equipment like routers or firewalls. This ensures maximum bandwidth availability and also maximum security. Integrated products typically have reduced performance when security is enabled and are also more subject to security breaches.
   
   
Secondly, solutions are centrally managed from a dedicated Security Network Management platform called PrivaCy Manager, which provides a Java-based platform for all of our VPN and WAN Security appliances. PrivaCy Manager's graphical representation of the network's topology and its point-and-click interface simplify the tasks of configuring, modifying and managing network security. Furthermore, PrivaCy Manager can implement a broad range of security policies for determining access to network security devices, while preventing unauthorized devices from masquerading as legitimate devices within a user's network. PrivaCy Manager's ease of management is one of our competitive advantages in helping our customers to lower their total cost of network security.

(PrivaCy Manager manages all the security functions in a network while a separate management system can be used for control of the IT network. This enables true segregation of duties.)
 
Paragraph IIID of 12 CFR Part 30 states:

D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers. [7]
   
   
This part of the regulations further expands the bank's scope of responsibility in ensuring that its information remains secure. Each bank has responsibility to understand the security aspects of its business and ensure that adequate measures are in place even if these services are outsourced.

In today's regulatory environment it is the responsibility of each bank to honestly assess its need for encryption and segregation of duties and to implement appropriate solutions.

Sources:
	
1) Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, p. 5. Issued by: Department of the Treasury; Federal Reserve System; Federal Deposit Insurance Corporation; Department of the Treasury.

2) Ibid., p. 2

3) Ibid., p. 40

4) Ibid., p. 53

5) Ibid., p. 109

6) Ibid., p. 109

7) Ibid., p. 110