The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

The Federal Financial Institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance. The FFIEC is charged with providing specific guidelines for evaluating institutions for compliance with GLBA, among other things. Enforcement falls to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). In collaboration, these agencies have developed a series of topical handbooks that provide guidance, address significant technology changes and incorporate a risk-based approach for IT practices in the financial industry.

As a critical technology service provider, Dell SecureWorks undergoes periodic examinations by the member agencies of the Federal Financial Institutions Examination Council (FFIEC), as well as annual Statement on Auditing Standard 70 (SAS-70) Type II audits.
| Section | Summary | Solutions |
|---|---|---|
| Security Process | Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees. | How does Dell SecureWorks Help? Dell SecureWorks' Security and Risk Consulting team can perform the risk analysis to determine the appropriate controls based on your organizational risk. Dell SecureWorks can provide consulting based on security and financial services experience and best practices to cover security program development and compliance architecture development. |
| Information Security Risk Assessment | Maintain an ongoing information security risk assessment program that considers assets, data and threats to prioritize risk. | How does Dell SecureWorks Help? These requirements mandate the need to create and maintain a risk-based assessment of your network that accounts for protected data and security assets. Using a risk-based methodology aligned with FFIEC requirements, Dell SecureWorks' Professional Services team can help you regularly audit your IT systems, track critical assets and protected data, and understand the impact of threats. |
| Information Security Strategy | Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies. | How does Dell SecureWorks Help? These requirements mandate having minimum security management controls in place. Dell SecureWorks' Professional Services team can evaluate your security management controls, identify gaps in your security management program and make recommendations for addressing any deficiencies. We can also assess your security program to determine whether mandated security policies are being followed in practice. |
| Security Controls Implementation | Establish security controls to: | How does Dell SecureWorks Help? Dell SecureWorks Managed Firewall & VPN, Managed NIPS/NIDS, and Managed HIPS services all contribute to protecting against internal and external threats through access control and malicious code protection. These services also provide full lifecycle device management, including change and configuration management. All changes are tracked and documented within the Dell SecureWorks Portal, allowing you to easily demonstrate compliance with change control policies and procedures. |
| Security Monitoring | Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration and other conditions that increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report and guide responses to security events, and respond to intrusions and other security events and weaknesses. | How does Dell SecureWorks Help? Dell SecureWorks Security Monitoring, SIM On-Demand Service, and Security Management Services (IPS/IDS, Firewall and Host IPS) monitor network and host activity to identify and provide first-line response to security incidents. We also provide unlimited remote incident response support from our certified security professionals. Within the Dell SecureWorks Portal, incidents are fully documented from identification to closure for tracking and audit purposes. Dell SecureWorks Professional Services can also help you develop FFIEC-compliant procedures for responding to incidents and reporting them. Dell SecureWorks can also review your existing incident response procedures for compliance with GLBA requirements and industry best practices. |
| Security Process Monitoring and Updating | Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls. | How does Dell SecureWorks Help? Dell SecureWorks' Professional Services can help you meet this requirement by conducting periodic vulnerability assessments and web application assessments of your environment. Dell SecureWorks' Vulnerability Scanning service provides you with the ability to conduct periodic scans of your infrastructure to identify any potential vulnerabilities or out-of-date systems. Dell SecureWorks' CTU Intelligence service provides you with new vulnerability and threat alerts tailored to your environment, which keeps your team on top of any new patches relevant to your systems. With both the Scanning and Intelligence services, you will gain access to the Dell SecureWorks Portal to generate on-demand reports to demonstrate compliance. The Dell SecureWorks Portal also provides automated reporting specific to FFIEC regulations at the board, executive and administrator levels. |
Next Steps

Call Us Today (877) 838-7947