Securing Your Computing Environment to Conform to Privacy Regulations July 31, 2002.


Slide 1: Securing Your Computing Environment to Conform to Privacy Regulations, July 31, 2002

Slide 2: Agenda
- Introductions
- Why Privacy Matters
- Gramm-Leach-Bliley 101
- Interagency Guidelines
- Scenarios
- Summary of Key Points

Slide 3: Why Privacy Matters
- Privacy is one of the most visible business and public policy issues facing institutions in the information economy
- The Internet has seen consumers' awareness increase; customers are demanding a greater sense of trust and confidence
- Privacy is increasingly a matter of regulatory compliance:
  - U.S. financial services and health information privacy legislation
  - Emerging state legislative activity
  - Global data protection legislation and regulation
- Consequences of a privacy failure can include:
  - Damage to brand, reputation, and ability to retain customers
  - Loss of revenue and new business opportunities
  - Potential federal and state enforcement actions
  - Class action litigation
  - For global operations, interruption of transborder data flows

Slide 4: Introduction to Gramm-Leach-Bliley
GLBA Title V privacy requirements apply to:
- All financial institutions (banks, broker-dealers, mutual funds, insurance companies), both regulated and non-regulated
- Activities that are financial in nature or incidental to financial activities
Title V protects:
- Any nonpublic personal data collected in the purchase or administration of financial products for individual, family or household use
  - regardless of source
  - regardless of whether the purchase goes through
GLBA does not preempt stronger state law protecting the privacy of consumer information.

Slide 5: Privacy Protections: Overview of Title V Privacy Requirements
- Require financial institutions to develop privacy policies and procedures to protect nonpublic personal information
- Require disclosure of these policies in a clear and conspicuous notice
- Restrict sharing of nonpublic personal information and account identifiers
- Provide opt-out consumer choice for sharing with non-affiliates; no choice when sharing occurs between affiliates
- Security rules have now been developed, requiring financial institutions to have extensive security policies and procedures
- Public information can be shared without restriction, but the agencies have established a due diligence standard for classifying information as nonpublic

Slide 6: GLBA Security Requirements
GLBA Section 501(b) requires the agencies/authorities to establish appropriate standards for financial institutions in their jurisdiction relating to the administrative, technical and physical safeguards of non-public customer data, to:
- Insure the security and confidentiality of customer records and information
- Protect against anticipated threats and hazards to the security or integrity of these records
- Protect against unauthorized access or use which could result in substantial harm or inconvenience to a customer

Slide 7: Gramm-Leach-Bliley Title V (diagram of the GLBA titles and the regulators issuing Title V rules)
Title I: Facilitates affiliation among banks, securities firms and insurance companies
Title III: Insurance
Title IV: Unitary savings and loan holding companies
Title V: Consumer Privacy
Title VI: Federal Home Loan Bank System modernization
Title VII: Other provisions (ATM fee reform, community reinvestment, other regulatory improvements)
Regulators that have issued Title V rules:
- Banking Agencies (FDIC, OCC, OTS, Federal Reserve): issued final privacy regulations; issued final security guidelines, "Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness"
- FTC: issued final privacy regulations; issued final security regulations
- SEC: issued final privacy regulations known as "Regulation S-P"
- National Credit Union Association (NCUA): issued final privacy regulations; issued final security regulations
- State insurance regulators: NAIC model law 672; NCOIL draft model legislation; NYS Regulation 169/173; potential for 50 different state laws

Slide 8: GLBA Key Terms
Nonpublic personal information means: individually identifying information provided by consumers, or obtained through transactions or third parties in the process of obtaining or administering financial products, including lists compiled from public information.
Nonpublic information can include:
- Salary
- Social Security Number
- Account numbers
- Account balances
- Financial products purchased
- Identifying information collected via cookies
- Any information not collected from a public source, etc.
Public information means: identifying information lawfully available to the general public from public records or other public databases, such as:
- Public records (e.g., real estate disclosures, bankruptcy filings, tax liens)
- Information from telephone white pages
- Information from websites with nonrestricted access

Slide 9: Public Information Due Diligence
"Reasonable Basis" under the banking, FTC and insurance models: the institution has taken steps to determine that the information is available to the general public, and the individual has not prevented disclosure of the information if that option is available.
"Reasonable Belief" under the SEC rule:
- The institution has confirmed, or the consumer has represented, that the information is available through a public source and the consumer has not restricted disclosure of the information where that option is available; or
- The institution has taken steps to submit the information, in accordance with policies/procedures and applicable law, to a keeper of records that is required to make information public.

Slide 10: Interagency Guidelines
The Agencies require regulated entities to implement a comprehensive written information security program addressing administrative, technical and physical safeguards to protect sensitive customer information. The objectives of the entity's IS program are to:
(a) Ensure the security and confidentiality of customer information;
(b) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(c) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Compliance date: July 1, 2001. A grandfathering clause extends the compliance date for contracts entered into on or before March 5, 2001 to July 1, 2003.

Slide 11: Interagency Guidelines: Key Components
Assess Risk
- Identify external and internal threats to customer information
- Assess the likelihood of potential damages
- Determine the adequacy of mitigating controls
- The Board of Directors must approve the IS program
- The Board must oversee and remain accountable for the IS program
Manage and Control Risk
- Design an IS program that is appropriate for the "size and scope of operations"
- Conduct IS training for employees
- Regularly test key controls
- Logical access controls
- Physical access controls
- Encryption of customer data while in transit or storage

Slide 12: Interagency Guidelines: Key Components (cont.)
Manage and Control Risk
- Change control procedures
- Segregation of duties
- Security monitoring / audit logging
- Incident reporting and escalation procedures
- BCP/DR plans
Oversee Service Provider Arrangements
- Due diligence in selecting providers
- Gain comfort that the service provider has implemented controls to protect customer data
- Includes contractual obligations to protect customer data

Slide 13: Interagency Guidelines: Key Components (cont.)
Adjust the IS Program as appropriate
- Review threats, scope of operations, technologies and controls
Report to the Board
- At least annually on the status of the IS program, to include:
  - Risk assessment
  - Risk management and control decisions
  - Service provider arrangements
  - Results of testing
  - Security breaches/violations and management's response
  - Recommended changes to the IS program

Slide 14: OCC
- The OCC is already engaging in privacy examinations.
- Focus at the current time is on helping companies into compliance.
- Use the Examination Guidelines as a benchmark. An assessment against these guidelines, a gap analysis and a plan to close the gaps demonstrates a good faith effort.
- Completing an information inventory is also a good first step.
- Safeguarding of Customer Information and security has been a focus.
- Reviewing issues such as notice content, notice delivery, opt-out systems, and complaint tracking/monitoring.
- Companies need to have some support for the accuracy of their privacy notice.

Slide 15: SEC
- The SEC is already engaging in privacy examinations in accordance with Regulation S-P. The exams are typically conducted by teams of four (4) and take approximately one (1) week.
- Recent comments made by the SEC's John Walsh, Office of Compliance, are as follows:
  - Focus at the current time is on helping companies into compliance, not fining them. Intentional misuse of consumer information may still draw a fine.
  - The SEC is expecting to see some form of information inventory.
  - Companies need to have some support for the accuracy of their privacy notice.
  - Safeguarding of Customer Information is a focus area of the SEC. Even though they provided very little guidance, the SEC is looking at issues such as senior management involvement and training of personnel.
  - The SEC is also reviewing issues such as notice content, notice delivery, opt-out systems, and complaint tracking/monitoring.

Slide 16: The Basics of Data
Nonpublic personal information: individually identifying information provided by consumers, or obtained through transactions or third parties in the process of obtaining or administering financial products, including lists compiled from public information.
- Who can access it?
- What is it? / Why is it critical?
- When is the regulation effective?
- Where is it stored?
- How does it move?

Slide 17: The Audit Model
- Old model: identify the critical data (HR data, legal documentation, trade secrets, etc.) and restrict access to the machines where it is stored.
- New model: identify the type of critical data (nonpublic customer information) and where it is located, and determine the flow of this data through and outside of the corporate network. Secure all the network components that support that flow.

Slide 18: Life Cycle Model
Assess
- What is our sensitive customer information?
- Where does this information reside?
- How does the information flow (creation, storage, transmission, destruction)?
Design
- Where should our data be stored?
- Who should be able to access sensitive customer data?
- What type of access should they have?
Implement
- Assign hardware, O/S, and application access controls to meet these needs

Slide 19: Scenario 1: Outsourced Web
- Our website is outsourced to a 3rd party that controls and manages the web servers
- The website allows individuals to view and update policy information (transactional)
- The 3rd party has a connection back to our network to access our databases

Slide 20: Concerns
- How is the website built?
- Is our site a virtual instance of the web server or its own physical server?
- Is our site segregated from other customers by VLANs or by a separate physical network?
- Which 3rd party employees have access to our site, and what type of access do they have?

Slide 21: Concerns (cont.)
Where are our technical security concerns?
- Web application: parameter tampering, cookie poisoning, etc.
- Web server software: IIS buffer overflows, php/cgi vulnerabilities
- Operating system: Windows issues, Unix configurations
- Network architecture/design: router/firewall rules
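The two web-application concerns named on this slide, parameter tampering and cookie poisoning, both come down to the server trusting values the browser controls. The following is an added example, not code from the presentation or from any vendor it mentions: a minimal account-balance handler written the way the slide warns against, beside a hardened version that signs the session cookie with an HMAC and checks account ownership on the server. The request shape (dicts of cookies and parameters), the account data and the signing key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the presentation): account ownership and balances.
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
BALANCES = {"1001": 2500.00, "1002": 90.50}

# Hypothetical server-side signing key; in a deployment this comes from a secret store.
COOKIE_KEY = secrets.token_bytes(32)


def make_session_cookie(user, key=COOKIE_KEY):
    """Issue a tamper-evident session cookie of the form '<user>.<HMAC-SHA256 tag>'."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_session_cookie(cookie, key=COOKIE_KEY):
    """Return the user name if the cookie's tag verifies, otherwise None."""
    try:
        user, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None                      # malformed cookie: no tag present
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the tag cannot be guessed byte by byte.
    return user if hmac.compare_digest(tag, expected) else None


def vulnerable_view_balance(request):
    """The pattern the slide warns about: the handler trusts an unsigned cookie
    and the account id exactly as the browser sent them."""
    user = request["cookies"].get("user")          # cookie poisoning: any value is accepted
    if not user:
        return "401 Unauthorized"
    account = request["params"].get("account", "")
    return BALANCES.get(account)                   # parameter tampering: no ownership check


def hardened_view_balance(request):
    """Authenticate the signed cookie, then enforce account ownership server-side."""
    user = verify_session_cookie(request["cookies"].get("session", ""))
    if user is None:
        return "401 Unauthorized"
    account = request["params"].get("account", "")
    if ACCOUNT_OWNER.get(account) != user:
        return "403 Forbidden"                     # never serve another customer's record
    return BALANCES[account]
```

The ownership check is the part that matters for nonpublic personal information: a valid session proves who the caller is, but only the server-side mapping from account to owner decides which records that caller may see.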

Slide 22: Scenario 2: Internal Data Flow
- Customer data is stored in many disparate systems across the network
- This data is flowing around the internal network from mainframes through client/server apps to individual workstations
- Data is often printed to hardcopy for review, analysis and storage

Slide 23: Concerns
Authorization and Access Control
- Strong authentication (biometrics)
- Cross-platform credentials (single sign-on)
- Inter-O/S communication (scripts, batches, etc.)
Communication Paths
- How do we really know where data is and where it is going?
  - By watching the flow of packets:
    - netstat
    - Sniffers
    - Port bindings
    - Services
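The slide's answer to "where is the data going?" is to look at the sockets themselves: netstat, port bindings and services. The following added example (not from the presentation) turns a netstat listing from a database host into the data-flow inventory the Life Cycle Model asks for: which services are bound, which remote hosts are connected to each, and which connections leave the assumed internal address space. The netstat text, the host addresses and the 10.0.0.0/8 internal range are constructed for the example.

```python
import ipaddress

# Constructed sample of `netstat -an` output from a database host (not from the presentation).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.1.5.20:1521          0.0.0.0:*               LISTEN
tcp        0      0 10.1.5.20:1521          10.1.7.33:49211         ESTABLISHED
tcp        0      0 10.1.5.20:1521          192.0.2.45:51002        ESTABLISHED
tcp        0      0 10.1.5.20:445           10.1.7.33:49300         ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Assumed address space of the internal network; any other peer counts as "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _split_endpoint(text):
    """Split 'host:port' into (host, port as int, or None when the port is '*')."""
    host, port = text.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn netstat socket lines into dicts; header and non-socket lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local_host, local_port = _split_endpoint(fields[3])
        peer_host, peer_port = _split_endpoint(fields[4])
        entries.append({
            "proto": fields[0],
            "local_host": local_host, "local_port": local_port,
            "peer_host": peer_host, "peer_port": peer_port,
            "state": fields[5] if len(fields) > 5 else "",   # UDP rows carry no state
        })
    return entries


def listening_services(entries):
    """Inventory of bound services: TCP LISTEN sockets plus unconnected UDP sockets."""
    bound = set()
    for e in entries:
        if e["state"] == "LISTEN" or (e["proto"] == "udp" and e["peer_port"] is None):
            bound.add((e["proto"], e["local_port"]))
    return sorted(bound)


def peers_by_port(entries):
    """The data-flow map: which remote hosts currently reach each local service."""
    flows = {}
    for e in entries:
        if e["state"] == "ESTABLISHED":
            flows.setdefault(e["local_port"], set()).add(e["peer_host"])
    return flows


def external_flows(entries, internal_nets=INTERNAL_NETS):
    """Established connections whose peer lies outside the internal address space."""
    flagged = []
    for e in entries:
        if e["state"] != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(e["peer_host"])
        if not any(peer in net for net in internal_nets):
            flagged.append((e["local_port"], e["peer_host"]))
    return flagged
```

Run against real netstat output, the external_flows list is the one to reconcile with the inventory of approved 3rd party connections; a peer that is not on that list is either an undocumented data flow or a misconfigured rule, and either way belongs in the risk assessment.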

Slide 24: Concerns (cont.)
What about physical security?
- Printers
- File cabinets
- Paper on desks
- Interoffice envelopes
- Etc.

Slide 25: Scenario 3: Data Leaving the Perimeter
- Our data is available to our remote users via VPN / independent field reps (non-employees)
- Data is sent to 3rd parties for printing, etc.
- Data is sent electronically to a 3rd party network for backup
- What about data on servers, workstations and laptops when their lease expires?

Slide 26: Concerns
Authentication
- VPN configuration, dial-up lines, tokens
Access Control
- What can 3rd parties do with their network connection?
- How are routers/firewalls configured?
- How is data handled once it leaves our network?
  - SAS 70
  - Their 3rd party connections
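"What can 3rd parties do with their network connection?" and "How are routers/firewalls configured?" are the same question asked of the ruleset. The following added example (not from the presentation or any firewall vendor) reviews a constructed firewall ruleset against the approved destinations for a 3rd party connection such as the outsourced web host in Scenario 1, flagging permit rules that are broader than the approved host/port pairs. The rule format, the 3rd party address block 192.0.2.0/24 and the approved database listener are all assumptions made for the example.

```python
import ipaddress

# Constructed example (not from the presentation): the 3rd party's address block and
# the only destination its web servers need, the policy database listener.
THIRD_PARTY_NET = ipaddress.ip_network("192.0.2.0/24")
APPROVED_DESTINATIONS = {("10.1.5.20", 1521)}

# Constructed firewall ruleset, listed in evaluation order. 'any' is a wildcard.
RULES = [
    {"id": 10, "src": "192.0.2.0/24", "dst": "10.1.5.20/32", "port": 1521,  "action": "permit"},
    {"id": 20, "src": "192.0.2.0/24", "dst": "10.0.0.0/8",   "port": "any", "action": "permit"},
    {"id": 30, "src": "192.0.2.0/24", "dst": "10.1.9.4/32",  "port": 445,   "action": "permit"},
    {"id": 40, "src": "any",          "dst": "any",          "port": "any", "action": "deny"},
]


def _covers(spec, net):
    """True if a rule's address field ('any' or a CIDR) can match traffic for net."""
    return spec == "any" or ipaddress.ip_network(spec).overlaps(net)


def review_third_party_rules(rules, third_party_net=THIRD_PARTY_NET,
                             approved=APPROVED_DESTINATIONS):
    """Return (rule id, reason) for each permit rule that grants the 3rd party
    more than the approved host/port pairs."""
    findings = []
    for rule in rules:
        # Only permit rules that the 3rd party's source addresses can hit matter here.
        if rule["action"] != "permit" or not _covers(rule["src"], third_party_net):
            continue
        if rule["dst"] == "any" or rule["port"] == "any":
            findings.append((rule["id"], "overly broad: 'any' destination or port"))
            continue
        dst = ipaddress.ip_network(rule["dst"])
        # A single-host destination on the approved list is the only acceptable shape;
        # a wider subnet or an unlisted host/port pair exceeds what was agreed.
        if dst.num_addresses != 1 or (str(dst.network_address), rule["port"]) not in approved:
            findings.append((rule["id"], "destination/port not on the approved list"))
    return findings
```

The approved list is the contractual scope from the service provider arrangement, written down as host/port pairs; the review is then a mechanical comparison that can be re-run whenever the ruleset or the contract changes, which is the kind of regular testing of key controls the Interagency Guidelines call for.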

Slide 27: Summary of Key Points: Components of an Effective IS Program (Interagency Guidelines)
- Appropriate Board-level involvement and accountability
- Management-level responsibility and accountability for program development, implementation, training, testing, monitoring and reporting
- A formal risk assessment process
- A comprehensive written Information Security Program
- A proper incident response strategy/plan
- Exercising appropriate due diligence in selecting, contracting with, and monitoring service providers (compliance with the Guidelines for service provider contracts entered into on or before March 5, 2001 is grandfathered until July 1, 2003)
- Reporting to the Board or an appropriate committee at least annually
- Ongoing adjustment of the Information Security Program

Slide 28: Summary of Key Points: Board Responsibilities (Interagency Guidelines)
- Approve the Bank's written Information Security Program and policies
- Oversee development, implementation and maintenance of the Bank's Information Security Program
- Assign specific responsibilities for the implementation of the Information Security Program
- Review reports indicating the status of the Information Security Program and the Bank's compliance with the Interagency Guidelines (at least annually)
Note: A committee of the Board may approve the institution's written security program. In addition, the Guidelines permit the Board to assign the specific implementation responsibilities and the review of management reports to a committee or an individual.

Slide 29: Summary of Key Points: Management Responsibilities (Interagency Guidelines)
- Develop, implement and maintain a comprehensive Information Security Program that is appropriate to the Bank's size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue
- Develop a comprehensive risk assessment process
- Monitor, evaluate and adjust risk assessment strategy/plans
- Develop a training program that is designed to implement the institution's information security policies and procedures
- Conduct regular testing of key controls, systems and procedures (or review the results of testing) by independent third parties or by staff independent of those who develop or maintain the security program
- Oversee service provider arrangements
- Adjust the Information Security Program
- Report to the Board or an appropriate committee (at least annually)
