Making Gramm-Leach-Bliley Security Compliance Fast & Easy
Gramm-Leach-Bliley Act Defined
Gramm-Leach-Bliley is U.S. Public Law 106-102, the Financial Services Modernization Act (GLBA or "the Act"), signed into law on Nov. 12, 1999. Congress created the Act to improve consumer financial services. The complex, seven-Title law applies to about 9,500 financial institutions that offer financial products and services such as securities, banking, loans, and insurance. Several federal agencies established rules and guidelines for implementing the Act, including deadlines for compliance.
Security Technology Focus
This paper focuses on the Act's digital security requirements, especially security audits and vulnerability management. The security rules and guidelines are meant to assure people that the confidentiality and privacy of financial information electronically collected, maintained, used, or transmitted are protected, especially when that information can be directly linked to an individual. Security is not a product so much as an on-going, dynamic process. Accordingly, many security rules and guidelines published by federal agencies are process-intensive. Automating these on-going processes with a web service like QualysGuard can speed and simplify frequent compliance audits, especially when institutions monitor the GLBA security compliance of subsidiaries and affiliates.
QualysGuard Security Audit and Vulnerability Management Web Service Meets Key Compliance Rules
QualysGuard is a network security audit and vulnerability management web service from Qualys, Inc. It meets key security technology requirements detailed in the Final Rules published by:
- Board of Governors of the Federal Reserve System
- Federal Deposit Insurance Corporation
- National Credit Union Association
- Office of the Comptroller of the Currency
- Office of Thrift Supervision
- Secretary of the Treasury
- Securities and Exchange Commission
- Federal Trade Commission
Organizations can comply with Gramm-Leach-Bliley security rules faster, more easily and at lower cost with the automated QualysGuard web service. This paper maps QualysGuard capabilities to specific requirements of the law, helping security managers quickly understand a fast, easy and cost-effective compliance path. It concludes with instructions for obtaining a free trial of the QualysGuard service.
AUTOMATION MAKES CONTINUOUS GLBA SECURITY COMPLIANCE EASIER, FOR HALF THE COST
Financial services security professionals have their work cut out to comply with GLBA. The security provisions of Gramm-Leach-Bliley are complex and process-intensive. To comply with the process-intensive GLBA guidelines, organizations can take one of two paths. One is a do-it-yourself, products-oriented approach requiring expensive staff for installation and maintenance. Alternatively, Qualys offers an easier, faster and more cost-effective approach using the QualysGuard web service.
QualysGuard Provides Instant, Automated Security Audits
Good security requires frequent audits for vulnerabilities in all network security processes, anywhere non-public data can be found. As a turnkey web service, QualysGuard enables immediate, on-going compliance with key Gramm-Leach-Bliley security rules and guidelines. Subscribers can scan their perimeter-facing hosts with Qualys Remote Scanners, scan internal hosts with the QualysGuard Scanner Appliance, and manage both from an easy-to-use web interface. The combination of internal and external audits provides the most comprehensive, GLBA-compliant assessment of the risk of unauthorized access to non-public financial data. QualysGuard customers may also use the service to monitor GLBA compliance by service providers, subsidiaries and other affiliates.
QualysGuard Web Service Dramatically Cuts Total Cost of Ownership
A five-year Total Cost of Ownership (TCO) analysis shows tremendous savings from using an automated web service for network security auditing and vulnerability management versus a do-it-yourself, products-oriented solution. For a mid-sized enterprise, the expense of using even "free" security software on self-maintained servers is more than $1.2M over five years, mainly due to administrative and maintenance effort. The five-year TCO for the automated QualysGuard web service is just under $600K, or half the expense.
TCO increases when factoring administrative duties like signature and engine updates, consolidated reporting, vulnerability life cycle management, and historical trend analysis for various time frames. Five-year TCO for the do-it-yourself approach is more than $1.6M while the automated QualysGuard web service is well under $700K.
GRAMM-LEACH-BLILEY: IMPROVING SECURITY FOR THE FINANCIAL INDUSTRY
Congress enacted the Gramm-Leach-Bliley Act as a broad effort to improve financial services to consumers. The Act details seven major legislative areas. Our focus in this paper is security technology, covered by Title V (Privacy). Security safeguard provisions are in Sections 501 and 505(b) of the Act.
Through the Act, Congress directed several federal agencies to establish standards for safeguarding customer information. The Act permitted most of the banking agencies to develop their safeguards standards by issuing "guidelines." The Act required the Securities and Exchange Commission and the Federal Trade Commission to issue standards as "rules" (formal regulations).
