What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that regulates how financial institutions protect non-public personal information (NPI). The mandate defines:
  • Financial institutions as any company that is significantly involved in providing financial services.
  • Non-public personal information (NPI) as data such as credit card numbers, account numbers, addresses, phone numbers, social security numbers, and any other data that is not publicly available.

The mandate also regulates how these institutions share information with authorized third-party organizations. It stipulates that customers must be informed of what information will be shared with third parties and be given the right to refuse permission to share it.

What happens if you don't comply with the GLBA?

Monetary penalties

Failing to comply with the GLBA results in compliance violation fines that can run into hundreds of thousands of dollars and can even lead to imprisonment for the people involved in the violation. For example, financial institutions face a fine of up to $100,000 for a violation, and high-ranking individuals such as directors face fines of up to $10,000.

Other consequences of non-compliance

  • Bad publicity for the company
  • Loss of customer trust
  • Reduced prospects of gaining new customers
  • Legal ramifications

This article presents a checklist that will help you secure NPI and thereby ensure your compliance with the GLBA. It also describes the capabilities of ADAudit Plus, a real-time AD auditing solution that helps you comply with the GLBA with ease.

The GLBA checklist for NPI protection

  • Have you identified the NPI in your organization and how it is stored?
    • One way to identify NPI and gain visibility of it in your organization is to classify it into three categories:
      • Data in use (data that is updated constantly and stored in spreadsheets and databases).
      • Data in motion (data transferred over secure channels to third parties).
      • Data at rest (data stored in off-site secondary storage devices, data warehouses, archives, and backup storage facilities).
  • Have you taken all measures to ensure the physical security of the data?
    • Have you restricted access to storage facilities to a limited number of employees?
    • Have these employees had background checks conducted on them?
    • Have you imposed restrictions on the use of removable storage devices?
    • Have employees been briefed on the security protocol they must follow?
    • Is there documentation for this briefing?
  • Have you taken all measures to ensure the network security of the data?
    • Are high-level permissions to access the data restricted to only a handful of individuals?
    • Have you created clear guidelines on proper and improper use of information held by your company?
    • Have these guidelines been circulated to all employees?
    • Have you ensured that the channels used for transmitting data are secured with proper technological measures?
    • Do you have a process to regularly review these guidelines and change them if needed?
  • Have you ensured that there are proper ways to dispose of personal information (for example, shredding devices and bins)?
  • Have you verified that third parties in charge of handling your data have also implemented security measures on their end to prevent data leaks?
  • Does your information security program include other essential measures, such as mandatory locks on file cabinets and computers, strong password policies for user accounts, and a clean desk policy?
  • Have you made it clear to your customers how their data will be used, and obtained explicit consent from them for storing and processing their information?
    • Are your customers aware that parties other than your organization will have access to their data?
    • Are they aware of what data of theirs is being shared with these third parties?
    • Have they consented to sharing this data with third parties?
    • Are they also aware of the "opt-out" policy through which they can choose not to share their information?
    • Is there documentation to prove that customers have been made aware of your company's data sharing policy?
  • And finally, in case there is a data breach at your organization, do you have an instant incident detection and remediation system?
    • Have you taken measures to ensure that once a data breach occurs it can be contained, so that other components of your network are not affected?
    • Do you have a plan in place to notify all your customers in case of a data breach?

If you've checked all the boxes on this checklist, then you can be sure that you've met the GLBA's IT security requirements. But how would you prove your adherence to the auditors? To make your GLBA auditing simple, you need a solution like ADAudit Plus. Read on to see how this solution can make your GLBA auditing a breeze.

How ADAudit Plus can help you comply with the statutes in the GLBA

ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It is a one-stop solution that brings together an intuitive user interface, pre-configured reports, and advanced filter options that help you comply with, and prove your adherence to, the GLBA. The solution provides a fully equipped dashboard that gives you a holistic view of the various systems in your network. This lets you correlate events across the network and spot suspicious behavior, thereby meeting GLBA clauses 314.4(b), 314.4(b)(1), 314.4(b)(3), 314.4(c), 501B, 501B(1), and 501B(2)&(3).

The product also has a dedicated section of reports related to various compliance laws. The reports that help you comply with the GLBA are listed below.

Reports available in ADAudit Plus to help you comply with the GLBA:

Group Management: This report shows changes made to security and distribution groups; for example, a user being added to or removed from a group.

Local Logon Failures: This report displays a list of logon failures, with a note on what type of error caused each failure; for example, a bad password entry.

User Management: This report lists users who were recently created or deleted, or whose accounts were recently disabled.

Logon Duration: This report describes a user's logon details, such as logon and logoff time, logon type, which workstation the user logged in from, and how long the user was logged in.

All File and Folder Changes: This report lists all changes made to a file or folder, such as a folder whose owner was changed, or a file that was created, deleted, or modified. You can also see whether the contents of a file were copied and pasted elsewhere.

File Read Access: This report lists the files that were accessed recently and who accessed them.

Folder Permission Changes: This report lists permission changes made to a folder. You can see whether any user was recently granted permission and who made the modification.

Folder Audit Setting Changes (SACL): This report displays any changes made to the audit settings that were initially in place, and who made those changes.

Folder Owner Changes: This report shows all folders whose owners were changed, along with who made those changes.

Remote Desktop Services Activity: This report describes any attempts to log on to your network remotely.

Domain Policy Changes: This report shows any changes made to domain policy settings, such as a change to users' password settings.
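The reports above, and the dashboard correlation described earlier, are built from events that Windows itself writes to the Security log. To make concrete what "correlating events across the network to spot suspicious behavior" looks like at the log level, here is an added example that is not code from ADAudit Plus or ManageEngine. It maps standard Windows Security event IDs (4625 failed logon, 4720/4725/4726 user created/disabled/deleted, 4728/4729/4732/4756 group membership changes, 4670 permission changes, 4907 SACL changes) onto the report categories named on this page, runs a logon-failure burst detector over a constructed sample log, lists changes to privileged groups, and flags a group or SACL change made shortly after a failure burst by the same account. The category mapping, the sample events, the thresholds, and the privileged-group list are the author's assumptions for illustration.

```python
"""Minimal correlation over Windows Security audit events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security event IDs mapped to the report categories named on
# this page. The mapping is an assumption for this example, not the product's own.
EVENT_CATEGORY = {
    4625: "Local Logon Failures",               # an account failed to log on
    4720: "User Management",                    # user account created
    4725: "User Management",                    # user account disabled
    4726: "User Management",                    # user account deleted
    4728: "Group Management",                   # member added to global security group
    4729: "Group Management",                   # member removed from global security group
    4732: "Group Management",                   # member added to local security group
    4756: "Group Management",                   # member added to universal security group
    4670: "Folder Permission Changes",          # permissions on an object changed
    4907: "Folder Audit Setting Changes (SACL)",  # auditing settings on an object changed
}

# Groups whose membership changes deserve review (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample log: the handful of fields a real event's XML would carry.
# Status 0xC000006A on a 4625 event means "wrong password".
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-03-01T09:00:00", "subject": "jdoe", "source": "10.0.0.5", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-03-01T09:00:20", "subject": "jdoe", "source": "10.0.0.5", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-03-01T09:00:40", "subject": "jdoe", "source": "10.0.0.5", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-03-01T09:01:05", "subject": "jdoe", "source": "10.0.0.5", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-03-01T09:01:30", "subject": "jdoe", "source": "10.0.0.5", "status": "0xC000006A"},
    {"id": 4625, "time": "2024-03-01T13:15:00", "subject": "asmith", "source": "10.0.0.9", "status": "0xC000006A"},
    {"id": 4728, "time": "2024-03-01T09:02:00", "subject": "jdoe", "target": "Domain Admins", "member": "svc_backup"},
    {"id": 4732, "time": "2024-03-01T11:00:00", "subject": "helpdesk1", "target": "Remote Desktop Users", "member": "bob"},
    {"id": 4907, "time": "2024-03-01T09:03:00", "subject": "jdoe", "object": "\\\\fs01\\NPI\\cards"},
    {"id": 4720, "time": "2024-03-01T10:00:00", "subject": "hr_admin", "target": "newhire7"},
]

CHANGE_CATEGORIES = {"Group Management", "Folder Permission Changes",
                     "Folder Audit Setting Changes (SACL)"}


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def categorize(events):
    """Bucket events into the report categories; unknown IDs land in 'Other'."""
    buckets = defaultdict(list)
    for e in events:
        buckets[EVENT_CATEGORY.get(e["id"], "Other")].append(e)
    return buckets


def logon_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (subject, source, count) for each account/source pair that produced
    at least `threshold` 4625 events inside some sliding window of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["subject"], e["source"])].append(parse_time(e["time"]))
    findings = []
    for (subject, source), times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((subject, source, best))
    return findings


def privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Group Management events whose target group is in the privileged set."""
    return [e for e in events
            if EVENT_CATEGORY.get(e["id"]) == "Group Management" and e.get("target") in privileged]


def correlate(events, window=timedelta(minutes=10)):
    """Flag a group, permission, or SACL change made by an account within `window`
    after that account's last failed logon in a burst: a failure burst followed by
    a sensitive change is worth an analyst's attention."""
    alerts = []
    for subject in {s for s, _src, _n in logon_failure_bursts(events)}:
        last_fail = max(parse_time(e["time"]) for e in events
                        if e["id"] == 4625 and e["subject"] == subject)
        for e in events:
            if e["subject"] != subject or e["id"] == 4625:
                continue
            category = EVENT_CATEGORY.get(e["id"])
            delta = parse_time(e["time"]) - last_fail
            if category in CHANGE_CATEGORIES and timedelta(0) <= delta <= window:
                alerts.append((subject, e["id"], category, e["time"]))
    return sorted(alerts)


if __name__ == "__main__":
    for category, evs in categorize(SAMPLE_EVENTS).items():
        print(f"{category}: {len(evs)} event(s)")
    print("failure bursts:", logon_failure_bursts(SAMPLE_EVENTS))
    print("privileged group changes:", privileged_group_changes(SAMPLE_EVENTS))
    print("correlated alerts:", correlate(SAMPLE_EVENTS))
```

The sliding-window counter is what turns the raw Local Logon Failures list into something reviewable: five wrong-password attempts in ninety seconds from one address is flagged, while the single failure from `asmith` is not. The correlation step then ties that burst to the Domain Admins addition and the SACL change that the same account made minutes later, which is exactly the cross-report view the dashboard paragraph describes.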

ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports on, and alerts about Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts. You also get out-of-the-box reports for compliance mandates such as the GLBA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
