GrammLeachBliley ACT

1
Gramm-Leach-Bliley ACT
2

• Under the GLBA Act the NCUA and FDIC are required
  to establish appropriate standards
• for the credit unions relating to the

3

• Administrative
• Technical
• Physical
• Safeguards for the members records and
  information

4

• These safeguards are intended to
• Insure the security and confidentiality of member
  records and information
• Protect against any anticipated threats or
  hazards to the security or integrity of such
  records and
• Protect against unauthorized access to or use of
  such records or information that could result in
  substantial harm or inconvenience to any member.

5

• So what does this mean to the Credit Union?

6

• Revision to your existing
• Information Security Programs to include

7

• Assign Oversight responsibilities to the Board of
  Directors.
• Identify and assess the risks that may threaten
  your membership information.
• Develop policies and procedures to manage and
  control these risks

8

• Implement and test the Information Security
  plans.
• Review process in place to adjust the plan on a
  continuing basis to account for changes in
  technology, the sensitivity of membership
  information and the internal threats to
  information security.

9

• Todays Focus
• Identify and assess the risks that may threaten
  your membership information

10

• GLBA Risk Assessment
• 20 Steps to perform!

11

• Step 1
• Identify each business process
• Membership and employee related

12

• Some Examples
• New Member Accounts
• ACH enrollment
• ACH transactions
• ACH returns
• Employee payroll
• Employee benefit records
• 1098's (Federal) Mortgage Interest Paid
• Credit and Disability Insurance Claims

13

• Step 2
• Identify all related vendors

14

• Step 3
• Identify owner of the business process including
  the department

15

• Step 4
• Identify all membership or confidential
  information shared during the process

16

• Some Examples
• Name
• Account
• Date of birth
• Social
• Salary information
• Financial information
• Tax information

17

• Some Examples Continued
• Employee Payroll
• Settlement information

18

• Step 5
• Identify if information is non-sensitive or
  sensitive

19

• Non-sensitive is classified as
• Information designed to be available for public
  use, such as published annual reports, marketing
  material, etc.

20

• Sensitive is classified as
• Confidential - information (with extremely high
  impact to the financial institution if disclosed)
  concerned with such activities as strategic
  planning, product development, marketing
  strategy, financial forecasts and results. All
  information addressing vulnerabilities, such as
  audits and security incident reports, is
  considered Confidential.

21

• Sensitive is classified as
• Restricted - information (with high impact to the
  financial institution if disclosed) of a personal
  nature about staff or members, which the
  financial institution, as custodian of that
  information, is obligated to protect. This
  classification also includes production data and
  software.

22

• Sensitive is classified as
• Internal Use - information (with medium impact to
  the credit union if disclosed) commonly shared
  within the credit union, including operating
  procedures, policies, interoffice memorandums and
  the Internal Directory.

23

• Step 6
• Identify method of collection for each business
  process
• ACH enrollment
• ACH transaction processing
• ACH returns

24

• Examples of method of collections
• On-line applications
• Walk-ins
• Phone
• Fax

25

• Step 7
• List the formats the data is in and how it is
  transmitted or transported.

26

• Examples of formats, and the transmission or
  transportation method
• Encrypted file sent via standard email
• Unencrypted file sent via standard email
• Hardcopy delivered via credit union employee
• Media tape delivered via third party courier
• Electronic file sent via FTP to a secured website

27

• Step 8
• For each format identified, how long is it
  retained and where.
• Need to ask yourself where does this information
  ultimately end up???

28

• Examples of formats and retention location
• Loan files secured in locked cabinet for 7 years
• Unencrypted file retained on public file server
• Reports scanned to Optical or cold storage
• Hardcopy applications retained in off-site
  storage
• Media tape at DR Hot-sites

29

• Step 9 Who internally needs access as part of
  their job and who in fact has access?
• List the various ways in which the information
  can be accessed

30

• Step 10 Is access to data restricted?

31

• Step 11 Identify any third parties who provide
  the initial information or receive the end
  product
• Identify any third parties who provide the
  initial information or receive the end product
• Describe how and why this information is shared

32

• Examples of vendors with initial data
• FINCEN
• OFAC
• Credit Bureaus

33

• Examples of vendors who end up with data
• Service Bureau
• Credit Bureaus
• Marketing firms
• State and Federal agencies
• Insurance companies

34

• Step 12 Identify how this information is
  disposed of
• Identify how the information is disposed of by
  the credit union or related vendors

35

• We have have Identified
• WHO, WHAT, WHERE

36

• Using the information
• we have collected we next identify
• The Risks

37

• Step 13 Identify the level of risk based on the
  membership or confidential information involved
• First focus on high to medium risks

38

• Step 14 Identify the possible internal threats

39

• Examples of internal threats
• cleaning crews have access to information in desk
  drawers
• employee loss of flash drive, floppy or CD
• employees unaware of the security policies
• internal email
• public accessible areas
• related software manual is left in the open
• disgruntled employees

40

• Step 15 Identify the possible external threats

41

• Examples of external threats
• data processor employees
• Fed-Ex mishandling
• hackers
• intercepted via standard email
• Internet
• loan collection agents
• remote access

42

• Step 16 Assign a probability rating to each
  threat identified
• High
• Medium
• Low

43

• Step 17 Identify the type risk the threat may
  trigger
• Reputation
• Financial
• Technological
• Strategic

44

• Identified the threats, probability and possible
  risks
• Next step..

45

• Step 18 Identify the access controls in place

46

• Examples of access controls
• Logins and passwords
• Physical security
• File room access log in place
• Encrypted files
• Employee access termination procedures in place
  and documented

47

• Step 19 Identify the vendor oversight in place
• SAS70
• Privacy document
• Security Policy
• Incident Response
• Disposal Policy

48

• Step 20 Assign an overall rating taking into
  consideration
• Level of membership/confidential information
  shared
• Formats
• Retention
• Access levels
• Threats
• Existing Controls
• Vendor Oversight

49

• Step 20 Assign an overall rating taking into
  consideration
• High
• Medium
• Low

50

• THANK YOU

51

• Buckley Technology Group
• Kris Buckley, President
• www.buckleytechgroup.com
• 781.258.0618