2 What GLBA really says, Who is doing what, and Compliance “on the cheap”. Michael G. Carr, JD, CISSP, Chief Information Security Officer, University of Nebraska

3 © University of Nebraska 2005. © Mike Carr (University of Nebraska). Unless noted, this work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

4 Agenda: Historical Review; Assessment (of the law, of collegial response); Current Events; “Inexpensive” Approaches

5 Historical Review: Gramm-Leach-Bliley Act of 1999. Removed banking restrictions; required privacy policy notices; required information security controls; applied to institutions of higher education.

6 Historical Review: Gramm-Leach-Bliley Act. Enacted in 1999; Senate: 90-8, House: . Then-Senator Phil Gramm (R-TX), Chair, US Senate Banking Committee; then-Representative Jim Leach (R-IA), Chair, House Financial Services Committee; then-Representative Tom Bliley (R-VA), Chair, FTC Commerce Committee.

7 Historical Review: The Great Depression. Crash: Oct 1929. By ’32: stock at 20¢ on the $1; 30% unemployment; 44% bank failures. (Image: Dorothea Lange’s Migrant Mother)

8 Historical Review: Franklin D. Roosevelt, 32nd President. Carried 42/48 states. 1st order: “Bank Holiday”, to restore confidence.

9 Historical Review: “…the only thing to fear is fear itself.” 1st Inaugural Address, March 4, 1933

10 Historical Review: New Deal – “alphabet soup” agencies. AAA: the Agricultural Adjustment Administration; FSA: the Farm Security Administration; CCC: the Civilian Conservation Corps; NRA: the National Recovery Act; NYA: the National Youth Administration; WPA: the Works Projects Administration; PWA: the Public Works Administration; SSA: the Social Security Administration; REA: the Rural Electrification Administration. Note: the FTC was already in existence (1914).

11 Historical Review: Banking Legislation. Glass-Steagall Act of 1933: limited commercial bank dealings; no collaboration with full-service brokerage firms; no participating in investment banking activities; goal: protect depositors. Bank Holding Act of 1956: no non-bank ownership.

12 Historical Review: 1995: EU Data Protection Directive (int’l data exchange; homeland privacy). 1997: Charter Pacific Bank sold credit cards to adult website. 1998: NationsBank shared customer data. 1999: US Bankcorp shared customer data in violation of own policy.

13 Historical Review: Glass-Steagall & Bank Holding Act repealed by the Financial Services Modernization Act of 1999. Signed by President Clinton; aka Gramm-Leach-Bliley Act or GLBA (P.L ); 15 USC §

14 Assessment: GLBA Goal: continued de-regulation; permit one-stop shopping; permit cross-selling; while providing consumer safeguards.

15 Assessment: 2 Main GLBA Provisions. Privacy Rule, 16 CFR Part 313: disclosure of privacy policy; “Opt-Out”. Safeguards Rule, 16 CFR Part 314: “comprehensive information security program”.

16 Assessment: GLBA “Audience”: Financial Institutions, i.e. organizations that are “significantly engaged” in providing financial svcs. Universities are included: “…significantly engaged in lending funds to consumers” (16 CFR Part 313.1).

17 Assessment: GLBA applies to Higher Ed, but… if compliant with FERPA (Family Educational Rights & Privacy Act of 1974), then compliant with the Privacy Rule (16 CFR Part 313.1).

18 Assessment: However… 16 CFR Part 314, the GLBA “Safeguarding Rules”, requires administrative, technical, and physical safeguarding of customer information. Compliance deadline: May 23, 2003.

23 Assessment: Without getting into a lot of detail… a written InfoSec program, appropriate to the size & complexity of the institution, the nature & scope of activities, and the sensitivity of customer info at issue. 16 CFR 314, Section A. Background

24 Assessment: Written Policy: then-existing policies and procedures may have been adequate; they might just have needed to be written down.

25 Assessment: One size does not fit all! “Appropriate” for me might not be “appropriate” for you. It depends…

26 Assessment: What most (many?) institutions did: wrote a Q&D (quick and dirty) info security plan; identified a Security Officer; tasked this “CISO” with GLBA compliance responsibility; went back to business as usual.

27 DISCLAIMER! Many Colleges and Universities implemented information security programs in good faith and have worked since to protect the confidentiality, integrity and availability of their “financial transaction” customers’ nonpublic personal information.

28 Assessment: Many (most?) consider GLBA to be an “I/T” thing: technical safeguards & risk assessment of “information systems”, of “detecting, preventing and responding to attacks, intrusions or other systems failures”. 16 CFR Elements (2) and (3)

29 Assessment: Some have… funded network vulnerability testing, or implemented firewalls, intrusion detection/prevention, encryption, “to identify reasonably foreseeable internal and external risks”; updated purchasing agreements, to “oversee service providers”.

