Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, August 11, 2006

Implementing Information Safeguards Under Gramm-Leach-Bliley

The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information.  The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer.

The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program.

The FTC has published a complete list of safeguards at  When implementing the Safeguards Rule, a company must consider all areas of its operation, especially employee management and training; information systems; and managing system failures.  Companies may also want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the confidentiality and security standards for handling that information.  The Safeguards Rule also requires financial institutions to maintain security within their information systems - which include network and software design as well as information processing, storage, transmission, retrieval, and disposal.

Similarly, in order to prevent and manage system failures, the new publication suggests that companies should respond to any security breach in a timely manner; regularly update firewalls and antivirus software; and install patches to repair software vulnerabilities.  The FTC provides additional guidance at

Guidance is also available from leading security professionals who’ve assembled consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks.

Posted on 08/11