Information Security Legislation
• Information security program — The entity must have an information security program that is “written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”¹ This requirement essentially says that the information security program should be aligned to the risks that the company is facing.
• Coordination of the information security program — There must be an individual or group of individuals responsible for interfacing with the relevant groups and acting as a coordinator or “single point of contact” for the information security program. This aspect of the GLBA is related to the whole concept of ownership and helps ensure that proper communication takes place between the relevant parties.
• Regular risk analysis — An ongoing risk analysis for any company is very important because it is a mechanism to discover any potential security issues for the company.
• Implementation of controls to mitigate risks discovered in the risk analysis — One of the results of the risk assessment is the discovery of security risks. Once discovered, the requirement is to implement measures to mitigate these risks and monitor, on a regular basis, that these measures are working as intended.
• Overseeing of service providers — Because of the complexity of business today, many companies try to focus on their core competencies. The financial services industry is no exception; companies in this field frequently use third-party service providers for various parts of their operations. The security concern with these providers is that customer information is residing on their systems, and companies using these providers sometimes have no sense of how this information is being secured. This requirement obligates the company to ensure that the service providers have security measures in place to properly safeguard customer information. Companies should perform the appropriate due diligence when selecting a provider and also have the appropriate provisions in the contract with the service provider.
• Evaluation and adjustment of the information security program — This requirement is really a byproduct of the requirement related to risk analysis. As new risks are identified, new controls should be implemented to address those risks. In achieving compliance with this requirement, companies should constantly evaluate their information security programs and make adjustments as necessary.
Based on the requirements, it is clear that the objective is for financial services companies to implement and maintain good information security programs, which will ultimately protect customer information.
When conducting a security assessment with a financial services company, it is best to become familiar with the GLBA security requirements and ask the appropriate