GLBA @ 2
What GLBA really says, Who is doing what, and Compliance “on the cheap”

Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
mcarr@nebraska.edu

2005 © University of Nebraska
2005 © Mike Carr (University of Nebraska)

Unless noted, this work is the intellectual property of the author.

Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author.

To disseminate otherwise or to republish requires written permission from the author.

Agenda
• Historical Review
• Assessment: of the law, of collegial response
• Current Events
• “Inexpensive” Approaches

Historical Review
• Gramm-Leach-Bliley Act of 1999
  – Removed banking restrictions
  – Required privacy policy notices
  – Required information security controls
  – Applied to institutions of higher education

Historical Review
• Gramm-Leach-Bliley Act enacted in 1999
  – Senate: 90-8, House: 362-57
  – then-Senator Phil Gramm (R-TX), Chair, US Senate Banking Committee
  – then-Representative Jim Leach (R-IA), Chair, House Financial Services Committee
  – then-Representative Tom Bliley (R-VA), Chair, FTC Commerce Committee

Historical Review
• The Great Depression
• Crash: Oct 1929
• By ’32:
  – Stock: 20¢ on the $1
  – 30% unemployment
  – 44% bank failures
(Image: Dorothea Lange’s Migrant Mother)

Historical Review
• Franklin D. Roosevelt
• 32nd President
• Carried 42/48 states
• 1st order: “Bank Holiday” to restore confidence

Historical Review
“…the only thing to fear is fear itself.”
1st Inaugural Address, March 4, 1933

Historical Review
• New Deal – “alphabet soup” agencies
  – AAA: the Agricultural Adjustment Administration
  – FSA: the Farm Security Administration
  – CCC: the Civilian Conservation Corps
  – NRA: the National Recovery Act
  – NYA: the National Youth Administration
  – WPA: the Works Projects Administration
  – PWA: the Public Works Administration
  – SSA: the Social Security Administration
  – REA: the Rural Electrification Administration
Note: the FTC was already in existence (1914)

Historical Review
• Banking Legislation
• Glass-Steagall Act of 1933
  – Limited commercial bank dealings
  – No collaboration with full-service brokerage firms
  – No participating in investment banking activities
  – Goal: protect depositors
• Bank Holding Act of 1956
  – No non-bank ownership

Historical Review
• 1995: EU Data Protection Directive – Int’l data exchange, homeland privacy
• 1997: Charter Pacific Bank – Sold credit cards to adult website
• 1998: NationsBank – Shared customer data
• 1999: US Bankcorp – Shared customer data in violation of own policy

Historical Review
• Glass-Steagall & Bank Holding Act repealed by the Financial Services Modernization Act of 1999
  – Signed by President Clinton
  – aka Gramm-Leach-Bliley Act or GLBA (P.L. 106-102), 15 USC § 6801-6810

Assessment
• GLBA Goal:
  – Continued de-regulation
  – Permit one-stop shopping
  – Permit cross-selling
  – While providing consumer safeguards

Assessment
• 2 Main GLBA Provisions:
  – Privacy Rule, 16 CFR Part 313: Disclosure of privacy policy, “Opt-Out”
  – Safeguards Rule, 16 CFR Part 314: “Comprehensive information security program”

Assessment
• GLBA “Audience”: Financial Institutions
  – Organizations that are “significantly engaged” in providing financial svcs
  – Universities are included: “…significantly engaged in lending funds to consumers” (16 CFR Part 313.1)

Assessment
• GLBA applies to Higher Ed, but…
  – If compliant with FERPA (Family Educational Rights & Privacy Act of 1974)
  – Then compliant with Privacy Rule, 16 CFR Part 313.1

Assessment
• However… 16 CFR Part 314, GLBA “Safeguarding Rules”
  – Requires administrative, technical, and physical safeguarding of customer information


  – Compliance Deadline: May 23, 2003

Assessment
• Without getting into a lot of detail…
  – Written InfoSec program
  – Appropriate to the size & complexity of the institution, nature & scope of activities, and sensitivity of customer info at issue
16 CFR 314, Section A. Background

Assessment
• Written Policy:
  – Then-existing policies and procedures may have been adequate
  – Might just have needed to be written down

Assessment
• One size does not fit all!
• “Appropriate” for me might not be “appropriate” for you
• It depends…

Assessment
• What most (many?) institutions did:
  – Wrote a Q&D info security plan
  – Identified a Security Officer
  – Tasked this “CISO” with GLBA compliance responsibility
  – Went back to business as usual

DISCLAIMER!
Many Colleges and Universities implemented information security programs in good faith and have worked since to protect the confidentiality, integrity and availability of their “financial transaction” customers’ nonpublic personal information.

