Information security, ISO27001 and GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the “Financial Services Reform Act of 1999”, requires US “financial institutions” to establish administrative, technical and physical safeguards that ensure the confidentiality and integrity of customer records and information. To comply with this federal mandate, institutions that are significantly engaged in financial activities must identify and assess security risks, plan and implement security solutions that protect sensitive information, and establish measures to monitor and manage those security systems. Section 501(b) of GLBA sets out the high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued its Final Rule (16 CFR Part 314) in May 2002. With a few exceptions, the effective date for financial institution compliance with the Final Rule was May 23, 2003 (with a two-year grandfathering of service contracts, until May 24, 2004).
In summary, the objectives of GLBA are to:
- Protect the security and confidentiality of customers’ non-public personal information
- Institute administrative, technical, and physical safeguards
- Protect against anticipated threats and hazards to information security
- Protect against unauthorized access to or use of information
- Establish a continuous risk-based information security program with:
  - Board oversight
  - Assessment of threats and vulnerabilities
  - Risk management and controls
  - Training and testing
  - Vendor oversight
  - Monitoring, auditing, adjusting and reporting
ISO27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.