Gramm-Leach-Bliley Act (GLBA)
Financial Privacy and Safeguards
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), includes provisions to protect consumers’ personal financial information held by financial institutions. The principal parts of the GLBA are the Financial Privacy Rule and the Safeguards Rule. The Safeguards Rule issued by the Federal Trade Commission (FTC) is intended to establish standards for financial institutions to develop, implement, and maintain administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
Protecting Financial Information
Secure Shell is widely used within environments subject to GLBA. SSH Communications Security solutions address GLBA compliance requirements by encrypting data in transit, controlling access to financial information, and auditing access to financial records.
GLBA Requirements and Secure Shell Guidance
- Financial Privacy Rule 313.6(b)(6)
  (i) Customer information restricted to necessary personnel
  Secure Shell guidance: Implement Secure Shell access controls to ensure both human and automated access to records is restricted to legitimate business needs.
- (ii) Safeguard against threats to customer privacy
  Secure Shell guidance: Audit and monitor Secure Shell-based access to financial records.
- Safeguards Rule 314
  3(b)(1) Confidentiality of customer information is protected
  3(b)(2) Information is protected against anticipated threats or hazards
  3(b)(3) Information is protected against unauthorized access
  Secure Shell guidance: Implement access controls and key management to ensure private Secure Shell keys cannot be used for unauthorized access or theft of financial records.
- 4(b)(2) Risk assessment for network, software, storage, disposal
  Secure Shell guidance: Risk assessment should include Secure Shell-based trust relationships and potential threats of unintended escalation of access.
- 4(b)(3) Detection, prevention, and response to attacks
  4(c) Design and implement safeguards
  4(d) Oversee service providers
  Secure Shell guidance: Provide monitoring, audit, and forensics capability covering all Secure Shell access to financial records.