As part of the updated Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, required by the Federal Trade Commission (FTC), organizations must “designate a Qualified Individual (QI) to implement and supervise your company’s information security program.”
The rule continues to explain that “the Qualified Individual may be employed by you, an affiliate, or a service provider.” There’s no strict requirement for a specific degree or title, however, practical experience tailored to your organization’s specific needs is key.
It’s worth noting that the new requirement explicitly states using a third-party service provider to manage your InfoSec program does not release you of responsibility. Even if a service provider is enlisted to implement and oversee the program, ultimate accountability lies with your organization. It’s crucial to assign a senior employee to supervise the service provider. If the QI is from an affiliate or service provider, they must adhere to your business’s information security standards.
We’ve outlined several key qualities conducive to successful performance in the role. When selecting a QI, prioritize someone who:
- Possesses a comprehensive understanding of the GLBA regulations, including its various provisions regarding consumer financial privacy and safeguarding sensitive information.
- Has experience working within the financial services industry or dealing with financial data.
- Holds an unbiased approach and is adept at working collaboratively in a cross-functional team environment.
- Retains deep knowledge of data security best practices, including encryption, access controls, and risk assessment methodologies.
- Finds compromise in difficult situations.
- Demonstrates effective communication skills for conveying compliance requirements to relevant stakeholders within the organization.
- Has a strong understanding of both the IT and business needs.
- Is able to make risk-based decisions for the organization.
- Can conduct internal audits and monitor systems to ensure ongoing compliance with GLBA regulations.
- Displays a willingness to stay updated on industry trends, new regulations, and emerging technologies relevant to GLBA compliance.
- Maintains strong problem-solving abilities to address compliance issues, respond to security incidents, and implement corrective actions promptly.
- Represents the organization during an audit or data breach.
- Prioritizes confidentiality, honesty, and compliance with ethical standards.
- Is aware of legal and regulatory compliance and privacy requirements at the state and federal levels so they can interpret and apply GLBA requirements accurately.
Oftentimes, the Chief Information Security Officer (CISO), Information Security Officer (ISO), or Privacy Officer are the most suitable candidates to fulfill the role of QI. These positions are adept at overseeing GLBA requirements and assuming the overarching responsibility for the organization’s Information Security program, a task demanding full-time dedication in most cases.
In our GLBA assessments, we frequently advise against appointing the Chief Information Officer (CIO) as the QI. This decision stems from the CIO’s primary focus on the broader strategic aspects of the business, rather than involvement in day-to-day operations. Additionally, the demands of the CIO role may not accommodate additional responsibilities, particularly the significant task of overseeing the organization’s InfoSec program and its various components.
Watch our video to learn more about the updates to the GLBA Safeguards Rule and find more guidance on our GLBA playlist on YouTube. We also offer GLBA Awareness training for your staff and loads of GLBA content on our Insights page. Contact us if you have any questions or if you need assistance with your GLBA compliance.
