GLBA: Security and Consumer Privacy for the Financial Services Industry
Established in 1999, the Gramm-Leach-Bliley Act (GLBA) allowed the integration of different financial services into a single company - for example, banks could establish and buy brokerage services, or buy insurance companies. The law applies to a broad range of organizations that fall under the "financial services" umbrella, including banks, financial and investment advisors, brokerages, mortgage lenders, and others. But this new flexibility in the financial services industry came at a price: GLBA mandates a "Safeguards Rule" that requires every financial institution, regardless of its line(s) of business, to implement a risk-based information security program, aimed primarily at protecting the clients of the institution. The Safeguards Rule mandates that financial services organizations:
Ensure the security and confidentiality of customer records and information
Protect against any anticipated threats or hazards to the security or integrity of such records
Protect against unauthorized access or use of such records or information which could result in substantial harm or inconvenience to any customer
Specific guidance on implementing the Safeguards Rule is provided by the Federal Financial Institutions Examination Council (FFIEC), which publishes a comprehensive Information Security (IS) Handbook to help financial services organizations comply with a broad range of mandates, including GLBA and many others. The FFIEC IS Handbook provides the blueprint of best practices that address initiating, implementing, maintaining and enhancing the necessary security objectives and controls within financial services organizations, to meet the Safeguards Rule of GLBA.
The GLBA Business Challenge
Perhaps the greatest challenge presented by the FFIEC IS Handbook - and consequently, the GLBA Safeguards Rule itself - rests in its broad scope of individual security controls. These controls span the IT infrastructure, calling for the monitoring and analysis of data generated by all systems, network appliances and security solutions across the enterprise. Thus, when implementing controls according to GLBA and the FFIEC, an organization must collect and process many different types of data from across the infrastructure. Traditional log management and SIEM solutions that rely only on event data are not adequate to meet the rigorous compliance audit and reporting requirements of GLBA, because they lack the ability to collect and correlate other types of critical security data: system asset and configuration data, known vulnerabilities, performance metrics, and network flow data.
SecureVue: Comprehensive GLBA and FFIEC Compliance Auditing
eIQ's SecureVue security, risk and audit management platform combines security information and event management (SIEM) and compliance automation to help organizations address the greatest number of FFIEC requirements mandated in the IS Handbook. SecureVue contains over 200 reports mapped to individual sections of the IS Handbook, and also contains a comprehensive compliance library - containing over 2,500 technical and functional controls - to enable organizations to define, monitor and measure GLBA and FFIEC IS Handbook system configuration compliance.
By collecting, archiving, correlating, analyzing and reporting on log, vulnerability, configuration, asset, performance and network flow data, SecureVue merges the complex monitoring, testing and auditing demands of the GLBA Safeguards Rule into a single solution. The automated end-to-end correlation, along with built-in analytics, makes compliance auditing for GLBA an easily manageable task.