GLBA/FFIEC Compliance Solutions

Financial Services Regulation

GLBA, FFIEC and the protection of consumer financial information

Financial services regulations on information security, initiated by the Gramm-Leach-Bliley Act (GLBA), require financial institutions in the United States to create an information security program to:

As a critical technology service provider, SecureWorks undergoes periodic examinations by the member agencies of the Federal Financial Institutions Examination Council (FFIEC), as well as annual Statement on Auditing Standard 70 (SAS-70) Type II audits.

"Ensure the security and confidentiality of customer information;
Protect against any anticipated threats or hazards to the security or integrity of such information; and
Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."

The Federal Financial Institutions Examination Council (FFIEC) has supported this mission by providing extensive, evolving guidelines for compliance. These are collected in the FFIEC IT Examination Handbook (html version; pdf version), as well as updates issued by the five enforcing agencies.

Who's in Charge
The Financial Services Modernization Act, a.k.a. the Gramm-Leach-Bliley Act (GLBA) of 1999, first established a requirement to protect consumer financial information. The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for evaluating institutions for compliance with GLBA (among other things). Enforcement falls to five agencies, the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Different agencies may have additional requirements, such as this recent FDIC directive.

SecureWorks supports GLBA/FFIEC compliance in the following ways:

Section	Summary	Solutions
Security Process	Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees.	How does SecureWorks Help? SecureWorks' Professional Services team can perform the risk analysis to determine the appropriate controls based on your organizational risk. SecureWorks can provide consulting based on security and financial services experience and best practices to cover security program development and compliance architecture development. Professional Services, including Corporate Information Security Program Development, Policies, Standards, and Security Baseline development, and Enterprise Security Architecture and Standards Development
Information Security Risk Assessment	Maintain an ongoing information security risk assessment program that considers assets, data, threats to prioritize risk.	How does SecureWorks Help? These requirements mandate the need to create and maintain a risk-based assessment of your network that accounts for protected data and security assets. Using a risk-based methodology aligned with FFIEC requirements, SecureWorks’ Professional Services team can help you regularly audit your IT systems, track critical assets and protected data and understand the impact of threats. Professional Services including Enterprise Risk Assessment and Analysis
Information Security Strategy	Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies.	How does SecureWorks Help? These requirements mandate having minimum security management controls in place. SecureWorks’ Professional Services team can evaluate your security management controls, identify gaps in your security management program and make recommendations for addressing any deficiencies. We can also assess your security program to determine if mandated security policies are being followed in practice. Professional Services including Corporate Information Security Program Development and Enterprise Security Architecture and Standards Development
Security Controls Implementation Access Control Physical and Environmental Protection Encryption Malicious Code Prevention Systems Development, Acquisition, and Maintenance Personnel Security Data Security Service Provider Oversight Business Continuity Considerations Insurance	Establish security controls to: Restrict access to authorized individuals and devices and to disallow access to all others. Define physical security zones and implement appropriate preventative and detective controls in each zone. Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Protect against the risk of malicious code by implementing appropriate controls at the host and network level Ensure that systems are developed, acquired and maintained with appropriate security controls. Mitigate the risks posed by internal users Control and protect access to paper, film and computer-based media to avoid loss or damage. Exercise their security responsibilities for outsourced operations Provide for business continuity and disaster recovery Evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.	How does SecureWorks Help? SecureWorks Managed Firewall & VPN, Managed NIPS/NIDS, and Managed HIPS services all contribute to protecting against internal and external threats through access control and malicious code protection. These services also provide full lifecycle device management, including change and configuration management. All changes are tracked and documented within the SecureWorks Portal, allowing you to easily demonstrate compliance with change control policies and procedures. Managed Firewall & VPN Managed Intrusion Prevention and Detection Managed HIPS Encrypted Email Professional Services including Policies, Standards, and Security Baseline development and Security Awareness program development
Security Monitoring	Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration and other conditions which increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and responding to intrusions and other security events and weaknesses.	How does SecureWorks Help? SecureWorks Security Monitoring, SIM On-Demand Service, and Security Management Services (IPS/IDS, Firewall and Host IPS) monitor network and host activity to identify and provide first line response to security incidents. We also provide unlimited remote incident response support from our certified security professionals. Within the SecureWorks Portal, incidents are fully documented from identification to closure for tracking and audit purposes. SecureWorks Professional Services can also help you develop FFIEC-compliant procedures for responding to incidents and reporting them. SecureWorks can also review your existing incident response procedures for compliance with GLBA requirements and industry best practices. Log Monitoring SIEM Managed Firewall & VPN Managed Intrusion Prevention and Detection Managed HIPS Professional Services including GLBA Compliance and Incident Response Program Development
Security Process Monitoring and Updating	Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.	How does SecureWorks Help? SecureWorks' Professional Services can help you meet this requirement by conducting periodic vulnerability assessments to ensure the security of your environment and to perform web application assessments. SecureWorks' Vulnerability Scanning service provides you with the ability to conduct periodic scans of your infrastructure to identify any potential vulnerabilities or out-of-date systems. SecureWorks' Threat Intelligence service provides you with new vulnerability and threat alerts tailored to your environment, which keeps your team on top of any new patches relevant to your systems. With both the Scanning and Intelligence services, you will gain access to the SecureWorks Portal to generate on-demand reports to demonstrate compliance. The SecureWorks Portal also provides automated reporting specific to FFIEC regulations at the board, executive and administrator levels. Vulnerability Scanning Threat Intelligence Professional Services including Penetration Testing and Web Application Testing

*First Name:
*Last Name:
*Company:
*Telephone:
*Email:
*Country:
*State/Province:

GLBA/FFIEC Compliance Solutions

Financial Services Regulation

GLBA, FFIEC and the protection of consumer financial information

SecureWorks supports GLBA/FFIEC compliance in the following ways:

Next Steps

Past Webcasts >>

SecureWorks News >>

Press Releases >>

Threats >>

Online Tools

Info Request

Join Newsletter

Next Steps
	Request More Information Now
	Call Us Today 877-905-6661