GLBA authorizes the agencies that regulate financial institutions (FTC, SEC, etc.) to create information security standards for those institutions. Crimson Security Inc.’s GLBA security assessments are done under the umbrella structure of ISO27002 using the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”. The control areas include:
- Preliminary Information Gathering
- Access controls on customer information systems
- Access restrictions at physical locations containing customer information
- Encryption of electronic customer information
- Procedures to ensure that system modifications do not affect security
- Dual control procedures, segregation of duties, and employee background checks
- Monitoring systems to detect actual attacks on or intrusions into customer information systems
- Response programs that specify actions to be taken when unauthorized access has occurred
- Protection from physical destruction or damage to customer information