The banking industry was first to publish security guidelines. Subsequent guidelines and rules from other agencies are similar, if not identical. This paper uses the banking guidelines as the baseline for fulfilling the security provisions of Gramm-Leach-Bliley: "Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule" (12 CFR Part 30, et al., Federal Register, February 1, 2001, pages 8616-8641). The authors were the Federal Reserve System, the FDIC, the NCUA, and the U.S. Treasury's Office of the Comptroller of the Currency and Office of Thrift Supervision.
Security Standards Short List
Every governed organization must create a comprehensive, written Information Security Program fulfilling the objectives described in the sidebar. The Guidelines specify seven steps for development and implementation. Virtually all of them require vulnerability assessment, and most key elements can be automated with QualysGuard. The steps include:
- Involve the Board of Directors
- Assess Risk: Identify reasonably foreseeable internal and external risks, assess the likelihood and potential damage of these threats, and assess the sufficiency of existing security. All risks to non-public data must be assessed, even innocuous entry points such as a small wireless LAN operated by a bank branch office.
- Manage and Control Risk: Regularly test security policy and infrastructure. A third party should conduct or review the tests.
- Oversee Service Provider Arrangements: Ensure that service providers, subsidiaries and affiliates are following the Security Guidelines.
- Adjust the Program: Constantly evaluate security provisions, especially for new technology, new threats, and changes to infrastructure. Regular, documented audits are a must because enforcement agencies do many spot checks each year with little or no advance notice.
- Report to the Board: Issue a written track record of security audits, risks found, responses, and recommended changes.
- Implement the Standards: The deadline was July 1, 2001, with service provider contracts grandfathered until July 1, 2003.
Who Must Comply?
The law applies to "financial institutions", meaning companies that offer financial products and services to individuals, including banks, insurance companies, mortgage companies, securities brokers, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services, and debt collectors.
INSTANT COMPLIANCE WITH KEY SECURITY RULES
QualysGuard meets key Gramm-Leach-Bliley security safeguard rules and guidelines detailed below.
| Interagency Security Guidelines (Banking, 12 CFR Part 30, Appendix B, Sec. III) | QualysGuard |
|---|---|
| Assess Risk: Each bank shall "Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems." (B)(1) | QualysGuard tests your network with the industry's largest, most up-to-date database of security vulnerability audits. |
| Assess Risk: Each bank shall "Assess the likelihood and potential damage of these threats…." (B)(2) | QualysGuard automatically prioritizes vulnerabilities to help you identify the biggest security risks. |
| Assess Risk: Each bank shall "Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks." (B)(3) | Regular network scans with QualysGuard help you instantly assess how effectively your security policy repels threats. |
| Manage and Control Risk: Each bank shall "Regularly test the key controls, systems and procedures of the information security program…. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs." (C)(3) | The third-party QualysGuard web service provides you with unlimited scans 24x7, a Guideline-compliant complement to every security program. |
| Oversee Service Providers: Each bank shall "Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines;" (D)(2) | Financial institutions can direct service providers to use QualysGuard to satisfy this Gramm-Leach-Bliley Act Guideline. |
| Oversee Service Providers: Each bank shall "…monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers." (D)(3) | Financial institutions can use QualysGuard to monitor and test the networks of service providers for compliance with the security Guidelines. |
| Adjust the Program: "Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems." (E) | QualysGuard helps financial institutions react instantly to any change in security technology, new threats, and new business arrangements. |
| Report to the Board: "Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program." (F) | QualysGuard's reporting capabilities present a comprehensive, organized snapshot of a network's security risks that executive-level managers can readily understand. |
| Implement the Standards: "Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001. (A grandfathering of agreements with service providers expires on July 1, 2003.)" (G)(1 and 2) | As a web service, QualysGuard requires no special installation or provisioning; users get immediate compliance with these Guidelines. |
FREE, EASY TRIAL
Experience the benefits of automated network security audits and vulnerability management with a free, seven-day trial of QualysGuard. Here are the easy steps:
- Complete a short form at https://www.qualys.com/GLBA or call a Qualys sales representative at 800.745.4355.
- Qualys will email you a link. Click the link to scan your system. Qualys will assign an account name and password for the free trial.
- Enter the range of IP addresses for an audit scan. Click "start" to begin the scan.
- View the scan's audit results online, read suggested solutions, download patches and fix security problems, just as if you were a regular QualysGuard subscriber.
- Repeat scans as often as you like for seven days.