Under the Gramm-Leach-Bliley Act Safeguards Rule, financial institutions must develop and implement a comprehensive information security program, including administrative, technical, and physical safeguards. While the Rule is designed to be flexible—e.g., the information security program should be appropriate to the entity’s size and complexity, the nature and scope of the entity’s activities, and the sensitivity of any customer information at issue—there are certain basic elements that must be included in any information security program:
- one or more employees be designated to coordinate the information security program;
- a mechanism to identify and assess the risks to customer information in each relevant area of the company’s operation and to evaluate the effectiveness of the current safeguards for controlling these risks;
- regular monitoring and testing of the program;
- controls to select service providers that can maintain appropriate safeguards, to ensure the contract requires them to maintain safeguards, and to oversee their handling of customer information; and
- evaluation and adjustment of the program in light of relevant circumstances, including changes in the firm’s business or operations or the results of security testing and monitoring.1
1 16 CFR § 314.4 et seq.