The Gramm-Leach-Bliley Act is a U.S. federal law created to control how financial institutions deal with a consumer’s non-public personal information (NPI). This is information that a financial institution collects when providing a financial product or service that can identify an individual and that isn’t otherwise publicly available.
The Act has three main elements:
- The Privacy Rule, which regulates the collection and use of NPI
- The Safeguards Rule, which requires financial institutions to implement a security program to protect NPI
- Pretexting provisions, which prohibits access to NPI under false pretence
It’s beyond this article to provide a detailed description of the Act, but readers can learn more about the general provisions, privacy rule and safeguards rule by following the links under the Sources heading.
From a compliance point of view, the principles that need to be met are:
- Ensuring the security and confidentiality of NPI
- Protecting against unauthorized access which could cause substantial harm or inconvenience to any customer
- Protecting against any threats which might affect the security or integrity of NPI
This article recommends a series of steps that will ensure these principles are met and GLBA compliance is achieved.
1. Understand the Regulation and How It Applies to You
Review the Act, with help from your legal team when needed, to make sure you understand the scope and how it applies to your company. This might seem a very basic first step, but it will ensure you have a firm foundation for designing and implementing your compliance program.
Use the review to identify the main implications that need to be considered in detail as you work through the remaining steps.
2. Conduct a Risk Assessment
The goals of the risk assessment are to catalog the systems used for managing NPI and to identify threats and vulnerabilities that put (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Brian Hickey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/orw_d33Wwcg/