The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


COMPLYING TO THE GRAMM-LEACH-BLILEY ACT

Author: Charles Baumert
Contributed by Cylink Corporation - 2003


A recent NetworkWorld survey reported that in 2002, 66% of IT managers increased their spending on IT security.  Recent world events have certainly played a part in raising awareness of the importance of IT security and encouraging investment in this area. At the same time government and industry regulators worldwide have been working steadily to put into place measurable and enforceable standards to ensure that business can be carried out in an environment of trust. 

This paper summarizes several key elements of one of the most important pieces of government regulation on security.  

On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley (G-L-B) Act (Pub. L.106-102) into law.  Section 501, entitled Protection of Nonpublic Personal Information, requires the Agencies and the Securities and Exchange Commission, the National Credit Union Administration and the Federal Trade Commission to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical and physical safeguards for customer records and information.  These safeguards are intended to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer. 1  

The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) have published final Guidelines that implement section 501 of the G-L-B Act. 2

The Agencies retained July 1, 2001 as the effective date for these Guidelines.  However, they also included a transition rule for contracts with service providers that provides a two-year period for grandfathering existing contracts.  Thus a contract entered into on or before July 1, 2001 satisfied the provisions of this part until July 1, 2003. 3

The Board of Governors of the Federal Reserve System’s final Guidelines apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations.  The Board estimates that over 4,500 of the institutions are small institutions with assets of less than $100 million. 4

Paragraph IIIC of 12 CFR Part 30 states:

Manage and Control Risk. 

Each bank shall:

1.   Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities.  Each bank must consider whether the following security measures are appropriate for the bank, and if so, adopt those measures the bank concludes are appropriate.

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access. 5

The solution, I believe, is secure leased lines from 2.4 Mbps to 52 Mbps, ATM from E1/T1 to OC-12, Frame Relay from 2 Mbps to 52 Mbps, and we offer IPSec VPNs up to 100 Mbps full duplex (200 Mbps) with Triple-DES encryption and 20,000 simultaneous connections.

Encryption appliances provide the following benefits:

  • Confidentiality/Privacy – keeps important information confidential, private and within the control of the owning organization.

  • Authentication – ensures that the identities of both the sender and the receiver of a communication are authentic before information is exchanged.

  • Information Integrity – ensures the integrity of information during transmission so that it may be relied upon as the basis of decisions and transactions.

Paragraph IIIC of 12 CFR Part 30 goes on to indicate the potential requirement for:

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information. 6

Any solution must facilitate meeting this requirement in a number of ways.

Firstly, encryptors are standalone security devices which are not integrated into IT network equipment like routers or firewalls.  This ensures maximum bandwidth availability and also maximum security.  Integrated products typically have reduced performance when security is enabled and are also more subject to security breaches.

Secondly, solutions are centrally managed from a dedicated Security Network Management platform called PrivaCy Manager, which provides a Java-based platform for all of our VPN and WAN Security appliances. PrivaCy Manager’s graphical representation of the network's topology and its point-and-click interface simplify the tasks of configuring, modifying and managing network security.  Furthermore, PrivaCy Manager can implement a broad range of security policies for determining access to network security devices, while preventing unauthorized devices from masquerading as legitimate devices within a user’s network.  PrivaCy Manager’s ease of management is one of our competitive advantages in helping our customers to lower their total cost of network security.

(PrivaCy Manager manages all the security functions in a network while a separate management system can be used for control of the IT network.  This enables true segregation of duties.)

Paragraph IIID of 12 CFR Part 30 states:

D. Oversee Service Provider Arrangements.  

Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2.  As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers. 7

This part of the regulations further expands the bank’s scope of responsibility in ensuring that its information remains secure.  Each bank has responsibility to understand the security aspects of its business and ensure that adequate measures are in place even if these services are outsourced.

In today’s regulatory environment it is the responsibility of each bank to honestly assess its need for encryption and segregation of duties and to implement appropriate solutions.


Sources:

1) Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness p.5

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency,
12 CFR Part 30
Docket No. 00-35
RIN 1557- AB84

FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 225 and 263
Docket No. R-1073

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308 and 364
RIN 3064-AC39

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568 and 570
Docket No. 2000-112
RIN 1550-AB36

2) Ibid, p.2

3) Ibid, p. 40

4) Ibid, p. 53

5) Ibid, p. 109

6) Ibid, p. 109

7) Ibid, p.110


© Copyright The Business Forum Institute 1982 - 2010  All rights reserved.