Slide 2: GLBA @ 2
What GLBA really says, who is doing what, and compliance “on the cheap”
Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
mcarr@nebraska.edu
Slide 3: GLBA @ 2 2005 © University of Nebraska
2005 © Mike Carr (University of Nebraska)
Unless noted, this work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 4: Agenda
- Historical Review
- Assessment of the law and of the collegial response
- Current Events
- “Inexpensive” Approaches
Slide 5: Historical Review
Gramm-Leach-Bliley Act of 1999
- Removed banking restrictions
- Required privacy policy notices
- Required information security controls
- Applied to institutions of higher education
Slide 6: Historical Review
Gramm-Leach-Bliley Act, enacted in 1999 (Senate: 90-8, House: 362-57)
- then-Senator Phil Gramm (R-TX), Chair, US Senate Banking Committee
- then-Representative Jim Leach (R-IA), Chair, House Financial Services Committee
- then-Representative Tom Bliley (R-VA), Chair, FTC Commerce Committee
Slide 7: Historical Review
The Great Depression
- Crash: Oct 1929
- By ’32: stocks at 20¢ on the $1, 30% unemployment, 44% bank failures
(Image: Dorothea Lange’s Migrant Mother)
Slide 8: Historical Review
Franklin D. Roosevelt, 32nd President
- Carried 42 of 48 states
- 1st order: “Bank Holiday” to restore confidence
Slide 9: Historical Review
“…the only thing to fear is fear itself.” 1st Inaugural Address, March 4, 1933
Slide 10: Historical Review
New Deal “alphabet soup” agencies
- AAA: the Agricultural Adjustment Administration
- FSA: the Farm Security Administration
- CCC: the Civilian Conservation Corps
- NRA: the National Recovery Act
- NYA: the National Youth Administration
- WPA: the Works Projects Administration
- PWA: the Public Works Administration
- SSA: the Social Security Administration
- REA: the Rural Electrification Administration
Note: the FTC was already in existence (1914)
Slide 11: Historical Review
Banking Legislation
- Glass-Steagall Act of 1933: limited commercial bank dealings; no collaboration with full-service brokerage firms; no participating in investment banking activities. Goal: protect depositors
- Bank Holding Act of 1956: no non-bank ownership
Slide 12: Historical Review
- 1995: EU Data Protection Directive (int’l data exchange, homeland privacy)
- 1997: Charter Pacific Bank sold credit cards to an adult website
- 1998: NationsBank shared customer data
- 1999: US Bankcorp shared customer data in violation of its own policy
Slide 13: Historical Review
Glass-Steagall & the Bank Holding Act were repealed by the Financial Services Modernization Act of 1999, signed by President Clinton; aka the Gramm-Leach-Bliley Act or GLBA (P.L. 106-102), 15 USC § 6801-6810
Slide 14: Assessment
GLBA goal: continued de-regulation
- Permit one-stop shopping
- Permit cross-selling
- While providing consumer safeguards
Slide 15: Assessment
2 main GLBA provisions:
- Privacy Rule, 16 CFR Part 313: disclosure of privacy policy; “Opt-Out”
- Safeguards Rule, 16 CFR Part 314: “comprehensive information security program”
Slide 16: Assessment
GLBA “audience”: financial institutions, i.e. organizations that are “significantly engaged” in providing financial services. Universities are included: “…significantly engaged in lending funds to consumers” (16 CFR Part 313.1)
Slide 17: Assessment
GLBA applies to Higher Ed, but… if compliant with FERPA (Family Educational Rights & Privacy Act of 1974), then compliant with the Privacy Rule (16 CFR Part 313.1)
Slides 18-22: Assessment
However… 16 CFR Part 314, the GLBA “Safeguarding Rules”, requires administrative, technical, and physical safeguarding of customer information
(Slides 19 through 21 repeat this slide.)
Compliance deadline: May 23, 2003
Slide 23: Assessment
Without getting into a lot of detail… a written InfoSec program, appropriate to the size & complexity of the institution, the nature & scope of its activities, and the sensitivity of the customer info at issue (16 CFR 314, Section A, Background)
Slide 24: Assessment
Written policy: then-existing policies and procedures may have been adequate; they might just have needed to be written down
Slide 25: Assessment
One size does not fit all! “Appropriate” for me might not be “appropriate” for you. It depends…
Slide 26: Assessment
What most (many?) institutions did:
- Wrote a Q&D info security plan
- Identified a Security Officer
- Tasked this “CISO” with GLBA compliance responsibility
- Went back to business as usual
Slide 27: DISCLAIMER!
