GLBA Safeguards Rule: Penetration Testing Requirements

Article GLBA
GLBA Safeguards Rule Penetration Testing


With the new FTC Safeguards Rule requirements that took effect June 9, 2023, there are more stringent testing requirements defined. The original rule required financial institutions to periodically monitor or test the effectiveness of their safeguards. The revised rule specifically states that the testing process must either deploy continuous monitoring of the implemented safeguards or include annual penetration testing and bi-annual vulnerability scanning.

Most organizations will no longer be able to rely on automated system checks or basic vulnerability scans, but will now be required to perform penetration testing on all in-scope systems to confirm security safeguards are doing what they have been designed to do.

Vulnerability assessments or scans will look for known vulnerabilities across your networks and applications. Penetration testing, as defined in the final rule, means a “test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.” The testers will simulate manual, real-world attacks on the institution’s systems to determine if any identified vulnerabilities can be exploited, and if so, could attackers gain access to sensitive information or move laterally across the organization’s networks.

Any systems storing or transmitting Non-Public Personal Information (NPI) collected as part of a financial service (i.e., sensitive financial student loan information) will need to have internal and external testing performed to ensure GLBA data cannot be compromised. The new rule does not include social engineering as part of the definition, but phishing tests, password audits, etc. can also be good information security tools to ensure users are adhering to what is being communicated to them via training and organizational procedures.

If your organization is currently working to meet the new requirements of the Safeguards Rule, you know the first step is to accurately identify and define your GLBA scope. Once you have an understanding of what systems and applications are used for accessing, storing, or transmitting NPI, the penetration testing team can review this attack surface to determine the level of effort needed to perform both internal and external testing for the identified systems.

Once testing is complete, your organization will have a comprehensive report outlining any exploited vulnerabilities, steps to reproduce the attacks, and actions that can be taken to effectively remediate and shore up your defenses. The goal of penetration testing is for your organization to understand the gaps that may exist in your environment before the bad guys find them, and allow your team to prioritize resources and plan accordingly to remediate any higher-risk findings.

If you have questions regarding how to effectively scope your GLBA environments and allocate appropriate resources for penetration testing, please don’t hesitate to reach out to us.

Additional feedback from our RedLens InfoSec Manager:

[Wheeler]: Although the GLBA Safeguards Rule isn’t as descriptive as some other compliance frameworks are with regard to penetration testing, one thing is clear: an external and internal penetration test is required at least annually (if continuous monitoring is not utilized). The other thing they are clear on is that penetration testing must be performed by an assessor, meaning a human being. Terms like “automated pen testing” and “AI pen testing” have made their way into the InfoSec community in recent years, likely to try to find efficiencies and save money. I would argue that these technologies have a long way to go before being considered as a replacement for the actual, hands-on, manual work of a penetration tester. We all use tools to assist with testing, but we must not rely solely on them. It is the knowledge and experience of a penetration tester that can identify and chain things together to successfully exploit a system or retrieve sensitive data that should have been protected. When considering a firm for penetration testing, ask them how they perform the tests, how much automation is used, and what experience their testers have. The old saying “you get what you pay for” is so true, even in the InfoSec community.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.