impossible for ideas to compete in the marketplace if no forum for
COMPLYING TO THE GRAMM-LEACH-BLILEY ACT
Author: Charles Baumert
NetworkWorld survey reported that in 2002, 66% of IT managers increased their
spending on IT security. Recent world events have certainly played
a part in raising awareness of the importance of IT security and encouraging
investment in this area. At the same time government and industry
regulators worldwide have been working steadily to put into place measurable
and enforceable standards to ensure that business can be carried out in an
environment of trust.
summarizes several key elements of one of the most important pieces of
government regulation on security.
12, 1999, President Clinton signed the Gramm-Leach-Bliley (G-L-B) Act (Pub.
L.106-102) into law. Section 501, entitled Protection of Nonpublic
Personal Information, requires the Agencies and the Securities and Exchange
Commission, the National Credit Union Administration and the Federal Trade
Commission to establish appropriate standards for the financial institutions
subject to their respective jurisdictions relating to the administrative,
technical and physical safeguards for customer records and information.
These safeguards are intended to: (1) Insure the security and confidentiality
of customer records and information; (2) protect against any anticipated
threats or hazards to the security or integrity of such records; and (3)
protect against unauthorized access to or use of such records or information
that would result in substantial harm or inconvenience to any customer. 1
The Office of
the Comptroller of the Currency, Board of Governors of the Federal Reserve
System, Federal Deposit Insurance Corporation, and Office of Thrift
Supervision (collectively, the Agencies) have published final Guidelines that
implement sections 501 of the G-L-B Act. 2
The Agencies retained July 1, 2001 as the effective date for these Guidelines.
However, they also included a transition rule for contracts with service
providers that provides a two-year period for grand fathering existing
contracts. Thus a contract entered into on or before July 1, 2001
satisfied the provision of this part until July 1, 2003. 3
The Board of
Governors of the Federal Reserve System’s final Guidelines apply to
approximately 9,500 institutions, including state member banks, bank holding
companies and certain of their non bank subsidiaries or affiliates, state
uninsured branches and agencies of foreign banks, commercial lending companies
owned or controlled by foreign banks, and Edge and Agreement corporations.
The Board estimates that over 4,500 of the institutions are small institutions
with assets of less than $100 million. 4
of 12 CFR Part 30 states:
Manage and Control Risk.
Each bank shall:
Design its information security program to control the identified risks,
commensurate with the sensitivity of the information as well as the complexity
and scope of the bank’s activities. Each bank must consider whether
the following security measures are appropriate for the bank, and if so, adopt
those measures the bank concludes are appropriate.
of electronic customer information, including while in transit or in storage
on networks or systems to which unauthorized individuals may have access.
solution I believe is secure leased lines from 2.4 Mbps to 52 Mbps, ATM from E1/T1 to
OC-12, Frame Relay from 2 Mbps to 52 Mbps, and we offer IPSec VPNs up to 100
Mbps full duplex (200 Mbps) with Triple-DES encryption and 20,000 simultaneous
appliances provide the following benefits:
of 12 CFR Part 30 goes on to indicates the potential requirement for:
control procedures, segregation of duties, and employee background checks for
employees with responsibilities for or access to customer information.6
must facilitate meeting this requirement in a number of ways.
encryptors are standalone security devices which are not integrated into IT
network equipment like routers or firewalls. This ensures maximum
bandwidth availability and also maximum security. Integrated products
typically have reduced performance when security is enabled and also more
subject to security breaches.
solutions are centrally managed from a dedicated Security Network Management
platform called PrivaCy Manager, which provides a Java-based platform for all
of our VPN and WAN Security appliances. PrivaCy Manager’s graphical
representation of the network's topology and its point-and-click interface
simplifies the tasks of configuring, modifying and managing network security.
Furthermore, PrivaCy Manager can implement a broad range of security policies
for determining access to network security devices, while preventing
unauthorized devices from masquerading as legitimate devices within a user’s
network. PrivaCy Manager’s ease of management is one of our
competitive advantages in helping our customers to lower their total cost of
(PrivaCy Manager manages all the security functions in a network while a separate management system can be used for control of the IT network. This enables true segregation of duties.
of 12 CFR Part 30 states:
D. Oversee Service Provider Arrangements.
Each bank shall
appropriate due diligence in selecting its service providers
2. Require its
service providers by contract to implement appropriate measures
designed to meet the objectives of these Guidelines; and
indicated by the bank’s risk assessment, monitor its service providers to
confirm that they have satisfied their obligations as required by paragraph
D.2. As part of this monitoring, a bank should review audits, summaries
of test results, or other equivalent evaluations of its service providers. 7
This part of
the regulations further expands the bank’s scope of responsibility in
ensuring that its information remains secure. Each bank has
responsibility to understand the security aspects of its business and ensure
that adequate measures are in place even if these services are outsourced.
In today’s regulatory environment it is the responsibility of each bank to honestly assess its need for encryption and segregation of duties and to implement appropriate solutions.
Interagency Guidelines Establishing Standards for
Safeguarding Customer Information and Rescission of Year 2000 Standards for
Safety and Soundness p.5
DEPARTMENT OF THE TREASURY
FEDERAL RESERVE SYSTEM
FEDERAL DEPOSIT INSURANCE
DEPARTMENT OF THE TREASURY
2) Ibid, p.2
3) Ibid, p. 40
4) Ibid, p. 53
5) Ibid, p.
6) Ibid, p.
7) Ibid, p.110
Visit the Authors Web Site
Inquiry Only - No Cost Or Obligation
Click Here for The Business Forum Library of White Papers
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business