iVolution Security Technologies
 


Penetration Testing and The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Reform Act of 1999, requires financial institutions to establish administrative, technical, and physical information safeguards to ensure the confidentiality and integrity of customer records and information.

To comply with the GLB mandate, organizations that are significantly engaged in financial activities are required to identify and assess security risks. They are also required to plan and implement security solutions to protect sensitive information, as well as establish measures to monitor and manage security systems.

Penetration testing with iVOLUTION Security assists you in complying with the components of GLBA Title V, Section 501(b).

Section 501(b) of GLBA established the high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued its Final Rule (16 CFR Part 314) in May 2002. This section focuses on customer protections.

The key elements of the regulation, as they relate to information security, are:

  • Protect the security and confidentiality of customers' nonpublic personal information
  • Institute administrative, technical, and physical safeguards
  • Protect against anticipated threats and hazards to information security
  • Protect against unauthorized access to, or use of, information

A further objective is to establish a continuous risk-based information security program with:

  • Board oversight
  • Assessment of threats and vulnerabilities
  • Risk management and controls
  • Training and testing
  • Vendor oversight
  • Monitoring, auditing, adjusting, and reporting

Penalties for non-compliance include fines to institutions of up to $100,000 per violation. Officers and directors of institutions in violation of GLBA can face fines of up to $10,000 per violation, as well as up to five years in prison, and the revocation of professional licenses.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group