Many colleges and universities implemented information security programs in good faith and have worked since to protect the confidentiality, integrity and availability of their “financial transaction” customers’ nonpublic personal information
Slide 28: Assessment
Many (most?) consider GLBA to be an “I/T” thing: technical safeguards & risk assessment of “information systems” and of “detecting, preventing and responding to attacks, intrusions or other systems failures” (16 CFR 314.4, elements (2) and (3))
Slide 29: Assessment
Some have…
- Funded network vulnerability testing, or implemented firewalls, intrusion detection/prevention, encryption (“to identify reasonably foreseeable internal and external risks”)
- Updated purchasing agreements (“oversee service providers”)
Slide 30: Assessment
Some have…
- Developed security awareness programs
- Incorporated infosec awareness into new employee orientation
- Used GLBA to justify stronger password requirements, reduced sign-on initiatives, and an increased I/T budget
Slide 31: Assessment
But if we look back… the FTC spelled out the 5 elements of GLBA; we get to decide what is “appropriate”
Slide 32: Assessment
The 5 GLBA elements:
a) Infosec program coordinator
b) Identify risks
c) Safeguards to control the risks
d) Oversee service providers
e) Evaluate & adjust the program
Slide 33: Assessment
How did these get interpreted?
a) “Designate an employee or employees to coordinate your information security program.” 16 CFR 314.4(a)
Interpretation: appointed or hired someone to be the organization’s Information Security Officer (ISO)
Slide 34: Assessment
How did these get interpreted?
b) “Identify reasonably foreseeable internal and external risks... that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise…” 16 CFR 314.4(b)
Slide 35: Assessment
How did these get interpreted? …assess the risk in:
b)1. employee training & mgmt: orientation & awareness programs
b)2. information systems: maintain status quo
b)3. detecting, preventing & responding to attacks, intrusions…: pen testing, vulnerability assessments, self-scanning
Slides 36-37: Assessment (slide 37 repeats slide 36)
How did these get interpreted?
c) “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.” 16 CFR 314.4(c)
Slide 38: Assessment
How did these get interpreted?
- Firewalls
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Incident response procedures
- Digital forensics
Slide 39: Assessment
How did these get interpreted?
d) “Oversee Service Providers, by: 1) Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards… and 2) Requiring Service Providers by contract to implement & maintain such safeguards.” 16 CFR 314.4(d)
Slide 40: Assessment
How did these get interpreted?
- Additional contract verbiage
- Addendums to existing agreements
Slide 41: Assessment
How did these get interpreted?
e) “Evaluate and adjust your information security program in light of the results of the testing and monitoring…” 16 CFR 314.4(e)
Interpretation: maintain status quo
Slide 42: Assessment
Are these interpretations good/bad? * YES! *
- In general, sound management & technical practices push us to implement agreements, firewalls, risk assessments, etc.
- However, GLBA concerns “customer information”…
Slide 43: Assessment
Customer Information: “…nonpublic personal information as defined in 16 CFR 313.3(n), about a customer..., whether in paper, electronic or other form….” 16 CFR 314.2(b)
Slide 44: Assessment
Customer Information, Section 509(4) of GLBA: “‘personally identifiable financial information’ that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution.” 16 CFR 313.3(n)
Slide 45: What the %#!_& does that mean?
Slide 46: Assessment
Customer Information: 23 April 2003 note from the Coalition of Higher Education Assistance Organizations (COHEAO)
What kinds of transactions?
- Extensions of credit: yes
- Installment contracts: probably no, unless a loan with interest charged
- Stored-value cards: probably no
- Alumni credit cards: probably no
“If the school is not receiving individual customer account or activity information, only a funding stream, the activity is probably not covered”
Slide 47: Assessment
Which means... ? When the University/College acts like a bank and collects SSN, routing numbers, and/or savings/checking account numbers… GLBA applies.
But, for better or worse, GLBA has sometimes been implemented across the entire institution, and in some instances ignored completely.
Slide 48: Assessment
If you recall… GLBA requires “administrative, technical and physical safeguards”. Many institutions have failed to address the administrative and physical safeguards in the business offices:
- Ad-hoc & canned reports: shredding?
- Background checks: student workers?
- Departmental servers: hardened?
- Workstation security: screensaver passwords?
Slide 50: Current Events
2004: FTC nationwide GLBA compliance sweep of auto dealers and mortgage companies
- Sunbelt Lending Services, Inc.: agreed to a consent decree; compliant within 6 months; audited every other year for 10 years
- Nationwide Mortgage Group, Inc.: currently negotiating a decree
Slide 51: Current Events
- ChoicePoint & Lexis/Nexis breaches
- Federal legislation pending: require “data brokers” to notify consumers in the event of a breach
- San Jose Medical Group PC theft
- Sen. Feinstein: SSN Misuse Prevention Act, Notification Act, Privacy Act
Slide 52: “Inexpensive” Approaches
- Share this material with Financial Aid, Student Records, and H/R
- Trustees, Board or Presidential directive away from SSN
- ABWA: audit by walking around
- Training materials, in general & for financial aid staff; new employee orientation, annual reviews
Slide 53: “Inexpensive” Approaches
Download/share:
- ID Theft video clip, US Attorney’s Office, Central District CA: www.usdoj.gov/usao/cac/idtheft/idtheft.html
- ID Theft DVD, US Postal Inspectors: www.usps.com/postalinspectors/id_intro.htm
Slide 54: “Inexpensive” Approaches
Information Security Awareness
- US-CERT, www.us-cert.gov
- EDUCAUSE resources
- StaySafeOnline.info
- National Cyber Security Awareness Month (October)
Slide 55: GLBA @ 2
Discussion? Questions?
Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
mcarr@nebraska.edu