The Gramm-Leach-Bliley Act (GLBA) sets standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. Before a financial institution can judge whether its safeguards are adequate, however, it must first identify and assess the risks specific to the institution. In other words, a holistic risk assessment must be completed to gauge which risks the institution is actually exposed to.
To meet the needs of the examiners and to effectively manage the risk to customer information, the institution’s risk assessment must identify all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems. One of the most difficult tasks is identifying all of these threats and deciding how often the institution should revisit them to ensure that they remain current and relevant.
To identify threats and the risks associated with them, the assessor must consider every category of threat and then discuss with management how each applies to their specific institution. The categories of threats to customer information systems to consider include, for example:
- Natural Risks/Threats (Flood Damage, Electrical Outages, etc.)
- Human Risks/Threats (Social Engineering, Sabotage, Theft, etc.)
- Technical Risks/Threats (Server Failure, Data Corruption, Virus/Malware, etc.)
Once the risks have been identified, the assessor should evaluate with management the probability and the impact of each risk occurring, and then combine these estimates into an overall risk rating for each one. This allows management to rank the items that pose the highest risk to their information systems and draw up a remediation plan to mitigate them, starting with the highest-rated.
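As an added illustration of the rating and ranking step described above (example code written for this page, not part of the original article or any Schneider Downs tool), the following Python builds a small risk register on ordinal likelihood and impact scales, ranks it, checks that each of the three threat categories above is represented, and flags entries whose review date has lapsed so they can be revisited. All threat entries, scales, rating thresholds, review periods and dates are constructed assumptions; an institution would substitute its own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal scales (assumed for this example; any monotone scale works the same way).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The three threat categories from the article; every register should cover all of them.
CATEGORIES = ("natural", "human", "technical")

# Constructed assessment date used by the staleness check below.
AS_OF = date(2012, 6, 1)


@dataclass
class Risk:
    threat: str
    category: str
    likelihood: str
    impact: str
    last_reviewed: date

    def __post_init__(self):
        # Reject entries that do not use the agreed scales or categories.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact: {self.impact}")

    def score(self) -> int:
        # Overall rating = likelihood x impact on the ordinal scales (1..25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        # Assumed thresholds: >= 15 high, >= 8 medium, otherwise low.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def rank(risks):
    """Highest score first; ties broken by threat name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.threat))


def uncovered_categories(risks):
    """Categories the assessment has not considered at all."""
    return set(CATEGORIES) - {r.category for r in risks}


def stale(risks, as_of, max_age_days=365):
    """Entries not revisited within the review period (assumed: one year)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r for r in rank(risks) if r.last_reviewed < cutoff]


def build_sample_register():
    """Constructed sample entries; not real assessment data."""
    reviewed = date(2012, 1, 10)
    return [
        Risk("Social engineering of branch staff", "human", "likely", "major", date(2011, 1, 15)),
        Risk("Malware on a workstation", "technical", "possible", "major", reviewed),
        Risk("Flooding of the data center", "natural", "unlikely", "severe", reviewed),
        Risk("Electrical outage", "natural", "possible", "moderate", reviewed),
        Risk("Insider theft of customer records", "human", "unlikely", "severe", reviewed),
        Risk("Server hardware failure", "technical", "likely", "minor", reviewed),
        Risk("Data corruption", "technical", "unlikely", "moderate", reviewed),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in rank(register):
        print(f"{r.score():2d} {r.rating():6s} {r.category:9s} {r.threat}")
    print("uncovered categories:", uncovered_categories(register) or "none")
    print("overdue for review:", [r.threat for r in stale(register, AS_OF)])
```

The multiplication is only a convenience for ordering; what matters for the examiner is that likelihood and impact were estimated with management for every identified threat, that the resulting ranking drives the mitigation plan, and that the register records when each entry was last revisited.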
The GLBA guidelines stress that financial institutions follow a defined method for identifying risks to their customer information and for deciding how to protect it. When preparing for your next IT exam, keep these guidelines in mind and make sure your institution has identified its risks as required before settling on a control strategy.
© 2012 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.