Compliance and Risk Management: GLBA

Good corporate governance depends on the effective management of internal controls and on the availability, confidentiality, and integrity of information within the organization. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes, and on compliance with a growing array of legislation and regulation. For organizations in the financial sector, this particularly includes the Gramm-Leach-Bliley Act (GLBA). The network has a fundamentally important role to play, because it touches every aspect of the extended organization and connects business processes. The old, perimeter-based network security model is inadequate for managing security risks related to customer information. Financial organizations need an end-to-end system-based approach that is integrated, collaborative, and adaptive, one that helps them better manage their network security risk while readying them to meet GLBA requirements.

In a compliance environment that contains overlapping, inconsistent, sometimes untested, and often contradictory laws and regulations, organizations must increasingly turn to best-practice solutions that combat their real-world information threats while helping them meet regulatory requirements. ISO 17799 is one such best-practice framework. The Cisco® Self-Defending Network provides the first line of corporate defense, because it is the foundation for the organization's data, applications, and business processes, the protection of which is a prerequisite for GLBA compliance.

OVERVIEW OF THE GRAMM-LEACH-BLILEY ACT

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Reform Act of 1999, requires U.S. "financial institutions" to establish administrative, technical, and physical information safeguards to ensure the confidentiality and integrity of customer records and information. To comply with this federal mandate, institutions that are significantly engaged in financial activities are required to identify and assess security risks, plan and implement security solutions to protect sensitive information, and establish measures to monitor and manage security systems. Section 501(b) of GLBA established the high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorized to implement it and issued its Final Rule (16 CFR Part 314) in May 2002. With a few exceptions, the effective date for compliance with the Final Rule was May 23, 2003 (May 24, 2004, for existing service contracts). In summary, the objectives of GLBA are to:

• Protect the security and confidentiality of customers' nonpublic personal information

• Institute administrative, technical, and physical safeguards

• Protect against anticipated threats and hazards to information security

• Protect against unauthorized access to or use of information

A further objective is to establish a continuous risk-based information security program with:

• Board oversight

• Assessment of threats and vulnerabilities

• Risk management and controls

• Training and testing

• Vendor oversight

• Monitoring, auditing, adjusting, and reporting

ISO 17799 provides an independent, internationally recognized best-practice framework for achieving these objectives, and the Cisco Self-Defending Network aligns itself with the controls recommended by ISO 17799.

WHO IS AFFECTED BY GLBA?

Examples of organizations that engage in financial activities and are financial institutions for the purposes of GLBA:

• Banks, securities firms, and insurance companies

• Mortgage lenders or brokers

• Check cashers and payday lending services

• Credit counseling services and other financial advisors

• Medical-services providers with long-term, interest-bearing payment plans for a significant number of their patients

• Financial or investment advisory services including tax planning, tax preparation, and individual financial management

• Retailers that issue their own credit cards

• Auto dealers that lease or finance purchases

• Higher education institutions providing financial aid or student loans

• Collection agencies

• Government entities that provide financial products such as student loans or mortgages

SOLUTIONS

A comprehensive approach to security that protects every aspect of the business is required to meet stringent regulatory standards and protect today's open environments.
The Cisco Self-Defending Network makes use of the network as the platform for security. A highly secure network platform provides a common infrastructure that integrates security throughout all aspects of the network, and it enables collaborative processes to occur between the various security and network elements. It also provides the foundation upon which innovative technologies and advanced security services may be layered to control and contain threats, maintain confidential communications, and secure transactions. Its flexible, cost-effective approach enables customers to deploy security where they need it most to address specific requirements and objectives. Cisco also offers a broad set of network security management and control solutions to help organizations reach their business objectives while managing associated network risks.
The Cisco Self-Defending Network not only provides flexible, in-depth protection but enables:

• Increased revenues and opportunity

• Greater business resiliency and agility

• Improved customer relationships

• Cost-effective enhancement of efficiency while reducing complexity

Because protection of personal information is the key focus of GLBA, access controls and perimeter security, physical security, and secure transmission are the key control areas. These three controls should interact to protect both the data sources and the transmission of personal data. As part of an integrated plan, technology such as personal firewalls, network-based intrusion prevention systems (IPS), host-based IPS, and VPN technology can be deployed to provide the necessary protection. An active security event management system is critical to detecting security incidents.

Which Cisco Products and Solutions Help Address the GLBA Requirements?

Protect Against Unauthorized Access

• Cisco Access Control Servers, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances

Secure Data Exchange with Affiliates and Service Providers

• VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies)

Detecting, Preventing, and Responding to Attacks and Intrusions

• Cisco Security Monitoring, Analysis and Response System, Cisco IPS solutions, Cisco Security Agent, Cisco Security Manager

Implement, Test, and Adjust a Security Plan on a Continuing Basis

• Cisco Security Auditor, Cisco Security Posture Assessment, and Penetration Testing Services

FOR MORE INFORMATION ON GLBA

Main Federal Trade Commission page: http://www.ftc.gov/privacy/glbact/index.html
FTC 16 CFR Part 314 Standards for Safeguarding Customer Information; Final Rule: http://www.ftc.gov/os/2002/05/67fr36585.pdf
The Self-Defending Network; Enabling Proactive Compliance and Risk Management in Financial Institutions: http://www.cisco.com/web/strategy/docs/finance/self_defending_network_SB.pdf
The BS7799, ISO17799, and ISO27001 Website: http://www.itgovernance.co.uk/page.bs7799