GLBA @ 2: What GLBA really says, Who is doing what, and Compliance “on the cheap”
Michael G. Carr, JD, CISSP
Chief Information Security Officer
University of Nebraska
[email protected]


2005 © University of Nebraska

2005 © Mike Carr (University of Nebraska)

Unless noted, this work is the intellectual property of the author.

Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author.

To disseminate otherwise or to republish requires written permission from the author.


Agenda

• Historical Review
• Assessment
  - of the law, of collegial response
• Current Events
• “Inexpensive” Approaches


Historical Review

• Gramm-Leach-Bliley Act of 1999
  - Removed banking restrictions
  - Required privacy policy notices
  - Required information security controls
  - Applied to institutions of higher education


Historical Review

• Gramm-Leach-Bliley Act
  - Enacted in 1999
  - Senate: 90-8, House: 362-57
  - then-Senator Phil Gramm (R-TX), Chair, US Senate Banking Committee
  - then-Representative Jim Leach (R-IA), Chair, House Financial Services Committee
  - then-Representative Tom Bliley (R-VA), Chair, FTC Commerce Committee


Historical Review

• The Great Depression
• Crash: Oct 1929
• By ’32:
  - Stock: 20¢ on the $1
  - 30% unemployment
  - 44% bank failures

Dorothea Lange’s Migrant Mother


Historical Review

• Franklin D. Roosevelt
• 32nd President
• Carried 42/48 states
• 1st order: “Bank Holiday”
  - to restore confidence


Historical Review

“…the only thing to fear is fear itself.”

1st Inaugural Address, March 4, 1933


Historical Review

• New Deal – “alphabet soup” agencies
  • AAA the Agricultural Adjustment Administration
  • FSA the Farm Security Administration
  • CCC the Civilian Conservation Corps
  • NRA the National Recovery Act
  • NYA the National Youth Administration
  • WPA the Works Projects Administration
  • PWA the Public Works Administration
  • SSA the Social Security Administration
  • REA the Rural Electrification Administration

Note: the FTC was already in existence (1914)


Historical Review

• Banking Legislation
• Glass-Steagall Act of 1933
  - Limited commercial bank dealings
  - No collaboration with full-service brokerage firms
  - No participating in investment banking activities
  - Goal: protect depositors
• Bank Holding Act of 1956
  - No non-bank ownership


Historical Review

• 1995: EU Data Protection Directive
  - Int’l data exchange homeland privacy
• 1997: Charter Pacific Bank
  - Sold credit cards to adult website
• 1998: NationsBank
  - Shared customer data
• 1999: US Bancorp
  - Shared customer data in violation of own policy


Historical Review

• Glass-Steagall & Bank Holding Act repealed by the Financial Services Modernization Act of 1999
  - Signed by President Clinton
  - aka Gramm-Leach-Bliley Act or GLBA (P.L. 106-102)
  - 15 USC § 6801-6810


Assessment

• GLBA Goal:
  - Continued de-regulation
  - Permit one-stop shopping
  - Permit cross-selling
  - While providing consumer safeguards


Assessment

• 2 Main GLBA Provisions:
  - Privacy Rule, 16 CFR Part 313
    - Disclosure of privacy policy
    - “Opt-Out”
  - Safeguards Rule, 16 CFR Part 314
    - “Comprehensive information security program”


Assessment

• GLBA “Audience”:
  - Financial Institutions
    - Organizations that are “significantly engaged” in providing financial svcs
  - Universities are included
    - “…significantly engaged in lending funds to consumers” (16 CFR Part 313.1)


Assessment

• GLBA applies to Higher Ed, but…
  - If compliant with FERPA (Family Educational Rights & Privacy Act of 1974)
  - Then compliant with Privacy Rule, 16 CFR Part 313.1


Assessment

• However…
  - 16 CFR Part 314
  - GLBA “Safeguarding Rules”
  - Requires administrative, technical, and physical safeguarding of customer information
  - Compliance Deadline: May 23, 2003


Assessment

• Without getting into a lot of detail…
  - Written InfoSec program
  - Appropriate to the
    - size & complexity of the institution,
    - nature & scope of activities, and
    - sensitivity of customer info at issue

16 CFR 314, Section A. Background


Assessment

• Written Policy:
  - Then-existing policies and procedures may have been adequate
  - Might just have needed to be written down


Assessment

• One size does not fit all!
• “Appropriate” for me might not be “appropriate” for you
• It depends…


Assessment

• What most (many?) institutions did:
  - Wrote a Q&D info security plan
  - Identified a Security Officer
  - Tasked this “CISO” with GLBA compliance responsibility
  - Went back to business as usual


DISCLAIMER!

