GLBA @ 2
What GLBA really says, who is doing what, and compliance “on the cheap”
Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
[email protected]
GLBA @ 2
2005 © University of Nebraska

2005 © Mike Carr (University of Nebraska)
Unless noted, this work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Agenda
• Historical Review
• Assessment: of the law, of collegial response
• Current Events
• “Inexpensive” Approaches

Historical Review
• Gramm-Leach-Bliley Act of 1999
  – Removed banking restrictions
  – Required privacy policy notices
  – Required information security controls
  – Applied to institutions of higher education

Historical Review
• Gramm-Leach-Bliley Act enacted in 1999
  – Senate: 90-8, House: 362-57
  – then-Senator Phil Gramm (R-TX), Chair, US Senate Banking Committee
  – then-Representative Jim Leach (R-IA), Chair, House Financial Services Committee
  – then-Representative Tom Bliley (R-VA), Chair, FTC Commerce Committee

Historical Review
• The Great Depression
• Crash: Oct 1929
• By ’32:
  – Stock: 20¢ on the $1
  – 30% unemployment
  – 44% bank failures
(Photo: Dorothea Lange’s Migrant Mother)

Historical Review
• Franklin D. Roosevelt
• 32nd President
• Carried 42/48 states
• 1st order: “Bank Holiday” to restore confidence

Historical Review
“…the only thing to fear is fear itself.”
1st Inaugural Address, March 4, 1933

Historical Review
• New Deal – “alphabet soup” agencies
  – AAA: the Agricultural Adjustment Administration
  – FSA: the Farm Security Administration
  – CCC: the Civilian Conservation Corps
  – NRA: the National Recovery Act
  – NYA: the National Youth Administration
  – WPA: the Works Projects Administration
  – PWA: the Public Works Administration
  – SSA: the Social Security Administration
  – REA: the Rural Electrification Administration
Note: the FTC was already in existence (1914)

Historical Review
• Banking Legislation
• Glass-Steagall Act of 1933
  – Limited commercial bank dealings
  – No collaboration with full-service brokerage firms
  – No participating in investment banking activities
  – Goal: protect depositors
• Bank Holding Act of 1956
  – No non-bank ownership

Historical Review
• 1995: EU Data Protection Directive – Int’l data exchange, homeland privacy
• 1997: Charter Pacific Bank – Sold credit cards to adult website
• 1998: NationsBank – Shared customer data
• 1999: US Bancorp – Shared customer data in violation of own policy

Historical Review
• Glass-Steagall & Bank Holding Act repealed by the Financial Services Modernization Act of 1999
  – Signed by President Clinton
  – aka Gramm-Leach-Bliley Act or GLBA (P.L. 106-102), 15 USC § 6801-6810

Assessment
• GLBA Goal:
  – Continued de-regulation
  – Permit one-stop shopping
  – Permit cross-selling
  – While providing consumer safeguards

Assessment
• 2 Main GLBA Provisions:
  – Privacy Rule, 16 CFR Part 313: Disclosure of privacy policy, “Opt-Out”
  – Safeguards Rule, 16 CFR Part 314: “Comprehensive information security program”

Assessment
• GLBA “Audience”: Financial Institutions
  – Organizations that are “significantly engaged” in providing financial svcs
  – Universities are included: “…significantly engaged in lending funds to consumers” (16 CFR Part 313.1)

Assessment
• GLBA applies to Higher Ed, but…
  – If compliant with FERPA (Family Educational Rights & Privacy Act of 1974)
  – Then compliant with Privacy Rule, 16 CFR Part 313.1

Assessment
• However… 16 CFR Part 314, GLBA “Safeguarding Rules”
  – Requires administrative, technical, and physical safeguarding of customer information
  – Compliance Deadline: May 23, 2003

Assessment
• Without getting into a lot of detail…
  – Written InfoSec program
  – Appropriate to the size & complexity of the institution, nature & scope of activities, and sensitivity of customer info at issue
  16 CFR 314, Section A. Background

Assessment
• Written Policy:
  – Then-existing policies and procedures may have been adequate
  – Might just have needed to be written down

Assessment
• One size does not fit all!
• “Appropriate” for me might not be “appropriate” for you
• It depends…

Assessment
• What most (many?) institutions did:
  – Wrote a Q&D info security plan
  – Identified a Security Officer
  – Tasked this “CISO” with GLBA compliance responsibility
  – Went back to business as usual

DISCLAIMER!
Many Colleges and Universities implemented information security programs in good faith and have worked since to protect the confidentiality, integrity and availability of their “financial transaction” customers’ nonpublic personal information.

