Chapter 3
The Gramm-Leach-Bliley Act
While the healthcare industry deals with HIPAA, the financial services industry is working under
the strict Gramm-Leach-Bliley Act (GLBA). Passed in 1999, the act contains seven titles and
740 sections, making it a large and comprehensive piece of legislation. Title V, Section 502,
"Obligations with respect to disclosures of personal information," is an important section of the
act that deals with information privacy and security. This section is having a major impact on IT
operations.
As with HIPAA, financial institutions must not only protect customers' confidential information
but also provide an accounting for all disclosures of that information. And, as with HIPAA,
while your network devices aren't strictly responsible for such disclosure, they can cause it.
Thus, you need to implement measures--auditing, role-based security, and centralized
management, for example--that provide you with controls and auditing tools to ensure that your
devices don't become an unintended source of disclosure.
The GLBA has three broad requirements with regard to information security. Institutions must:
· Provide safeguards that ensure the security and confidentiality of customer records and information.
· Provide measures that protect against any anticipated threats or hazards to the security and integrity of such records.
· Provide protection against unauthorized access to, or use of, such records or information that would result in substantial harm or inconvenience to any customer.
In addition, you must be able to provide records that prove you have taken steps to meet these
requirements and that your measures have been continuously in effect. A change-management
solution can provide evidence in the form of a device change history.
21 CFR Part 11
Title 21 CFR Part 11 is comprehensive legislation that specifies stringent requirements for the
security of electronic records. Many government contractors and institutions are required to
comply with these requirements, which include:
· Validating computer systems to ensure reliability and consistency
· Maintaining an audit trail listing changes to data
· Requiring authority checks to ensure that only authorized individuals can use the system
With regard to network devices, these requirements are most easily met through third-party
management software. Although a device, such as a router, can provide rough audit trails
through technologies such as TACACS or RADIUS, such logs don't provide the level of detail
required by 21 CFR Part 11. A third-party solution, however, can periodically poll devices'
configurations to create a detailed, historical accounting of how the device has changed.
Solutions that provide a centralized, alternative management interface can also implement role-
based security, authority checks, and detailed auditing records that indicate who made changes to
devices' configurations. As with HIPAA and the GLBA, this audit trail is one of the most
important government requirements.
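The following is an added example, not code from this book or from any management product it describes, of the polling approach just outlined for both the GLBA change-history evidence and the 21 CFR Part 11 audit trail: each polled configuration is compared with the stored snapshot, only real changes are recorded (with the operator the management interface attributes them to), and each record carries the digest of the prior snapshot so that an edited or deleted history entry can be detected. Device names, configurations, timestamps and the operator name are constructed sample values.

```python
import difflib
import hashlib
from dataclasses import dataclass, field


@dataclass
class ChangeRecord:
    device: str
    polled_at: str
    operator: str      # login recorded by the management interface (assumed input)
    prev_sha256: str   # digest of the prior snapshot; links this record to it
    sha256: str        # digest of the configuration as polled
    diff: list[str]    # unified-diff lines: exactly what changed on the device


@dataclass
class ConfigHistory:
    latest: dict[str, str] = field(default_factory=dict)   # device -> last config text
    records: list[ChangeRecord] = field(default_factory=list)

    @staticmethod
    def digest(text: str) -> str:
        return hashlib.sha256(text.encode()).hexdigest()

    def poll(self, device: str, config: str, operator: str, polled_at: str):
        """Record a change only when the polled text differs; return it, or None if unchanged."""
        prev = self.latest.get(device, "")
        if prev == config:
            return None
        diff = list(difflib.unified_diff(prev.splitlines(), config.splitlines(),
                                         "previous", "current", lineterm=""))
        rec = ChangeRecord(device, polled_at, operator,
                           self.digest(prev), self.digest(config), diff)
        self.records.append(rec)
        self.latest[device] = config
        return rec

    def verify_chain(self) -> bool:
        """Every record must point at the digest of the same device's previous snapshot."""
        last = {}
        for r in self.records:
            if r.prev_sha256 != last.get(r.device, self.digest("")):
                return False
            last[r.device] = r.sha256
        return True


# Constructed sample configs standing in for two successive polls of one router.
CONFIG_V1 = "hostname edge-rtr-1\nip http server\nline vty 0 4\n login local\n"
CONFIG_V2 = "hostname edge-rtr-1\nline vty 0 4\n login local\n transport input ssh\n"
history = ConfigHistory()
history.poll("edge-rtr-1", CONFIG_V1, operator="baseline", polled_at="2004-01-05T09:00:00Z")
change = history.poll("edge-rtr-1", CONFIG_V2, operator="jdoe", polled_at="2004-01-05T17:30:00Z")
```

A real poller would fetch `config` from the device over the management interface on a schedule and persist `records` somewhere the device administrators cannot rewrite, which is what makes the chain check meaningful.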