As data breaches continually make headlines, cybersecurity issues garner more attention. Organizations must leverage security controls to prevent, detect, mitigate, and respond to cybersecurity incidents. Below you can find two cybersecurity standards/regulations that individuals interested in cybersecurity and privacy should learn. To use auditor lingo, these standards/regulations consist of security controls—among other controls—that safeguard personally identifiable information and information systems.
Security controls can be categorized as preventive, detective, and corrective. Preventive controls are controls that stop cyberattacks by a malicious actor before they succeed (e.g. encryption). Detective controls are controls that detect and report occurrences of malicious acts (e.g. an intrusion detection system). Corrective controls are controls that minimize the impact of a threat or attack once it has occurred (e.g. a disaster/business recovery plan).
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to protect their customers’ private information.
The GLBA requires the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Federal Trade Commission (FTC) to promulgate regulations to safeguard nonpublic personal information (NPI). NPI consists of any “personally identifiable financial information” that is not “publicly available” and that a financial institution collects about individuals in the course of providing financial services or products.
Under GLBA, the term “financial institutions” has a broad definition. “Financial institutions” encompasses entities that are “significantly engaged” in “financial activities.” The FTC has also interpreted financial institutions to include nontraditional financial institutions, such as entities that provide “financial data processing and transmission services, facilities (including hardware, software, documentation, or personnel) data bases, advice, or access to these by technological means.” Additionally, entities registered with the SEC—such as brokers, dealers, investment companies, and investment advisers—must also comply with certain sections of GLBA.
GLBA also requires the FTC and SEC to implement standards, while other agencies have the option of issuing guidance. The SEC released the Procedures to Safeguard Customer Records and Information (the SEC Safeguard Rule) in 2002, and the FTC Safeguard Rules were released in 2003. The Safeguard Rules require financial institutions to develop, implement, and maintain a comprehensive information security program. Among other things, this program must identify and assess risks to customer information, design and implement safeguards to control those risks, and evaluate and adjust the program in light of relevant circumstances.