Updated GLBA Safeguards Rule

Infographic GLBA
Passwords Rules

 

Although organizations still have the flexibility to design their information security programs with relation to the size/complexity of their institutions and the sensitivity of the customer information, the more prescriptive requirements of the updated Safeguards Rule may have an impact on programs that had been previously considered compliant. Updates to the Safeguards Rule include:

Written Information Security Program

A comprehensive, written program that includes administrative, technical, and physical safeguards as appropriate to the institution’s size and complexity, and the sensitivity of the customer information being handled.

Designation of a Qualified Individual

An individual appointed to oversee, implement, and enforce the information security program.

Written Reports to the Board of Directors

At least annually, the Qualified Individual must create a written report outlining the overall status of the information security program and submit it to the board of directors.

Periodic Risk Assessments

Requirements for performing documented risk assessments, evaluating and categorizing security risks and threats, assessing the confidentiality, integrity, and availability of the institution’s information systems and customer information, and requirements for mitigating or accepting identified risks.

Data Inventorying and Classification

Identify and manage customer data and identify all systems on which that data is collected, stored, or transmitted.

Access/Authentication Controls

Implement, and periodically review, access and authentication controls to limit access by unauthorized individuals and prevent unauthorized access.

System Monitoring

Procedures to monitor and log the activity of authorized users and detect unauthorized access or use of customer information.

Data Retention and Disposal

Secure disposal of customer information no later than 2 years after the last date of use unless retention is necessary for a legitimate business purpose.

Encryption of Customer Information at Rest and in Transit

Organizations can still adopt effective compensating controls if they are unable to implement encryption that can sufficiently prevent the deciphering of information in most circumstances.

Multifactor Authentication

MFA must be implemented for any individual accessing systems that contain customer information, for both internal and external users accessing the system.

Penetration Testing and Vulnerability Scanning

Requirements to perform annual penetration testing and bi-annual vulnerability scanning for those systems that contain customer information or are connected to systems that contain customer information.

Secure Development Practices

Adopt secure development practices for in-house developed applications used for transmitting, accessing, or storing customer information, and implement requirements for evaluating and testing the security of externally developed applications when third-party applications are used to handle customer information.

Change Management Procedures

Requirement to develop procedures to assess the security of devices, networks, or other systems added to the environment, or the effect of removing such items or otherwise modifying the information systems.

Incident Response Plan (IRP)

Development of a written IRP that addresses internal response processes, clearly defined roles and responsibilities, as well as decision-making authority, external and internal communications, and the evaluation and revision of the IRP following a security event, and specifically called out ransomware attacks.

Employee Training

Provide personnel with security awareness training that has been updated to reflect the evolving risks identified by the risk assessment.

Vendor Management

Institutions must take “reasonable” steps to ensure vendors maintain proper safeguards: have appropriate contract language in place to ensure all third-party service providers have instituted such safeguards, and periodically evaluate selected providers on the adequacy of their safeguards based on perceived risk.

Reach out to CampusGuard to assist with your GLBA Compliance Program.

GLBA Safeguards
GLBA Safeguards
GLBA Safeguards

Share

About the Author
Kathy Staples

Kathy Staples

Marketing Manager

Kathy Staples has over 20 years of experience in digital marketing, with special focus on corporate marketing initiatives and serving as an account manager for many Fortune 500 clients. As CampusGuard's Marketing Manager, Kathy's main objectives are to drive the company's brand awareness and marketing strategies while strengthening our partnerships with higher education institutions and organizations. Her marketing skills encompass multiple digital marketing initiatives, including campaign development, website management, SEO optimization, and content, email, and social media marketing.

Related Content