Gramm-Leach-Bliley Act and Its Impact on Sysadmins?
NetworkCop asks: "Hi, I was recently reading a white paper on a company that helped banks to comply with the Gramm-Leach-Bliley Security Act. However, it sounded like it was a simple Nessus/NMAP scan. Does anyone here have experience implementing the requirements of this Act on a *nix platform?"
and have never heard of this. Here is a link to some info on it.
If you work at a university, or other organization, talk to your entity's legal counsel.
There is no substitute for professional legal advice which applies to your particular situation.
...are these laws or other regulations that require banks and such to follow certain (presumably proper) security practices?
Can this be extended to other industries, with the goal of making companies responsible for their own failures?
I guess they just don't teach 'em like they used to.
Yawn.
I examine financial institutions (credit unions) in the area of IT controls and policies and procedures. I can tell you that the GLB Act basically specifies 3 things.
They are:
-all data is private, you must keep it secure
-vendors handling your data must keep it at least as secure as you are required to
-I can't remember the 3rd at this time of night
Anyway, if I found out during the exam that the party who performed an "audit" only did a simple port scan, I certainly wouldn't hesitate in letting the credit union know that they were taken advantage of and that their "security audit" was most likely unacceptable and could not be relied upon as showing due diligence in the execution of their duties. I've had some extremely small credit unions tell me that their DSL Internet connection has a firewall... a Linksys cable/modem router and ZoneAlarm Pro! And they were serious!
Due to varying circumstances, I give a lot of leeway in what is required of these financial institutions. I don't necessarily require them to have an IDS or a firewall. It all depends on their particular circumstances. However, if there is even a possibility of remote access, I scrutinize their setups and make recommendations on what they can do to improve the situation and cover their asses.
I'm good with numbers -
I'm beginning to think slash should include a spell checker, and warn before committing a story.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
The GLBA requires more than just locking down computers. You MUST have a person designated as the security officer, you MUST renew privacy choices with customers, you MUST track where data goes, you MUST secure information including paper. It is a process. You should read the law. And get a lawyer to help. This should not be up to the IT people. Management should be dealing with this.
This is basically the same as HIPAA. There's a boatload of stuff about that. You know how to google?
Interagency Guidelines Establishing Standards For Safeguarding Customer Information
Interagency Guidelines
In our GLBA audits, some of the things examiners were looking for the most were:
- A written security program that coordinates all aspects of the physical and electronic data security
- A risk assessment that details systems and the data they contain, vulnerabilities and threats, controls in place to mitigate threats, and the overall effectiveness of controls
- Vendor management policies and practices
- Involvement, approval, and annual reporting to the board of directors of the security program
While a penetration test is definitely one part of what is necessary to obtain GLBA compliance, there is a great deal more than that. One last excellent resource is the FFIEC Information Technology Examination Handbook.
Kevin
The FFIEC recently posted a new information security examination handbook. Because the booklet "serves as a supplement to agency GLBA 501(b) expectations", it may answer your questions.