GLBA / FFIEC Compliance


Named for its three sponsors, Senators Gramm, Leach, and Bliley, the Financial Services Modernization Act of 1999 (also known as GLBA) was passed by the US Federal Government and includes provisions to protect consumers' personal financial information held by financial institutions.

As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule under section 501(b), requiring financial institutions under FTC jurisdiction to secure customer records and information. The three main objectives of GLBA 501(b) are to:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of such records
  • Protect against unauthorized access or use of such records or information which could result in substantial harm or inconvenience to any customer.

The Federal Financial Institutions Examination Council (FFIEC), made up of examiners from the many regulatory bodies tasked with GLBA enforcement, has created an Information Security Handbook and an exhaustive set of tests to assess compliance with the Safeguards Rule. The security process recommended by the FFIEC comprises five key areas:

  • Information security risk assessment
  • Information security strategy
  • Security controls implementation
  • Security testing
  • Monitoring and updating

Addressing GLBA and Related Acts with IPLocks

GLBA and related acts carry stiff penalties for organizations that fail to keep customer data safe, making software such as IPLocks an organization's best friend. The following section enumerates some FFIEC guidelines for GLBA, then identifies how IPLocks addresses each guideline:

  • Information Security Assessment: gather data on assets and on threats to those assets
    • IPLocks can auto-discover all databases on your network
    • IPLocks can probe for weaknesses in database security and recommend how to fix those weaknesses
  • Security Strategy that includes prevention, detection, and response
    • IPLocks hardens databases
    • Monitors access for policy violations and anomalous activity
    • Responds in near real time to security policy violations
    • Audits configuration changes and vulnerability exposures
  • IDS/IPS monitoring of incoming and outgoing traffic
    • Monitors user and application access for anomalous activity
    • Automatically disconnects "bad" sessions
    • Integrates with existing ticketing systems for security control
  • Hardening: minimum system requirements, disallowing non-compliant activity
    • IPLocks tests for custom configurations and automates monitoring and enforcement of configuration policy
  • Security Monitoring: policy violations, anomalous activity, security events
    • IPLocks continuously monitors for security events, anomalous behavior, configuration changes, policy violations, and vulnerability exposure