Information not protected includes aggregate information or "blind data" that carries no personal identifiers, such as the total number of mortgage applications by county or aggregate account balances by zip code. It also excludes information generally available to the public, such as federal, state and local government records and information widely distributed by the media. For example, the fact that a loan is secured by a mortgage recorded with a county clerk is public record and therefore not protected.
Banking on IT
To implement the GLBA, the Department of the Treasury (through the OCC and the OTS), the Federal Reserve System and the FDIC published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information." Each agency republished these guidelines as an appendix to its safety and soundness regulations for financial institutions (the agencies agreed on the text of the guidelines, with only slight differences). Hence, compliance is not only a matter of law; it bears directly on the safety and soundness of the entity as a whole and, by extension, on its status as a depository institution or national bank. Furthermore, each institution is responsible for ensuring that its affiliates and service providers also safeguard customer information.
GLBA requires financial institutions to implement a comprehensive, written infosec program that includes administrative, technical and physical safeguards for customer information. Institutions may take their size, complexity, and the nature and scope of their activities into account when drafting and implementing the program, but it must meet three broad objectives for customer information: ensure its security and confidentiality, protect it against anticipated threats or hazards to its security or integrity, and protect it against unauthorized access or use that could result in substantial harm or inconvenience to a customer.
Accountability under the GLBA does not stop with IT. A company's board of directors, or an appropriate board committee, must approve the written infosec program and oversee its development, implementation and maintenance. It must also review reports from management at least once a year. Those reports must describe the overall status of the infosec program and the institution's compliance with the guidelines.
Affected customer information systems span a long list of devices and mechanisms, including hardware and software for information processing, storage, and search and retrieval; messaging systems; and backup and archival tools. Each system may require administrative, technical and physical safeguards, but banks and other institutions have considerable flexibility in how they implement them. The central consideration is risk assessment. Specifically, enterprises must identify "reasonably foreseeable" internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems.
What constitutes a reasonably foreseeable threat? Think industry standards: Banks and financial institutions will be expected to use the security measures commonly practiced in the industry, such as firewalls, antivirus programs and intrusion-detection systems. If most other banks require a secure VPN for remote access and yours does not, you will have a hard time arguing that you were merely the victim, rather than negligent, when a breach comes in through a remote connection--especially if customer information is compromised.
Customers demand that their information be treated with respect, integrity and security. To stay competitive, you must meet those demands. Financial institutions must know not only who is accessing their networks, but also what data is being accessed and who is engaging in transactions. That requires logging at the OS, application and database levels, because no single layer can answer all three questions. Consolidating these logs in one console with a tool such as TriGeo Network Security's Contego makes security monitoring easier and makes it possible to judge whether policies and procedures actually control the risks identified. But scoping out the risk requires constant vigilance.
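As an added illustration of why all three log layers are needed (this is example code written for this article, not a product feature or anything from the original text), the script below correlates constructed OS login, application and database audit records into one per-access view. Every read of a customer row at the database is tied back to an OS session and, where one exists, to the application request that caused it. A read with no matching application request was made directly against the database, which is exactly the kind of access an application-only log would never show. The log formats, host names, user names and the hypothetical `app_user` field in the database audit line are all assumptions made for the example.

```python
"""Correlate OS-, application- and database-level logs into one access view.

All three logs below are constructed for this example; they are not from any
real system. Assumed formats:
  OS log:  sshd-style "Accepted <method> for <user> from <ip>" plus key=value
  App log: key=value fields including user, customer_id and a request id
  DB log:  key=value fields; app_user is a hypothetical field the application
           sets on its DB session so the audit log can name the end user
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

OS_LOG = """\
2003-04-02T09:12:01 host=app01 sshd: Accepted publickey for jsmith from 10.1.4.22 session=os-771
2003-04-02T09:40:15 host=db01 sshd: Accepted password for dbadmin from 10.1.9.5 session=os-772
"""

APP_LOG = """\
2003-04-02T09:13:05 app=loanportal user=jsmith action=view_customer customer_id=C-1002 request=req-551
2003-04-02T09:14:10 app=loanportal user=jsmith action=view_customer customer_id=C-1007 request=req-552
"""

DB_LOG = """\
2003-04-02T09:13:06 db=core dbuser=app_svc app_user=jsmith stmt="SELECT * FROM customers WHERE id='C-1002'"
2003-04-02T09:14:11 db=core dbuser=app_svc app_user=jsmith stmt="SELECT * FROM customers WHERE id='C-1007'"
2003-04-02T09:41:02 db=core dbuser=dbadmin app_user=- stmt="SELECT ssn,balance FROM customers WHERE id='C-1007'"
"""

# key=value pairs; a value may be double-quoted (so SQL text with spaces survives)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
OS_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
CUST_RE = re.compile(r"id='([^']+)'")   # assumption: customer key appears as id='...'


@dataclass
class AccessRecord:
    ts: datetime
    customer_id: Optional[str]
    actor: str                  # the person held accountable for the read
    db_user: str
    os_session: Optional[str]   # OS login the read is tied to, if any
    app_request: Optional[str]  # application request that caused it, if any

    @property
    def via_application(self) -> bool:
        return self.app_request is not None


def parse_kv(line: str) -> dict:
    """Split off the leading ISO timestamp, then collect key=value fields."""
    ts_str, rest = line.split(" ", 1)
    fields = {}
    for key, value in KV_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def parse_os(line: str) -> dict:
    """OS login line: key=value fields plus the sshd 'Accepted ... for <user>' text."""
    event = parse_kv(line)
    match = OS_RE.search(line)
    if not match:
        raise ValueError(f"not an accepted-login line: {line!r}")
    event["method"], event["user"], event["src"] = match.groups()
    return event


def correlate(os_log: str, app_log: str, db_log: str,
              window: timedelta = timedelta(seconds=5)) -> list:
    """One AccessRecord per database statement, joined to OS and app events."""
    logins = [parse_os(l) for l in os_log.splitlines() if l.strip()]
    requests = [parse_kv(l) for l in app_log.splitlines() if l.strip()]
    records = []
    for line in db_log.splitlines():
        if not line.strip():
            continue
        ev = parse_kv(line)
        m = CUST_RE.search(ev.get("stmt", ""))
        customer = m.group(1) if m else None
        # If the application tagged the session with an end user, blame them;
        # otherwise the database account itself is the actor (direct access).
        app_user = ev.get("app_user", "-")
        actor = app_user if app_user != "-" else ev["dbuser"]
        # Most recent OS login by that actor at or before the statement.
        login = max((l for l in logins if l["user"] == actor and l["ts"] <= ev["ts"]),
                    key=lambda l: l["ts"], default=None)
        # Application request by the same user for the same customer, close in time.
        req = next((r for r in requests
                    if r.get("user") == actor and r.get("customer_id") == customer
                    and abs(r["ts"] - ev["ts"]) <= window), None)
        records.append(AccessRecord(
            ts=ev["ts"], customer_id=customer, actor=actor, db_user=ev["dbuser"],
            os_session=login["session"] if login else None,
            app_request=req["request"] if req else None))
    return records


def direct_db_reads(records: list) -> list:
    """Customer-data reads that have no application request behind them."""
    return [r for r in records if r.customer_id and not r.via_application]


if __name__ == "__main__":
    for r in correlate(OS_LOG, APP_LOG, DB_LOG):
        via = r.app_request or "DIRECT DB ACCESS"
        print(f"{r.ts.isoformat()} {r.customer_id} by {r.actor} "
              f"(db user {r.db_user}, os session {r.os_session}) via {via}")
```

With the sample data, the two portal reads by `jsmith` resolve to OS session `os-771` and requests `req-551`/`req-552`, while the `dbadmin` query of `C-1007` resolves to OS session `os-772` and no application request, so it is reported as direct database access. In practice the join key between layers (here a hypothetical `app_user` session tag) is the part that needs deliberate engineering; without it the database log can say only that the service account read a row.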