TITLE V - PRIVACY
Financial institutions that are regulated by the Federal Reserve Bank (FRB), Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), Office of Thrift Supervision (OTS), Securities and Exchange Commission (SEC) and state insurance authorities are called upon to comply with the privacy provisions of the Gramm-Leach-Bliley Act, specifically the section entitled TITLE V - PRIVACY.
Developed Standards for Safeguarding Information
The Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Bank (FRB) all published final guidelines that establish standards for safeguarding customer information and implement sections 501 and 505(b) of the Gramm-Leach-Bliley Act (G-L-B Act), called the:
Interagency Guidelines Establishing Standards for Safeguarding Customer Information
The National Credit Union Administration (NCUA) also put together security requirements, covering the security of member information, to implement provisions of the Gramm-Leach-Bliley Act. These evolved into the:
National Credit Union Administration (NCUA) Guidelines for Safeguarding Member Information
The objectives of the "Interagency" and the "NCUA" guidelines for safeguarding information are the following:
1) Ensure the security and confidentiality of customer/member information
2) Protect against any anticipated threats or hazards to the security or
integrity of such information; and
3) Protect against unauthorized access to or use of such information that
could result in substantial harm or inconvenience to any customer/member.
The "Interagency" and the "NCUA" guidelines also describe how to develop and implement customer/member information security programs that contain the following elements:
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Agreements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
Gramm-Leach-Bliley Act Related Links:
OCC Preparedness Questionnaire
OCC InfoSec Exam Procedures
FRB InfoSec Exam Procedures
Privacy Exam Procedures
Solution:
AppDetective™ fulfills data confidentiality, integrity and overall
"unauthorized access" requirements in achieving the information safeguard
objectives developed by the FRB, FDIC, OCC, NCUA, OTS in bringing your
enterprise applications into compliance with the Gramm-Leach-Bliley Act. The
following capabilities of AppDetective™ make this possible:
AppDetective™ is an easy-to-execute solution that fulfills the security measures detailed in the following sections on developing an information security program by the FRB, FDIC, OCC, NCUA, and the OTS:
B. Assess Risk. Each bank / holding bank / credit union shall:
- Identify reasonably foreseeable Internet and external threats that could
result in unauthorized disclosure, misuse, alteration, or destruction of
customer information or customer information systems.
- Assess the likelihood of potential damage of these threats, taking into
consideration the sensitivity of customer information.
- Assess the sufficiency of policies, procedures, customer information
systems, and other arrangements in place to control risks.
C. Manage and Control Risk. Each bank / holding bank / credit union shall:
- Design its information security program to control the identified risks,
commensurate with the sensitivity of the information as well as the
complexity and scope of the bank's activities. Each bank/holding
company/credit union must consider whether the following security measures
are appropriate for the bank and, if so, adopt those measures the bank
concludes are appropriate:
a. Monitoring systems and procedures to detect actual and attempted
attacks on or intrusions into customer/member information systems.
b. Response programs that specify actions for you to take when you suspect
or detect that unauthorized individuals have gained access to
customer/member information systems, including appropriate reports to
regulatory and law enforcement agencies.
- Train staff to implement the bank/holding bank/credit union information
security program.
- Regularly test the key controls, systems and procedures of the
information security program. The frequency and nature of such tests should
be determined by the bank's / holding company's / credit union's risk
assessment. Tests should be conducted or reviewed by independent third
parties or staff independent of those that develop or maintain the security
programs.
D. Oversee Service Provider Agreements. Each bank / holding bank / credit
union shall:
- Exercise appropriate due diligence in selecting its service providers;
- Require its service providers by contract to implement appropriate
measures designed to meet the objectives of these Guidelines; and
- Where indicated by the bank's / holding company's / credit union's risk
assessment, monitor its service providers to confirm
E. Adjust the Program (NCUA).
- Each credit union should monitor, evaluate, and adjust, as appropriate, the
information security program in light of any relevant changes in technology,
the sensitivity of its member information, internal or external threats to
information, and the credit union's own changing business arrangements, such
as mergers and acquisitions, alliances and joint ventures, outsourcing
arrangements, and changes to member information systems.
F. Adjust the Program (Interagency).
- Where indicated by the bank's risk assessment, monitor its service
providers to confirm that they have satisfied their obligations as required
by section D.2. As part of this monitoring, a bank should review audits,
summaries of test results, or other equivalent evaluations of its service
providers.