GLBA Security Policy Solutions

GLBA/FFIEC Information Security Policies

The Gramm-Leach-Bliley Act of 1999 (GLBA), Title V, requires financial services organizations to ensure the security and confidentiality of customer records and information. Title V contains both privacy and security requirements for the protection of nonpublic personal information. Among the many requirements, organizations must adopt a "written security program" that includes administrative, technical, and physical safeguards for protecting customer information. Specific implementation guidance is provided by the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook.

Develop Security Policies Quickly

Information Security Policies Made Easy (ISPME), Version 13, provides a complete set of security policies and standards that cover both internal data security and customer data privacy. ISPME provides complete policy coverage for the FFIEC guidance and enables organizations to quickly establish a risk-based information security policy program.

Document Information Security Roles

GLBA guidance is very specific about the requirements for properly defining information security roles and responsibilities: "the lines of authority and responsibility for development, implementation, and administration of a financial institution's information security program need to be well defined and clearly articulated."

Information Security Roles and Responsibilities Made Easy (ISRR) is the only resource available that can save your organization many hours of detailed effort in developing and documenting your security organization.

Policies and GLBA Requirements

According to GLBA, organizations must develop written policies that define the administrative, technical and physical safeguards that protect customer information. GLBA also requires that organizations provide notice of written privacy policies to customers. Beyond simply writing policies, however, organizations must establish an environment of information control that includes risk assessments, security awareness training, personnel security, physical security, incident response and disaster recovery. Information Shield publications will save organizations hundreds of development hours by providing a complete library of policies and standards that cover each of these critical areas.

Organizational Compliance with GLBA

To help simplify compliance with GLBA, the Federal agencies responsible for enforcement of the Act established the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines are intended to help implement industry best practices by breaking them down into seven steps. The following list shows how Information Shield publications help with each of these compliance requirements.

  1. Involve the Board of Directors
    According to GLBA, the Board of Directors should approve the “written” information security program. Information Shield publications provide over 1200 pages of relevant, pre-written information security documents that are easy to customize. ISPME and ISRR both contain valuable advice on how to better involve senior management in the information security program.
  2. Assess Risk
    ISPME provides pre-written policies covering organizational risk assessments, including such critical items as asset inventories, data classification and labeling, vulnerability assessment, and User-Owner-Custodian roles.
  3. Manage and Control Risk
    Within GLBA, “manage and control risk” includes the specific data protection requirements that make up a due-care information security program. ISPME is organized around the ISO 27002 security standard, and provides the most complete policy topic coverage of any information security resource. Over 1500 pre-written information security policies cover the latest security topics.
  4. Oversee Service Provider Arrangements
    ISPME contains over 50 specific policies related to managing the security of contractors and third-party service providers. ISRR contains valuable advice and checklists for ensuring security in outsourcing contracts.
  5. Adjust the Program
    Within GLBA, “adjust the program” means that organizations must continually monitor their information security program and make adjustments based on new threats. ISPME provides over 100 specific policies relating to the management and monitoring of an information security program, including incident response and disaster recovery.
  6. Report to the Board
    ISPME provides written policies that establish the requirements for annual analysis and reporting on the information security program. ISRR helps organizations clearly document the roles and responsibilities of security personnel who collect and analyze this data.
  7. Implement the Standards
    Information Shield publications provide expert advice to help organizations build and maintain an effective security environment. Information Shield publications are based on the consulting experience of internationally-known security expert Charles Cresson Wood, CISSP, CISM, CISA.


For more information on using Information Shield solutions for your GLBA compliance efforts, please contact us.