Maintaining Compliance with the Gramm-Leach-Bliley Act Section 501(b)

Company: BankinfoSecurity.com
Event Start: 2007-08-23 01:00 Eastern
Event End: 2007-08-23
Location: None

In many ways, the most significant challenges presented by Section 501(b) are non-technical, such as conducting an enterprise-wide Information Security Risk Assessment and the requirement to engage the Board of Directors in the ongoing management of operational risk. This workshop will expand on many of these areas and present practical, proven approaches that many institutions have adopted in order to comply with Section 501(b) of GLBA and Section 216 of the Fair and Accurate Credit Transactions Act.

FFIEC examination guidelines direct bank examiners to consider the specific review areas listed below. In the course of this workshop, we will provide detailed “best practices” recommendations to help organizations achieve compliance in each of the following important review areas:

Determine the Involvement of the Board. Section 501(b) calls for significant board involvement in the creation and oversight of the information security program. A number of specific processes should be present and easily explained to the examiner, such as the roles of specific information security program reviewers or review committees.

Evaluate the Risk Assessment Process. Each banking organization must explain to examiners the method(s) used to estimate risk. This includes evaluation of multiple dimensions of risk such as technical risk and transaction risk. The organization must be able to demonstrate effectiveness in assessing risk. A formal risk assessment process should be in place and documented.

Evaluate the Adequacy of the Program to Manage and Control Risk. Once risk is measured or estimated, the organization must take action to manage it. This includes decisions on risk treatment, including the process for choosing to accept, reduce, or assign risk. Risk reduction, or mitigation, may include the application of information technologies such as access control systems.

Assess the Measures Taken to Oversee Service Providers. Outsourcing critical functions or operations to external service providers does not remove the institution’s responsibilities to safeguard customer information. The organization must demonstrate defined processes to evaluate and continually monitor service providers with respect to the expectations of Section 501(b).

Determine whether an Effective Process Exists to Adjust the Program. All information security programs must be continuously assessed and adjusted to account for changes in the environment, including the addition of new technologies, the emergence of new threats, and modifications to the business such as mergers or acquisitions.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.