Many Colleges and Universities implemented information security programs in good faith and have worked since to protect the confidentiality, integrity and availability of their “financial transaction”-customers’ nonpublic personal information


Assessment

• Many (most?) consider GLBA to be an “I/T” thing
  - technical safeguards & risk assessment of “information systems”
  - of “detecting, preventing and responding to attacks, intrusions or other systems failures”

16 CFR 314.4 Elements (2) and (3)


Assessment

• Some have…
  - Funded network vulnerability testing, or
  - Implemented firewalls, intrusion detection/prevention, encryption
    - “to identify reasonably foreseeable internal and external risks”
  - Updated purchasing agreements
    - “oversee service providers”


Assessment

• Some have…
  - Developed security awareness programs
  - Incorporated infosec awareness into new employee orientation
  - Used GLBA to justify
    - stronger password requirements
    - reduced sign-on initiatives
    - increased I/T budget


Assessment

• But if we look back…
  - FTC spelled out the 5 elements of GLBA
  - We get to decide what is “appropriate”


Assessment

• The 5 GLBA Elements:
  a) Infosec program coordinator
  b) Identify risks
  c) Safeguards to control the risks
  d) Oversee service providers
  e) Evaluate & adjust the program


Assessment

• How did these get interpreted?
  a) “Designate an employee or employees to coordinate your information security program.” 16 CFR 314.4 (a)
  - Appointed or hired someone to be the organization’s Information Security Officer (ISO)


Assessment

• How did these get interpreted?
  b) “Identify reasonably foreseeable internal and external risks . . . that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise…” 16 CFR 314.4 (b)


Assessment

• How did these get interpreted?
  …assess the risk in:
  b) 1. employee training & mgmt:
    - Orientation & awareness programs
  b) 2. information systems
    - Maintain status quo
  b) 3. detecting, preventing & responding to attacks, intrusions…
    - Pen testing, vulnerability assessments, self-scanning


Assessment

• How did these get interpreted?
  c) “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.” 16 CFR 314.4 (c)


Assessment

• How did these get interpreted?
  - Firewalls
  - Intrusion detection systems (IDS)
  - Intrusion prevention systems (IPS)
  - Incident Response Procedures
  - Digital Forensics


Assessment

• How did these get interpreted?
  d) “Oversee Service Providers, by:
    1) Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards… and
    2) Requiring Service Providers by contract to implement & maintain such safeguards.”
  16 CFR 314.4 (d)


Assessment

• How did these get interpreted?
  - Additional contract verbiage
  - Addendums to existing agreements


Assessment

• How did these get interpreted?
  e) “Evaluate and adjust your information security program in light of the results of the testing and monitoring…” 16 CFR 314.4 (e)
  - Maintain status quo


Assessment

• Are these interpretations good/bad?
  * YES! *
  - In general, sound management & technical practices push us to implement agreements, firewalls, risk assessments, etc.
  - However, GLBA customer information


Assessment

• Customer Information
  - “…nonpublic personal information as defined in 16 CFR 313.3(n), about a customer . . ., whether in paper, electronic or other form….”
  16 CFR 314.2(b)


Assessment

• Customer Information
  - Section 509(4) of GLBA
  - “‘personally identifiable financial information’ that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution.”
  16 CFR 313.3(n)


What the %#!_& does that mean?


Assessment

• Customer Information
  - 23 April 2003 note from Coalition of Higher Education Assistance Organizations (COHEAO)
  - What kinds of transactions?
    - Extensions of credit, yes
    - Installment contracts, probably no
      – Unless loan with interest charged
    - Stored-value cards, probably no
    - Alumni credit cards, probably no

“If the school is not receiving individual customer account or activity information, only a funding stream, the activity is probably not covered”


Assessment

• Which means . . . ?
  - When the University/College acts like a bank and collects SSN, routing numbers, and/or savings/checking account numbers…
  - GLBA applies
  - But, for better or worse…
    - GLBA has sometimes been implemented across the entire institution, and
    - In some instances, ignored completely


Assessment

• If you recall…
  - GLBA requires “administrative, technical and physical safeguards”
  - Many institutions have failed to address the administrative and physical safeguards in the business offices
    - Ad-hoc & canned reports – shredding?
    - Background checks – student workers?
    - Departmental servers – hardened?
    - Workstation security – screensaver pswds?


Current Events

• 2004: FTC Nationwide GLBA Compliance Sweep of auto dealers and mortgage companies
  - Sunbelt Lending Services, Inc.
    - Agreed to consent decree
    - Compliant w/in 6 months
    - Audit every other yr for 10 yrs
  - Nationwide Mortgage Group, Inc.
    - Currently negotiating decree


Current Events

• Choicepoint & Lexis/Nexis breaches
  - Federal legislation pending
  - Require “data brokers” to notify consumers in the event of a breach
• San Jose Medical Group PC theft
• Sen. Feinstein: SSN Misuse Prevention Act, Notification Act, Privacy Act


“Inexpensive” Approaches

• Share this material with Financial Aid, Student Records, and H/R
• Trustees, Board or Presidential directive away from SSN
• ABWA – audit by walking around
• Training materials
  - In general & for financial aid staff
  - New employee orientation, annual reviews


“Inexpensive” Approaches

• Download/share:
  - ID Theft video clip: US Attorney’s Office, Central District CA, www.usdoj.gov/usao/cac/idtheft/idtheft.html
  - ID Theft DVD: US Postal Inspectors, www.usps.com/postalinspectors/id_intro.htm


“Inexpensive” Approaches

• Information Security Awareness
  - US-CERT, www.us-cert.gov
  - EDUCAUSE resources
  - StaySafeOnline.info
  - National Cyber Security Awareness Month: October


Discussion?

Questions?

Michael G. Carr, JD, CISSP

Chief Information Security Officer
University of Nebraska
[email protected]