Financial institutions must comply with the "Guidelines Establishing Standards for Safeguarding Customer Information" (guidelines) as issued pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA). The guidelines were published in the Federal Register on February 1, 2001, and became effective on July 1, 2001. When financial institutions introduce e-banking or related support services, management must re-assess the impact on customer information under the GLBA. The guidelines require financial institutions to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The guidelines outline specific measures institutions should consider in implementing a security program. These measures include:
- Identifying and assessing the risks that may threaten consumer information. In order to perform a risk assessment, a financial institution gathers information about the internal and external environment, analyzes that information, and produces a prioritized list of risks to be mitigated. This assessment guides the testing program, indicating which controls should be subject to more frequent or rigorous testing;
- Developing a written plan containing policies and procedures to manage and control these risks;
- Implementing and testing the plan; and
- Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security.
The guidelines also outline the responsibilities of management to oversee the protection of customer information including the security of customer information maintained or processed by service providers. Oversight of third-party service providers and vendors is discussed in this booklet under the headings "Board and Management Oversight" and "Managing Outsourcing Relationships." Additional information on the guidelines can be found in the IT Handbook's "Management Booklet." The IT Handbook's "Information Security Booklet" presents additional information on the risk assessment process and information processing controls.
The guidelines required by the GLBA apply to customer information stored in electronic form as well as paper-based records. Examination procedures specifically addressing compliance with the GLBA guidelines can be accessed through the agency websites listed in the reference section of this booklet. Although the guidelines supporting GLBA define customer as "a consumer who has a customer relationship with the institution," management should consider expanding the written information security program to cover the institution's own confidential records as well as confidential information about its commercial customers.