When the Gramm-Leach-Bliley Act was implemented, each regulatory agency adopted a set of interagency guidelines and regulations required for compliance with the provisions of the Act. Within each of those guidelines and regulations was this text:
“Each institution shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the institution's compliance with these Guidelines. The report, which will vary depending upon the complexity of each institution's program, should discuss material matters related to its program, addressing issues such as: Risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the information security program.”
The implementation of this requirement is often referred to as a “GLBA Board Report”. When we start working with a new institution, we immediately start assembling this report in the back of our minds. While the report itself does not need to be long, the processes that go into being able to provide an accurate report are a powerful motivator throughout the year. Some of the processes that must be healthy to provide a good report include:
- Policy review and approval
- Strategic planning
- Cybersecurity risk appetite definition
- Risk assessments
- FFIEC CAT (or NCUA ACET) completion
- Third-Party due diligence
- Audit remediation tracking
- Business continuity planning and testing
- Incident response planning and testing
- Cyber insurance coverage review
- Employee training and testing
- Vulnerability management
When we get to the point with an institution that we can confidently write a GLBA Board Report, we know that the security program is working. The report becomes a milestone for us and for the organization.
If you are with an institution that struggles with the GLBA Board Report or has not created one, we recommend that you start by attempting to summarize the health of each of the processes listed above. If you find that doing so is difficult, it might mean that your security program needs some work in the areas that are difficult to summarize.
If you need assistance writing your GLBA Board Report or implementing any portion of an information security program, shoot us an email at support@bedelsecurity.com or give us a call at 833-297-7681.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
The Perfect Meeting Agenda to Improve IT & Cyber Governance
https://www.bedelsecurity.com/blog/the-perfect-meeting-agenda-to-improve-it-cyber-governance
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program
The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance
Does Your Change Management Process Need a Conversion
https://www.bedelsecurity.com/blog/does-your-change-management-process-need-a-conversion