Compliance Management: SMP’s GLBA Solution

Gramm-Leach-Bliley (GLB) requires that financial institutions establish an effective information security program to protect the confidentiality and security of nonpublic personal customer information or be subject to substantial monetary and legal penalties.

The Dilemma

GLB requires financial institutions to assess their own security needs and risks and then devise, implement, and maintain appropriate measures as business decisions. Each entity must balance its resources and business requirements against the risks to protected information. But, where to start?

The SMP Solution
Without a detailed understanding of what vulnerabilities exist in your particular environment, it is difficult to understand the risks facing your organization. SMP recommends beginning with an assessment of the existing information security policies and controls to provide insight into how your organization protects critical data in day-to-day operations, during incident response, and under disaster recovery/business continuity conditions. Reviewing the safeguards your organization has in place as they relate to IT security and regulatory compliance forms a baseline for the project. An infrastructure assessment logically follows to review network design, security device configuration and deployment, and physical security/environmental conditions. Through interviews and observation, SMP confirms that the policies and controls are in place as documented.

This is followed by vulnerability testing of the external and internal networks. SMP probes the perimeter security to validate that external controls are in place and working as represented to our consultants. This phase can include vulnerability and penetration testing over the internet, modem, PBX, and wireless interfaces. An in-depth review of systems on the internal network is also performed. SMP tests the internal controls to determine whether they protect valuable information and meet the stated goals of organizational policies, "essential practices", and regulatory compliance. Each system and application within the scope of the engagement is tested for vulnerabilities and unauthorized access.

All findings are reviewed and compared to current policies. Each identified vulnerability on the external and internal network is rated and documented, and an appropriate solution is provided. Gaps are identified, regulatory compliance is assessed, possible improvements are proposed, and remediation efforts are outlined. A report is prepared for presentation to your organization.

Our report establishes a baseline against which progress towards GLB compliance can be measured. It assists in prioritizing and setting realistic targets, and it recommends steps to reduce each risk. It can be presented to senior management, board members, and regulatory examiners to demonstrate that a comprehensive risk assessment has been performed, gaps identified, and solutions provided to resolve them.

SMP’s GLBA Services are important building blocks in the creation and maintenance of a comprehensive information security program. SMP has extensive expertise in helping financial institutions implement compliant programs. Each offering is customized to best fit the needs of each organization.

Recurrent Validations
Once the initial program is in place, it is necessary to perform repeat assessments on a regularly scheduled basis. With the constantly changing nature of information security, including new threats and new defenses, follow-up tests or validations are a must for maintaining adequate protection. Client networks are always being updated, new technologies are constantly being offered, and the knowledge of client staff must be continuously augmented in order to keep up with the latest trends. A client’s infrastructure will most likely grow along with its network as time progresses and new complexities are added.

Strong security is good business. With SMP’s help, organizations can develop a balanced security approach that provides due diligence without impeding business operations. Organizations can be confident that they have taken reasonable measures to protect confidential information and have reduced potential liabilities.
Security Management Partners p.781.890.7671 sales@smpone.com
Copyright © 2008 Security Management Partners