Assessment
• Many (most?) consider GLBA to be an “I/T” thing
  – technical safeguards & risk assessment of “information systems”
  – of “detecting, preventing and responding to attacks, intrusions or other systems failures”
16 CFR 314.4 Elements (2) and (3)

Assessment
• Some have…
  – Funded network vulnerability testing, or
  – Implemented firewalls, intrusion detection/prevention, encryption “to identify reasonably foreseeable internal and external risks”
  – Updated purchasing agreements: “oversee service providers”

Assessment
• Some have…
  – Developed security awareness programs
  – Incorporated infosec awareness into new employee orientation
  – Used GLBA to justify: stronger password requirements, reduced sign-on initiatives, increased I/T budget

Assessment
• But if we look back…
  – FTC spelled out the 5 elements of GLBA
  – We get to decide what is “appropriate”

Assessment
• The 5 GLBA Elements:
  a) Infosec program coordinator
  b) Identify risks
  c) Safeguards to control the risks
  d) Oversee service providers
  e) Evaluate & adjust the program

Assessment
• How did these get interpreted?
  a) “Designate an employee or employees to coordinate your information security program.” 16 CFR 314.4 (a)
  – Appointed or hired someone to be the organization’s Information Security Officer (ISO)

Assessment
• How did these get interpreted?
  b) “Identify reasonably foreseeable internal and external risks . . . that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise…” 16 CFR 314.4 (b)

Assessment
• How did these get interpreted? …assess the risk in:
  b) 1. employee training & mgmt: Orientation & awareness programs
  b) 2. information systems: Maintain status quo
  b) 3. detecting, preventing & responding to attacks, intrusions…: Pen testing, vulnerability assessments, self-scanning

Assessment
• How did these get interpreted?
  c) “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.” 16 CFR 314.4 (c)


Assessment
• How did these get interpreted?
  – Firewalls
  – Intrusion detection systems (IDS)
  – Intrusion prevention systems (IPS)
  – Incident Response Procedures
  – Digital Forensics

Assessment
• How did these get interpreted?
  d) “Oversee Service Providers, by:
     1) Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards… and
     2) Requiring Service Providers by contract to implement & maintain such safeguards.” 16 CFR 314.4 (d)

Assessment
• How did these get interpreted?
  – Additional contract verbiage
  – Addendums to existing agreements

Assessment
• How did these get interpreted?
  e) “Evaluate and adjust your information security program in light of the results of the testing and monitoring…” 16 CFR 314.4 (e)
  – Maintain status quo

Assessment
• Are these interpretations good/bad?
  – * YES! * In general, sound management & technical practices push us to implement agreements, firewalls, risk assessments, etc.
  – However, GLBA customer information

Assessment
• Customer Information: “…nonpublic personal information as defined in 16 CFR 313.3(n), about a customer . . ., whether in paper, electronic or other form….” 16 CFR 314.2(b)

Assessment
• Customer Information, Section 509(4) of GLBA: “‘personally identifiable financial information’ that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution.” 16 CFR 313.3(n)

What the %#!_& does that mean?

Assessment
• Customer Information: 23 April 2003 note from Coalition of Higher Education Assistance Organizations (COHEAO)
  – What kinds of transactions?
    – Extensions of credit, yes
    – Installment contracts, probably no – unless loan with interest charged
    – Stored-value cards, probably no
    – Alumni credit cards, probably no
“If the school is not receiving individual customer account or activity information, only a funding stream, the activity is probably not covered”

Assessment
• Which means . . . ?
  – When the University/College acts like a bank and collects SSN, routing numbers, and/or savings/checking account numbers… GLBA applies
  – But, for better or worse… GLBA has sometimes been implemented across the entire institution, and in some instances, ignored completely

Assessment
• If you recall… GLBA requires “administrative, technical and physical safeguards”
  – Many institutions have failed to address the administrative and physical safeguards in the business offices
    – Ad-hoc & canned reports – shredding?
    – Background checks – student workers?
    – Departmental servers – hardened?
    – Workstation security – screensaver pswds?


Current Events
• 2004: FTC Nationwide GLBA Compliance Sweep of auto dealers and mortgage companies
  – Sunbelt Lending Services, Inc.: Agreed to consent decree; Compliant w/in 6 months; Audit every other yr for 10 yrs
  – Nationwide Mortgage Group, Inc.: Currently negotiating decree

Current Events
• Choicepoint & Lexis/Nexis breaches
  – Federal legislation pending: Require “data brokers” to notify consumers in the event of a breach
• San Jose Medical Group PC theft
• Sen. Feinstein: SSN Misuse Prevention Act, Notification Act, Privacy Act

“Inexpensive” Approaches
• Share this material with Financial Aid, Student Records, and H/R
• Trustees, Board or Presidential directive away from SSN
• ABWA – audit by walking around
• Training materials
  – In general & for financial aid staff
  – New employee orientation, annual reviews

“Inexpensive” Approaches
• Download/share:
  – ID Theft video clip, US Attorney’s Office, Central District CA: www.usdoj.gov/usao/cac/idtheft/idtheft.html
  – ID Theft DVD, US Postal Inspectors: www.usps.com/postalinspectors/id_intro.htm

“Inexpensive” Approaches
• Information Security Awareness
  – US-CERT, www.us-cert.gov
  – EDUCAUSE resources
  – StaySafeOnline.info
  – National Cyber Security Awareness Month: October

Discussion? Questions?

Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
mcarr@nebraska.edu