Structuring Your GLBA Compliance Program
9/15/2011
Even though a congressional act can create confusion and misconceptions, banks are still required to remain compliant with the Gramm-Leach-Bliley Act (GLBA). Although the act has been around for more than 10 years, bank management continues to struggle with developing an internal strategy that applies a measurable framework for deriving GLBA controls.
The first issue bank management has to decide is how it is going to interpret GLBA. In other words, GLBA must be translated into a set of agreed-upon standards. While this might seem like nailing jello to a wall, a number of programs and vendors provide this service for the banking industry. These services can be expensive, but they often promise a streamlined process that helps formalize your compliance program. And while these vendors often guarantee compliance with GLBA if their product is purchased, you still have to consider how many hours must be devoted to the product for that guarantee to hold. Most of the programs we see require a full-time-equivalent employee to continuously update the GLBA compliance software application. While these programs might not be a practical solution for every bank, it is good to know that they exist.
If your bank insists on developing GLBA compliance controls internally, there are a few established control frameworks around which to build your IT audit universe. You can take GLBA and map it to National Institute of Standards and Technology (NIST) controls, the Center for Internet Security (CIS) benchmarks, International Organization for Standardization (ISO) standards, or the Committee of Sponsoring Organizations (COSO) / COBIT framework.
Access to the processes or toolsets these organizations provide will often involve a membership or a straight purchase. Once the bank has decided which framework to adopt, you should contact your regulators to ensure they are comfortable with the GLBA / audit framework you have chosen. Do not assume that if you follow FFIEC guidance you are safe from scrutiny. FFIEC guidance is a compilation of general guidelines drawn from a variety of sources and best practices. It is therefore critical to choose a standard and then apply that standard to your institution.
This process of identifying risk-based controls can be tedious; however, after testing and reporting, it will put your bank in a better position to avoid scrutiny, breaches and general control failures. Additionally, your bank will then be in a position to coordinate internal and external IT assessments.