Slashdot Mirror


Gramm-Leach-Bliley Act and Its Impact on Sysadmins?

NetworkCop asks: "Hi, I was recently reading a white paper on a company that helped banks to comply with the Gramm-Leach-Bliley Security Act. However, it sounded like it was a simple Nessus/NMAP scan. Does anyone here have experience implementing the requirements of this Act on a *nix platform?"

6 of 17 comments

  1. In case you are like me.... by sweetooth · Score: 4, Informative

    and have never heard of this. Here is a link to some info on it.

  2. Lawyer by falsification · Score: 3, Informative
    Talk to an attorney. You should be able to consult with your corporate legal counsel. If you don't know who that is, ask an upper management type.

    If you work at a university, or other organization, talk to your entity's legal counsel.

    There is no substitute for professional legal advice which applies to your particular situation.

  3. GLB requirements by Thu Anon Coward · Score: 5, Informative

    I examine financial institutions (credit unions) in the area of IT controls and policies and procedures. I can tell you that the GLB Act basically specifies 3 things.
    They are:
    -all data is private, you must keep it secure
    -vendors handling your data must keep it at least as secure as you are required to
    -I can't remember the 3rd at this time of night

    Anyway, if I found out during the exam that the party who performed an "audit" only did a simple port scan, I certainly wouldn't hesitate in letting the credit union know that they were taken advantage of and their "security audit" was most likely unacceptable and could not be relied upon as showing due diligence in execution of their duties. I've had some extremely small credit unions tell me that their DSL Internet connection has a firewall... a Linksys cable/modem router and ZoneAlarm Pro! And they were serious!

    Due to varying circumstances, I give a lot of leeway in what is required of these financial institutions. I don't necessarily require them to have an IDS or a firewall. It all depends on their particular circumstances. However, if there is even a possibility of remote access, I scrutinize their setups and make recommendations on what they can do to improve the situation and cover their asses.

    --
    I'm good with numbers - .45, 7.62, 9.....
  4. GLBA Compliance Requirements by bongk · Score: 5, Informative
    If you are a sysadmin trying to understand what you need to do to comply with GLBA, some of the best resources are:
    Interagency Guidelines Establishing Standards For Safeguarding Customer Information

    Interagency Guidelines .. Federal Reserve System Examiner Guidance

    In our GLBA audits, some of the things examiners were looking for the most were:
    • A written security program that coordinates all aspects of the physical and electronic data security
    • A risk assessment that details systems and the data they contain, vulnerabilities and threats, controls in place to mitigate threats, and the overall effectiveness of controls
    • Vendor management policies and practices
    • Involvement, approval, and annual reporting to the board of directors of the security program
    While a penetration test is definitely one part of what is necessary to obtain GLBA compliance, there is a great deal more than that.

    One last excellent resource is the FFIEC Information Technology Examination Handbook.


    Kevin

  5. Re:Just like HIPPA by Anonymous Coward · Score: 1, Informative

    I even know how to spell it...HIPAA

    stands for Health Insurance Portability and Accountability Act