Triware Networld Systems 

27 Years Of Around The Clock Superior Network Systems Service & Support!
Information Security & Privacy Regulatory Compliance: The Gramm-Leach-Bliley Act

This is the first of a series of white papers that will cover issues related to Information Security & Privacy Regulatory compliance.  This is an effort on the part of TNS to demystify the issues regarding what information security & privacy regulations cover, to what level of detail, what you need to know to be in compliance with them, and what benefits and risks are involved.

Think your organization’s information security and privacy are not regulated? Think again!

It is becoming clear that organizations that are nominally unregulated are being measured against those that are regulated, and they tend to be found wanting. By wanting, we mean that their practices are below par and could therefore make the organization legally liable for events or errors related to their security and privacy practices.

So, if you think regulations don’t affect you, think again.

Information security and privacy regulations have far-reaching effects even on those organizations that are not regulated.  Just by living in a particular state or doing business with certain sectors of industry, you may be under certain regulations of which you are not even aware.

Information security and privacy regulations seek to measure and prescribe how your organization conducts, and is perceived to conduct, its due diligence: what safeguards are in place and how well you follow them.

When things are going well and there are no security issues, it is easy not to worry too much about regulations and best practices, but best practices are what regulations are all about.  When things go wrong and you lose that critical piece of intellectual property your client entrusted you with, or when you fail to report a breach and get sued, how will your organization be assessed in terms of the required due diligence?

Information security and privacy regulations are the base, the bare minimum, that regulated organizations -- and by inference your own organization -- are expected to maintain.  When a prosecuting attorney comes to litigate, they will hold your organization to whatever standard they can find, regulated or not.  How would your organization today prove that it is thoroughly and adequately performing its due diligence in the Information Security and Privacy world?  If your organization does not have formal written documentation on how it handles Information Security and Privacy, then your organization will be measured against regulations that ‘mostly’ apply to other industries.

Here is a list of acronyms that represent just some of the regulatory guidelines you may be judged against: GLBA, SOX, PCI, FFIEC, NIST, ISO27001, ISO27002, COBIT, HIPAA, and BSA. These are just some of the major regulations and federal evidentiary laws that may apply, and be applied, to you.

Below is the matrix we developed to help navigate the Information Security & Privacy maze:

In separate white papers, we will cover each of the following major industries in detail:

- Banking / Finance
- Medical
- Hi-Tech
- Defense

Separately, we also plan to have another white paper covering Payment Card Industry (PCI) compliance.

Below are brief descriptions of some key regulations.

The most digestible of these is Payment Card Industry (PCI), necessary for anyone who takes in credit card information. It is enforced by the credit card manufacturers themselves but can affect any business. PCI is very well defined in terms of what it considers secure IT computing. PCI can go a long way toward mitigating a suit that alleges lack of due diligence in the management of customer-sensitive intellectual property or private data. In fact, if you are PCI certified and you lose card data through no fault of your own, you will not suffer penalties. If your company were run like a PCI compliant outfit, you could reasonably expect the same result.

Another good measurement is Sarbanes-Oxley Section 404 (SOX 404), the computing portion of the SOX regulation. SOX 404 is audited under the Public Company Accounting Oversight Board (PCAOB) standard ASN5. ASN5 is more convoluted than PCI, but it does emphasize a significant trend in the information security field: risk assessments.

Risk assessments are a huge part of proving your due diligence. If your organization does not have an information security risk assessment process, how does your organization even know where the assets are that need to be protected?  How would your organization document the procedures for protecting them?  When things go wrong, these are the questions your organization will need to answer.  What will be of interest is not so much how some security breach happened, but what your organization did and is doing to stop these security events from happening.  Again, compliance with the regulations can help regardless of whether your organization is required to comply or not.

One of my favorites is the Gramm-Leach-Bliley Act (GLBA), which has evolved over the years and has proven very effective in regulating financial institutions. In addition to the required information security risk assessment, there are requirements for regular controls testing, a must if you want to prove due diligence.

The size of your organization will protect it in some cases from overreaching expectations by prosecutors; however, even small organizations can expect large fines if they process medical data or credit card information. So, the type of organization will also affect how well you are perceived to be doing due diligence.

Not regulated? Maybe not by direct law or regulation, but by practice and common standards all organizations need to be compliant with Information Security & Privacy regulations to some extent to avoid risks and protect sensitive or proprietary data. Hopefully this article will start you thinking more seriously about your organization’s information security and also clear up some misconceptions. Unless your organization has an all-encompassing and fully fleshed out Information Security & Privacy program, your organization could be held to your state’s and other regulatory agencies’ standards.

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE is an Information Technology and Information Security Expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.

© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018