GLBA compliance becomes a headache mainly when it is not done right the first time. Regulators may give you additional time to make corrections, but going back to redo the same work a second time consumes budget that is already constrained. As an overview, here is what GLBA requires:
- Implementing and maintaining a comprehensive and ongoing information security program.
- Assessing and evaluating threats and associated risks with the help of comprehensive risk assessments.
- Implementing controls that are commensurate with the associated risk identified in the risk assessment process.
- Implementing pretexting protection, which includes safeguards against social engineering attacks, in the form of evaluations, audits and employee training.
- Oversight of service providers.
- Board of Directors involvement and approval, supported by annual reporting.
First published on BankersOnline.com 3/16/09