GLBA/FFIEC | Dell SecureWorks

GLBA/FFIEC

Financial Services Regulation

The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

As a critical technology service provider, Dell SecureWorks undergoes periodic examinations by the member agencies of the Federal Financial Institutions Examination Council (FFIEC), as well as annual Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Type II audits.

The Federal Financial Institutions Examination Council (FFIEC) supports this mission by publishing extensive, evolving guidance on how examiners evaluate institutions for compliance with GLBA, among other things. Examination and enforcement fall to the FFIEC's member agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). (The OTS was merged into the OCC in 2011 under the Dodd-Frank Act, and the Consumer Financial Protection Bureau has since joined the council.) In collaboration, these agencies have developed a series of topical handbooks, the FFIEC IT Examination Handbook, that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry. The sections below follow the structure of its Information Security booklet.

Dell SecureWorks supports GLBA/FFIEC compliance in the following ways:

Each entry below gives the handbook section, a summary of what it requires, and the Dell SecureWorks solutions that address it.

Security Process

Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees.

    How does Dell SecureWorks Help?

  • Security and Risk Consulting, including Corporate Information Security Program Development, Policies, Standards and Security Baseline Development, and Enterprise Security Architecture and Standards Development

Information Security Risk Assessment

Maintain an ongoing information security risk assessment program that considers assets, data and threats to prioritize risk.

    How does Dell SecureWorks Help?

  • Security and Risk Consulting including Enterprise Risk Assessment and Analysis

Information Security Strategy

Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies.

    How does Dell SecureWorks Help?

  • Security and Risk Consulting including Corporate Information Security Program Development and Enterprise Security Architecture and Standards Development

Security Controls Implementation

Establish security controls in each of the following areas:

  • Access Control: Restrict access to authorized individuals and devices and disallow access to all others.
  • Physical and Environmental Protection: Define physical security zones and implement appropriate preventive and detective controls in each zone.
  • Encryption: Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit.
  • Malicious Code Prevention: Protect against the risk of malicious code by implementing appropriate controls at the host and network level.
  • Systems Development, Acquisition, and Maintenance: Ensure that systems are developed, acquired and maintained with appropriate security controls.
  • Personnel Security: Mitigate the risks posed by internal users.
  • Data Security: Control and protect access to paper, film and computer-based media to avoid loss or damage.
  • Service Provider Oversight: Exercise the institution's security responsibilities for outsourced operations.
  • Business Continuity Considerations: Provide for business continuity and disaster recovery.
  • Insurance: Evaluate the extent and availability of coverage in relation to the specific risks the institution is seeking to mitigate.

Security Monitoring

Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration changes and other conditions that increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report and guide responses to security events, and respond to intrusions and other security events and weaknesses.

    How does Dell SecureWorks Help?

  • Log Monitoring
  • SIEM
  • Managed Firewall & VPN
  • Managed Intrusion Prevention and Detection
  • Managed HIPS
  • Security and Risk Consulting including GLBA Compliance and Incident Response Program Development

Security Process Monitoring and Updating

Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or on others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, the strategy and the implemented controls.

    How does Dell SecureWorks Help?

  • Vulnerability Scanning
  • CTU Intelligence
  • Security and Risk Consulting including Penetration Testing and Web Application Testing

Next Steps

Call Us Today
US: (877) 838-7947
UK: +44 131 260 3044
