Elevate’s GLBA 501(b) compliance services include:
Ensuring your workforce and board of directors are aware of their responsibilities for compliance.
Risk Assessment – Elevate’s methodology for the GLBA Risk Assessment is based on a phased approach with the following steps:
- Asset Inventory: Elevate will work with our clients to document the inventories and the classification of assets to ensure mission-critical assets are evaluated and classified.
- Threat Analysis: Elevate will work with our clients to determine existing and emerging threats, system vulnerabilities, and controls to reduce risks identified for the information assets in scope. Furthermore, the likelihood of occurrence, the severity of impact as well as the risk level will be evaluated.
- Controls/Safeguard Analysis: During this phase, Elevate evaluates the controls our financial services clients have implemented to reduce risks to an acceptable level. Elevate reviews whether the implemented controls are sufficient, and it is during this phase that recommendations to mitigate the identified remaining risks are developed.
- Reporting and Recommendations: Elevate provides actionable recommendations and the elements of reporting required for GLBA compliance.
GLBA: Proposed Amendments to the Safeguards Rule
In March 2019, the Federal Trade Commission (FTC) published a set of proposed amendments to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
The FTC’s proposed amendments to the Safeguards Rule would add more detailed requirements on how financial institutions must protect customer information. The proposed amendments are generally consistent with the insurance data security model law issued by the National Association of Insurance Commissioners (NAIC) and the New York Department of Financial Services (NYDFS) cybersecurity regulations.
Under the amendments, applicable financial institutions would be required to:
Designate a single qualified individual to serve as the Chief Information Security Officer (CISO):
The proposed amendment would no longer allow financial institutions to designate more than one employee to manage the information security program. The CISO may be an employee of an affiliate or a service provider rather than of the financial institution itself. The financial institution would, however, still need to:
- retain responsibility for compliance with the Rule;
- designate a senior member of its personnel to be responsible for direction and oversight of the CISO, and
- require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule.
Conduct information security risk assessments:
The risk assessments must be written and must follow criteria for evaluating the individual risks the institution faces, based on its particular information systems and the customer information it possesses. Additionally, the risk assessment must describe how the financial institution will mitigate or accept each identified risk and how its information security program will address those risks.
Design and implement various elements within the information security program, including:
- Access controls to authenticate authorized users of information systems
- Inventories of data, personnel, devices, systems, and facilities
- Access controls to restrict access to physical locations containing customer information
- Encryption of all customer information in transit and at rest
- Secure development practices for applications developed in-house and used for transmitting, accessing, or storing information
- Multi-factor authentication for any individual accessing customer information or internal networks that contain customer information
- Audit trails to detect and respond to security events
- Procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes
- Change management procedures for additions, deletions, or modifications to the information systems
- Monitoring of authorized user activity, and for unauthorized access to, use of, or tampering with customer information
- Security awareness training for all personnel who are able to handle, access, or dispose of customer information
- Reporting by the CISO, at least annually, to the institution’s Board or equivalent