30 Assessment: Some have… developed security awareness programs; incorporated infosec awareness into new employee orientation; used GLBA to justify stronger password requirements, reduced sign-on initiatives, and increased I/T budget.

31 Assessment: But if we look back… the FTC spelled out the 5 elements of GLBA; we get to decide what is “appropriate”.

32 Assessment: The 5 GLBA Elements: a) Infosec program coordinator; b) Identify risks; c) Safeguards to control the risks; d) Oversee service providers; e) Evaluate & adjust the program.

33 Assessment: How did these get interpreted? a) “Designate an employee or employees to coordinate your information security program.” 16 CFR (a). Appointed or hired someone to be the organization’s Information Security Officer (ISO).

34 Assessment: How did these get interpreted? b) “Identify reasonably foreseeable internal and external risks... that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise…” 16 CFR (b)

35 Assessment: How did these get interpreted? …assess the risk in: b)1. employee training & mgmt: orientation & awareness programs; b)2. information systems: maintain status quo; b)3. detecting, preventing & responding to attacks, intrusions…: pen testing, vulnerability assessments, self-scanning.

36 Assessment: How did these get interpreted? c) “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.” 16 CFR (c)

38 Assessment: How did these get interpreted? Firewalls; Intrusion detection systems (IDS); Intrusion prevention systems (IPS); Incident Response Procedures; Digital Forensics.

39 Assessment: How did these get interpreted? d) “Oversee Service Providers, by: 1) Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards… and 2) Requiring Service Providers by contract to implement & maintain such safeguards.” 16 CFR (d)

40 Assessment: How did these get interpreted? Additional contract verbiage; addendums to existing agreements.

41 Assessment: How did these get interpreted? e) “Evaluate and adjust your information security program in light of the results of the testing and monitoring…” 16 CFR (e). Maintain status quo.

42 Assessment: Are these interpretations good/bad? YES! In general, sound management & technical practices push us to implement agreements, firewalls, risk assessments, etc. However, GLBA customer information

43 Assessment: Customer Information: “…nonpublic personal information as defined in 16 CFR 313.3(n), about a customer..., whether in paper, electronic or other form….” 16 CFR 314.2(b)

44 Assessment: Customer Information: Section 509(4) of GLBA: “‘personally identifiable financial information’ that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution.” 16 CFR 313.3(n)

45 What the %#!_& does that mean?

46 Assessment: Customer Information: 23 April 2003 note from the Coalition of Higher Education Assistance Organizations (COHEAO). What kinds of transactions? Extensions of credit, yes; installment contracts, probably no, unless a loan with interest charged; stored-value cards, probably no; alumni credit cards, probably no. “If the school is not receiving individual customer account or activity information, only a funding stream, the activity is probably not covered”

47 Assessment: Which means...? When the University/College acts like a bank and collects SSN, routing numbers, and/or savings/checking account numbers, GLBA applies. But, for better or worse, GLBA has sometimes been implemented across the entire institution, and in some instances ignored completely.

48 Assessment: If you recall… GLBA requires “administrative, technical and physical safeguards”. Many institutions have failed to address the administrative and physical safeguards in the business offices: ad-hoc & canned reports (shredding?); background checks (student workers?); departmental servers (hardened?); workstation security (screensaver pswds?).

50 Current Events: 2004: FTC Nationwide GLBA Compliance Sweep of auto dealers and mortgage companies. Sunbelt Lending Services, Inc.: agreed to consent decree; compliant w/in 6 months; audit every other yr for 10 yrs. Nationwide Mortgage Group, Inc.: currently negotiating decree.

51 Current Events: Choicepoint & Lexis/Nexis breaches: federal legislation pending to require “data brokers” to notify consumers in the event of a breach. San Jose Medical Group PC theft. Sen. Feinstein: SSN Misuse Prevention Act, Notification Act, Privacy Act.

52 “Inexpensive” Approaches: Share this material with Financial Aid, Student Records, and H/R. Trustees, Board or Presidential directive away from SSN. ABWA (audit by walking around). Training materials, in general & for financial aid staff; new employee orientation, annual reviews.

53 “Inexpensive” Approaches: Download/share: ID Theft video clip (US Attorney’s Office, Central District CA); ID Theft DVD (US Postal Inspectors).

54 “Inexpensive” Approaches: Information Security Awareness: US-CERT; EDUCAUSE resources; StaySafeOnline.info; National Cyber Security Awareness Month (October).

55 Discussion? Questions? Michael G. Carr, JD, CISSP, Chief Information Security Officer, University of Nebraska