Assessment
• Many (most?) consider GLBA to be an “I/T” thing
  – technical safeguards & risk assessment of “information systems”
  – of “detecting, preventing and responding to attacks, intrusions or other systems failures”
  16 CFR 314.4 Elements (2) and (3)

Assessment
• Some have…
  – Funded network vulnerability testing, or
  – Implemented firewalls, intrusion detection/prevention, encryption “to identify reasonably foreseeable internal and external risks”
  – Updated purchasing agreements to “oversee service providers”

Assessment
• Some have…
  – Developed security awareness programs
  – Incorporated infosec awareness into new employee orientation
  – Used GLBA to justify stronger password requirements, reduced sign-on initiatives, increased I/T budget

Assessment
• But if we look back…
  – FTC spelled out the 5 elements of GLBA
  – We get to decide what is “appropriate”

Assessment
• The 5 GLBA Elements:
  a) Infosec program coordinator
  b) Identify risks
  c) Safeguards to control the risks
  d) Oversee service providers
  e) Evaluate & adjust the program

Assessment
• How did these get interpreted?
  a) “Designate an employee or employees to coordinate your information security program.” 16 CFR 314.4 (a)
  – Appointed or hired someone to be the organization’s Information Security Officer (ISO)

Assessment
• How did these get interpreted?
  b) “Identify reasonably foreseeable internal and external risks . . . that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise…” 16 CFR 314.4 (b)

Assessment
• How did these get interpreted? …assess the risk in:
  b) 1. employee training & mgmt: Orientation & awareness programs
  b) 2. information systems: Maintain status quo
  b) 3. detecting, preventing & responding to attacks, intrusions…: Pen testing, vulnerability assessments, self-scanning

Assessment
• How did these get interpreted?
  c) “Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.” 16 CFR 314.4 (c)

Assessment
• How did these get interpreted?
  – Firewalls
  – Intrusion detection systems (IDS)
  – Intrusion prevention systems (IPS)
  – Incident Response Procedures
  – Digital Forensics

Assessment
• How did these get interpreted?
  d) “Oversee Service Providers, by: 1) Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards… and 2) Requiring Service Providers by contract to implement & maintain such safeguards.” 16 CFR 314.4 (d)

Assessment
• How did these get interpreted?
  – Additional contract verbiage
  – Addendums to existing agreements

Assessment
• How did these get interpreted?
  e) “Evaluate and adjust your information security program in light of the results of the testing and monitoring…” 16 CFR 314.4 (e)
  – Maintain status quo

Assessment
• Are these interpretations good/bad?
  – YES!
  – In general, sound management & technical practices push us to implement agreements, firewalls, risk assessments, etc.
  – However, GLBA: customer information…

Assessment
• Customer Information: “…nonpublic personal information as defined in 16 CFR 313.3(n), about a customer . . ., whether in paper, electronic or other form….” 16 CFR 314.2(b)

Assessment
• Customer Information, Section 509(4) of GLBA: “‘personally identifiable financial information’ that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution.” 16 CFR 313.3(n)

What the %#!_& does that mean?

Assessment
• Customer Information: 23 April 2003 note from Coalition of Higher Education Assistance Organizations (COHEAO)
  – What kinds of transactions?
  – Extensions of credit, yes
  – Installment contracts, probably no – unless loan with interest charged
  – Stored-value cards, probably no
  – Alumni credit cards, probably no
  “If the school is not receiving individual customer account or activity information, only a funding stream, the activity is probably not covered”

Assessment
• Which means . . . ?
  – When the University/College acts like a bank and collects SSN, routing numbers, and/or savings/checking account numbers… GLBA applies
  – But, for better or worse… GLBA has sometimes been implemented across the entire institution, and in some instances, ignored completely

Assessment
• If you recall… GLBA requires “administrative, technical and physical safeguards”
• Many institutions have failed to address the administrative and physical safeguards in the business offices
  – Ad-hoc & canned reports – shredding?
  – Background checks – student workers?
  – Departmental servers – hardened?
  – Workstation security – screensaver pswds?

Current Events
• 2004: FTC Nationwide GLBA Compliance Sweep of auto dealers and mortgage companies
  – Sunbelt Lending Services, Inc.: Agreed to consent decree; Compliant w/in 6 months; Audit every other yr for 10 yrs
  – Nationwide Mortgage Group, Inc.: Currently negotiating decree

Current Events
• Choicepoint & Lexis/Nexis breaches
  – Federal legislation pending
  – Require “data brokers” to notify consumers in the event of a breach
• San Jose Medical Group PC theft
• Sen. Feinstein: SSN Misuse Prevention Act, Notification Act, Privacy Act

“Inexpensive” Approaches
• Share this material with Financial Aid, Student Records, and H/R
• Trustees, Board or Presidential directive away from SSN
• ABWA – audit by walking around
• Training materials
  – In general & for financial aid staff
  – New employee orientation, annual reviews

“Inexpensive” Approaches
• Download/share:
  – ID Theft video clip, US Attorney’s Office, Central District CA: www.usdoj.gov/usao/cac/idtheft/idtheft.html
  – ID Theft DVD, US Postal Inspectors: www.usps.com/postalinspectors/id_intro.htm

“Inexpensive” Approaches
• Information Security Awareness
  – US-CERT, www.us-cert.gov
  – EDUCAUSE resources
  – StaySafeOnline.info
  – National Cyber Security Awareness Month: October

Discussion? Questions?
Michael G. Carr, JD, CISSP
Chief Information Security Officer, University of Nebraska
[email protected]