GrammLeachBliley ACT - PowerPoint PPT Presentation

Provided by: kristina79
Slides: 52

Transcript and Presenter's Notes

1
Gramm-Leach-Bliley ACT
2
  • Under the GLBA, the NCUA and FDIC are required
    to establish appropriate standards for credit
    unions relating to the

3
  • Administrative
  • Technical
  • Physical
  • Safeguards for the members' records and
    information

4
  • These safeguards are intended to
  • Ensure the security and confidentiality of member
    records and information
  • Protect against any anticipated threats or
    hazards to the security or integrity of such
    records and
  • Protect against unauthorized access to or use of
    such records or information that could result in
    substantial harm or inconvenience to any member.

5
  • So what does this mean to the Credit Union?

6
  • Revision of your existing Information Security
    Program to include:

7
  • Assign Oversight responsibilities to the Board of
    Directors.
  • Identify and assess the risks that may threaten
    your membership information.
  • Develop policies and procedures to manage and
    control these risks

8
  • Implement and test the Information Security
    plans.
  • Put a review process in place to adjust the plan
    on a continuing basis to account for changes in
    technology, the sensitivity of membership
    information and the internal threats to
    information security.

9
  • Today's Focus
  • Identify and assess the risks that may threaten
    your membership information

10
  • GLBA Risk Assessment
  • 20 Steps to perform!

11
  • Step 1
  • Identify each business process
    (membership-related and employee-related)

12
  • Some Examples
  • New Member Accounts
  • ACH enrollment
  • ACH transactions
  • ACH returns
  • Employee payroll
  • Employee benefit records
  • Form 1098 (federal) mortgage interest paid
  • Credit and Disability Insurance Claims

13
  • Step 2
  • Identify all related vendors

14
  • Step 3
  • Identify owner of the business process including
    the department

15
  • Step 4
  • Identify all membership or confidential
    information shared during the process

16
  • Some Examples
  • Name
  • Account
  • Date of birth
  • Social Security number
  • Salary information
  • Financial information
  • Tax information

17
  • Some Examples Continued
  • Employee Payroll
  • Settlement information

18
  • Step 5
  • Identify whether the information is non-sensitive
    or sensitive

19
  • Non-sensitive is classified as
  • Information designed to be available for public
    use, such as published annual reports, marketing
    material, etc.

20
  • Sensitive is classified as
  • Confidential - information (with extremely high
    impact to the financial institution if disclosed)
    concerned with such activities as strategic
    planning, product development, marketing
    strategy, financial forecasts and results. All
    information addressing vulnerabilities, such as
    audits and security incident reports, is
    considered Confidential.

21
  • Sensitive is classified as
  • Restricted - information (with high impact to the
    financial institution if disclosed) of a personal
    nature about staff or members, which the
    financial institution, as custodian of that
    information, is obligated to protect. This
    classification also includes production data and
    software.

22
  • Sensitive is classified as
  • Internal Use - information (with medium impact to
    the credit union if disclosed) commonly shared
    within the credit union, including operating
    procedures, policies, interoffice memorandums and
    the Internal Directory.

23
  • Step 6
  • Identify method of collection for each business
    process
  • ACH enrollment
  • ACH transaction processing
  • ACH returns

24
  • Examples of collection methods
  • On-line applications
  • Walk-ins
  • Phone
  • Fax

25
  • Step 7
  • List the formats the data is in and how it is
    transmitted or transported.

26
  • Examples of formats, and the transmission or
    transportation method
  • Encrypted file sent via standard email
  • Unencrypted file sent via standard email
  • Hardcopy delivered via credit union employee
  • Media tape delivered via third party courier
  • Electronic file sent via FTP to a secured website

27
  • Step 8
  • For each format identified, determine how long it
    is retained and where.
  • Ask yourself: where does this information
    ultimately end up?

28
  • Examples of formats and retention location
  • Loan files secured in a locked cabinet for 7 years
  • Unencrypted file retained on public file server
  • Reports scanned to optical or cold storage
  • Hardcopy applications retained in off-site
    storage
  • Media tape at DR hot sites

29
  • Step 9 Who internally needs access as part of
    their job, and who in fact has access?
  • List the various ways in which the information
    can be accessed

30
  • Step 10 Is access to data restricted?

31
  • Step 11 Identify any third parties who provide
    the initial information or receive the end
    product
  • Describe how and why this information is shared

32
  • Examples of vendors with initial data
  • FINCEN
  • OFAC
  • Credit Bureaus

33
  • Examples of vendors who end up with data
  • Service Bureau
  • Credit Bureaus
  • Marketing firms
  • State and Federal agencies
  • Insurance companies

34
  • Step 12 Identify how this information is
    disposed of, both by the credit union and by
    related vendors

35
  • We have identified
  • WHO, WHAT, WHERE

36
  • Using the information we have collected, we next
    identify
  • The Risks

37
  • Step 13 Identify the level of risk based on the
    membership or confidential information involved
  • First focus on high to medium risks

38
  • Step 14 Identify the possible internal threats

39
  • Examples of internal threats
  • cleaning crews have access to information in desk
    drawers
  • employee loss of flash drive, floppy or CD
  • employees unaware of the security policies
  • internal email
  • public accessible areas
  • related software manual is left in the open
  • disgruntled employees

40
  • Step 15 Identify the possible external threats

41
  • Examples of external threats
  • data processor employees
  • FedEx mishandling
  • hackers
  • interception of standard email
  • Internet
  • loan collection agents
  • remote access

42
  • Step 16 Assign a probability rating to each
    threat identified
  • High
  • Medium
  • Low

43
  • Step 17 Identify the type of risk the threat may
    trigger
  • Reputation
  • Financial
  • Technological
  • Strategic

44
  • We have identified the threats, their probability
    and the possible risks
  • Next step:

45
  • Step 18 Identify the access controls in place

46
  • Examples of access controls
  • Logins and passwords
  • Physical security
  • File room access log in place
  • Encrypted files
  • Employee access termination procedures in place
    and documented

47
  • Step 19 Identify the vendor oversight in place
  • SAS 70
  • Privacy document
  • Security Policy
  • Incident Response
  • Disposal Policy

48
  • Step 20 Assign an overall rating taking into
    consideration
  • Level of membership/confidential information
    shared
  • Formats
  • Retention
  • Access levels
  • Threats
  • Existing Controls
  • Vendor Oversight

49
  • Step 20 Assign an overall rating of
  • High
  • Medium
  • Low
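The deck walks through the inventory (steps 1 to 12) and then the rating (steps 13 to 20) without showing how the pieces combine. The following is an added example, not part of the presentation or of Buckley Technology Group's material: a small risk register that records one business process in the WHO/WHAT/WHERE form the slides describe, then derives the step 20 rating from the step 5 classification (impact), the step 16 probabilities (likelihood, lowered where a step 18 control covers the threat) and the open findings from steps 7 to 11 and 19. The scoring rule, the control-to-threat mapping, the thresholds and the sample "ACH enrollment" process are constructed for illustration; the threat, control, format and classification names are the ones the slides list.

```python
"""Risk register following the 20-step GLBA risk assessment from the slides.

Added example, not part of the presentation. The scoring rule, the
control-to-threat mapping and the sample processes are constructed here;
the threat, control, format and classification names come from the slides.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Step 5: sensitivity classes, ordered by impact to the credit union if disclosed
CLASSIFICATION_IMPACT = {
    "Non-sensitive": Level.LOW,
    "Internal Use": Level.MEDIUM,
    "Restricted": Level.HIGH,
    "Confidential": Level.HIGH,
}

# Steps 7-8: formats and retention locations an assessor would flag (constructed set)
WEAK_LOCATIONS = {
    "Unencrypted file sent via standard email",
    "Unencrypted file retained on public file server",
}

# Step 18: which of the slides' example controls reduce which example threats
# (constructed mapping; a real assessment derives this per process)
CONTROL_MITIGATES = {
    "Encrypted files": {"intercepted via standard email",
                        "employee loss of flash drive, floppy or CD"},
    "Logins and passwords": {"hackers", "remote access"},
    "Physical security": {"cleaning crews have access to information in desk drawers",
                          "public accessible areas"},
    "Employee access termination procedures in place and documented": {"disgruntled employees"},
}


@dataclass
class Threat:                 # Steps 14-17
    name: str
    source: str               # "internal" or "external"
    probability: Level        # Step 16
    risk_types: tuple = ()    # Step 17: Reputation, Financial, Technological, Strategic


@dataclass
class BusinessProcess:        # Steps 1-12: the WHO, WHAT, WHERE inventory
    name: str
    owner: str                # Step 3
    data_elements: list       # Step 4
    classification: str       # Step 5
    formats: list             # Step 7
    retention: str            # Step 8
    access_restricted: bool   # Step 10
    vendors_out: list         # Step 11
    vendor_oversight: list    # Step 19
    threats: list             # Steps 14-17
    controls: list            # Step 18


def residual_probability(threat, controls):
    """Step 16 probability, lowered one level when a control in place covers the threat."""
    if any(threat.name in CONTROL_MITIGATES.get(c, ()) for c in controls):
        return Level(max(Level.LOW, threat.probability - 1))
    return threat.probability


def findings(proc):
    """Exposures the inventory reveals, as plain strings for the assessment report."""
    out = [f"Weak format or location: {loc}"
           for loc in proc.formats + [proc.retention] if loc in WEAK_LOCATIONS]
    if not proc.access_restricted:
        out.append("Access to data is not restricted (step 10)")
    if proc.vendors_out and not proc.vendor_oversight:
        out.append("Data leaves to vendors with no oversight documents (step 19)")
    out += [f"Unmitigated high-probability threat: {t.name}"
            for t in proc.threats if residual_probability(t, proc.controls) == Level.HIGH]
    return out


def overall_rating(proc):
    """Step 20: impact x residual likelihood, plus one point per open finding."""
    impact = CLASSIFICATION_IMPACT[proc.classification]
    likelihood = max((residual_probability(t, proc.controls) for t in proc.threats),
                     default=Level.LOW)
    score = impact * likelihood + len(findings(proc))
    return Level.HIGH if score >= 8 else Level.MEDIUM if score >= 4 else Level.LOW


def prioritize(register):
    """Step 13: work the high-to-medium risks first; LOW-rated processes drop out."""
    rated = sorted(register, key=overall_rating, reverse=True)
    return [(p.name, overall_rating(p).name) for p in rated if overall_rating(p) >= Level.MEDIUM]


# Constructed sample: the ACH enrollment process as first inventoried
ACH_ENROLLMENT = BusinessProcess(
    name="ACH enrollment", owner="Member Services",
    data_elements=["Name", "Account", "Social Security number", "Financial information"],
    classification="Restricted",
    formats=["Unencrypted file sent via standard email"],
    retention="Unencrypted file retained on public file server",
    access_restricted=True,
    vendors_out=["Service Bureau"], vendor_oversight=["SAS 70"],
    threats=[
        Threat("intercepted via standard email", "external", Level.HIGH, ("Reputation", "Financial")),
        Threat("employee loss of flash drive, floppy or CD", "internal", Level.MEDIUM, ("Reputation",)),
        Threat("hackers", "external", Level.LOW, ("Financial", "Technological")),
    ],
    controls=["Logins and passwords", "Physical security"],
)

# The same process after encrypting the file and moving the retained copy (constructed)
ACH_ENROLLMENT_FIXED = replace(
    ACH_ENROLLMENT, name="ACH enrollment (after remediation)",
    formats=["Encrypted file sent via standard email"],
    retention="Encrypted file on a restricted file share for 7 years",
    controls=ACH_ENROLLMENT.controls + ["Encrypted files"],
)

# A public process (constructed) that the step 13 filter should drop
ANNUAL_REPORT = BusinessProcess(
    name="Annual report publication", owner="Marketing", data_elements=["Financial results"],
    classification="Non-sensitive", formats=["Hardcopy delivered via credit union employee"],
    retention="Published on the public website", access_restricted=False,
    vendors_out=["Marketing firms"], vendor_oversight=[], threats=[], controls=[],
)

if __name__ == "__main__":
    for proc in (ACH_ENROLLMENT, ACH_ENROLLMENT_FIXED, ANNUAL_REPORT):
        print(proc.name, overall_rating(proc).name, findings(proc))
    print(prioritize([ANNUAL_REPORT, ACH_ENROLLMENT_FIXED, ACH_ENROLLMENT]))
```

Running it rates the inventoried process HIGH (Restricted data, a high-probability interception threat with no covering control, and two weak locations), and the remediated version MEDIUM: encryption lowers the interception threat one level rather than removing it, because email is still the channel, which is the kind of residual risk step 20 asks the assessor to carry forward. The annual report process rates LOW and is dropped by the step 13 filter even though it has no access restriction and no vendor oversight, since its information is classified non-sensitive.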

50
  • THANK YOU

51
  • Buckley Technology Group
  • Kris Buckley, President
  • www.buckleytechgroup.com
  • 781.258.0618