GLBA/FFIEC Compliance Solutions
Financial Services Regulation
Financial services regulations on information security, initiated by the Gramm-Leach-Bliley Act (GLBA), require financial institutions in the United States to create an information security program to:
|
As a critical technology service provider, SecureWorks undergoes periodic examinations by the member agencies of the Federal Financial Institutions Examination Council (FFIEC), as well as annual Statement on Auditing Standard 70 (SAS-70) Type II audits.
|
- "Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."
The Federal Financial Institutions Examination Council (FFIEC) has supported this mission by providing extensive, evolving guidelines for compliance. These are collected in the FFIEC IT Examination Handbook (html version; pdf version), as well as updates issued by the five enforcing agencies.
Who's in Charge
The Financial Services Modernization Act, a.k.a. the Gramm-Leach-Bliley Act (GLBA) of 1999, first established a requirement to protect consumer financial information. The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for evaluating institutions for compliance with GLBA (among other things). Enforcement falls to five agencies, the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Different agencies may have additional requirements, such as this recent FDIC directive.
SecureWorks supports GLBA/FFIEC compliance in the following ways:
|
Section
|
Summary
|
Solutions
|
|
Security Process
|
Implement an ongoing security process and institute appropriate governance for the security function, assigning clear and appropriate roles and responsibilities to the board of directors, management and employees.
|
How does SecureWorks Help?
SecureWorks' Security and Risk Consulting team can perform the risk analysis to determine the appropriate controls based on your organizational risk.
SecureWorks can provide consulting based on security and financial services experience and best practices to cover security program development and compliance architecture development.
- Security and Risk Consulting, including Corporate Information Security Program Development, Policies, Standards, and Security Baseline development, and Enterprise Security Architecture and Standards Development
|
|
Information Security Risk Assessment
|
Maintain an ongoing information security risk assessment program that considers assets, data, threats to prioritize risk.
|
How does SecureWorks Help?
These requirements mandate the need to create and maintain a risk-based assessment of your network that accounts for protected data and security assets.
Using a risk-based methodology aligned with FFIEC requirements, SecureWorks’ Professional Services team can help you regularly audit your IT systems, track critical assets and protected data and understand the impact of threats.
- Security and Risk Consulting including Enterprise Risk Assessment and Analysis
|
|
Information Security Strategy
|
Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include controls, processes and policies.
|
How does SecureWorks Help?
These requirements mandate having minimum security management controls in place.
SecureWorks’ Professional Services team can evaluate your security management controls, identify gaps in your security management program and make recommendations for addressing any deficiencies. We can also assess your security program to determine if mandated security policies are being followed in practice.
- Security and Risk Consulting including Corporate Information Security Program Development and Enterprise Security Architecture and Standards Development
|
|
Security Controls Implementation
- Access Control
- Physical and Environmental Protection
- Encryption
- Malicious Code Prevention
- Systems Development, Acquisition, and Maintenance
- Personnel Security
- Data Security
- Service Provider Oversight
- Business Continuity Considerations
- Insurance
|
Establish security controls to:
- Restrict access to authorized individuals and devices and to disallow access to all others.
- Define physical security zones and implement appropriate preventative and detective controls in each zone.
- Employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.
- Protect against the risk of malicious code by implementing appropriate controls at the host and network level
- Ensure that systems are developed, acquired and maintained with appropriate security controls.
- Mitigate the risks posed by internal users
- Control and protect access to paper, film and computer-based media to avoid loss or damage.
- Exercise their security responsibilities for outsourced operations
- Provide for business continuity and disaster recovery
- Evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.
|
|
|
Security Monitoring
|
Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by monitoring network and host activity to identify policy violations, anomalous behavior, unauthorized configuration and other conditions which increase the risk of intrusion or other security events. They should also analyze the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and responding to intrusions and other security events and weaknesses.
|
How does SecureWorks Help?
SecureWorks Security Monitoring, SIM On-Demand Service, and Security Management Services (IPS/IDS, Firewall and Host IPS) monitor network and host activity to identify and provide first line response to security incidents. We also provide unlimited remote incident response support from our certified security professionals. Within the SecureWorks Portal, incidents are fully documented from identification to closure for tracking and audit purposes.
SecureWorks Professional Services can also help you develop FFIEC-compliant procedures for responding to incidents and reporting them. SecureWorks can also review your existing incident response procedures for compliance with GLBA requirements and industry best practices.
- Log Monitoring
- SIEM
- Managed Firewall & VPN
- Managed Intrusion Prevention and Detection
- Managed HIPS
- Security and Risk Consulting including GLBA Compliance and Incident Response Program Development
|
|
Security Process Monitoring and Updating
|
Financial institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should then use that information to update the risk assessment, strategy, and implemented controls.
|
How does SecureWorks Help?
SecureWorks' Professional Services can help you meet this requirement by conducting periodic vulnerability assessments to ensure the security of your environment and to perform web application assessments.
SecureWorks' Vulnerability Scanning service provides you with the ability to conduct periodic scans of your infrastructure to identify any potential vulnerabilities or out-of-date systems. SecureWorks' Threat Intelligence service provides you with new vulnerability and threat alerts tailored to your environment, which keeps your team on top of any new patches relevant to your systems. With both the Scanning and Intelligence services, you will gain access to the SecureWorks Portal to generate on-demand reports to demonstrate compliance.
The SecureWorks Portal also provides automated reporting specific to FFIEC regulations at the board, executive and administrator levels.
- Vulnerability Scanning
- Threat Intelligence
- Security and Risk Consulting including Penetration Testing and Web Application Testing
|
Global
